Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Allow multiple private key references in Unix PFXes #55425

Merged
merged 3 commits into from
Jul 13, 2021
Merged

Allow multiple private key references in Unix PFXes #55425

merged 3 commits into from
Jul 13, 2021

Conversation

bartonjs
Copy link
Member

@bartonjs bartonjs commented Jul 9, 2021

Fixes #44535.

Windows has a complicated state for when a PFX contains two certificates that link to the same private key:

  • EphemeralKeySet: The PFX load fails.
  • PersistKeySet: Things probably work.
  • (normal): "It's complicated".

When the Unix PFX loader was written it was based on the EphemeralKeySet behavior, because that's what the tests used (to avoid disk penalties and problems).

Trying to maintain a balance between Herculean efforts of bug-for-bug compatibility and OS variability, this change takes a simpler approach:

  • EphemeralKeySet: The PFX load fails, like it will on Windows.
  • Otherwise: Let it work (but always with cloned keys, so some of the subtle Windows undesirable states are lost).

@bartonjs bartonjs added this to the 6.0.0 milestone Jul 9, 2021
@bartonjs bartonjs self-assigned this Jul 9, 2021
@ghost
Copy link

ghost commented Jul 9, 2021

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.

Issue Details

Fixes #44535.

Windows has a complicated state for when a PFX contains two certificates that link to the same private key:

  • EphemeralKeySet: The PFX load fails.
  • PersistKeySet: Things probably work.
  • (normal): "It's complicated".

When the Unix PFX loader was written it was based on the EphemeralKeySet behavior, because that's what the tests used (to avoid disk penalties and problems).

Trying to maintain a balance between Herculean efforts of bug-for-bug compatibility and OS variability, this change takes a simpler approach:

  • EphemeralKeySet: The PFX load fails, like it will on Windows.
  • Otherwise: Let it work (but always with cloned keys, so some of the subtle Windows undesirable states are lost).
Author: bartonjs
Assignees: bartonjs
Labels:

area-System.Security
Milestone: 6.0.0

@mark-raymond
Copy link

Is there a way I can test this branch myself?

@bartonjs
Copy link
Member Author

bartonjs commented Jul 12, 2021
edited
Loading

Is there a way I can test this branch myself?

@mark-raymond You should be able to checkout pull/55425/head, or do something like the merge command line instructions suggests:

> git checkout -b bartonjs-relax_unix_pfx_multikey main
> git pull https://github.com/bartonjs/runtime.git relax_unix_pfx_multikey

Then the usual build and such

@vcsjones
Copy link
Member

Then the usual build and such

There are docs on using your build here: https://github.com/dotnet/runtime/blob/main/docs/workflow/testing/using-your-build.md.

@bartonjs
Copy link
Member Author

Looks like there's an "Apple is different" case that I missed: In TwoCerts_CrossedKeys I believe the Keychain APIs won't bind the wrong private key to the cert, so we get back a cert where HasPrivateKey is false. Making sure the fix works on a mac before pushing it.

@runfoapp runfoapp bot mentioned this pull request Jul 13, 2021
Closed
@bartonjs bartonjs merged commit 086079a into dotnet:main Jul 13, 2021
@bartonjs bartonjs deleted the relax_unix_pfx_multikey branch July 13, 2021 08:43
@runfoapp runfoapp bot mentioned this pull request Jul 15, 2021
Closed
@bartonjs bartonjs removed their assignment Jul 26, 2021
This was referenced Aug 6, 2021
Closed
Closed
@ghost ghost locked as resolved and limited conversation to collaborators Aug 25, 2021
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Reviewers

@stephentoub stephentoub stephentoub approved these changes

Assignees
No one assigned
Labels
area-System.Security
Projects
None yet
Milestone
6.0.0
4 participants
@bartonjs @mark-raymond @vcsjones @stephentoub