Update to use security import instead of the certificate store

javiercn · javiercn · commit df86b350e725 · 2020-03-20T03:47:30.000-07:00
diff --git a/src/Shared/CertificateGeneration/CertificateManager.cs b/src/Shared/CertificateGeneration/CertificateManager.cs
@@ -78,7 +78,7 @@ public IList<X509Certificate2> ListCertificates(
                     matchingCertificates = matchingCertificates
                         .Where(c => HasOid(c, AspNetHttpsOid));
 
-                    Log.DescribeFoundCertificates(CertificateManagerEventSource.ToCertificateDescription(matchingCertificates));
+                    Log.DescribeFoundCertificates(ToCertificateDescription(matchingCertificates));
 
                     if (isValid)
                     {
@@ -95,8 +95,8 @@ public IList<X509Certificate2> ListCertificates(
 
                         var invalidCertificates = matchingCertificates.Except(validCertificates);
 
-                        Log.DescribeValidCertificates(CertificateManagerEventSource.ToCertificateDescription(validCertificates));
-                        Log.DescribeInvalidValidCertificates(CertificateManagerEventSource.ToCertificateDescription(invalidCertificates));
+                        Log.DescribeValidCertificates(ToCertificateDescription(validCertificates));
+                        Log.DescribeInvalidValidCertificates(ToCertificateDescription(invalidCertificates));
 
                         matchingCertificates = validCertificates;
                     }
@@ -165,8 +165,8 @@ public EnsureCertificateResult EnsureAspNetCoreHttpsDevelopmentCertificate(
             var filteredCertificates = certificates.Where(c => c.Subject == Subject);
             var excludedCertificates = certificates.Except(filteredCertificates);
 
-            Log.FilteredCertificates(CertificateManagerEventSource.ToCertificateDescription(filteredCertificates));
-            Log.ExcludedCertificates(CertificateManagerEventSource.ToCertificateDescription(excludedCertificates));
+            Log.FilteredCertificates(ToCertificateDescription(filteredCertificates));
+            Log.ExcludedCertificates(ToCertificateDescription(excludedCertificates));
 
             certificates = filteredCertificates;
 
@@ -185,7 +185,7 @@ public EnsureCertificateResult EnsureAspNetCoreHttpsDevelopmentCertificate(
                         {
                             try
                             {
-                                Log.CorrectCertificateStateStart(CertificateManagerEventSource.GetDescription(candidate));
+                                Log.CorrectCertificateStateStart(GetDescription(candidate));
                                 CorrectCertificateState(candidate);
                                 Log.CorrectCertificateStateEnd();
                             }
@@ -195,14 +195,14 @@ public EnsureCertificateResult EnsureAspNetCoreHttpsDevelopmentCertificate(
                                 result = EnsureCertificateResult.FailedToMakeKeyAccessible;
                                 return result;
                             }
-                        } 
+                        }
                     }
                 }
                 else
                 {
-                    Log.ValidCertificatesFound(CertificateManagerEventSource.ToCertificateDescription(certificates));
+                    Log.ValidCertificatesFound(ToCertificateDescription(certificates));
                     certificate = certificates.First();
-                    Log.SelectedCertificate(CertificateManagerEventSource.GetDescription(certificate));
+                    Log.SelectedCertificate(GetDescription(certificate));
                     result = EnsureCertificateResult.ValidCertificatePresent;
                 }
             }
@@ -237,7 +237,7 @@ public EnsureCertificateResult EnsureAspNetCoreHttpsDevelopmentCertificate(
                 {
                     try
                     {
-                        Log.CorrectCertificateStateStart(CertificateManagerEventSource.GetDescription(certificate));
+                        Log.CorrectCertificateStateStart(GetDescription(certificate));
                         CorrectCertificateState(certificate);
                         Log.CorrectCertificateStateEnd();
                     }
@@ -298,8 +298,8 @@ public void CleanupHttpsCertificates()
             var filteredCertificates = certificates.Where(c => c.Subject == Subject);
             var excludedCertificates = certificates.Except(filteredCertificates);
 
-            Log.FilteredCertificates(CertificateManagerEventSource.ToCertificateDescription(filteredCertificates));
-            Log.ExcludedCertificates(CertificateManagerEventSource.ToCertificateDescription(excludedCertificates));
+            Log.FilteredCertificates(ToCertificateDescription(filteredCertificates));
+            Log.ExcludedCertificates(ToCertificateDescription(excludedCertificates));
 
             foreach (var certificate in filteredCertificates)
             {
@@ -321,7 +321,7 @@ public void CleanupHttpsCertificates()
 
         internal void ExportCertificate(X509Certificate2 certificate, string path, bool includePrivateKey, string password)
         {
-            Log.ExportCertificateStart(CertificateManagerEventSource.GetDescription(certificate), path, includePrivateKey);
+            Log.ExportCertificateStart(GetDescription(certificate), path, includePrivateKey);
             if (includePrivateKey && password == null)
             {
                 Log.NoPasswordForCertificate();
@@ -416,7 +416,7 @@ internal X509Certificate2 SaveCertificate(X509Certificate2 certificate)
             var name = StoreName.My;
             var location = StoreLocation.CurrentUser;
 
-            Log.SaveCertificateInStoreStart(CertificateManagerEventSource.GetDescription(certificate), name, location);
+            Log.SaveCertificateInStoreStart(GetDescription(certificate), name, location);
 
             certificate = SaveCertificateCore(certificate);
 
@@ -428,7 +428,7 @@ internal void TrustCertificate(X509Certificate2 certificate)
         {
             try
             {
-                Log.TrustCertificateStart(CertificateManagerEventSource.GetDescription(certificate));
+                Log.TrustCertificateStart(GetDescription(certificate));
                 TrustCertificateCore(certificate);
                 Log.TrustCertificateEnd();
             }
@@ -528,7 +528,7 @@ private static void RemoveCertificateFromUserStore(X509Certificate2 certificate)
         {
             try
             {
-                Log.RemoveCertificateFromUserStoreStart(CertificateManagerEventSource.GetDescription(certificate));
+                Log.RemoveCertificateFromUserStoreStart(GetDescription(certificate));
                 using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
                 store.Open(OpenFlags.ReadWrite);
                 var matching = store.Certificates
@@ -546,6 +546,15 @@ private static void RemoveCertificateFromUserStore(X509Certificate2 certificate)
             }
         }
 
+        internal static string ToCertificateDescription(IEnumerable<X509Certificate2> matchingCertificates) =>
+        string.Join(Environment.NewLine, matchingCertificates
+            .OrderBy(c => c.Thumbprint)
+            .Select(c => GetDescription(c))
+            .ToArray());
+
+        internal static string GetDescription(X509Certificate2 c) =>
+            $"{c.Thumbprint[0..6]} - {c.Subject} - {c.GetEffectiveDateString()} - {c.GetExpirationDateString()} - {Instance.IsHttpsDevelopmentCertificate(c)} - {Instance.IsExportable(c)}";
+
         [EventSource(Name = "Dotnet-dev-certs")]
         public class CertificateManagerEventSource : EventSource
         {
@@ -719,14 +728,14 @@ public void ExportCertificateStart(string certificate, string path, bool include
             [Event(52, Level = EventLevel.Error)]
             public void CorrectCertificateStateError(string error) => WriteEvent(53, $"An error has ocurred while correcting the certificate state: {error}.");
 
-            internal static string ToCertificateDescription(IEnumerable<X509Certificate2> matchingCertificates) =>
-                string.Join(Environment.NewLine, matchingCertificates
-                    .OrderBy(c => c.Thumbprint)
-                    .Select(c => GetDescription(c))
-                    .ToArray());
+            [Event(54, Level = EventLevel.Verbose)]
+            internal void MacOSAddCertificateToKeyChainStart(string keychain, string certificate) => WriteEvent(54, $"Importing the certificate {certificate} to the keychain '{keychain}'");
+
+            [Event(55, Level = EventLevel.Verbose)]
+            internal void MacOSAddCertificateToKeyChainEnd() => WriteEvent(55, "Finished importing the certificate to the key chain.");
 
-            internal static string GetDescription(X509Certificate2 c) =>
-                $"{c.Thumbprint[0..6]} - {c.Subject} - {c.GetEffectiveDateString()} - {c.GetExpirationDateString()} - {Instance.IsHttpsDevelopmentCertificate(c)} - {Instance.IsExportable(c)}";
+            [Event(56, Level = EventLevel.Error)]
+            internal void MacOSAddCertificateToKeyChainError(int exitCode) => WriteEvent(56, $"An error has ocurred while importing the certificate to the keychain: {exitCode}.");
         }
 
         internal class UserCancelledTrustException : Exception
diff --git a/src/Shared/CertificateGeneration/MacOSCertificateManager.cs b/src/Shared/CertificateGeneration/MacOSCertificateManager.cs
@@ -1,5 +1,6 @@
 
 using System;
+using System.Buffers.Text;
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.IO;
@@ -13,6 +14,7 @@ namespace Microsoft.AspNetCore.Certificates.Generation
     internal class MacOSCertificateManager : CertificateManager
     {
         private const string CertificateSubjectRegex = "CN=(.*[^,]+).*";
+        private static readonly string MacOSUserKeyChain = Environment.GetEnvironmentVariable("HOME") + "/Library/Keychains/login.keychain-db";
         private const string MacOSSystemKeyChain = "/Library/Keychains/System.keychain";
         private const string MacOSFindCertificateCommandLine = "security";
         private static readonly string MacOSFindCertificateCommandLineArgumentsFormat = "find-certificate -c {0} -a -Z -p " + MacOSSystemKeyChain;
@@ -24,6 +26,9 @@ internal class MacOSCertificateManager : CertificateManager
         private const string MacOSTrustCertificateCommandLine = "sudo";
         private static readonly string MacOSTrustCertificateCommandLineArguments = "security add-trusted-cert -d -r trustRoot -k " + MacOSSystemKeyChain + " ";
 
+        private const string MacOSAddCertificateToKeyChainCommandLine = "security";
+        private static readonly string MacOSAddCertificateToKeyChainCommandLineArgumentsFormat = "import {0} -k " + MacOSUserKeyChain + " -t cert -f pkcs12 -P {1} -A";
+
         public const string InvalidCertificateState = "The ASP.NET Core developer certificate is in an invalid state. " +
             "To fix this issue, run the following commands 'dotnet dev-certs https --clean' and 'dotnet dev-certs https' to remove all existing ASP.NET Core development certificates " +
             "and create a new untrusted developer certificate. " +
@@ -175,13 +180,13 @@ protected override void RemoveCertificateFromTrustedRoots(X509Certificate2 certi
             }
             else
             {
-                Log.MacOSCertificateUntrusted(CertificateManagerEventSource.GetDescription(certificate));
+                Log.MacOSCertificateUntrusted(GetDescription(certificate));
             }
         }
 
         private static void RemoveCertificateTrustRule(X509Certificate2 certificate)
         {
-            Log.MacOSRemoveCertificateTrustRuleStart(CertificateManagerEventSource.GetDescription(certificate));
+            Log.MacOSRemoveCertificateTrustRuleStart(GetDescription(certificate));
             var certificatePath = Path.GetTempFileName();
             try
             {
@@ -231,7 +236,7 @@ private static void RemoveCertificateFromKeyChain(string keyChain, X509Certifica
                 RedirectStandardError = true
             };
 
-            Log.MacOSRemoveCertificateFromKeyChainStart(keyChain, CertificateManagerEventSource.GetDescription(certificate));
+            Log.MacOSRemoveCertificateFromKeyChainStart(keyChain, GetDescription(certificate));
             using (var process = Process.Start(processInfo))
             {
                 var output = process.StandardOutput.ReadToEnd() + process.StandardError.ReadToEnd();
@@ -254,16 +259,43 @@ private static void RemoveCertificateFromKeyChain(string keyChain, X509Certifica
 
         protected override X509Certificate2 SaveCertificateCore(X509Certificate2 certificate)
         {
-            var name = StoreName.My;
-            var location = StoreLocation.CurrentUser;
+            // security import https.pfx -k $loginKeyChain -t cert -f pkcs12 -P password -A;
+            var passwordBytes = new byte[48];
+            RandomNumberGenerator.Fill(passwordBytes.AsSpan()[0..35]);
+            var password = Convert.ToBase64String(passwordBytes, 0, 36);
+            var certBytes = certificate.Export(X509ContentType.Pfx, password);
+            var certificatePath = Path.GetTempFileName();
+            File.WriteAllBytes(certificatePath, certBytes);
 
-            using (var store = new X509Store(name, location))
+            var processInfo = new ProcessStartInfo(
+                MacOSAddCertificateToKeyChainCommandLine,
+            string.Format(
+                MacOSAddCertificateToKeyChainCommandLineArgumentsFormat,
+                certificatePath,
+                password
+            ))
             {
-                store.Open(OpenFlags.ReadWrite);
-                store.Add(certificate);
-                store.Close();
+                RedirectStandardOutput = true,
+                RedirectStandardError = true
             };
 
+            Log.MacOSAddCertificateToKeyChainStart(MacOSUserKeyChain, GetDescription(certificate));
+            using (var process = Process.Start(processInfo))
+            {
+                var output = process.StandardOutput.ReadToEnd() + process.StandardError.ReadToEnd();
+                process.WaitForExit();
+
+                if (process.ExitCode != 0)
+                {
+                    Log.MacOSAddCertificateToKeyChainError(process.ExitCode);
+                    throw new InvalidOperationException($@"There was an error importing the certificate into the user key chain '{certificate.Thumbprint}'.
+
+{output}");
+                }
+            }
+
+            Log.MacOSAddCertificateToKeyChainEnd();
+
             return certificate;
         }
 

Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ public IList<X509Certificate2> ListCertificates(`
`78`	`78`	`matchingCertificates = matchingCertificates`
`79`	`79`	`.Where(c => HasOid(c, AspNetHttpsOid));`
`80`	`80`
`81`		`- Log.DescribeFoundCertificates(CertificateManagerEventSource.ToCertificateDescription(matchingCertificates));`
	`81`	`+ Log.DescribeFoundCertificates(ToCertificateDescription(matchingCertificates));`
`82`	`82`
`83`	`83`	`if (isValid)`
`84`	`84`	`{`
`@@ -95,8 +95,8 @@ public IList<X509Certificate2> ListCertificates(`
`95`	`95`
`96`	`96`	`var invalidCertificates = matchingCertificates.Except(validCertificates);`
`97`	`97`
`98`		`- Log.DescribeValidCertificates(CertificateManagerEventSource.ToCertificateDescription(validCertificates));`
`99`		`- Log.DescribeInvalidValidCertificates(CertificateManagerEventSource.ToCertificateDescription(invalidCertificates));`
	`98`	`+ Log.DescribeValidCertificates(ToCertificateDescription(validCertificates));`
	`99`	`+ Log.DescribeInvalidValidCertificates(ToCertificateDescription(invalidCertificates));`
`100`	`100`
`101`	`101`	`matchingCertificates = validCertificates;`
`102`	`102`	`}`
`@@ -165,8 +165,8 @@ public EnsureCertificateResult EnsureAspNetCoreHttpsDevelopmentCertificate(`
`165`	`165`	`var filteredCertificates = certificates.Where(c => c.Subject == Subject);`
`166`	`166`	`var excludedCertificates = certificates.Except(filteredCertificates);`
`167`	`167`
`168`		`- Log.FilteredCertificates(CertificateManagerEventSource.ToCertificateDescription(filteredCertificates));`
`169`		`- Log.ExcludedCertificates(CertificateManagerEventSource.ToCertificateDescription(excludedCertificates));`
	`168`	`+ Log.FilteredCertificates(ToCertificateDescription(filteredCertificates));`
	`169`	`+ Log.ExcludedCertificates(ToCertificateDescription(excludedCertificates));`
`170`	`170`
`171`	`171`	`certificates = filteredCertificates;`
`172`	`172`
`@@ -185,7 +185,7 @@ public EnsureCertificateResult EnsureAspNetCoreHttpsDevelopmentCertificate(`
`185`	`185`	`{`
`186`	`186`	`try`
`187`	`187`	`{`
`188`		`- Log.CorrectCertificateStateStart(CertificateManagerEventSource.GetDescription(candidate));`
	`188`	`+ Log.CorrectCertificateStateStart(GetDescription(candidate));`
`189`	`189`	`CorrectCertificateState(candidate);`
`190`	`190`	`Log.CorrectCertificateStateEnd();`
`191`	`191`	`}`
`@@ -195,14 +195,14 @@ public EnsureCertificateResult EnsureAspNetCoreHttpsDevelopmentCertificate(`
`195`	`195`	`result = EnsureCertificateResult.FailedToMakeKeyAccessible;`
`196`	`196`	`return result;`
`197`	`197`	`}`
`198`		`- }`
	`198`	`+ }`
`199`	`199`	`}`
`200`	`200`	`}`
`201`	`201`	`else`
`202`	`202`	`{`
`203`		`- Log.ValidCertificatesFound(CertificateManagerEventSource.ToCertificateDescription(certificates));`
	`203`	`+ Log.ValidCertificatesFound(ToCertificateDescription(certificates));`
`204`	`204`	`certificate = certificates.First();`
`205`		`- Log.SelectedCertificate(CertificateManagerEventSource.GetDescription(certificate));`
	`205`	`+ Log.SelectedCertificate(GetDescription(certificate));`
`206`	`206`	`result = EnsureCertificateResult.ValidCertificatePresent;`
`207`	`207`	`}`
`208`	`208`	`}`
`@@ -237,7 +237,7 @@ public EnsureCertificateResult EnsureAspNetCoreHttpsDevelopmentCertificate(`
`237`	`237`	`{`
`238`	`238`	`try`
`239`	`239`	`{`
`240`		`- Log.CorrectCertificateStateStart(CertificateManagerEventSource.GetDescription(certificate));`
	`240`	`+ Log.CorrectCertificateStateStart(GetDescription(certificate));`
`241`	`241`	`CorrectCertificateState(certificate);`
`242`	`242`	`Log.CorrectCertificateStateEnd();`
`243`	`243`	`}`
`@@ -298,8 +298,8 @@ public void CleanupHttpsCertificates()`
`298`	`298`	`var filteredCertificates = certificates.Where(c => c.Subject == Subject);`
`299`	`299`	`var excludedCertificates = certificates.Except(filteredCertificates);`
`300`	`300`
`301`		`- Log.FilteredCertificates(CertificateManagerEventSource.ToCertificateDescription(filteredCertificates));`
`302`		`- Log.ExcludedCertificates(CertificateManagerEventSource.ToCertificateDescription(excludedCertificates));`
	`301`	`+ Log.FilteredCertificates(ToCertificateDescription(filteredCertificates));`
	`302`	`+ Log.ExcludedCertificates(ToCertificateDescription(excludedCertificates));`
`303`	`303`
`304`	`304`	`foreach (var certificate in filteredCertificates)`
`305`	`305`	`{`
`@@ -321,7 +321,7 @@ public void CleanupHttpsCertificates()`
`321`	`321`
`322`	`322`	`internal void ExportCertificate(X509Certificate2 certificate, string path, bool includePrivateKey, string password)`
`323`	`323`	`{`
`324`		`- Log.ExportCertificateStart(CertificateManagerEventSource.GetDescription(certificate), path, includePrivateKey);`
	`324`	`+ Log.ExportCertificateStart(GetDescription(certificate), path, includePrivateKey);`
`325`	`325`	`if (includePrivateKey && password == null)`
`326`	`326`	`{`
`327`	`327`	`Log.NoPasswordForCertificate();`
`@@ -416,7 +416,7 @@ internal X509Certificate2 SaveCertificate(X509Certificate2 certificate)`
`416`	`416`	`var name = StoreName.My;`
`417`	`417`	`var location = StoreLocation.CurrentUser;`
`418`	`418`
`419`		`- Log.SaveCertificateInStoreStart(CertificateManagerEventSource.GetDescription(certificate), name, location);`
	`419`	`+ Log.SaveCertificateInStoreStart(GetDescription(certificate), name, location);`
`420`	`420`
`421`	`421`	`certificate = SaveCertificateCore(certificate);`
`422`	`422`
`@@ -428,7 +428,7 @@ internal void TrustCertificate(X509Certificate2 certificate)`
`428`	`428`	`{`
`429`	`429`	`try`
`430`	`430`	`{`
`431`		`- Log.TrustCertificateStart(CertificateManagerEventSource.GetDescription(certificate));`
	`431`	`+ Log.TrustCertificateStart(GetDescription(certificate));`
`432`	`432`	`TrustCertificateCore(certificate);`
`433`	`433`	`Log.TrustCertificateEnd();`
`434`	`434`	`}`
`@@ -528,7 +528,7 @@ private static void RemoveCertificateFromUserStore(X509Certificate2 certificate)`
`528`	`528`	`{`
`529`	`529`	`try`
`530`	`530`	`{`
`531`		`- Log.RemoveCertificateFromUserStoreStart(CertificateManagerEventSource.GetDescription(certificate));`
	`531`	`+ Log.RemoveCertificateFromUserStoreStart(GetDescription(certificate));`
`532`	`532`	`using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);`
`533`	`533`	`store.Open(OpenFlags.ReadWrite);`
`534`	`534`	`var matching = store.Certificates`
`@@ -546,6 +546,15 @@ private static void RemoveCertificateFromUserStore(X509Certificate2 certificate)`
`546`	`546`	`}`
`547`	`547`	`}`
`548`	`548`
	`549`	`+ internal static string ToCertificateDescription(IEnumerable<X509Certificate2> matchingCertificates) =>`
	`550`	`+ string.Join(Environment.NewLine, matchingCertificates`
	`551`	`+ .OrderBy(c => c.Thumbprint)`
	`552`	`+ .Select(c => GetDescription(c))`
	`553`	`+ .ToArray());`
	`554`	`+`
	`555`	`+ internal static string GetDescription(X509Certificate2 c) =>`
	`556`	`+ $"{c.Thumbprint[0..6]} - {c.Subject} - {c.GetEffectiveDateString()} - {c.GetExpirationDateString()} - {Instance.IsHttpsDevelopmentCertificate(c)} - {Instance.IsExportable(c)}";`
	`557`	`+`
`549`	`558`	`[EventSource(Name = "Dotnet-dev-certs")]`
`550`	`559`	`public class CertificateManagerEventSource : EventSource`
`551`	`560`	`{`
`@@ -719,14 +728,14 @@ public void ExportCertificateStart(string certificate, string path, bool include`
`719`	`728`	`[Event(52, Level = EventLevel.Error)]`
`720`	`729`	`public void CorrectCertificateStateError(string error) => WriteEvent(53, $"An error has ocurred while correcting the certificate state: {error}.");`
`721`	`730`
`722`		`- internal static string ToCertificateDescription(IEnumerable<X509Certificate2> matchingCertificates) =>`
`723`		`- string.Join(Environment.NewLine, matchingCertificates`
`724`		`- .OrderBy(c => c.Thumbprint)`
`725`		`- .Select(c => GetDescription(c))`
`726`		`- .ToArray());`
	`731`	`+ [Event(54, Level = EventLevel.Verbose)]`
	`732`	`+ internal void MacOSAddCertificateToKeyChainStart(string keychain, string certificate) => WriteEvent(54, $"Importing the certificate {certificate} to the keychain '{keychain}'");`
	`733`	`+`
	`734`	`+ [Event(55, Level = EventLevel.Verbose)]`
	`735`	`+ internal void MacOSAddCertificateToKeyChainEnd() => WriteEvent(55, "Finished importing the certificate to the key chain.");`
`727`	`736`
`728`		`- internal static string GetDescription(X509Certificate2 c) =>`
`729`		`- $"{c.Thumbprint[0..6]} - {c.Subject} - {c.GetEffectiveDateString()} - {c.GetExpirationDateString()} - {Instance.IsHttpsDevelopmentCertificate(c)} - {Instance.IsExportable(c)}";`
	`737`	`+ [Event(56, Level = EventLevel.Error)]`
	`738`	`+ internal void MacOSAddCertificateToKeyChainError(int exitCode) => WriteEvent(56, $"An error has ocurred while importing the certificate to the keychain: {exitCode}.");`
`730`	`739`	`}`
`731`	`740`
`732`	`741`	`internal class UserCancelledTrustException : Exception`