[Platform] Detect and fix certificates with potentially inaccessible keys on Mac OS (2.1) (#17560)

* [Https] Detects and fixes HTTPS certificates where the key is not guaranteed to be accessible across security partitions

* Fix dotnet dev-certs https --check

* Update logic for detecting missing certs

* Fix security command

* Update warning logic

* Check that the key is accessible in Kestrel

* Add correct link to docs

* Update src/Tools/dotnet-dev-certs/src/Program.cs

Co-Authored-By: Daniel Roth <[email protected]>

* Update src/Tools/dotnet-dev-certs/src/Program.cs

Co-Authored-By: Daniel Roth <[email protected]>

* Add test for 2.1

* Update src/Tools/dotnet-dev-certs/src/Program.cs

Co-Authored-By: Chris Ross <[email protected]>

* Address feedback

* Fix non-interctive path

* Fix tests

* Remove a couple of test from an unshipped product

* Check only for certificates considered valid

* Switch the exception being caught, remove invalid test

Co-authored-by: Daniel Roth <[email protected]>
Co-authored-by: Chris Ross <[email protected]>

Author: 3 people

src/Servers/Kestrel/Core/src/CoreStrings.resx

@@ -518,4 +518,7 @@ For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?l
   <data name="ConnectionTimedOutByServer" xml:space="preserve">
     <value>The connection was timed out by the server.</value>
   </data>
+  <data name="BadDeveloperCertificateState" xml:space="preserve">
+    <value>The ASP.NET Core developer certificate is in an invalid state. To fix this issue, run the following commands 'dotnet dev-certs https --clean' and 'dotnet dev-certs https' to remove all existing ASP.NET Core development certificates and create a new untrusted developer certificate. On macOS or Windows, use 'dotnet dev-certs https --trust' to trust the new certificate.</value>
+  </data>
 </root>

src/Servers/Kestrel/Core/src/Internal/HttpsConnectionAdapter.cs

@@ -9,6 +9,7 @@
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Certificates.Generation;
 using Microsoft.AspNetCore.Connections;
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
@@ -177,8 +178,9 @@ private async Task<IAdaptedConnection> InnerOnConnectionAsync(ConnectionAdapterC
                         EnsureCertificateIsAllowedForServerAuth(serverCert);
                     }
                 }
+
                 await sslStream.AuthenticateAsServerAsync(serverCert, certificateRequired,
-                        _options.SslProtocols, _options.CheckCertificateRevocation);
+                    _options.SslProtocols, _options.CheckCertificateRevocation);
 #endif
             }
             catch (OperationCanceledException)
@@ -187,12 +189,28 @@ await sslStream.AuthenticateAsServerAsync(serverCert, certificateRequired,
                 sslStream.Dispose();
                 return _closedAdaptedConnection;
             }
-            catch (Exception ex) when (ex is IOException || ex is AuthenticationException)
+            catch (IOException ex)
             {
                 _logger?.LogDebug(1, ex, CoreStrings.AuthenticationFailed);
                 sslStream.Dispose();
                 return _closedAdaptedConnection;
             }
+            catch (AuthenticationException ex)
+            {
+                if (_serverCertificate != null &&
+                    CertificateManager.IsHttpsDevelopmentCertificate(_serverCertificate) &&
+                    !CertificateManager.CheckDeveloperCertificateKey(_serverCertificate))
+                {
+                    _logger?.LogError(3, ex, CoreStrings.BadDeveloperCertificateState);
+                }
+                else
+                {
+                    _logger?.LogDebug(1, ex, CoreStrings.AuthenticationFailed);
+                }
+
+                sslStream.Dispose();
+                return _closedAdaptedConnection;
+            }
             finally
             {
                 timeoutFeature.CancelTimeout();

src/Servers/Kestrel/Core/src/Properties/CoreStrings.Designer.cs

@@ -22,5 +22,10 @@ public static X509Certificate2 GetTestCertificate(string certName)
         {
             return new X509Certificate2(GetCertPath(certName), "testPassword");
         }
+
+        public static X509Certificate2 GetTestCertificate(string certName, string password)
+        {
+            return new X509Certificate2(GetCertPath(certName), password);
+        }
     }
 }

src/Servers/Kestrel/shared/test/TestResources.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;

src/Servers/Kestrel/test/FunctionalTests/HttpsTests.cs

@@ -7,6 +7,7 @@
 using System.IO;
 using System.Linq;
 using System.Runtime.InteropServices;
+using System.Runtime.InteropServices.ComTypes;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
@@ -50,6 +51,8 @@ internal class CertificateManager
         private static readonly string MacOSTrustCertificateCommandLineArguments = "security add-trusted-cert -d -r trustRoot -k " + MacOSSystemKeyChain + " ";
 #endif
         private const int UserCancelledErrorCode = 1223;
+        private const string MacOSSetPartitionKeyPermissionsCommandLine = "sudo";
+        private static readonly string MacOSSetPartitionKeyPermissionsCommandLineArguments = "security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9 " + MacOSUserKeyChain;
 
         public IList<X509Certificate2> ListCertificates(
             CertificatePurpose purpose,
@@ -147,6 +150,39 @@ private void DisposeCertificates(IEnumerable<X509Certificate2> disposables)
             }
         }
 
+        internal static bool IsHttpsDevelopmentCertificate(X509Certificate2 certificate) =>
+            certificate.Extensions.OfType<X509Extension>()
+                .Any(e => string.Equals(AspNetHttpsOid, e.Oid.Value, StringComparison.Ordinal));
+
+        internal static bool CheckDeveloperCertificateKey(X509Certificate2 candidate)
+        {
+            // Tries to use the certificate key to validate it can't access it
+            try
+            {
+                var rsa = candidate.GetRSAPrivateKey();
+                if (rsa == null)
+                {
+                    return false;
+                }
+
+                // Encrypting a random value is the ultimate test for a key validity.
+                // Windows and Mac OS both return HasPrivateKey = true if there is (or there has been) a private key associated
+                // with the certificate at some point.
+                var value = new byte[32];
+                using (var rng = RandomNumberGenerator.Create())
+                {
+                    rsa.Decrypt(rsa.Encrypt(value, RSAEncryptionPadding.Pkcs1), RSAEncryptionPadding.Pkcs1);
+                }
+
+                // Being able to encrypt and decrypt a payload is the strongest guarantee that the key is valid.
+                return true;
+            }
+            catch (Exception)
+            {
+                return false;
+            }
+        }
+
 #if NETCOREAPP2_0 || NETCOREAPP2_1
 
         public X509Certificate2 CreateAspNetCoreHttpsDevelopmentCertificate(DateTimeOffset notBefore, DateTimeOffset notAfter, string subjectOverride)
@@ -192,6 +228,27 @@ public X509Certificate2 CreateAspNetCoreHttpsDevelopmentCertificate(DateTimeOffs
             return certificate;
         }
 
+        internal bool HasValidCertificateWithInnaccessibleKeyAcrossPartitions()
+        {
+            var certificates = GetHttpsCertificates();
+            if (certificates.Count == 0)
+            {
+                return false;
+            }
+
+            // We need to check all certificates as a new one might be created that hasn't been correctly setup.
+            var result = false;
+            foreach (var certificate in certificates)
+            {
+                result = result || !CanAccessCertificateKeyAcrossPartitions(certificate);
+            }
+
+            return result;
+        }
+
+        public IList<X509Certificate2> GetHttpsCertificates() =>
+            ListCertificates(CertificatePurpose.HTTPS, StoreName.My, StoreLocation.CurrentUser, isValid: true, requireExportable: true);
+
         public X509Certificate2 CreateApplicationTokenSigningDevelopmentCertificate(DateTimeOffset notBefore, DateTimeOffset notAfter, string subjectOverride)
         {
             var subject = new X500DistinguishedName(subjectOverride ?? IdentityDistinguishedName);
@@ -596,9 +653,10 @@ public EnsureCertificateResult EnsureAspNetCoreHttpsDevelopmentCertificate(
             bool trust = false,
             bool includePrivateKey = false,
             string password = null,
-            string subject = LocalhostHttpsDistinguishedName)
+            string subject = LocalhostHttpsDistinguishedName,
+            bool isInteractive = true)
         {
-            return EnsureValidCertificateExists(notBefore, notAfter, CertificatePurpose.HTTPS, path, trust, includePrivateKey, password, subject);
+            return EnsureValidCertificateExists(notBefore, notAfter, CertificatePurpose.HTTPS, path, trust, includePrivateKey, password, subject, isInteractive);
         }
 
         public EnsureCertificateResult EnsureAspNetCoreApplicationTokensDevelopmentCertificate(
@@ -610,7 +668,7 @@ public EnsureCertificateResult EnsureAspNetCoreApplicationTokensDevelopmentCerti
             string password = null,
             string subject = IdentityDistinguishedName)
         {
-            return EnsureValidCertificateExists(notBefore, notAfter, CertificatePurpose.Signing, path, trust, includePrivateKey, password, subject);
+            return EnsureValidCertificateExists(notBefore, notAfter, CertificatePurpose.Signing, path, trust, includePrivateKey, password, subject, isInteractive: true);
         }
 
         public EnsureCertificateResult EnsureValidCertificateExists(
@@ -621,7 +679,8 @@ public EnsureCertificateResult EnsureValidCertificateExists(
             bool trust = false,
             bool includePrivateKey = false,
             string password = null,
-            string subjectOverride = null)
+            string subjectOverride = null,
+            bool isInteractive = true)
         {
             if (purpose == CertificatePurpose.All)
             {
@@ -633,6 +692,33 @@ public EnsureCertificateResult EnsureValidCertificateExists(
 
             certificates = subjectOverride == null ? certificates : certificates.Where(c => c.Subject == subjectOverride);
 
+            if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
+            {
+                foreach (var cert in certificates)
+                {
+                    if (!CanAccessCertificateKeyAcrossPartitions(cert))
+                    {
+                        if (!isInteractive)
+                        {
+                            // If the process is not interactive (first run experience) bail out. We will simply create a certificate
+                            // in case there is none or report success during the first run experience.
+                            break;
+                        }
+                        try
+                        {
+                            // The command we run handles making keys for all localhost certificates accessible across partitions. If it can not run the
+                            // command safely (because there are other localhost certificates that were not created by asp.net core, it will throw.
+                            MakeCertificateKeyAccessibleAcrossPartitions(cert);
+                            break;
+                        }
+                        catch (Exception)
+                        {
+                            return EnsureCertificateResult.FailedToMakeKeyAccessible;
+                        }
+                    }
+                }
+            }
+
             var result = EnsureCertificateResult.Succeeded;
 
             X509Certificate2 certificate = null;
@@ -672,6 +758,11 @@ public EnsureCertificateResult EnsureValidCertificateExists(
                 {
                     return EnsureCertificateResult.ErrorSavingTheCertificateIntoTheCurrentUserPersonalStore;
                 }
+
+                if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX) && isInteractive)
+                {
+                    MakeCertificateKeyAccessibleAcrossPartitions(certificate);
+                }
             }
             if (path != null)
             {
@@ -704,6 +795,74 @@ public EnsureCertificateResult EnsureValidCertificateExists(
             return result;
         }
 
+        private void MakeCertificateKeyAccessibleAcrossPartitions(X509Certificate2 certificate)
+        {
+            if (OtherNonAspNetCoreHttpsCertificatesPresent())
+            {
+                throw new InvalidOperationException("Unable to make HTTPS ceritificate key trusted across security partitions.");
+            }
+            using (var process = Process.Start(MacOSSetPartitionKeyPermissionsCommandLine, MacOSSetPartitionKeyPermissionsCommandLineArguments))
+            {
+                process.WaitForExit();
+                if (process.ExitCode != 0)
+                {
+                    throw new InvalidOperationException("Error making the key accessible across partitions.");
+                }
+            }
+
+            var certificateSentinelPath = GetCertificateSentinelPath(certificate);
+            File.WriteAllText(certificateSentinelPath, "true");
+        }
+
+        private static string GetCertificateSentinelPath(X509Certificate2 certificate) =>
+            Path.Combine(Environment.GetEnvironmentVariable("HOME"), ".dotnet", $"certificate.{certificate.GetCertHashString(HashAlgorithmName.SHA256)}.sentinel");
+
+        private bool OtherNonAspNetCoreHttpsCertificatesPresent()
+        {
+            var certificates = new List<X509Certificate2>();
+            try
+            {
+                using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
+                {
+                    store.Open(OpenFlags.ReadOnly);
+                    certificates.AddRange(store.Certificates.OfType<X509Certificate2>());
+                    IEnumerable<X509Certificate2> matchingCertificates = certificates;
+                        // Ensure the certificate hasn't expired, has a private key and its exportable
+                        // (for container/unix scenarios).
+                        var now = DateTimeOffset.Now;
+                        matchingCertificates = matchingCertificates
+                            .Where(c => c.NotBefore <= now &&
+                                now <= c.NotAfter && c.Subject == LocalhostHttpsDistinguishedName);
+
+                    // We need to enumerate the certificates early to prevent dispoisng issues.
+                    matchingCertificates = matchingCertificates.ToList();
+
+                    var certificatesToDispose = certificates.Except(matchingCertificates);
+                    DisposeCertificates(certificatesToDispose);
+
+                    store.Close();
+
+                    return matchingCertificates.All(c => !HasOid(c, AspNetHttpsOid));
+                }
+            }
+            catch
+            {
+                DisposeCertificates(certificates);
+                certificates.Clear();
+                return true;
+            }
+
+            bool HasOid(X509Certificate2 certificate, string oid) =>
+                certificate.Extensions.OfType<X509Extension>()
+                .Any(e => string.Equals(oid, e.Oid.Value, StringComparison.Ordinal));
+        }
+
+        private bool CanAccessCertificateKeyAcrossPartitions(X509Certificate2 certificate)
+        {
+            var certificateSentinelPath = GetCertificateSentinelPath(certificate);
+            return File.Exists(certificateSentinelPath);
+        }
+
         private class UserCancelledTrustException : Exception
         {
         }
@@ -717,4 +876,4 @@ private enum RemoveLocations
         }
 #endif
     }
-}
+}

src/Shared/CertificateGeneration/CertificateManager.cs

@@ -13,8 +13,9 @@ internal enum EnsureCertificateResult
         ErrorSavingTheCertificateIntoTheCurrentUserPersonalStore,
         ErrorExportingTheCertificate,
         FailedToTrustTheCertificate,
-        UserCancelledTrustStep
+        UserCancelledTrustStep,
+        FailedToMakeKeyAccessible,
     }
 }
 
-#endif
+#endif

src/Shared/CertificateGeneration/EnsureCertificateResult.cs

@@ -9,7 +9,7 @@ public static void GenerateAspNetHttpsCertificate()
         {
             var manager = new CertificateManager();
             var now = DateTimeOffset.Now;
-            manager.EnsureAspNetCoreHttpsDevelopmentCertificate(now, now.AddYears(1));
+            manager.EnsureAspNetCoreHttpsDevelopmentCertificate(now, now.AddYears(1), isInteractive: false);
         }
     }
 }