From 0be9e404aea44dc2423f61096e99c10192bdd06f Mon Sep 17 00:00:00 2001 From: Hao Kung Date: Wed, 6 Jan 2021 10:44:30 -0800 Subject: [PATCH 1/6] Debug x509 store --- .../Extensions/test/DataProtectionProviderTests.cs | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs b/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs index 751b9b5d6206..948881687dfd 100644 --- a/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs +++ b/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs @@ -21,6 +21,16 @@ namespace Microsoft.AspNetCore.DataProtection { public class DataProtectionProviderTests { + [Fact] + public void VerifyX509StoreWorks() + { + using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser)) + { + store.Open(OpenFlags.ReadWrite); + Assert.True(true); + } + } + [Fact] public void System_UsesProvidedDirectory() { From 6f8e2194b913faf44d6df8432cf338b487d8fddb Mon Sep 17 00:00:00 2001 From: Hao Kung Date: Wed, 6 Jan 2021 10:45:45 -0800 Subject: [PATCH 2/6] Update helix-matrix.yml --- .azure/pipelines/helix-matrix.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.azure/pipelines/helix-matrix.yml b/.azure/pipelines/helix-matrix.yml index 33b992363d76..4b0bf575fbb1 100644 --- a/.azure/pipelines/helix-matrix.yml +++ b/.azure/pipelines/helix-matrix.yml @@ -1,6 +1,9 @@ # We only want to run full helix matrix on master -pr: none -trigger: none +pr: + autoCancel: true + branches: + include: + - '*' schedules: # Cron timezone is UTC. - cron: "0 */12 * * *" From 7be65c053c2d609451fa7557b739ca551dc9d67a Mon Sep 17 00:00:00 2001 From: Hao Kung Date: Wed, 6 Jan 2021 14:23:03 -0800 Subject: [PATCH 3/6] Un skip test to see if they work now --- .../Extensions/test/DataProtectionProviderTests.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs b/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs index 948881687dfd..2ebd96c6b8f4 100644 --- a/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs +++ b/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs @@ -125,7 +125,7 @@ public void System_UsesProvidedDirectory_WithConfigurationCallback() [ConditionalFact] [X509StoreIsAvailable(StoreName.My, StoreLocation.CurrentUser)] - [SkipOnHelix("https://github.com/dotnet/aspnetcore/issues/6720 and https://github.com/dotnet/aspnetcore/issues/26871", Queues = "All.OSX;Windows.10.Arm64;Windows.10.Arm64.Open;Windows.10.Arm64v8;Windows.10.Arm64v8.Open")] + [SkipOnHelix("https://github.com/dotnet/aspnetcore/issues/6720 and https://github.com/dotnet/aspnetcore/issues/26871", Queues = "All.OSX")] public void System_UsesProvidedDirectoryAndCertificate() { var filePath = Path.Combine(GetTestFilesPath(), "TestCert.pfx"); From 0cbf40c2b6e81f4445d34a4eec08281fdb694207 Mon Sep 17 00:00:00 2001 From: Hao Kung Date: Thu, 7 Jan 2021 11:30:23 -0800 Subject: [PATCH 4/6] Add using for cert --- .../test/DataProtectionProviderTests.cs | 89 +++++++++---------- 1 file changed, 41 insertions(+), 48 deletions(-) diff --git a/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs b/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs index 2ebd96c6b8f4..9b6fca998ec6 100644 --- a/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs +++ b/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs @@ -21,16 +21,6 @@ namespace Microsoft.AspNetCore.DataProtection { public class DataProtectionProviderTests { - [Fact] - public void VerifyX509StoreWorks() - { - using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser)) - { - store.Open(OpenFlags.ReadWrite); - Assert.True(true); - } - } - [Fact] public void System_UsesProvidedDirectory() { @@ -129,48 +119,51 @@ public void System_UsesProvidedDirectory_WithConfigurationCallback() public void System_UsesProvidedDirectoryAndCertificate() { var filePath = Path.Combine(GetTestFilesPath(), "TestCert.pfx"); - using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser)) + using (var imported = new X509Certificate2(filePath, "password", X509KeyStorageFlags.Exportable)) { - store.Open(OpenFlags.ReadWrite); - store.Add(new X509Certificate2(filePath, "password", X509KeyStorageFlags.Exportable)); - store.Close(); - } - - WithUniqueTempDirectory(directory => - { - var certificateStore = new X509Store(StoreName.My, StoreLocation.CurrentUser); - certificateStore.Open(OpenFlags.ReadWrite); - var certificate = certificateStore.Certificates.Find(X509FindType.FindBySubjectName, "TestCert", false)[0]; - Assert.True(certificate.HasPrivateKey, "Cert should have a private key"); - try + using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser)) { - // Step 1: directory should be completely empty - directory.Create(); - Assert.Empty(directory.GetFiles()); - - // Step 2: instantiate the system and round-trip a payload - var protector = DataProtectionProvider.Create(directory, certificate).CreateProtector("purpose"); - var data = protector.Protect("payload"); - - // add a cert without the private key to ensure the decryption will still fallback to the cert store - var certWithoutKey = new X509Certificate2(Path.Combine(GetTestFilesPath(), "TestCertWithoutPrivateKey.pfx"), "password"); - var unprotector = DataProtectionProvider.Create(directory, o => o.UnprotectKeysWithAnyCertificate(certWithoutKey)).CreateProtector("purpose"); - Assert.Equal("payload", unprotector.Unprotect(data)); - - // Step 3: validate that there's now a single key in the directory and that it's is protected using the certificate - var allFiles = directory.GetFiles(); - Assert.Single(allFiles); - Assert.StartsWith("key-", allFiles[0].Name, StringComparison.OrdinalIgnoreCase); - string fileText = File.ReadAllText(allFiles[0].FullName); - Assert.DoesNotContain("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); - Assert.Contains("X509Certificate", fileText, StringComparison.Ordinal); + store.Open(OpenFlags.ReadWrite); + store.Add(imported); + store.Close(); } - finally + + WithUniqueTempDirectory(directory => { - certificateStore.Remove(certificate); - certificateStore.Close(); - } - }); + var certificateStore = new X509Store(StoreName.My, StoreLocation.CurrentUser); + certificateStore.Open(OpenFlags.ReadWrite); + var certificate = certificateStore.Certificates.Find(X509FindType.FindBySubjectName, "TestCert", false)[0]; + Assert.True(certificate.HasPrivateKey, "Cert should have a private key"); + try + { + // Step 1: directory should be completely empty + directory.Create(); + Assert.Empty(directory.GetFiles()); + + // Step 2: instantiate the system and round-trip a payload + var protector = DataProtectionProvider.Create(directory, certificate).CreateProtector("purpose"); + var data = protector.Protect("payload"); + + // add a cert without the private key to ensure the decryption will still fallback to the cert store + var certWithoutKey = new X509Certificate2(Path.Combine(GetTestFilesPath(), "TestCertWithoutPrivateKey.pfx"), "password"); + var unprotector = DataProtectionProvider.Create(directory, o => o.UnprotectKeysWithAnyCertificate(certWithoutKey)).CreateProtector("purpose"); + Assert.Equal("payload", unprotector.Unprotect(data)); + + // Step 3: validate that there's now a single key in the directory and that it's is protected using the certificate + var allFiles = directory.GetFiles(); + Assert.Single(allFiles); + Assert.StartsWith("key-", allFiles[0].Name, StringComparison.OrdinalIgnoreCase); + string fileText = File.ReadAllText(allFiles[0].FullName); + Assert.DoesNotContain("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); + Assert.Contains("X509Certificate", fileText, StringComparison.Ordinal); + } + finally + { + certificateStore.Remove(certificate); + certificateStore.Close(); + } + }); + } } [ConditionalFact] From 2c5ab4e59a5f949c9440da195ceab5e66043de3a Mon Sep 17 00:00:00 2001 From: Hao Kung Date: Thu, 7 Jan 2021 12:35:00 -0800 Subject: [PATCH 5/6] Clean up comment --- .../Extensions/test/DataProtectionProviderTests.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs b/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs index 9b6fca998ec6..e2431a2fa8bf 100644 --- a/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs +++ b/src/DataProtection/Extensions/test/DataProtectionProviderTests.cs @@ -115,7 +115,7 @@ public void System_UsesProvidedDirectory_WithConfigurationCallback() [ConditionalFact] [X509StoreIsAvailable(StoreName.My, StoreLocation.CurrentUser)] - [SkipOnHelix("https://github.com/dotnet/aspnetcore/issues/6720 and https://github.com/dotnet/aspnetcore/issues/26871", Queues = "All.OSX")] + [SkipOnHelix("https://github.com/dotnet/aspnetcore/issues/6720", Queues = "All.OSX")] public void System_UsesProvidedDirectoryAndCertificate() { var filePath = Path.Combine(GetTestFilesPath(), "TestCert.pfx"); From caaad47eb08181954432f59f8ea1f89a7bdc2c78 Mon Sep 17 00:00:00 2001 From: Hao Kung Date: Fri, 8 Jan 2021 09:02:55 -0800 Subject: [PATCH 6/6] Update helix-matrix.yml --- .azure/pipelines/helix-matrix.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.azure/pipelines/helix-matrix.yml b/.azure/pipelines/helix-matrix.yml index 4b0bf575fbb1..33b992363d76 100644 --- a/.azure/pipelines/helix-matrix.yml +++ b/.azure/pipelines/helix-matrix.yml @@ -1,9 +1,6 @@ # We only want to run full helix matrix on master -pr: - autoCancel: true - branches: - include: - - '*' +pr: none +trigger: none schedules: # Cron timezone is UTC. - cron: "0 */12 * * *"