Fixes and improvements for dotnet-dev-certs:

* Revamps the HTTPS developer certificate tool implementation.
  * It accumulated a lot of cruft during the past few years and that has made making changes harder.
* Separated the CertificateManager implementation into different classes per platform.
  * This centralizes the decision point of choosing a platform in a single place.
  * Makes clear what the flow is for a given platform.
  * Isolates changes needed for a given platform in the future.
* Moved CertificateManager to a singleton
  * No more statics!
* Updates logging to use EventSource
  * We didn't have a good way of performing logging as the code is shared and must run in multiple contexts and the set of dependencies need to be kept to a minimum.
  * Adding ETW allow us to log/monitor the the tool execution and capture the logs with `dotnet trace` without having to invent our own logging.
  * We can decide to write an EventListener in `dotnet-dev-certs` to write the results to the console output.
* Updates the way we handle the dev-cert in Mac OS to use the security tool to import the certificate into the store instead of using the certificate store.

Author: javiercn

src/ProjectTemplates/test/Helpers/AspNetProcess.cs

@@ -89,7 +89,7 @@ public AspNetProcess(
         internal void EnsureDevelopmentCertificates()
         {
             var now = DateTimeOffset.Now;
-            var manager = new CertificateManager();
+            var manager = CertificateManager.Instance;
             var certificate = manager.CreateAspNetCoreHttpsDevelopmentCertificate(now, now.AddYears(1), "CN=localhost");
             manager.ExportCertificate(certificate, path: _certificatePath, includePrivateKey: true, _certificatePassword);
         }

src/Servers/Kestrel/Core/src/Internal/LoggerExtensions.cs

@@ -34,12 +34,28 @@ internal static class LoggerExtensions
                 new EventId(3, "FailedToLoadDevelopmentCertificate"),
                 "Failed to load the development https certificate at '{certificatePath}'.");
 
+        private static readonly Action<ILogger, Exception> _badDeveloperCertificateState =
+            LoggerMessage.Define(
+                LogLevel.Error,
+                new EventId(4, "BadDeveloperCertificateState"),
+                CoreStrings.BadDeveloperCertificateState);
+
+        private static readonly Action<ILogger, string, Exception> _developerCertificateFirstRun =
+            LoggerMessage.Define<string>(
+                LogLevel.Warning,
+                new EventId(5, "DeveloperCertificateFirstRun"),
+                "{Message}");
+
         public static void LocatedDevelopmentCertificate(this ILogger logger, X509Certificate2 certificate) => _locatedDevelopmentCertificate(logger, certificate.Subject, certificate.Thumbprint, null);
 
         public static void UnableToLocateDevelopmentCertificate(this ILogger logger) => _unableToLocateDevelopmentCertificate(logger, null);
 
         public static void FailedToLocateDevelopmentCertificateFile(this ILogger logger, string certificatePath) => _failedToLocateDevelopmentCertificateFile(logger, certificatePath, null);
 
         public static void FailedToLoadDevelopmentCertificate(this ILogger logger, string certificatePath) => _failedToLoadDevelopmentCertificate(logger, certificatePath, null);
+
+        public static void BadDeveloperCertificateState(this ILogger logger) => _badDeveloperCertificateState(logger, null);
+
+        public static void DeveloperCertificateFirstRun(this ILogger logger, string message) => _developerCertificateFirstRun(logger, message, null);
     }
 }

src/Servers/Kestrel/Core/src/KestrelServerOptions.cs

@@ -152,11 +152,29 @@ private void EnsureDefaultCert()
                 var logger = ApplicationServices.GetRequiredService<ILogger<KestrelServer>>();
                 try
                 {
-                    DefaultCertificate = CertificateManager.ListCertificates(CertificatePurpose.HTTPS, StoreName.My, StoreLocation.CurrentUser, isValid: true)
+                    DefaultCertificate = CertificateManager.Instance.ListCertificates(StoreName.My, StoreLocation.CurrentUser, isValid: true)
                         .FirstOrDefault();
 
                     if (DefaultCertificate != null)
                     {
+                        var status = CertificateManager.Instance.CheckCertificateState(DefaultCertificate, interactive: false);
+                        if (!status.Result)
+                        {
+                            // Display a warning indicating to the user that a prompt might appear and provide instructions on what to do in that
+                            // case. The underlying implementation of this check is specific to Mac OS and is handled within CheckCertificateState.
+                            // Kestrel must NEVER cause a UI prompt on a production system. We only attempt this here because Mac OS is not supported
+                            // in production.
+                            logger.DeveloperCertificateFirstRun(status.Message);
+
+                            // Now that we've displayed a warning in the logs so that the user gets a notification that a prompt might appear, try
+                            // and access the certificate key, which might trigger a prompt.
+                            status = CertificateManager.Instance.CheckCertificateState(DefaultCertificate, interactive: true);
+                            if (!status.Result)
+                            {
+                                logger.BadDeveloperCertificateState();
+                            }
+                        }
+
                         logger.LocatedDevelopmentCertificate(DefaultCertificate);
                     }
                     else

src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs

@@ -220,16 +220,10 @@ public async Task OnConnectionAsync(ConnectionContext context)
                 }
                 catch (AuthenticationException ex)
                 {
-                    if (_serverCertificate == null ||
-                        !CertificateManager.IsHttpsDevelopmentCertificate(_serverCertificate) ||
-                        CertificateManager.CheckDeveloperCertificateKey(_serverCertificate))
+                    if (_serverCertificate == null)
                     {
                         _logger.LogDebug(1, ex, CoreStrings.AuthenticationFailed);
                     }
-                    else
-                    {
-                        _logger.LogError(3, ex, CoreStrings.BadDeveloperCertificateState);
-                    }
 
                     await sslStream.DisposeAsync();
                     return;

src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs

@@ -386,6 +386,9 @@ await Assert.ThrowsAnyAsync<Exception>(() =>
         }
 
         [Fact]
+        [SkipOnHelix("", Queues = "Ubuntu.1604.Amd64.Open;Windows.10.Amd64.Open")]
+        [OSSkipCondition(OperatingSystems.Linux, SkipReason = "This check only applies to Mac OS as it is the one that checks the key for validity.")]
+        [OSSkipCondition(OperatingSystems.Windows, SkipReason = "This check only applies to Mac OS as it is the one that checks the key for validity.")]
         public async Task DevCertWithInvalidPrivateKeyProducesCustomWarning()
         {
             var loggerProvider = new HandshakeErrorLoggerProvider();