[Https] Various improvements to the dev-certs tool (#25037)

javiercn · web-flow · commit 3c34c3ab0d32 · 2020-08-20T09:55:56.000-07:00
* Add support for the trust option on Linux on the command-line tool and print a message when it's used pointing to docs.
* Bump the certificate version to 2 to ensure that the certificate gets updated for 5.0 on Mac OS.
* Ensure we always select the certificate with the highest available version to ensure that when we change the certificate in the future older runtimes pick up the new certificate.
* Support exporting the certificate without key on PEM format.
diff --git a/src/Shared/CertificateGeneration/CertificateManager.cs b/src/Shared/CertificateGeneration/CertificateManager.cs
@@ -15,6 +15,7 @@ namespace Microsoft.AspNetCore.Certificates.Generation
 {
     internal abstract class CertificateManager
     {
+        internal const int CurrentAspNetCoreCertificateVersion = 2;
         internal const string AspNetHttpsOid = "1.3.6.1.4.1.311.84.1.1";
         internal const string AspNetHttpsOidFriendlyName = "ASP.NET Core HTTPS development certificate";
 
@@ -45,7 +46,7 @@ public int AspNetHttpsCertificateVersion
 
         public string Subject { get; }
 
-        public CertificateManager() : this(LocalhostHttpsDistinguishedName, 1)
+        public CertificateManager() : this(LocalhostHttpsDistinguishedName, CurrentAspNetCoreCertificateVersion)
         {
         }
 
@@ -86,10 +87,8 @@ public IList<X509Certificate2> ListCertificates(
                     Log.CheckCertificatesValidity();
                     var now = DateTimeOffset.Now;
                     var validCertificates = matchingCertificates
-                        .Where(c => c.NotBefore <= now &&
-                            now <= c.NotAfter &&
-                            (!requireExportable || IsExportable(c))
-                            && MatchesVersion(c))
+                        .Where(c => IsValidCertificate(c, now, requireExportable))
+                        .OrderByDescending(c => GetCertificateVersion(c))
                         .ToArray();
 
                     var invalidCertificates = matchingCertificates.Except(validCertificates);
@@ -123,7 +122,7 @@ bool HasOid(X509Certificate2 certificate, string oid) =>
                 certificate.Extensions.OfType<X509Extension>()
                     .Any(e => string.Equals(oid, e.Oid.Value, StringComparison.Ordinal));
 
-            bool MatchesVersion(X509Certificate2 c)
+            static byte GetCertificateVersion(X509Certificate2 c)
             {
                 var byteArray = c.Extensions.OfType<X509Extension>()
                     .Where(e => string.Equals(AspNetHttpsOid, e.Oid.Value, StringComparison.Ordinal))
@@ -133,14 +132,20 @@ bool MatchesVersion(X509Certificate2 c)
                 if ((byteArray.Length == AspNetHttpsOidFriendlyName.Length && byteArray[0] == (byte)'A') || byteArray.Length == 0)
                 {
                     // No Version set, default to 0
-                    return 0 >= AspNetHttpsCertificateVersion;
+                    return 0b0;
                 }
                 else
                 {
                     // Version is in the only byte of the byte array.
-                    return byteArray[0] >= AspNetHttpsCertificateVersion;
+                    return byteArray[0];
                 }
             }
+
+            bool IsValidCertificate(X509Certificate2 certificate, DateTimeOffset currentDate, bool requireExportable) =>
+                certificate.NotBefore <= currentDate &&
+                currentDate <= certificate.NotAfter &&
+                (!requireExportable || IsExportable(certificate)) &&
+                GetCertificateVersion(certificate) >= AspNetHttpsCertificateVersion;
         }
 
         public IList<X509Certificate2> GetHttpsCertificates() =>
@@ -448,7 +453,14 @@ internal void ExportCertificate(X509Certificate2 certificate, string path, bool
                 }
                 else
                 {
-                    bytes = certificate.Export(X509ContentType.Cert);
+                    if (format == CertificateKeyExportFormat.Pem)
+                    {
+                        bytes = Encoding.ASCII.GetBytes(PemEncoding.Write("CERTIFICATE", certificate.Export(X509ContentType.Cert)));
+                    }
+                    else
+                    {
+                        bytes = certificate.Export(X509ContentType.Cert);
+                    }
                 }
             }
             catch (Exception e)
diff --git a/src/Tools/FirstRunCertGenerator/test/CertificateManagerTests.cs b/src/Tools/FirstRunCertGenerator/test/CertificateManagerTests.cs
@@ -191,6 +191,36 @@ public void EnsureCreateHttpsCertificate_CanExportTheCertInPemFormat()
             Assert.Equal(httpsCertificate.GetCertHashString(), exportedCertificate.GetCertHashString());
         }
 
+        [ConditionalFact]
+        [SkipOnHelix("https://github.com/dotnet/aspnetcore/issues/6720", Queues = "OSX.1014.Amd64;OSX.1014.Amd64.Open")]
+        public void EnsureCreateHttpsCertificate_CanExportTheCertInPemFormat_WithoutKey()
+        {
+            // Arrange
+            const string CertificateName = nameof(EnsureCreateHttpsCertificate_DoesNotCreateACertificate_WhenThereIsAnExistingHttpsCertificates) + ".pem";
+
+            _fixture.CleanupCertificates();
+
+            var now = DateTimeOffset.UtcNow;
+            now = new DateTimeOffset(now.Year, now.Month, now.Day, now.Hour, now.Minute, now.Second, 0, now.Offset);
+            var creation = _manager.EnsureAspNetCoreHttpsDevelopmentCertificate(now, now.AddYears(1), path: null, trust: false, isInteractive: false);
+            Output.WriteLine(creation.ToString());
+            ListCertificates();
+
+            var httpsCertificate = _manager.ListCertificates(StoreName.My, StoreLocation.CurrentUser, isValid: false).Single(c => c.Subject == TestCertificateSubject);
+
+            // Act
+            var result = _manager
+                .EnsureAspNetCoreHttpsDevelopmentCertificate(now, now.AddYears(1), CertificateName, trust: false, includePrivateKey: false, password: null, keyExportFormat: CertificateKeyExportFormat.Pem, isInteractive: false);
+
+            // Assert
+            Assert.Equal(EnsureCertificateResult.ValidCertificatePresent, result);
+            Assert.True(File.Exists(CertificateName));
+
+            var exportedCertificate = new X509Certificate2(CertificateName);
+            Assert.NotNull(exportedCertificate);
+            Assert.False(exportedCertificate.HasPrivateKey);
+        }
+
         [ConditionalFact]
         [SkipOnHelix("https://github.com/dotnet/aspnetcore/issues/6720", Queues = "OSX.1014.Amd64;OSX.1014.Amd64.Open")]
         public void EnsureCreateHttpsCertificate_CanImport_ExportedPfx()
@@ -351,6 +381,44 @@ public void EnsureCreateHttpsCertificate_ReturnValidIfCertIsNewer()
             var httpsCertificateList = _manager.ListCertificates(StoreName.My, StoreLocation.CurrentUser, isValid: true);
             Assert.NotEmpty(httpsCertificateList);
         }
+
+        [ConditionalFact]
+        [SkipOnHelix("https://github.com/dotnet/aspnetcore/issues/6720", Queues = "OSX.1014.Amd64;OSX.1014.Amd64.Open")]
+        public void ListCertificates_AlwaysReturnsTheCertificate_WithHighestVersion()
+        {
+            _fixture.CleanupCertificates();
+
+            var now = DateTimeOffset.UtcNow;
+            now = new DateTimeOffset(now.Year, now.Month, now.Day, now.Hour, now.Minute, now.Second, 0, now.Offset);
+            _manager.AspNetHttpsCertificateVersion = 1;
+            var creation = _manager.EnsureAspNetCoreHttpsDevelopmentCertificate(now, now.AddYears(1), path: null, trust: false, isInteractive: false);
+            Output.WriteLine(creation.ToString());
+            ListCertificates();
+
+            _manager.AspNetHttpsCertificateVersion = 2;
+            creation = _manager.EnsureAspNetCoreHttpsDevelopmentCertificate(now, now.AddYears(1), path: null, trust: false, isInteractive: false);
+            Output.WriteLine(creation.ToString());
+            ListCertificates();
+
+            _manager.AspNetHttpsCertificateVersion = 1;
+            var httpsCertificateList = _manager.ListCertificates(StoreName.My, StoreLocation.CurrentUser, isValid: true);
+            Assert.Equal(2, httpsCertificateList.Count);
+
+            var firstCertificate = httpsCertificateList[0];
+            var secondCertificate = httpsCertificateList[1];
+
+            Assert.Contains(
+                firstCertificate.Extensions.OfType<X509Extension>(),
+                e => e.Critical == false &&
+                    e.Oid.Value == "1.3.6.1.4.1.311.84.1.1" &&
+                    e.RawData[0] == 2);
+
+            Assert.Contains(
+                secondCertificate.Extensions.OfType<X509Extension>(),
+                e => e.Critical == false &&
+                    e.Oid.Value == "1.3.6.1.4.1.311.84.1.1" &&
+                    e.RawData[0] == 1);
+        }
     }
 
     public class CertFixture : IDisposable
diff --git a/src/Tools/dotnet-dev-certs/src/Program.cs b/src/Tools/dotnet-dev-certs/src/Program.cs
@@ -98,12 +98,9 @@ public static int Main(string[] args)
                         CommandOptionType.SingleValue);
 
                     CommandOption trust = null;
-                    if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) || RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
-                    {
-                        trust = c.Option("-t|--trust",
-                            "Trust the certificate on the current platform",
-                            CommandOptionType.NoValue);
-                    }
+                    trust = c.Option("-t|--trust",
+                        "Trust the certificate on the current platform",
+                        CommandOptionType.NoValue);
 
                     var verbose = c.Option("-v|--verbose",
                         "Display more debug information.",
@@ -292,24 +289,32 @@ private static int CheckHttpsCertificate(CommandOption trust, IReporter reporter
 
             if (trust != null && trust.HasValue())
             {
-                var store = RuntimeInformation.IsOSPlatform(OSPlatform.OSX) ? StoreName.My : StoreName.Root;
-                var trustedCertificates = certificateManager.ListCertificates(store, StoreLocation.CurrentUser, isValid: true);
-                if (!certificates.Any(c => certificateManager.IsTrusted(c)))
+                if(!RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
                 {
-                    reporter.Output($@"The following certificates were found, but none of them is trusted:
-{string.Join(Environment.NewLine, certificates.Select(c => $"{c.Subject} - {c.Thumbprint}"))}");
-                    return ErrorCertificateNotTrusted;
+                    var store = RuntimeInformation.IsOSPlatform(OSPlatform.OSX) ? StoreName.My : StoreName.Root;
+                    var trustedCertificates = certificateManager.ListCertificates(store, StoreLocation.CurrentUser, isValid: true);
+                    if (!certificates.Any(c => certificateManager.IsTrusted(c)))
+                    {
+                        reporter.Output($@"The following certificates were found, but none of them is trusted:
+    {string.Join(Environment.NewLine, certificates.Select(c => $"{c.Subject} - {c.Thumbprint}"))}");
+                        return ErrorCertificateNotTrusted;
+                    }
+                    else
+                    {
+                        reporter.Output("A trusted certificate was found.");
+                    }
                 }
                 else
                 {
-                    reporter.Output("A trusted certificate was found.");
+                    reporter.Warn("Checking the HTTPS development certificate trust status was requested. Checking whether the certificate is trusted or not is not supported on Linux distributions." +
+                        "For instructions on how to manually validate the certificate is trusted on your Linux distribution, go to https://aka.ms/dev-certs-trust");
                 }
             }
 
             return Success;
         }
 
-        private static int EnsureHttpsCertificate(CommandOption exportPath, CommandOption password, CommandOption noPassword, CommandOption trust, CommandOption keyFormat, IReporter reporter)
+        private static int EnsureHttpsCertificate(CommandOption exportPath, CommandOption password, CommandOption noPassword, CommandOption trust, CommandOption exportFormat, IReporter reporter)
         {
             var now = DateTimeOffset.Now;
             var manager = CertificateManager.Instance;
@@ -332,36 +337,45 @@ private static int EnsureHttpsCertificate(CommandOption exportPath, CommandOptio
                 }
             }
 
-            if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX) && trust?.HasValue() == true)
+            if (trust?.HasValue() == true)
             {
-                reporter.Warn("Trusting the HTTPS development certificate was requested. If the certificate is not " +
-                    "already trusted we will run the following command:" + Environment.NewLine +
-                    "'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <<certificate>>'" +
-                    Environment.NewLine + "This command might prompt you for your password to install the certificate " +
-                    "on the system keychain.");
-            }
+                if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
+                {
+                    reporter.Warn("Trusting the HTTPS development certificate was requested. If the certificate is not " +
+                        "already trusted we will run the following command:" + Environment.NewLine +
+                        "'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <<certificate>>'" +
+                        Environment.NewLine + "This command might prompt you for your password to install the certificate " +
+                        "on the system keychain.");
+                }
 
-            if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && trust?.HasValue() == true)
-            {
-                reporter.Warn("Trusting the HTTPS development certificate was requested. A confirmation prompt will be displayed " +
-                    "if the certificate was not previously trusted. Click yes on the prompt to trust the certificate.");
+                if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+                {
+                    reporter.Warn("Trusting the HTTPS development certificate was requested. A confirmation prompt will be displayed " +
+                        "if the certificate was not previously trusted. Click yes on the prompt to trust the certificate.");
+                }
+
+                if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
+                {
+                    reporter.Warn("Trusting the HTTPS development certificate was requested. Trusting the certificate on Linux distributions automatically is not supported. " +
+                        "For instructions on how to manually trust the certificate on your Linux distribution, go to https://aka.ms/dev-certs-trust");
+                }
             }
 
             var format = CertificateKeyExportFormat.Pfx;
-            if (keyFormat.HasValue() && !Enum.TryParse(keyFormat.Value(), ignoreCase: true, out format))
+            if (exportFormat.HasValue() && !Enum.TryParse(exportFormat.Value(), ignoreCase: true, out format))
             {
-                reporter.Error($"Unknown key format '{keyFormat.Value()}'.");
+                reporter.Error($"Unknown key format '{exportFormat.Value()}'.");
                 return InvalidKeyExportFormat;
             }
 
             var result = manager.EnsureAspNetCoreHttpsDevelopmentCertificate(
                 now,
                 now.Add(HttpsCertificateValidity),
                 exportPath.Value(),
-                trust == null ? false : trust.HasValue(),
+                trust == null ? false : trust.HasValue() && !RuntimeInformation.IsOSPlatform(OSPlatform.Linux),
                 password.HasValue() || (noPassword.HasValue() && format == CertificateKeyExportFormat.Pem),
                 password.Value(),
-                keyFormat.HasValue() ? format : CertificateKeyExportFormat.Pfx);
+                exportFormat.HasValue() ? format : CertificateKeyExportFormat.Pfx);
 
             switch (result)
             {

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ namespace Microsoft.AspNetCore.Certificates.Generation`
`15`	`15`	`{`
`16`	`16`	`internal abstract class CertificateManager`
`17`	`17`	`{`
	`18`	`+ internal const int CurrentAspNetCoreCertificateVersion = 2;`
`18`	`19`	`internal const string AspNetHttpsOid = "1.3.6.1.4.1.311.84.1.1";`
`19`	`20`	`internal const string AspNetHttpsOidFriendlyName = "ASP.NET Core HTTPS development certificate";`
`20`	`21`
`@@ -45,7 +46,7 @@ public int AspNetHttpsCertificateVersion`
`45`	`46`
`46`	`47`	`public string Subject { get; }`
`47`	`48`
`48`		`- public CertificateManager() : this(LocalhostHttpsDistinguishedName, 1)`
	`49`	`+ public CertificateManager() : this(LocalhostHttpsDistinguishedName, CurrentAspNetCoreCertificateVersion)`
`49`	`50`	`{`
`50`	`51`	`}`
`51`	`52`
`@@ -86,10 +87,8 @@ public IList<X509Certificate2> ListCertificates(`
`86`	`87`	`Log.CheckCertificatesValidity();`
`87`	`88`	`var now = DateTimeOffset.Now;`
`88`	`89`	`var validCertificates = matchingCertificates`
`89`		`- .Where(c => c.NotBefore <= now &&`
`90`		`- now <= c.NotAfter &&`
`91`		`- (!requireExportable \|\| IsExportable(c))`
`92`		`- && MatchesVersion(c))`
	`90`	`+ .Where(c => IsValidCertificate(c, now, requireExportable))`
	`91`	`+ .OrderByDescending(c => GetCertificateVersion(c))`
`93`	`92`	`.ToArray();`
`94`	`93`
`95`	`94`	`var invalidCertificates = matchingCertificates.Except(validCertificates);`
`@@ -123,7 +122,7 @@ bool HasOid(X509Certificate2 certificate, string oid) =>`
`123`	`122`	`certificate.Extensions.OfType<X509Extension>()`
`124`	`123`	`.Any(e => string.Equals(oid, e.Oid.Value, StringComparison.Ordinal));`
`125`	`124`
`126`		`- bool MatchesVersion(X509Certificate2 c)`
	`125`	`+ static byte GetCertificateVersion(X509Certificate2 c)`
`127`	`126`	`{`
`128`	`127`	`var byteArray = c.Extensions.OfType<X509Extension>()`
`129`	`128`	`.Where(e => string.Equals(AspNetHttpsOid, e.Oid.Value, StringComparison.Ordinal))`
`@@ -133,14 +132,20 @@ bool MatchesVersion(X509Certificate2 c)`
`133`	`132`	`if ((byteArray.Length == AspNetHttpsOidFriendlyName.Length && byteArray[0] == (byte)'A') \|\| byteArray.Length == 0)`
`134`	`133`	`{`
`135`	`134`	`// No Version set, default to 0`
`136`		`- return 0 >= AspNetHttpsCertificateVersion;`
	`135`	`+ return 0b0;`
`137`	`136`	`}`
`138`	`137`	`else`
`139`	`138`	`{`
`140`	`139`	`// Version is in the only byte of the byte array.`
`141`		`- return byteArray[0] >= AspNetHttpsCertificateVersion;`
	`140`	`+ return byteArray[0];`
`142`	`141`	`}`
`143`	`142`	`}`
	`143`	`+`
	`144`	`+ bool IsValidCertificate(X509Certificate2 certificate, DateTimeOffset currentDate, bool requireExportable) =>`
	`145`	`+ certificate.NotBefore <= currentDate &&`
	`146`	`+ currentDate <= certificate.NotAfter &&`
	`147`	`+ (!requireExportable \|\| IsExportable(certificate)) &&`
	`148`	`+ GetCertificateVersion(certificate) >= AspNetHttpsCertificateVersion;`
`144`	`149`	`}`
`145`	`150`
`146`	`151`	`public IList<X509Certificate2> GetHttpsCertificates() =>`
`@@ -448,7 +453,14 @@ internal void ExportCertificate(X509Certificate2 certificate, string path, bool`
`448`	`453`	`}`
`449`	`454`	`else`
`450`	`455`	`{`
`451`		`- bytes = certificate.Export(X509ContentType.Cert);`
	`456`	`+ if (format == CertificateKeyExportFormat.Pem)`
	`457`	`+ {`
	`458`	`+ bytes = Encoding.ASCII.GetBytes(PemEncoding.Write("CERTIFICATE", certificate.Export(X509ContentType.Cert)));`
	`459`	`+ }`
	`460`	`+ else`
	`461`	`+ {`
	`462`	`+ bytes = certificate.Export(X509ContentType.Cert);`
	`463`	`+ }`
`452`	`464`	`}`
`453`	`465`	`}`
`454`	`466`	`catch (Exception e)`