[release/7.0-staging] Fix exporting certificate keys on macOS 14.4. #99779

Merged


vcsjones
Member

@vcsjones vcsjones commented Mar 14, 2024

Backport of #99768 to release/7.0-staging

/cc @vcsjones @bartonjs

Customer Impact

  • Customer reported
  • Found internally

Reported by customers in #99735. Apple made a change in macOS 14.4 that prevented private keys from X509Certificate2 from exporting. This affected customers that used APIs to get the exported key from a certificate in the macOS keychain.

Regression

  • Yes
  • No
  • OS Behavior Change

Apple changed the error code returned by one of their APIs. The change caused our error handling logic to not handle a recoverable error and instead treat it as an uncaught error.

Testing

Unit tests were added to prevent the fix from regressing.

Risk

Low. The change only affects macOS-specific code and adds another error code to an already existing error handling path. The fix simply ensures we take the same error handling path with the new error code, in addition to the old one.

Apple changed the error code we get back from a failed data-key export. This caused us to not attempt to export the key using the legacy APIs and assume the key export failed. This change adds the additional error code returned from macOS 14.4.
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@bartonjs bartonjs added the Servicing-consider Issue for next servicing release review label Mar 18, 2024
@bartonjs
Member

Approved via email.

@bartonjs bartonjs added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Mar 19, 2024
@bartonjs
Member

All failures look to be known.

@bartonjs bartonjs merged commit b880b97 into dotnet:release/7.0-staging Mar 19, 2024
111 of 120 checks passed
@vcsjones vcsjones deleted the backport-99768-to-release-7.0 branch March 19, 2024 00:54
@github-actions github-actions bot locked and limited conversation to collaborators Apr 18, 2024
Labels
area-System.Security Servicing-approved Approved for servicing release