[release/9.0] Fix copying ephemeral keys to keychains #106993
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Starting on macOS Sequoia, at least in beta, SecKeychainitemCopyKeychain no longer returns errSecNoSuchKeychain for ephemeral keys. Instead, it returns errSecInvalidItemRef. This adds the error code in the handling logic for when we need to add an ephemeral key to the target keychain.
|
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones |
|
@vcsjones can you update the description for these backports |
lewing
approved these changes
Aug 27, 2024
jeffhandley
approved these changes
Aug 27, 2024
|
Tagging @artl93 for review (and merge) into release/9.0. This reacts to macOS Sequoia changing behavior; our existing unit tests were failing on the platform so no new tests were needed. Once this is reviewed and merged into release/9.0, we will send [release/8.0-staging] Fix copying ephemeral keys to keychains (#107041) and [release/6.0-staging] Fix copying ephemeral keys to keychains (#107046) to Tactics for servicing consideration. |
artl93
added
Servicing-approved
artl93
approved these changes
Aug 28, 2024
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #106973 to release/9.0
/cc @lewing @vcsjones @bartonjs
Customer Impact
Reported by multiple customers in #106775.
Customers that use
X509Certificate2.CopyWithPrivateKeywill get aCryptographicExceptionon macOS Sequoia, which is currently in beta. This breaks some key development scenarios, likeCertificateRequest, which is used by ASP.NET for configuring local development HTTPS certificates.This is due to Apple changing the behavior of one of their APIs to return a different error code. The change is to handle the new error code, in addition to the old one.
Regression
Testing
Existing unit tests failed on the new macOS version. The tests now pass on macOS Sequoia.
Risk
Low. This adds an extra condition to an error handling path that already existed.
IMPORTANT: If this backport is for a servicing release, please verify that:
The PR target branch is
release/X.0-staging, notrelease/X.0.If the change touches code that ships in a NuGet package, you have added the necessary package authoring and gotten it explicitly reviewed.