Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[macOS] Consider making cert private key access keep a temporary keychain alive #57382

Open
bartonjs opened this issue Aug 13, 2021 · 1 comment
Open

[macOS] Consider making cert private key access keep a temporary keychain alive #57382

bartonjs opened this issue Aug 13, 2021 · 1 comment
Labels
area-System.Security os-mac-os-x macOS aka OSX
Milestone
Future

Comments

@bartonjs
Copy link
Member

bartonjs commented Aug 13, 2021
edited
Loading

  • Create a transient cert+key pair
    • "Perphemeral" PFX
    • cert.CopyWithPrivateKey(key) then dispose the key
      • Includes doing it via CertificateRequest
  • Grab a private key reference (e.g. cert.GetRSAPrivateKey()
  • Dispose the cert without having used the key yet
  • Use the private key

With our current temporary keychain model this fails, because disposing the cert deletes the keychain, and later access of the key goes to the keychain and errors out.

If we can't get off temporary keychains any time soon, then we should use a handle dependency, or other form of keep-alive, to keep the keychain from getting disposed while the key object is still valid in .NET space.

See #57381 for where this came up in practice.
@bartonjs bartonjs added this to the Future milestone Aug 13, 2021
@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged New issue has not been triaged by the area owner label Aug 13, 2021
@ghost
Copy link

ghost commented Aug 13, 2021

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.

Issue Details
  • Create a transient cert+key pair
    • "Perphemeral" PFX
    • cert.CopyWithPrivateKey(key) then dispose the key
      • Includes doing it via CertificateRequest
  • Grab a private key reference (e.g. cert.GetRSAPrivateKey()
  • Dispose the cert without having used the key yet
  • Use the private key

With our current temporary keychain model this fails, because disposing the cert deletes the keychain, and later access of the key goes to the keychain and errors out.

If we can't get off temporary keychains any time soon, then we should use a handle dependency, or other form of keep-alive, to keep the keychain from getting disposed while the key object is still valid in .NET space.

Author: bartonjs
Assignees: -
Labels:

area-System.Security, os-mac-os-x
Milestone: Future

@jeffschwMSFT jeffschwMSFT removed the untriaged New issue has not been triaged by the area owner label Aug 16, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area-System.Security os-mac-os-x macOS aka OSX
Projects
None yet
Milestone
Future
Development

No branches or pull requests
2 participants
@jeffschwMSFT @bartonjs