-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create new X509CertificateLoader #102167
Create new X509CertificateLoader #102167
Conversation
The new certificate loader only loads one data type per method, unlike the previous loader mechanism (new X509Certiicate2(bytes, ...)). It also allows for caller configuration to control cost-of-work limits and some common usability gotchas around Windows PFX loading. This change adds the new loader, and changes the X509Certificate2 ctors to use it; a followup will mark the ctors as Obsolete and update usage in the dotnet/runtime codebase.
Note regarding the
|
src/libraries/Common/src/System/IO/MemoryMappedFiles/MemoryMappedFileMemoryManager.cs
Outdated
Show resolved
Hide resolved
set | ||
{ | ||
if (value < 0) | ||
throw new ArgumentOutOfRangeException(nameof(value), SR.ArgumentOutOfRange_NeedNonNegNum); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Earlier an ifdef was used to use ObjectDisposedException.ThrowIf if it's available. I assume we're not doing so here with AOORE just because there are a bunch of them and it'd be abnoxious?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That was the reason, yeah; but looking at it now in this file it's just repeating a negative check, so making a helper seems reasonable (it'll get re-used)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How "amusing"... I updated every instance except the one this comment was on. Fixed locally now.
{ | ||
if (!pfxAsn.VerifyMac(password, authSafeContents)) | ||
{ | ||
password = password.ContainsNull() ? "".AsSpan() : default; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not clear on the reasoning here. If it contains null we make it non-null and if it doesn't contain null we make it null?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep. From the API perspective null and empty are the same thing, but from the algorithm perspective they're different. So if we got null, try again with empty, and if we got empty, try again with null.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What I have so far. Scrollbar says I have a ways to go still.
src/libraries/Common/src/System/IO/MemoryMappedFiles/MemoryMappedFileMemoryManager.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/src/System/Security/Cryptography/Helpers.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/src/System/Security/Cryptography/PasswordBasedEncryption.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/src/System/Security/Cryptography/PasswordBasedEncryption.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/src/System/Security/Cryptography/PasswordBasedEncryption.cs
Show resolved
Hide resolved
src/libraries/Microsoft.Bcl.Cryptography/src/System/Security/Cryptography/NetStandardShims.cs
Show resolved
Hide resolved
src/libraries/Microsoft.Bcl.Cryptography/src/System/Security/Cryptography/NetStandardShims.cs
Outdated
Show resolved
Hide resolved
...soft.Bcl.Cryptography/src/System/Security/Cryptography/PbeEncryptionAlgorithm.netstandard.cs
Outdated
Show resolved
Hide resolved
...ies/Microsoft.Bcl.Cryptography/src/System/Security/Cryptography/PbeParameters.netstandard.cs
Outdated
Show resolved
Hide resolved
src/libraries/Microsoft.Bcl.Cryptography/tests/X509Certificates/TestData.cs
Outdated
Show resolved
Hide resolved
...em.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/StorePal.macOS.cs
Show resolved
Hide resolved
...yptography/src/System/Security/Cryptography/X509Certificates/X509Certificate.LegacyLimits.cs
Outdated
Show resolved
Hide resolved
...yptography/src/System/Security/Cryptography/X509Certificates/X509Certificate.LegacyLimits.cs
Outdated
Show resolved
Hide resolved
...ptography/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.OpenSsl.cs
Outdated
Show resolved
Hide resolved
...ptography/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.OpenSsl.cs
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography/tests/X509Certificates/CertLoaderTests.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography/tests/X509Certificates/CertLoaderTests.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography/tests/X509Certificates/CertLoaderTests.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography/tests/X509Certificates/CollectionImportTests.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography/tests/X509Certificates/CtorTests.cs
Outdated
Show resolved
Hide resolved
...ies/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderTests.cs
Show resolved
Hide resolved
...ies/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderTests.cs
Outdated
Show resolved
Hide resolved
...ies/Common/tests/System/Security/Cryptography/X509Certificates/X509CertificateLoaderTests.cs
Outdated
Show resolved
Hide resolved
...ryptography/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.macOS.cs
Outdated
Show resolved
Hide resolved
...Cryptography/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Unix.cs
Outdated
Show resolved
Hide resolved
/azp run runtime-androidemulator |
Azure Pipelines successfully started running 1 pipeline(s). |
/azp run runtime-androidemulator |
Azure Pipelines successfully started running 1 pipeline(s). |
/azp run runtime-androidemulator |
Azure Pipelines successfully started running 1 pipeline(s). |
/azp run runtime-ioslikesimulator |
Azure Pipelines successfully started running 1 pipeline(s). |
this is preventing code flow into azdo internal repo because the security scanner detects credentials.
See also #104021 |
Breaking change docs written. dotnet/docs#42613 |
The new certificate loader only loads one data type per method, unlike the previous loader mechanism (new X509Certiicate2(bytes, ...)). It also allows for caller configuration to control cost-of-work limits and some common usability gotchas around Windows PFX loading.
This change adds the new loader, and changes the X509Certificate2 ctors to use it; a followup will mark the ctors as Obsolete and update usage in the dotnet/runtime codebase.
Contributes to #91763.