[release/7.0] Make Kestrel prefer on-disk cert for macOS bind. (#44856)

github-actions[bot] · adityamandaleeka · web-flow · commit 76c143efd997 · 2022-11-08T10:35:20.000-08:00
* Make Kestrel prefer on-disk cert for macOS bind.

* Clarify Intersect behavior in comment.

Co-authored-by: Aditya Mandaleeka &lt;adityam@microsoft.com&gt;
diff --git a/src/Servers/Kestrel/Core/src/KestrelServerOptions.cs b/src/Servers/Kestrel/Core/src/KestrelServerOptions.cs
@@ -290,7 +290,7 @@ private void EnsureDefaultCert()
             var logger = ApplicationServices!.GetRequiredService<ILogger<KestrelServer>>();
             try
             {
-                DefaultCertificate = CertificateManager.Instance.ListCertificates(StoreName.My, StoreLocation.CurrentUser, isValid: true)
+                DefaultCertificate = CertificateManager.Instance.ListCertificates(StoreName.My, StoreLocation.CurrentUser, isValid: true, requireExportable: false)
                     .FirstOrDefault();
 
                 if (DefaultCertificate != null)
diff --git a/src/Shared/CertificateGeneration/CertificateManager.cs b/src/Shared/CertificateGeneration/CertificateManager.cs
@@ -78,7 +78,7 @@ public IList<X509Certificate2> ListCertificates(
         {
             using var store = new X509Store(storeName, location);
             store.Open(OpenFlags.ReadOnly);
-            PopulateCertificatesFromStore(store, certificates);
+            PopulateCertificatesFromStore(store, certificates, requireExportable);
             IEnumerable<X509Certificate2> matchingCertificates = certificates;
             matchingCertificates = matchingCertificates
                 .Where(c => HasOid(c, AspNetHttpsOid));
@@ -161,7 +161,7 @@ bool IsValidCertificate(X509Certificate2 certificate, DateTimeOffset currentDate
             GetCertificateVersion(certificate) >= AspNetHttpsCertificateVersion;
     }
 
-    protected virtual void PopulateCertificatesFromStore(X509Store store, List<X509Certificate2> certificates)
+    protected virtual void PopulateCertificatesFromStore(X509Store store, List<X509Certificate2> certificates, bool requireExportable)
     {
         certificates.AddRange(store.Certificates.OfType<X509Certificate2>());
     }
diff --git a/src/Shared/CertificateGeneration/MacOSCertificateManager.cs b/src/Shared/CertificateGeneration/MacOSCertificateManager.cs
@@ -373,25 +373,28 @@ protected override IList<X509Certificate2> GetCertificatesToRemove(StoreName sto
         return ListCertificates(StoreName.My, StoreLocation.CurrentUser, isValid: false);
     }
 
-    protected override void PopulateCertificatesFromStore(X509Store store, List<X509Certificate2> certificates)
+    protected override void PopulateCertificatesFromStore(X509Store store, List<X509Certificate2> certificates, bool requireExportable)
     {
         if (store.Name! == StoreName.My.ToString() && store.Location == StoreLocation.CurrentUser && Directory.Exists(MacOSUserHttpsCertificateLocation))
         {
             var certsFromDisk = GetCertsFromDisk();
 
             var certsFromStore = new List<X509Certificate2>();
-            base.PopulateCertificatesFromStore(store, certsFromStore);
+            base.PopulateCertificatesFromStore(store, certsFromStore, requireExportable);
 
             // Certs created by pre-.NET 7.
             var onlyOnKeychain = certsFromStore.Except(certsFromDisk, ThumbprintComparer.Instance);
 
             // Certs created (or "upgraded") by .NET 7+.
             // .NET 7+ installs the certificate on disk as well as on the user keychain (for backwards
             // compatibility with pre-.NET 7).
-            // Note that the actual certs we populate need to be the ones from the store location, and
-            // not the version from disk, since we may do other operations with these certs later (such
-            // as exporting) which would fail with crypto errors otherwise.
-            var onDiskAndKeychain = certsFromStore.Intersect(certsFromDisk, ThumbprintComparer.Instance);
+            // Note that if we require exportable certs, the actual certs we populate need to be the ones
+            // from the store location, and not the version from disk. If we don't require exportability,
+            // we favor the version of the cert that's on disk (avoiding unnecessary keychain access
+            // prompts). Intersect compares with the specified comparer and returns the matching elements
+            // from the first set.
+            var onDiskAndKeychain = requireExportable ? certsFromStore.Intersect(certsFromDisk, ThumbprintComparer.Instance)
+                                                      : certsFromDisk.Intersect(certsFromStore, ThumbprintComparer.Instance);
 
             // The only times we can find a certificate on the keychain and a certificate on keychain+disk
             // are when the certificate on disk and keychain has expired and a pre-.NET 7 SDK has been
@@ -403,7 +406,7 @@ protected override void PopulateCertificatesFromStore(X509Store store, List<X509
         }
         else
         {
-            base.PopulateCertificatesFromStore(store, certificates);
+            base.PopulateCertificatesFromStore(store, certificates, requireExportable);
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -290,7 +290,7 @@ private void EnsureDefaultCert()`
`290`	`290`	`var logger = ApplicationServices!.GetRequiredService<ILogger<KestrelServer>>();`
`291`	`291`	`try`
`292`	`292`	`{`
`293`		`- DefaultCertificate = CertificateManager.Instance.ListCertificates(StoreName.My, StoreLocation.CurrentUser, isValid: true)`
	`293`	`+ DefaultCertificate = CertificateManager.Instance.ListCertificates(StoreName.My, StoreLocation.CurrentUser, isValid: true, requireExportable: false)`
`294`	`294`	`.FirstOrDefault();`
`295`	`295`
`296`	`296`	`if (DefaultCertificate != null)`
Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ public IList<X509Certificate2> ListCertificates(`
`78`	`78`	`{`
`79`	`79`	`using var store = new X509Store(storeName, location);`
`80`	`80`	`store.Open(OpenFlags.ReadOnly);`
`81`		`- PopulateCertificatesFromStore(store, certificates);`
	`81`	`+ PopulateCertificatesFromStore(store, certificates, requireExportable);`
`82`	`82`	`IEnumerable<X509Certificate2> matchingCertificates = certificates;`
`83`	`83`	`matchingCertificates = matchingCertificates`
`84`	`84`	`.Where(c => HasOid(c, AspNetHttpsOid));`
`@@ -161,7 +161,7 @@ bool IsValidCertificate(X509Certificate2 certificate, DateTimeOffset currentDate`
`161`	`161`	`GetCertificateVersion(certificate) >= AspNetHttpsCertificateVersion;`
`162`	`162`	`}`
`163`	`163`
`164`		`- protected virtual void PopulateCertificatesFromStore(X509Store store, List<X509Certificate2> certificates)`
	`164`	`+ protected virtual void PopulateCertificatesFromStore(X509Store store, List<X509Certificate2> certificates, bool requireExportable)`
`165`	`165`	`{`
`166`	`166`	`certificates.AddRange(store.Certificates.OfType<X509Certificate2>());`
`167`	`167`	`}`
Original file line number	Diff line number	Diff line change
`@@ -373,25 +373,28 @@ protected override IList<X509Certificate2> GetCertificatesToRemove(StoreName sto`
`373`	`373`	`return ListCertificates(StoreName.My, StoreLocation.CurrentUser, isValid: false);`
`374`	`374`	`}`
`375`	`375`
`376`		`- protected override void PopulateCertificatesFromStore(X509Store store, List<X509Certificate2> certificates)`
	`376`	`+ protected override void PopulateCertificatesFromStore(X509Store store, List<X509Certificate2> certificates, bool requireExportable)`
`377`	`377`	`{`
`378`	`378`	`if (store.Name! == StoreName.My.ToString() && store.Location == StoreLocation.CurrentUser && Directory.Exists(MacOSUserHttpsCertificateLocation))`
`379`	`379`	`{`
`380`	`380`	`var certsFromDisk = GetCertsFromDisk();`
`381`	`381`
`382`	`382`	`var certsFromStore = new List<X509Certificate2>();`
`383`		`- base.PopulateCertificatesFromStore(store, certsFromStore);`
	`383`	`+ base.PopulateCertificatesFromStore(store, certsFromStore, requireExportable);`
`384`	`384`
`385`	`385`	`// Certs created by pre-.NET 7.`
`386`	`386`	`var onlyOnKeychain = certsFromStore.Except(certsFromDisk, ThumbprintComparer.Instance);`
`387`	`387`
`388`	`388`	`// Certs created (or "upgraded") by .NET 7+.`
`389`	`389`	`// .NET 7+ installs the certificate on disk as well as on the user keychain (for backwards`
`390`	`390`	`// compatibility with pre-.NET 7).`
`391`		`- // Note that the actual certs we populate need to be the ones from the store location, and`
`392`		`- // not the version from disk, since we may do other operations with these certs later (such`
`393`		`- // as exporting) which would fail with crypto errors otherwise.`
`394`		`- var onDiskAndKeychain = certsFromStore.Intersect(certsFromDisk, ThumbprintComparer.Instance);`
	`391`	`+ // Note that if we require exportable certs, the actual certs we populate need to be the ones`
	`392`	`+ // from the store location, and not the version from disk. If we don't require exportability,`
	`393`	`+ // we favor the version of the cert that's on disk (avoiding unnecessary keychain access`
	`394`	`+ // prompts). Intersect compares with the specified comparer and returns the matching elements`
	`395`	`+ // from the first set.`
	`396`	`+ var onDiskAndKeychain = requireExportable ? certsFromStore.Intersect(certsFromDisk, ThumbprintComparer.Instance)`
	`397`	`+ : certsFromDisk.Intersect(certsFromStore, ThumbprintComparer.Instance);`
`395`	`398`
`396`	`399`	`// The only times we can find a certificate on the keychain and a certificate on keychain+disk`
`397`	`400`	`// are when the certificate on disk and keychain has expired and a pre-.NET 7 SDK has been`
`@@ -403,7 +406,7 @@ protected override void PopulateCertificatesFromStore(X509Store store, List<X509`
`403`	`406`	`}`
`404`	`407`	`else`
`405`	`408`	`{`
`406`		`- base.PopulateCertificatesFromStore(store, certificates);`
	`409`	`+ base.PopulateCertificatesFromStore(store, certificates, requireExportable);`
`407`	`410`	`}`
`408`	`411`	`}`
`409`	`412`