update MacOS cert store

Author: afifi-ins

azure-pipelines-arcade-PR.yml

@@ -32,7 +32,7 @@ variables:
   - name: _RunAsInternal
     value: false
   - name: _RunWithCoreWcfService
-    value: true
+    value: false
 
   - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
     - name: _RunAsPublic
@@ -128,6 +128,7 @@ stages:
             -projects $(Build.SourcesDirectory)/eng/SendToHelix.proj
             $(_TestArgs)
             /p:TestJob=Windows
+            /p:RunWithCoreWcfService=$(_RunWithCoreWcfService)
             /bl:$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)/SendToHelix.binlog
           displayName: Windows - Run Helix Tests
           env:
@@ -136,7 +137,6 @@ stages:
             XUnitWorkItemTimeout: $(_xUnitWorkItemTimeout)
             RunAsPublic: $(_RunAsPublic)
             RunAsInternal: $(_RunAsInternal)
-            RunWithCoreWcfService: $(_RunWithCoreWcfService)
             IsWindowsBuild: true
 
       # Only build and test Linux in PR and CI builds.
@@ -190,14 +190,14 @@ stages:
               --projects $(Build.SourcesDirectory)/eng/SendToHelix.proj
               $(_TestArgs)
               /p:TestJob=Linux
+              /p:RunWithCoreWcfService=$(_RunWithCoreWcfService)
               /bl:$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)/SendToHelix.binlog
             displayName: Linux - Run Helix Tests
             env:
               SYSTEM_ACCESSTOKEN: $(System.AccessToken)
               ServiceHost: $(_serviceUri)
               RunAsPublic: $(_RunAsPublic)
               RunAsInternal: $(_RunAsInternal)
-              RunWithCoreWcfService: $(_RunWithCoreWcfService)
               IsWindowsBuild: false
 
       # Only build and test MacOS in PR and CI builds.
@@ -250,12 +250,12 @@ stages:
               -projects $(Build.SourcesDirectory)/eng/SendToHelix.proj
               $(_TestArgs)
               /p:TestJob=MacOS
+              /p:RunWithCoreWcfService=$(_RunWithCoreWcfService)
               /bl:$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)/SendToHelix.binlog
             displayName: MacOS - Run Helix Tests
             env:
               SYSTEM_ACCESSTOKEN: $(System.AccessToken)
               ServiceHost: $(_serviceUri)
               RunAsPublic: $(_RunAsPublic)
               RunAsInternal: $(_RunAsInternal)
-              RunWithCoreWcfService: $(_RunWithCoreWcfService)
               IsWindowsBuild: false

azure-pipelines-arcade.yml

@@ -25,7 +25,7 @@ variables:
 - name: _RunAsInternal
   value: true
 - name: _RunWithCoreWcfService
-  value: true
+  value: false
 - group: DotNet-Wcf-SDLValidation-Params
 resources:
   repositories:
@@ -97,15 +97,14 @@ extends:
               clean: true
             - script: eng\common\cibuild.cmd -configuration $(_BuildConfig) -preparemachine $(_InternalBuildArgs) $(_TestArgs) /p:Test=false
               displayName: Windows Build / Publish
-            - powershell: eng\common\build.ps1 -configuration $(_BuildConfig) -preparemachine -ci -test -integrationTest -projects $(Build.SourcesDirectory)/eng/SendToHelix.proj $(_TestArgs) /p:TestJob=Windows /bl:$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)/SendToHelix.binlog
+            - powershell: eng\common\build.ps1 -configuration $(_BuildConfig) -preparemachine -ci -test -integrationTest -projects $(Build.SourcesDirectory)/eng/SendToHelix.proj $(_TestArgs) /p:TestJob=Windows  /p:RunWithCoreWcfService=$(_RunWithCoreWcfService) /bl:$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)/SendToHelix.binlog
               displayName: Windows - Run Helix Tests
               env:
                 SYSTEM_ACCESSTOKEN: $(System.AccessToken)
                 HelixAccessToken: $(HelixApiAccessToken)
                 XUnitWorkItemTimeout: $(_xUnitWorkItemTimeout)
                 RunAsPublic: $(_RunAsPublic)
                 RunAsInternal: $(_RunAsInternal)
-                RunWithCoreWcfService: $(_RunWithCoreWcfService)
                 IsWindowsBuild: true
     - ${{ if eq(variables._RunAsInternal, True) }}:
       - template: /eng/common/templates-official/post-build/post-build.yml@self

eng/SendToHelix.proj

@@ -16,7 +16,7 @@
     <TestRunNamePrefix>$(AGENT_JOBNAME)</TestRunNamePrefix>
     <EnableXUnitReporter>true</EnableXUnitReporter>
   </PropertyGroup>
-
+  
   <Target Name="InstallDotNet">
     <ItemGroup>
       <AdditionalDotNetPackage Include="8.0.5">
@@ -71,15 +71,15 @@
   </PropertyGroup>
 
   <PropertyGroup>
-    <RunWithCoreWcfService>false</RunWithCoreWcfService>
+    <RunWithCoreWCFService Condition="'$(RunWithCoreWCFService)' == ''">false</RunWithCoreWCFService>
   </PropertyGroup>
-
-  <PropertyGroup Condition="'$(RunWithCoreWcfService)' == 'false' AND '$(TestJob)' == 'Linux'" >
+  
+  <PropertyGroup Condition="'$(TestJob)' != 'Windows'" >
     <HelixPreCommands>$(HelixPreCommands);chmod a+x $HELIX_CORRELATION_PAYLOAD/InstallRootCertificate.sh</HelixPreCommands>
     <HelixPreCommands>$(HelixPreCommands);sudo -E -n $HELIX_CORRELATION_PAYLOAD/InstallRootCertificate.sh --service-host $(ServiceHost) --cert-file /tmp/wcfrootca.crt</HelixPreCommands>
   </PropertyGroup>
 
-  <PropertyGroup Condition="'$(RunWithCoreWcfService)' == 'true' AND '$(TestJob)' == 'Windows'">
+  <PropertyGroup Condition="'$(TestJob)' == 'Windows'">
     <HelixPreCommands>$(HelixPreCommands);set PATH=%HELIX_CORRELATION_PAYLOAD%\dotnet-cli%3B%PATH%</HelixPreCommands>
     <!-- %3B is an escaped ; -->
     <HelixPreCommands>$(HelixPreCommands);set DOTNET_ROOT=%HELIX_CORRELATION_PAYLOAD%\dotnet-cli;set DOTNET_CLI_TELEMETRY_OPTOUT=1</HelixPreCommands>
@@ -89,7 +89,7 @@
     <HelixPreCommands>$(HelixPreCommands);%HELIX_CORRELATION_PAYLOAD%\SelfHostedCoreWCFService\$(Configuration)\net8.0\SelfHostedCoreWCFService bootstrap:true</HelixPreCommands>
   </PropertyGroup>
 
-  <PropertyGroup Condition="'$(RunWithCoreWcfService)' == 'true' AND '$(TestJob)' != 'Windows'">
+  <PropertyGroup Condition="'$(TestJob)' != 'Windows'">
     <HelixPreCommands>$(HelixPreCommands);export PATH=$HELIX_CORRELATION_PAYLOAD/dotnet-cli:$PATH</HelixPreCommands>
     <HelixPreCommands>$(HelixPreCommands);export DOTNET_ROOT=$HELIX_CORRELATION_PAYLOAD/dotnet-cli;export DOTNET_CLI_TELEMETRY_OPTOUT=1</HelixPreCommands>
     <HelixPreCommands>$(HelixPreCommands);export DOTNET_CLI_HOME=$HELIX_WORKITEM_ROOT/.dotnet</HelixPreCommands>

src/System.Private.ServiceModel/tools/CertificateGenerator/CertificateGeneratorLibrary/CertificateGenerator.cs

@@ -452,7 +452,7 @@ private X509CertificateContainer CreateCertificate(bool isAuthority, bool isMach
                 container.Pfx = stream.ToArray();
             }
 
-            X509Certificate2 outputCert;
+            X509Certificate2 outputCert = null;
 
             if (isAuthority)
             {
@@ -463,7 +463,34 @@ private X509CertificateContainer CreateCertificate(bool isAuthority, bool isMach
             {
                 // Otherwise, allow encode with the private key. note that X509Certificate2.RawData will not provide the private key
                 // you will have to re-export this cert if needed
-                outputCert = new X509Certificate2(container.Pfx, _password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+                if (CertificateHelper.CurrentOperatingSystem.IsMacOS())
+                {
+                    //string tempKeychainFilePath = Path.GetTempFileName();
+                    string tempKeychainFilePath = Path.Combine(Environment.CurrentDirectory, Path.GetRandomFileName());
+                    System.Security.Cryptography.X509Certificates.X509Store MacOsTempStore = CertificateHelper.GetMacOSX509Store(tempKeychainFilePath);
+                    MacOsTempStore.Certificates.Import(container.Pfx, _password, X509KeyStorageFlags.Exportable);
+                    MacOsTempStore.Close();
+                    MacOsTempStore.Dispose();
+
+                    MacOsTempStore = CertificateHelper.GetMacOSX509Store(tempKeychainFilePath);
+
+                    outputCert = ((IEnumerable<X509Certificate2>)MacOsTempStore.Certificates).FirstOrDefault();
+
+                    if (outputCert == null)
+                    {
+                        Console.WriteLine("Couldn't find Certificate..");
+                    }
+
+                    MacOsTempStore.Dispose();
+                    if (File.Exists(tempKeychainFilePath))
+                    {
+                        File.Delete(tempKeychainFilePath);
+                    }
+                }
+                else
+                {
+                    outputCert = new X509Certificate2(container.Pfx, _password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+                }
             }
 
             container.Subject = subject;

src/System.Private.ServiceModel/tools/CertificateGenerator/CertificateGeneratorLibrary/CertificateGeneratorLibrary.cs

@@ -23,9 +23,12 @@ public class CertificateGeneratorLibrary
     private static void RemoveCertificatesFromStore(StoreName storeName, StoreLocation storeLocation)
     {
         X509Store store = CertificateHelper.GetX509Store(storeName, storeLocation);
-        Console.WriteLine("  Checking StoreName '{0}'", storeName);
+        Console.WriteLine("  Checking StoreName '{0}', StoreLocation '{1}'", storeName, store.Location);
         {
-            store.Open(OpenFlags.ReadWrite | OpenFlags.IncludeArchived);
+            if (!CertificateHelper.CurrentOperatingSystem.IsMacOS()) 
+            {
+                store.Open(OpenFlags.ReadWrite | OpenFlags.IncludeArchived);
+            }
 
             foreach (var cert in store.Certificates.Find(X509FindType.FindByIssuerName, CertificateIssuer, false))
             {

src/System.Private.ServiceModel/tools/CertificateGenerator/CertificateGeneratorLibrary/CertificateHelper.cs

@@ -52,7 +52,7 @@ public static X509Store GetX509Store(StoreName storeName, StoreLocation storeLoc
             else if (CurrentOperatingSystem.IsMacOS())
             {
                 // MacOS SafeKeychainHandle
-                GetMacOSX509Store();
+                store = GetMacOSX509Store();
             }
             return store;
         }
@@ -62,16 +62,21 @@ public static X509Store GetX509Store(StoreName storeName, StoreLocation storeLoc
         internal static string OSXCustomKeychainPassword => "WCFKeychainFilePassword";
 
         [MethodImpl(MethodImplOptions.NoInlining)]
-        public static X509Store GetMacOSX509Store()
+        public static X509Store GetMacOSX509Store(string storeFilePath = null)
         {
+            if (storeFilePath == null)
+            {
+                storeFilePath = OSXCustomKeychainFilePath;
+            }
+
             SafeKeychainHandle keychain;
-            if (!File.Exists(OSXCustomKeychainFilePath))
+            if (!File.Exists(storeFilePath))
             {
-                keychain = SafeKeychainHandle.Create(OSXCustomKeychainFilePath, OSXCustomKeychainPassword);
+                keychain = SafeKeychainHandle.Create(storeFilePath, OSXCustomKeychainPassword);
             }
             else
             {
-                keychain = SafeKeychainHandle.Open(OSXCustomKeychainFilePath, OSXCustomKeychainPassword);
+                keychain = SafeKeychainHandle.Open(storeFilePath, OSXCustomKeychainPassword);
             }
 
             if (keychain.IsInvalid)

src/System.Private.ServiceModel/tools/CertificateGenerator/CertificateGeneratorLibrary/CertificateManager.cs

@@ -49,9 +49,12 @@ public static bool AddToStoreIfNeeded(StoreName storeName, StoreLocation storeLo
             try
             {
                 store = CertificateHelper.GetX509Store(storeName, storeLocation);
-                
+
                 // We assume Bridge is running elevated
-                store.Open(OpenFlags.ReadWrite);
+                if (!CertificateHelper.CurrentOperatingSystem.IsMacOS())
+                {
+                    store.Open(OpenFlags.ReadWrite);
+                }
                 existingCert = CertificateFromThumbprint(store, certificate.Thumbprint);
                 if (existingCert == null)
                 {

src/System.Private.ServiceModel/tools/IISHostedWcfService/App_code/TestHost.cs

@@ -214,7 +214,10 @@ public static X509Certificate2 CertificateFromSubject(StoreName name, StoreLocat
             try
             {
                 store = CertificateHelper.GetX509Store(name, location);
-                store.Open(OpenFlags.ReadOnly);
+                if (!store.IsOpen)
+                {
+                    store.Open(OpenFlags.ReadOnly);
+                }
                 X509Certificate2Collection foundCertificates = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, validOnly: true);
                 return foundCertificates.Count == 0 ? null : foundCertificates[0];
             }
@@ -234,7 +237,10 @@ public static X509Certificate2 CertificateFromFriendlyName(StoreName name, Store
             try
             {
                 store = CertificateHelper.GetX509Store(name, location);
-                store.Open(OpenFlags.ReadOnly);
+                if (!store.IsOpen)
+                {
+                    store.Open(OpenFlags.ReadOnly);
+                }
 
                 X509Certificate2Collection foundCertificates = store.Certificates.Find(X509FindType.FindByIssuerName, "DO_NOT_TRUST_WcfBridgeRootCA", false);
                 string friendlyNameHash = CertificateGenerator.HashFriendlyNameToString(friendlyName);