MacOS Certificate Generator Fix

azure-pipelines-arcade-PR.yml

@@ -60,6 +60,7 @@ stages:
       helixRepo: dotnet/wcf
       jobs:
       - job: Windows
+        condition: false  # TEMP: macos-cert-issue branch — skip Windows leg for faster iteration on macOS-only changes
         timeoutInMinutes: 90
         pool:
           ${{ if eq(variables._RunAsPublic, True) }}:
@@ -142,6 +143,7 @@ stages:
       # Only build and test Linux in PR and CI builds.
       - ${{ if eq(variables._RunAsPublic, True) }}:
         - job: Linux
+          condition: false  # TEMP: macos-cert-issue branch — skip Linux leg for faster iteration on macOS-only changes
           timeoutInMinutes: 90
           container: ubuntu_2204
           pool:
@@ -210,7 +212,6 @@ stages:
       # Only build and test MacOS in PR and CI builds.
       - ${{ if eq(variables._RunAsPublic, True) }}:
         - job: MacOS
-          condition: ne(variables._RunWithCoreWcfService, True)
           timeoutInMinutes: 90
           pool:
             name: NetCore-Public

eng/SendToHelix.proj

@@ -83,6 +83,21 @@
     <HelixPreCommands>$(HelixPreCommands);export OPENSSL_ENABLE_SHA1_SIGNATURES=1</HelixPreCommands>
   </PropertyGroup>
 
+  <PropertyGroup Condition="'$(TestJob)' == 'MacOS'" >
+    <!-- Helix macOS workers run as the non-interactive 'helix-runner' user. The
+         existing login keychain (if any) has a password we do not know, which leaves
+         it locked and causes X509Store(My, CurrentUser).Open(ReadWrite) to fail with
+         errSecNoSuchKeychain / SecKeychainUnlock errors. Drop any pre-existing login
+         keychain and create a fresh one with an empty password so the test
+         infrastructure can install the client cert (dotnet/wcf#2870). -->
+    <HelixPreCommands>$(HelixPreCommands);security delete-keychain $HOME/Library/Keychains/login.keychain-db 2&gt;/dev/null || true</HelixPreCommands>
+    <HelixPreCommands>$(HelixPreCommands);security create-keychain -p "" $HOME/Library/Keychains/login.keychain-db</HelixPreCommands>
+    <HelixPreCommands>$(HelixPreCommands);security set-keychain-settings -lut 7200 $HOME/Library/Keychains/login.keychain-db</HelixPreCommands>
+    <HelixPreCommands>$(HelixPreCommands);security unlock-keychain -p "" $HOME/Library/Keychains/login.keychain-db</HelixPreCommands>
+    <HelixPreCommands>$(HelixPreCommands);security list-keychains -d user -s $HOME/Library/Keychains/login.keychain-db /Library/Keychains/System.keychain</HelixPreCommands>
+    <HelixPreCommands>$(HelixPreCommands);security default-keychain -d user -s $HOME/Library/Keychains/login.keychain-db</HelixPreCommands>
+  </PropertyGroup>
+
   <PropertyGroup Condition="'$(TestJob)' == 'Windows' AND '$(RunWithCoreWCFService)' == 'true'">
     <HelixPreCommands>$(HelixPreCommands);set PATH=%HELIX_CORRELATION_PAYLOAD%\dotnet-cli%3B%PATH%</HelixPreCommands>
     <!-- %3B is an escaped ; -->

src/System.Private.ServiceModel/tests/Common/Infrastructure/CertificateManager.cs

@@ -3,6 +3,7 @@
 // See the LICENSE file in the project root for more information.
 
 using System;
+using System.Diagnostics;
 using System.IO;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
@@ -233,9 +234,75 @@ public static X509Certificate2 InstallCertificateToRootStore(X509Certificate2 ce
         {
             // See explanation of StoreLocation selection at PlatformSpecificRootStoreLocation
             certificate = AddToStoreIfNeeded(StoreName.Root, PlatformSpecificRootStoreLocation, certificate);
+
+            // On macOS, .NET's X509Store(Root, *) does not establish OS-level trust required by SslStream/SecTrust.
+            // Add an admin trust setting to the System.keychain via the `security` CLI. Passwordless sudo is set up
+            // for the Helix work item via eng/SendToHelix.proj pre-commands.
+            if ((OSHelper.Current & OSID.OSX) == OSHelper.Current)
+            {
+                AddTrustedRootOnMacOS(certificate);
+            }
+
             return certificate;
         }
 
+        private static void AddTrustedRootOnMacOS(X509Certificate2 certificate)
+        {
+            string pemPath = Path.Combine(Path.GetTempPath(), "wcf-root-" + certificate.Thumbprint + ".pem");
+            try
+            {
+                byte[] der = certificate.Export(X509ContentType.Cert);
+                var sb = new StringBuilder();
+                sb.AppendLine("-----BEGIN CERTIFICATE-----");
+                string b64 = Convert.ToBase64String(der);
+                for (int i = 0; i < b64.Length; i += 64)
+                {
+                    sb.AppendLine(b64.Substring(i, Math.Min(64, b64.Length - i)));
+                }
+                sb.AppendLine("-----END CERTIFICATE-----");
+                File.WriteAllText(pemPath, sb.ToString());
+
+                RunSecurity("sudo", "-n security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain \"" + pemPath + "\"");
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[CertificateManager] Failed to add macOS admin trust: " + ex);
+            }
+            finally
+            {
+                try { if (File.Exists(pemPath)) File.Delete(pemPath); } catch { }
+            }
+        }
+
+        private static void RunSecurity(string fileName, string arguments)
+        {
+            try
+            {
+                var psi = new ProcessStartInfo
+                {
+                    FileName = fileName,
+                    Arguments = arguments,
+                    RedirectStandardOutput = true,
+                    RedirectStandardError = true,
+                    UseShellExecute = false,
+                    CreateNoWindow = true,
+                };
+                using (var p = Process.Start(psi))
+                {
+                    string stdout = p.StandardOutput.ReadToEnd();
+                    string stderr = p.StandardError.ReadToEnd();
+                    p.WaitForExit(60000);
+                    Console.WriteLine($"[CertificateManager] {fileName} {arguments} exit={p.ExitCode}");
+                    if (!string.IsNullOrEmpty(stdout)) Console.WriteLine("[CertificateManager] stdout: " + stdout);
+                    if (!string.IsNullOrEmpty(stderr)) Console.WriteLine("[CertificateManager] stderr: " + stderr);
+                }
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine($"[CertificateManager] Failed to run '{fileName} {arguments}': {ex}");
+            }
+        }
+
         // Install the certificate into the My store.
         // It will not install the certificate if it is already present in the store.
         // It returns the thumbprint of the certificate, regardless whether it was added or found.

src/System.Private.ServiceModel/tests/Scenarios/Binding/UDS/UDSBindingTests.cs

@@ -1,4 +1,4 @@
-// Licensed to the .NET Foundation under one or more agreements.
+// Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information.
 
@@ -93,7 +93,6 @@ public void WindowsAuth()
     }
 
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(SSL_Available))]
     [OuterLoop]
     private void BasicCertAsTransport()

src/System.Private.ServiceModel/tests/Scenarios/Binding/WS/FederationHttp/WSFederationHttpBindingTests.cs

@@ -1,4 +1,4 @@
-// Licensed to the .NET Foundation under one or more agreements.
+// Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information.
 
@@ -14,7 +14,6 @@
 
 public class WSFederationHttpBindingTests : ConditionalWcfTest
 {
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
            nameof(Client_Certificate_Installed),
            nameof(SSL_Available),
@@ -76,7 +75,6 @@ public static void WSFederationHttpBindingTests_Succeeds(MessageSecurityVersion
         }
     }
 
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
        nameof(Client_Certificate_Installed),
        nameof(SSL_Available),
@@ -128,7 +126,6 @@ public static void WSTrustTokeParameters_WSStaticHelper()
         }
     }
 
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
         nameof(Client_Certificate_Installed),
         nameof(SSL_Available),

src/System.Private.ServiceModel/tests/Scenarios/Binding/WS/TransportWithMessageCredentialSecurity/BasicHttpTransportWithMessageCredentialSecurityTests.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Security.Cryptography.X509Certificates;
 using System.ServiceModel;
 using System.ServiceModel.Channels;
@@ -8,7 +8,6 @@
 public class BasicHttpTransportWithMessageCredentialSecurityTests : ConditionalWcfTest
 {
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
                nameof(Client_Certificate_Installed),
                nameof(SSL_Available))]
@@ -56,7 +55,6 @@ public static void BasicHttps_SecModeTransWithMessCred_CertClientCredential_Succ
     }
 
     [WcfTheory]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
                nameof(SSL_Available))]
     [OuterLoop]
@@ -107,7 +105,6 @@ public static void BasicHttps_SecModeTransWithMessCred_UserNameClientCredential_
     }
 
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
                nameof(SSL_Available))]
     [OuterLoop]
@@ -156,7 +153,6 @@ public static void Https_SecModeTransWithMessCred_UserNameClientCredential_Succe
     }
 
     [WcfTheory]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
                nameof(SSL_Available))]
     [OuterLoop]

src/System.Private.ServiceModel/tests/Scenarios/Binding/WS/TransportWithMessageCredentialSecurity/BasicHttpsTransportWithMessageCredentialSecurityTests.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Security.Cryptography.X509Certificates;
 using System.ServiceModel;
 using Infrastructure.Common;
@@ -7,7 +7,6 @@
 public class BasicHttpsTransportWithMessageCredentialSecurityTests : ConditionalWcfTest
 {
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
                nameof(Client_Certificate_Installed),
                nameof(SSL_Available))]

src/System.Private.ServiceModel/tests/Scenarios/Binding/WS/TransportWithMessageCredentialSecurity/WS2007HttpTransportWithMessageCredentialsSecurityTests.cs

@@ -1,4 +1,4 @@
-// The .NET Foundation licenses this file to you under the MIT license.
+// The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information.
 
 using System;
@@ -12,7 +12,6 @@
 public class WS2007HttpTransportWithMessageCredentialsSecurityTests : ConditionalWcfTest
 {
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
        nameof(Client_Certificate_Installed),
        nameof(SSL_Available))]

src/System.Private.ServiceModel/tests/Scenarios/Binding/WS/TransportWithMessageCredentialSecurity/WSHttpTransportWithMessageCredentialSecurityTests.cs

@@ -1,4 +1,4 @@
-// Licensed to the .NET Foundation under one or more agreements.
+// Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information.
 
@@ -13,7 +13,6 @@
 public class WSHttpTransportWithMessageCredentialSecurityTests : ConditionalWcfTest
 {
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
            nameof(Client_Certificate_Installed),
            nameof(SSL_Available))]

src/System.Private.ServiceModel/tests/Scenarios/Binding/WS/TransportWithMessageCredentialSecurity/WSNetTcpTransportWithMessageCredentialSecurityTests.cs

@@ -1,4 +1,4 @@
-// Licensed to the .NET Foundation under one or more agreements.
+// Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information.
 
@@ -15,7 +15,6 @@
 public class WSNetTcpTransportWithMessageCredentialSecurityTests : ConditionalWcfTest
 {
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
            nameof(Client_Certificate_Installed),
            nameof(SSL_Available))]
@@ -63,7 +62,6 @@ public static void NetTcp_SecModeTransWithMessCred_CertClientCredential_Succeeds
     }
 
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
                nameof(SSL_Available))]
     [OuterLoop]
@@ -112,7 +110,6 @@ public static void NetTcp_SecModeTransWithMessCred_UserNameClientCredential_Succ
     }
 
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
                nameof(SSL_Available))]
     [OuterLoop]

src/System.Private.ServiceModel/tests/Scenarios/Security/TransportSecurity/Https/HttpsTests.4.1.0.cs

@@ -18,7 +18,6 @@ public partial class HttpsTests : ConditionalWcfTest
     [WcfTheory]
     [InlineData(WSMessageEncoding.Text)]
     [InlineData(WSMessageEncoding.Mtom)]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
            nameof(Client_Certificate_Installed),
            nameof(Server_Accepts_Certificates),
@@ -221,7 +220,6 @@ public static void SameBinding_Soap12_EchoString()
     }
 
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
                nameof(Client_Certificate_Installed),
                nameof(SSL_Available))]
@@ -269,7 +267,6 @@ public static void ServerCertificateValidation_EchoString()
     }
 
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(SSL_Available))]
     [OuterLoop]
     public static async Task ServerCertificateValidationUsingIdentity_EchoString()
@@ -310,7 +307,6 @@ public static async Task ServerCertificateValidationUsingIdentity_EchoString()
     }
 
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Client_Certificate_Installed),
                nameof(SSL_Available))]
     [OuterLoop]
@@ -348,7 +344,6 @@ public static void ServerCertificateValidationUsingIdentity_Throws_EchoString()
     }
 
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
                nameof(Client_Certificate_Installed),
                nameof(Server_Accepts_Certificates),
@@ -398,7 +393,6 @@ public static void ClientCertificate_EchoString()
     }
 
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
            nameof(Client_Certificate_Installed),
            nameof(Server_Accepts_Certificates),

src/System.Private.ServiceModel/tests/Scenarios/Security/TransportSecurity/Https/HttpsTests.4.1.1.cs

@@ -1,9 +1,10 @@
-// Licensed to the .NET Foundation under one or more agreements.
+// Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information.
 
 
 using System;
+using System.Security.Cryptography.X509Certificates;
 using System.ServiceModel;
 using System.ServiceModel.Security;
 using Infrastructure.Common;
@@ -171,7 +172,6 @@ public static void Https_SecModeTrans_CertValMode_PeerOrChainTrust_Succeeds_Chai
     }
 
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
                nameof(Client_Certificate_Installed),
                nameof(SSL_Available))]

src/System.Private.ServiceModel/tests/Scenarios/Security/TransportSecurity/Tcp/ClientCredentialTypeTests.4.1.0.cs

@@ -13,7 +13,6 @@
 public partial class Tcp_ClientCredentialTypeTests : ConditionalWcfTest
 {
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed), nameof(Client_Certificate_Installed))]
     [OuterLoop]
     public static void TcpClientCredentialType_Certificate_EchoString()
@@ -62,7 +61,6 @@ public static void TcpClientCredentialType_Certificate_EchoString()
     }
 
     [WcfFact]
-    [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed), nameof(Client_Certificate_Installed))]
     [OuterLoop]
     public static void TcpClientCredentialType_Certificate_CustomValidator_EchoString()

src/System.Private.ServiceModel/tools/CertificateGenerator/CertificateGenerator/CertificateGenerator.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net471</TargetFramework>
+    <TargetFramework>net10.0</TargetFramework>
     <OutputType>Exe</OutputType>
   </PropertyGroup>
 
@@ -10,7 +10,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <Reference Include="System.Configuration" />
+    <PackageReference Include="System.Configuration.ConfigurationManager" Version="9.0.0" />
   </ItemGroup>
 
 </Project>