[release/6.0-staging] Fix exporting certificate keys on macOS 14.4. #99781

Member

@vcsjones vcsjones commented Mar 14, 2024

Backport of #99768 to release/6.0-staging

/cc @vcsjones @bartonjs

Customer Impact

  • Customer reported
  • Found internally

Reported by customers in #99735. Apple made a change in macOS 14.4 that prevented private keys from X509Certificate2 from exporting. This affected customers that used APIs to get the exported key from a certificate in the macOS keychain.

Regression

  • Yes
  • No
  • OS Behavior Change

Apple changed the error code returned by one of their APIs. The change caused our error handling logic to not handle a recoverable error and instead treat it as an uncaught error.

Testing

Unit tests were added to prevent the fix from regressing.

Risk

Low. The change only affects macOS-specific code and adds another error code to an already existing error handling path. The fix simply ensures we take the same error handling path with the new error code, in addition to the old one.

Apple changed the error code we get back from a failed data-key export. This caused us to not attempt to export the key using the legacy APIs and assume the key export failed. This change adds the additional error code returned from macOS 14.4.
@bartonjs bartonjs added the Servicing-consider Issue for next servicing release review label Mar 18, 2024
@bartonjs
Member

Approved via email.

@bartonjs bartonjs added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Mar 19, 2024
@vseanreesermsft vseanreesermsft changed the base branch from release/6.0-staging to release/6.0 March 19, 2024 21:30
@vseanreesermsft vseanreesermsft changed the base branch from release/6.0 to release/6.0-staging March 19, 2024 21:30
@vcsjones
Member Author

@bartonjs is this necessary with #99980 being merged?

@bartonjs
Member

Confirmed that we can just close this one out.

@bartonjs bartonjs closed this Mar 25, 2024
@vcsjones vcsjones deleted the backport-99768-to-release-6.0 branch March 27, 2024 04:03
@github-actions github-actions bot locked and limited conversation to collaborators Apr 26, 2024
Labels
area-System.Security Servicing-approved Approved for servicing release