Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow multiple private key references in Unix PFXes #55425

Merged
merged 3 commits into from
Jul 13, 2021

Conversation

bartonjs
Copy link
Member

@bartonjs bartonjs commented Jul 9, 2021

Fixes #44535.

Windows has a complicated state for when a PFX contains two certificates that link to the same private key:

  • EphemeralKeySet: The PFX load fails.
  • PersistKeySet: Things probably work.
  • (normal): "It's complicated".

When the Unix PFX loader was written it was based on the EphemeralKeySet behavior, because that's what the tests used (to avoid disk penalties and problems).

Trying to maintain a balance between Herculean efforts of bug-for-bug compatibility and OS variability, this change takes a simpler approach:

  • EphemeralKeySet: The PFX load fails, like it will on Windows.
  • Otherwise: Let it work (but always with cloned keys, so some of the subtle Windows undesirable states are lost).

@bartonjs bartonjs added this to the 6.0.0 milestone Jul 9, 2021
@bartonjs bartonjs self-assigned this Jul 9, 2021
@ghost
Copy link

ghost commented Jul 9, 2021

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.

Issue Details

Fixes #44535.

Windows has a complicated state for when a PFX contains two certificates that link to the same private key:

  • EphemeralKeySet: The PFX load fails.
  • PersistKeySet: Things probably work.
  • (normal): "It's complicated".

When the Unix PFX loader was written it was based on the EphemeralKeySet behavior, because that's what the tests used (to avoid disk penalties and problems).

Trying to maintain a balance between Herculean efforts of bug-for-bug compatibility and OS variability, this change takes a simpler approach:

  • EphemeralKeySet: The PFX load fails, like it will on Windows.
  • Otherwise: Let it work (but always with cloned keys, so some of the subtle Windows undesirable states are lost).
Author: bartonjs
Assignees: bartonjs
Labels:

area-System.Security

Milestone: 6.0.0

@mark-raymond
Copy link

Is there a way I can test this branch myself?

@bartonjs
Copy link
Member Author

bartonjs commented Jul 12, 2021

Is there a way I can test this branch myself?

@mark-raymond You should be able to checkout pull/55425/head, or do something like the merge command line instructions suggests:

> git checkout -b bartonjs-relax_unix_pfx_multikey main
> git pull https://github.com/bartonjs/runtime.git relax_unix_pfx_multikey

Then the usual build and such

@vcsjones
Copy link
Member

Then the usual build and such

There are docs on using your build here: https://github.com/dotnet/runtime/blob/main/docs/workflow/testing/using-your-build.md.

@bartonjs
Copy link
Member Author

Looks like there's an "Apple is different" case that I missed: In TwoCerts_CrossedKeys I believe the Keychain APIs won't bind the wrong private key to the cert, so we get back a cert where HasPrivateKey is false. Making sure the fix works on a mac before pushing it.

@bartonjs bartonjs merged commit 086079a into dotnet:main Jul 13, 2021
@bartonjs bartonjs deleted the relax_unix_pfx_multikey branch July 13, 2021 08:43
@bartonjs bartonjs removed their assignment Jul 26, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Aug 25, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
4 participants