[automated] Merge branch 'release/2.1' => 'release/3.1' (#18396)

dotnet-maestro-bot · javiercn · danroth27 · mkArtakMSFT · commit 2dc908d50288 · 2020-01-17T08:30:12.000-08:00
* [Platform] Detect and fix certificates with potentially inaccessible keys on Mac OS (2.1) (#17560) * [Https] Detects and fixes HTTPS certificates where the key is not guaranteed to be accessible across security partitions * Fix dotnet dev-certs https --check * Update logic for detecting missing certs * Fix security command * Update warning logic * Check that the key is accessible in Kestrel * Add correct link to docs * Update src/Tools/dotnet-dev-certs/src/Program.cs Co-Authored-By: Daniel Roth <daroth@microsoft.com> * Update src/Tools/dotnet-dev-certs/src/Program.cs Co-Authored-By: Daniel Roth <daroth@microsoft.com> * Add test for 2.1 * Update src/Tools/dotnet-dev-certs/src/Program.cs Co-Authored-By: Chris Ross <Tratcher@Outlook.com> * Address feedback * Fix non-interctive path * Fix tests * Remove a couple of test from an unshipped product * Check only for certificates considered valid * Switch the exception being caught, remove invalid test Co-authored-by: Daniel Roth <daroth@microsoft.com> Co-authored-by: Chris Ross <Tratcher@Outlook.com> * Fix patchconfig merge (#18389) * Fix flaky HubConnectionHandler test (#18391) Co-authored-by: Javier Calvarro Nelson <jacalvar@microsoft.com> Co-authored-by: Daniel Roth <daroth@microsoft.com> Co-authored-by: Chris Ross <Tratcher@Outlook.com> Co-authored-by: Brennan <brecon@microsoft.com>
diff --git a/src/Servers/Kestrel/Core/src/CoreStrings.resx b/src/Servers/Kestrel/Core/src/CoreStrings.resx
@@ -620,4 +620,4 @@ For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?l
   <data name="BadDeveloperCertificateState" xml:space="preserve">
     <value>The ASP.NET Core developer certificate is in an invalid state. To fix this issue, run the following commands 'dotnet dev-certs https --clean' and 'dotnet dev-certs https' to remove all existing ASP.NET Core development certificates and create a new untrusted developer certificate. On macOS or Windows, use 'dotnet dev-certs https --trust' to trust the new certificate.</value>
   </data>
-</root>
+</root>
diff --git a/src/Servers/Kestrel/shared/test/TestResources.cs b/src/Servers/Kestrel/shared/test/TestResources.cs
@@ -40,5 +40,10 @@ public static X509Certificate2 GetTestCertificate(string certName = "testCert.pf
                 importPfxMutex?.ReleaseMutex();
             }
         }
+
+        public static X509Certificate2 GetTestCertificate(string certName, string password)
+        {
+            return new X509Certificate2(GetCertPath(certName), password);
+        }
     }
 }
diff --git a/src/Shared/CertificateGeneration/CertificateManager.cs b/src/Shared/CertificateGeneration/CertificateManager.cs
@@ -7,6 +7,7 @@
 using System.IO;
 using System.Linq;
 using System.Runtime.InteropServices;
+using System.Runtime.InteropServices.ComTypes;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
@@ -740,12 +741,12 @@ public DetailedEnsureCertificateResult EnsureValidCertificateExists(
             DateTimeOffset notBefore,
             DateTimeOffset notAfter,
             CertificatePurpose purpose,
-            string path,
-            bool trust,
-            bool includePrivateKey,
-            string password,
-            string subject,
-            bool isInteractive)
+            string path = null,
+            bool trust = false,
+            bool includePrivateKey = false,
+            string password = null,
+            string subjectOverride = null,
+            bool isInteractive = true)
         {
             if (purpose == CertificatePurpose.All)
             {
@@ -757,12 +758,12 @@ public DetailedEnsureCertificateResult EnsureValidCertificateExists(
             var certificates = ListCertificates(purpose, StoreName.My, StoreLocation.CurrentUser, isValid: true, requireExportable: true, result.Diagnostics).Concat(
                 ListCertificates(purpose, StoreName.My, StoreLocation.LocalMachine, isValid: true, requireExportable: true, result.Diagnostics));
 
-            var filteredCertificates = subject == null ? certificates : certificates.Where(c => c.Subject == subject);
-            if (subject != null)
+            var filteredCertificates = subjectOverride == null ? certificates : certificates.Where(c => c.Subject == subjectOverride);
+            if (subjectOverride != null)
             {
                 var excludedCertificates = certificates.Except(filteredCertificates);
 
-                result.Diagnostics.Debug($"Filtering found certificates to those with a subject equal to '{subject}'");
+                result.Diagnostics.Debug($"Filtering found certificates to those with a subject equal to '{subjectOverride}'");
                 result.Diagnostics.Debug(result.Diagnostics.DescribeCertificates(filteredCertificates));
                 result.Diagnostics.Debug($"Listing certificates excluded from consideration.");
                 result.Diagnostics.Debug(result.Diagnostics.DescribeCertificates(excludedCertificates));
@@ -825,7 +826,7 @@ public DetailedEnsureCertificateResult EnsureValidCertificateExists(
                         case CertificatePurpose.All:
                             throw new InvalidOperationException("The certificate must have a specific purpose.");
                         case CertificatePurpose.HTTPS:
-                            certificate = CreateAspNetCoreHttpsDevelopmentCertificate(notBefore, notAfter, subject, result.Diagnostics);
+                            certificate = CreateAspNetCoreHttpsDevelopmentCertificate(notBefore, notAfter, subjectOverride, result.Diagnostics);
                             break;
                         default:
                             throw new InvalidOperationException("The certificate must have a purpose.");
@@ -853,6 +854,11 @@ public DetailedEnsureCertificateResult EnsureValidCertificateExists(
                 {
                     MakeCertificateKeyAccessibleAcrossPartitions(certificate);
                 }
+
+                if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX) && isInteractive)
+                {
+                    MakeCertificateKeyAccessibleAcrossPartitions(certificate);
+                }
             }
             if (path != null)
             {
@@ -894,10 +900,11 @@ public DetailedEnsureCertificateResult EnsureValidCertificateExists(
             return result;
         }
 
-        private void MakeCertificateKeyAccessibleAcrossPartitions(X509Certificate2 certificate)                {
+        private void MakeCertificateKeyAccessibleAcrossPartitions(X509Certificate2 certificate)
+        {
             if (OtherNonAspNetCoreHttpsCertificatesPresent())
             {
-                throw new InvalidOperationException("Unable to make HTTPS ceritificate key trusted across security partitions.");
+                throw new InvalidOperationException("Unable to make HTTPS certificate key trusted across security partitions.");
             }
             using (var process = Process.Start(MacOSSetPartitionKeyPermissionsCommandLine, MacOSSetPartitionKeyPermissionsCommandLineArguments))
             {
diff --git a/src/Shared/CertificateGeneration/EnsureCertificateResult.cs b/src/Shared/CertificateGeneration/EnsureCertificateResult.cs
@@ -15,3 +15,4 @@ internal enum EnsureCertificateResult
         FailedToMakeKeyAccessible,
     }
 }
+
diff --git a/src/Tools/dotnet-dev-certs/src/Program.cs b/src/Tools/dotnet-dev-certs/src/Program.cs
@@ -194,6 +194,13 @@ private static int EnsureHttpsCertificate(CommandOption exportPath, CommandOptio
             var now = DateTimeOffset.Now;
             var manager = new CertificateManager();
 
+            if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX) && manager.HasValidCertificateWithInnaccessibleKeyAcrossPartitions() || manager.GetHttpsCertificates().Count == 0)
+            {
+                reporter.Warn($"A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:" + Environment.NewLine +
+                    "'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'" + Environment.NewLine +
+                    "This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/2.1/troubleshootcertissues");
+            }
+
             if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX) && manager.HasValidCertificateWithInnaccessibleKeyAcrossPartitions() || manager.GetHttpsCertificates().Count == 0)
             {
                 reporter.Warn($"A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:" + Environment.NewLine +

Original file line number	Diff line number	Diff line change
`@@ -40,5 +40,10 @@ public static X509Certificate2 GetTestCertificate(string certName = "testCert.pf`
`40`	`40`	`importPfxMutex?.ReleaseMutex();`
`41`	`41`	`}`
`42`	`42`	`}`
	`43`	`+`
	`44`	`+ public static X509Certificate2 GetTestCertificate(string certName, string password)`
	`45`	`+ {`
	`46`	`+ return new X509Certificate2(GetCertPath(certName), password);`
	`47`	`+ }`
`43`	`48`	`}`
`44`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,3 +15,4 @@ internal enum EnsureCertificateResult`
`15`	`15`	`FailedToMakeKeyAccessible,`
`16`	`16`	`}`
`17`	`17`	`}`
	`18`	`+`