update MacOS cert store
afifi-ins committed Aug 26, 2024
1 parent ee19932 commit dd2e1d2
Showing 8 changed files with 69 additions and 26 deletions.
8 changes: 4 additions & 4 deletions azure-pipelines-arcade-PR.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ variables:
- name: _RunAsInternal
value: false
- name: _RunWithCoreWcfService
value: true
value: false

- ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
- name: _RunAsPublic
Expand Down Expand Up @@ -128,6 +128,7 @@ stages:
-projects $(Build.SourcesDirectory)/eng/SendToHelix.proj
$(_TestArgs)
/p:TestJob=Windows
/p:RunWithCoreWcfService=$(_RunWithCoreWcfService)
/bl:$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)/SendToHelix.binlog
displayName: Windows - Run Helix Tests
env:
Expand All @@ -136,7 +137,6 @@ stages:
XUnitWorkItemTimeout: $(_xUnitWorkItemTimeout)
RunAsPublic: $(_RunAsPublic)
RunAsInternal: $(_RunAsInternal)
RunWithCoreWcfService: $(_RunWithCoreWcfService)
IsWindowsBuild: true

# Only build and test Linux in PR and CI builds.
Expand Down Expand Up @@ -190,14 +190,14 @@ stages:
--projects $(Build.SourcesDirectory)/eng/SendToHelix.proj
$(_TestArgs)
/p:TestJob=Linux
/p:RunWithCoreWcfService=$(_RunWithCoreWcfService)
/bl:$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)/SendToHelix.binlog
displayName: Linux - Run Helix Tests
env:
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
ServiceHost: $(_serviceUri)
RunAsPublic: $(_RunAsPublic)
RunAsInternal: $(_RunAsInternal)
RunWithCoreWcfService: $(_RunWithCoreWcfService)
IsWindowsBuild: false

# Only build and test MacOS in PR and CI builds.
Expand Down Expand Up @@ -250,12 +250,12 @@ stages:
-projects $(Build.SourcesDirectory)/eng/SendToHelix.proj
$(_TestArgs)
/p:TestJob=MacOS
/p:RunWithCoreWcfService=$(_RunWithCoreWcfService)
/bl:$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)/SendToHelix.binlog
displayName: MacOS - Run Helix Tests
env:
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
ServiceHost: $(_serviceUri)
RunAsPublic: $(_RunAsPublic)
RunAsInternal: $(_RunAsInternal)
RunWithCoreWcfService: $(_RunWithCoreWcfService)
IsWindowsBuild: false
5 changes: 2 additions & 3 deletions azure-pipelines-arcade.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ variables:
- name: _RunAsInternal
value: true
- name: _RunWithCoreWcfService
value: true
value: false
- group: DotNet-Wcf-SDLValidation-Params
resources:
repositories:
Expand Down Expand Up @@ -97,15 +97,14 @@ extends:
clean: true
- script: eng\common\cibuild.cmd -configuration $(_BuildConfig) -preparemachine $(_InternalBuildArgs) $(_TestArgs) /p:Test=false
displayName: Windows Build / Publish
- powershell: eng\common\build.ps1 -configuration $(_BuildConfig) -preparemachine -ci -test -integrationTest -projects $(Build.SourcesDirectory)/eng/SendToHelix.proj $(_TestArgs) /p:TestJob=Windows /bl:$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)/SendToHelix.binlog
- powershell: eng\common\build.ps1 -configuration $(_BuildConfig) -preparemachine -ci -test -integrationTest -projects $(Build.SourcesDirectory)/eng/SendToHelix.proj $(_TestArgs) /p:TestJob=Windows /p:RunWithCoreWcfService=$(_RunWithCoreWcfService) /bl:$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)/SendToHelix.binlog
displayName: Windows - Run Helix Tests
env:
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
HelixAccessToken: $(HelixApiAccessToken)
XUnitWorkItemTimeout: $(_xUnitWorkItemTimeout)
RunAsPublic: $(_RunAsPublic)
RunAsInternal: $(_RunAsInternal)
RunWithCoreWcfService: $(_RunWithCoreWcfService)
IsWindowsBuild: true
- ${{ if eq(variables._RunAsInternal, True) }}:
- template: /eng/common/templates-official/post-build/post-build.yml@self
Expand Down
12 changes: 6 additions & 6 deletions eng/SendToHelix.proj
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
<TestRunNamePrefix>$(AGENT_JOBNAME)</TestRunNamePrefix>
<EnableXUnitReporter>true</EnableXUnitReporter>
</PropertyGroup>

<Target Name="InstallDotNet">
<ItemGroup>
<AdditionalDotNetPackage Include="8.0.5">
Expand Down Expand Up @@ -71,15 +71,15 @@
</PropertyGroup>

<PropertyGroup>
<RunWithCoreWcfService>false</RunWithCoreWcfService>
<RunWithCoreWCFService Condition="'$(RunWithCoreWCFService)' == ''">false</RunWithCoreWCFService>
</PropertyGroup>

<PropertyGroup Condition="'$(RunWithCoreWcfService)' == 'false' AND '$(TestJob)' == 'Linux'" >
<PropertyGroup Condition="'$(TestJob)' != 'Windows'" >
<HelixPreCommands>$(HelixPreCommands);chmod a+x $HELIX_CORRELATION_PAYLOAD/InstallRootCertificate.sh</HelixPreCommands>
<HelixPreCommands>$(HelixPreCommands);sudo -E -n $HELIX_CORRELATION_PAYLOAD/InstallRootCertificate.sh --service-host $(ServiceHost) --cert-file /tmp/wcfrootca.crt</HelixPreCommands>
</PropertyGroup>

<PropertyGroup Condition="'$(RunWithCoreWcfService)' == 'true' AND '$(TestJob)' == 'Windows'">
<PropertyGroup Condition="'$(TestJob)' == 'Windows'">
<HelixPreCommands>$(HelixPreCommands);set PATH=%HELIX_CORRELATION_PAYLOAD%\dotnet-cli%3B%PATH%</HelixPreCommands>
<!-- %3B is an escaped ; -->
<HelixPreCommands>$(HelixPreCommands);set DOTNET_ROOT=%HELIX_CORRELATION_PAYLOAD%\dotnet-cli;set DOTNET_CLI_TELEMETRY_OPTOUT=1</HelixPreCommands>
Expand All @@ -89,7 +89,7 @@
<HelixPreCommands>$(HelixPreCommands);%HELIX_CORRELATION_PAYLOAD%\SelfHostedCoreWCFService\$(Configuration)\net8.0\SelfHostedCoreWCFService bootstrap:true</HelixPreCommands>
</PropertyGroup>

<PropertyGroup Condition="'$(RunWithCoreWcfService)' == 'true' AND '$(TestJob)' != 'Windows'">
<PropertyGroup Condition="'$(TestJob)' != 'Windows'">
<HelixPreCommands>$(HelixPreCommands);export PATH=$HELIX_CORRELATION_PAYLOAD/dotnet-cli:$PATH</HelixPreCommands>
<HelixPreCommands>$(HelixPreCommands);export DOTNET_ROOT=$HELIX_CORRELATION_PAYLOAD/dotnet-cli;export DOTNET_CLI_TELEMETRY_OPTOUT=1</HelixPreCommands>
<HelixPreCommands>$(HelixPreCommands);export DOTNET_CLI_HOME=$HELIX_WORKITEM_ROOT/.dotnet</HelixPreCommands>
Expand Down
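Review bot: The `RunWithCoreWCFService` property given a default at the top of this hunk is no longer read by any condition visible here — the Windows group and both non-Windows groups are now gated on `TestJob` alone — so the `/p:RunWithCoreWcfService=` plumbing added to the pipeline files in this same commit has no visible consumer. If something outside these hunks reads it, a comment on the PropertyGroup naming that consumer would help; otherwise the property and the pipeline variable can be dropped. Widening the first non-Windows group also means the `sudo -E -n $HELIX_CORRELATION_PAYLOAD/InstallRootCertificate.sh ... --cert-file /tmp/wcfrootca.crt` pre-command now runs on every macOS work item, installing a test root CA into the machine trust store. A one-line comment above that group stating that this is acceptable only because Helix machines are disposable, and that `/tmp/wcfrootca.crt` is a fixed path in a shared directory, would record the trade-off.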
Original file line number Diff line number Diff line change
Expand Up @@ -452,7 +452,7 @@ private X509CertificateContainer CreateCertificate(bool isAuthority, bool isMach
container.Pfx = stream.ToArray();
}

X509Certificate2 outputCert;
X509Certificate2 outputCert = null;

if (isAuthority)
{
Expand All @@ -463,7 +463,34 @@ private X509CertificateContainer CreateCertificate(bool isAuthority, bool isMach
{
// Otherwise, allow encode with the private key. note that X509Certificate2.RawData will not provide the private key
// you will have to re-export this cert if needed
outputCert = new X509Certificate2(container.Pfx, _password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
if (CertificateHelper.CurrentOperatingSystem.IsMacOS())
{
//string tempKeychainFilePath = Path.GetTempFileName();
string tempKeychainFilePath = Path.Combine(Environment.CurrentDirectory, Path.GetRandomFileName());
System.Security.Cryptography.X509Certificates.X509Store MacOsTempStore = CertificateHelper.GetMacOSX509Store(tempKeychainFilePath);
MacOsTempStore.Certificates.Import(container.Pfx, _password, X509KeyStorageFlags.Exportable);
MacOsTempStore.Close();
MacOsTempStore.Dispose();

MacOsTempStore = CertificateHelper.GetMacOSX509Store(tempKeychainFilePath);

outputCert = ((IEnumerable<X509Certificate2>)MacOsTempStore.Certificates).FirstOrDefault();

if (outputCert == null)
{
Console.WriteLine("Couldn't find Certificate..");
}

MacOsTempStore.Dispose();
if (File.Exists(tempKeychainFilePath))
{
File.Delete(tempKeychainFilePath);
}
}
else
{
outputCert = new X509Certificate2(container.Pfx, _password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
}
}

container.Subject = subject;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,9 +23,12 @@ public class CertificateGeneratorLibrary
private static void RemoveCertificatesFromStore(StoreName storeName, StoreLocation storeLocation)
{
X509Store store = CertificateHelper.GetX509Store(storeName, storeLocation);
Console.WriteLine(" Checking StoreName '{0}'", storeName);
Console.WriteLine(" Checking StoreName '{0}', StoreLocation '{1}'", storeName, store.Location);
{
store.Open(OpenFlags.ReadWrite | OpenFlags.IncludeArchived);
if (!CertificateHelper.CurrentOperatingSystem.IsMacOS())
{
store.Open(OpenFlags.ReadWrite | OpenFlags.IncludeArchived);
}

foreach (var cert in store.Certificates.Find(X509FindType.FindByIssuerName, CertificateIssuer, false))
{
Expand Down
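Review bot: The `if (!CertificateHelper.CurrentOperatingSystem.IsMacOS())` guard around `store.Open` encodes a property of `GetX509Store` (that the macOS keychain-backed store comes back already open) at the call site, whereas the same commit guards the lookups in CertificateFromSubject with `if (!store.IsOpen)`, which expresses the actual precondition and holds on any platform. Prefer `if (!store.IsOpen) { store.Open(OpenFlags.ReadWrite | OpenFlags.IncludeArchived); }` here, with a comment noting that the macOS store is opened by the helper. The rest of `RemoveCertificatesFromStore` lies outside the hunk.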
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ public static X509Store GetX509Store(StoreName storeName, StoreLocation storeLoc
else if (CurrentOperatingSystem.IsMacOS())
{
// MacOS SafeKeychainHandle
GetMacOSX509Store();
store = GetMacOSX509Store();
}
return store;
}
Expand All @@ -62,16 +62,21 @@ public static X509Store GetX509Store(StoreName storeName, StoreLocation storeLoc
internal static string OSXCustomKeychainPassword => "WCFKeychainFilePassword";

[MethodImpl(MethodImplOptions.NoInlining)]
public static X509Store GetMacOSX509Store()
public static X509Store GetMacOSX509Store(string storeFilePath = null)
{
if (storeFilePath == null)
{
storeFilePath = OSXCustomKeychainFilePath;
}

SafeKeychainHandle keychain;
if (!File.Exists(OSXCustomKeychainFilePath))
if (!File.Exists(storeFilePath))
{
keychain = SafeKeychainHandle.Create(OSXCustomKeychainFilePath, OSXCustomKeychainPassword);
keychain = SafeKeychainHandle.Create(storeFilePath, OSXCustomKeychainPassword);
}
else
{
keychain = SafeKeychainHandle.Open(OSXCustomKeychainFilePath, OSXCustomKeychainPassword);
keychain = SafeKeychainHandle.Open(storeFilePath, OSXCustomKeychainPassword);
}

if (keychain.IsInvalid)
Expand Down
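Review bot: `GetMacOSX509Store` now creates or opens any caller-supplied keychain path, still protecting it with the fixed `OSXCustomKeychainPassword` declared just above the hunk, and it creates the file as a side effect when it does not exist; neither fact is stated anywhere. Add an XML doc comment along the lines of `/// <param name="storeFilePath">Keychain file to open, created if missing; defaults to OSXCustomKeychainFilePath. The keychain is protected by the fixed test password OSXCustomKeychainPassword, so it must hold test material only, and callers that pass a temporary path are responsible for deleting it.</param>`. Consider `if (string.IsNullOrEmpty(storeFilePath))` for the default check so an empty string does not reach `File.Exists`. The remainder of the method, including the `keychain.IsInvalid` handling, is outside the hunk.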
Original file line number Diff line number Diff line change
Expand Up @@ -49,9 +49,12 @@ public static bool AddToStoreIfNeeded(StoreName storeName, StoreLocation storeLo
try
{
store = CertificateHelper.GetX509Store(storeName, storeLocation);

// We assume Bridge is running elevated
store.Open(OpenFlags.ReadWrite);
if (!CertificateHelper.CurrentOperatingSystem.IsMacOS())
{
store.Open(OpenFlags.ReadWrite);
}
existingCert = CertificateFromThumbprint(store, certificate.Thumbprint);
if (existingCert == null)
{
Expand Down
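Review bot: Skipping `store.Open(OpenFlags.ReadWrite)` on macOS leaves the `// We assume Bridge is running elevated` comment above it applying only to the other platforms, and the new guard tests the platform rather than the store's state. Writing it as `if (!store.IsOpen) { store.Open(OpenFlags.ReadWrite); }` matches the guard this commit uses in CertificateFromSubject and keeps the elevation comment attached to the branch it actually describes. The rest of `AddToStoreIfNeeded` is outside the hunk.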
Original file line number Diff line number Diff line change
Expand Up @@ -214,7 +214,10 @@ public static X509Certificate2 CertificateFromSubject(StoreName name, StoreLocat
try
{
store = CertificateHelper.GetX509Store(name, location);
store.Open(OpenFlags.ReadOnly);
if (!store.IsOpen)
{
store.Open(OpenFlags.ReadOnly);
}
X509Certificate2Collection foundCertificates = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, validOnly: true);
return foundCertificates.Count == 0 ? null : foundCertificates[0];
}
Expand All @@ -234,7 +237,10 @@ public static X509Certificate2 CertificateFromFriendlyName(StoreName name, Store
try
{
store = CertificateHelper.GetX509Store(name, location);
store.Open(OpenFlags.ReadOnly);
if (!store.IsOpen)
{
store.Open(OpenFlags.ReadOnly);
}

X509Certificate2Collection foundCertificates = store.Certificates.Find(X509FindType.FindByIssuerName, "DO_NOT_TRUST_WcfBridgeRootCA", false);
string friendlyNameHash = CertificateGenerator.HashFriendlyNameToString(friendlyName);
Expand Down
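Review bot: The open-if-needed guard added to both lookups here is repeated verbatim in each method, and other files in this commit express the same need as a platform check instead; a small helper, e.g. `internal static void EnsureOpen(X509Store store, OpenFlags flags) { if (!store.IsOpen) store.Open(flags); }` in CertificateHelper, called as `CertificateHelper.EnsureOpen(store, OpenFlags.ReadOnly);`, would give one place to document why the macOS keychain-backed store arrives already open. Both `CertificateFromSubject` and `CertificateFromFriendlyName` continue past their hunks.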
