Proper fix for compilation issue caused by deprecated API in Mojave (d…

…otnet#30815) * Proper fix for compilation issue caused by deprecated API in macOS Mojave by using dlsym to call available API rather than suppressing deprecation warnings. Fixes: #30599
eerhardt · Jul 10, 2018 · 92b4826 · 92b4826
1 parent 188e174
commit 92b4826
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 6 deletions.
diff --git a/src/Native/Unix/System.Security.Cryptography.Native.Apple/CMakeLists.txt b/src/Native/Unix/System.Security.Cryptography.Native.Apple/CMakeLists.txt
@@ -25,9 +25,6 @@ set(NATIVECRYPTO_SOURCES
     pal_x509chain.c
 )
 
-# Temporary workaround for dotnet/corefx issue #30599
-add_compile_options(-Wno-deprecated-declarations)
-
 add_library(System.Security.Cryptography.Native.Apple
     SHARED
     ${NATIVECRYPTO_SOURCES}

diff --git a/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_x509.c b/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_x509.c
@@ -3,9 +3,14 @@
 // See the LICENSE file in the project root for more information.
 
 #include "pal_x509.h"
+#include <dlfcn.h>
+#include <pthread.h>
 
 static const int32_t kErrOutItemsNull = -3;
 static const int32_t kErrOutItemsEmpty = -2;
+static pthread_once_t once = PTHREAD_ONCE_INIT;
+static SecKeyRef (*secCertificateCopyKey)(SecCertificateRef);
+static OSStatus (*secCertificateCopyPublicKey)(SecCertificateRef, SecKeyRef*);
 
 typedef const struct OpaqueSecCertificateRef * ConstSecCertificateRef;
 typedef const struct OpaqueSecIdentityRef * ConstSecIdentityRef;
@@ -41,6 +46,12 @@ AppleCryptoNative_X509DemuxAndRetainHandle(CFTypeRef handle, SecCertificateRef*
     return 1;
 }
 
+static void InitCertificateCopy()
+{
+    secCertificateCopyKey = (SecKeyRef (*)(SecCertificateRef))dlsym(RTLD_DEFAULT, "SecCertificateCopyKey");
+    secCertificateCopyPublicKey = (OSStatus (*)(SecCertificateRef, SecKeyRef*))dlsym(RTLD_DEFAULT, "SecCertificateCopyPublicKey");
+}
+
 int32_t
 AppleCryptoNative_X509GetPublicKey(SecCertificateRef cert, SecKeyRef* pPublicKeyOut, int32_t* pOSStatusOut)
 {
@@ -50,9 +61,23 @@ AppleCryptoNative_X509GetPublicKey(SecCertificateRef cert, SecKeyRef* pPublicKey
         *pOSStatusOut = noErr;
 
     if (cert == NULL || pPublicKeyOut == NULL || pOSStatusOut == NULL)
-        return kErrorBadInput;
+        return kErrorUnknownState;
 
-    *pOSStatusOut = SecCertificateCopyPublicKey(cert, pPublicKeyOut);
+    pthread_once (&once, InitCertificateCopy);
+    // SecCertificateCopyPublicKey was deprecated in 10.14, so use SecCertificateCopyKey on the systems that have it (10.14+),
+    // and SecCertificateCopyPublicKey on the systems that don’t.
+    if (secCertificateCopyKey != NULL)
+    {
+        *pPublicKeyOut = (*secCertificateCopyKey)(cert);
+    }
+    else if (secCertificateCopyPublicKey != NULL)
+    {
+        *pOSStatusOut = (*secCertificateCopyPublicKey)(cert, pPublicKeyOut);
+    }
+    else
+    {
+        return kErrorBadInput;
+    }
     return (*pOSStatusOut == noErr);
 }
 

diff --git a/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_x509.h b/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_x509.h
@@ -42,7 +42,7 @@ Returns 1 on success, 0 on failure, any other value on invalid state.
 
 Output:
 pPublicKeyOut: Receives a CFRetain()ed SecKeyRef for the public key
-pOSStatusOut: Receives the result of SecCertificateCopyPublicKey
+pOSStatusOut: Receives the result of SecCertificateCopyKey or SecCertificateCopyPublicKey, depending on the OS version.
 */
 DLLEXPORT int32_t
 AppleCryptoNative_X509GetPublicKey(SecCertificateRef cert, SecKeyRef* pPublicKeyOut, int32_t* pOSStatusOut);

diff --git a/...ystem.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/X509Pal.cs b/...ystem.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/X509Pal.cs
@@ -33,6 +33,11 @@ public AsymmetricAlgorithm DecodePublicKey(Oid oid, byte[] encodedKeyValue, byte
                         case Oids.RsaRsa:
                             return new RSAImplementation.RSASecurityTransforms(key);
                         case Oids.DsaDsa:
+                            if (key.IsInvalid) 
+                            {
+                                // SecCertificateCopyKey returns null for DSA, so fall back to manually building it.
+                                return DecodeDsaPublicKey(encodedKeyValue, encodedParameters);
+                            } 
                             return new DSAImplementation.DSASecurityTransforms(key);
                         case Oids.Ecc:
                             return new ECDsaImplementation.ECDsaSecurityTransforms(key);