|
| 1 | +using System.Runtime.InteropServices; |
| 2 | +using System.Security.Cryptography.X509Certificates; |
| 3 | + |
| 4 | +namespace CertHelper; |
| 5 | + |
| 6 | +/// <summary> |
| 7 | +/// Abstraction over where the local perf certificates live. On Windows and Linux this is |
| 8 | +/// backed by the CurrentUser\My <see cref="X509Store"/>. On macOS the CurrentUser\My store maps |
| 9 | +/// to the login Keychain, which cannot export a private key back out without an interactive |
| 10 | +/// password prompt, so a file-backed store is used instead. |
| 11 | +/// </summary> |
| 12 | +public interface ILocalCertStore |
| 13 | +{ |
| 14 | + /// <summary> |
| 15 | + /// Returns the certificates currently persisted in the local store. |
| 16 | + /// </summary> |
| 17 | + X509Certificate2Collection GetCertificates(); |
| 18 | + |
| 19 | + /// <summary> |
| 20 | + /// Replaces <paramref name="certsToRemove"/> with <paramref name="certsToAdd"/> in the local store. |
| 21 | + /// </summary> |
| 22 | + void Rotate(X509Certificate2Collection certsToRemove, X509Certificate2Collection certsToAdd); |
| 23 | +} |
| 24 | + |
| 25 | +/// <summary> |
| 26 | +/// Picks the appropriate <see cref="ILocalCertStore"/> for the current operating system. |
| 27 | +/// </summary> |
| 28 | +public static class LocalCertStoreFactory |
| 29 | +{ |
| 30 | + public static ILocalCertStore Create() |
| 31 | + { |
| 32 | + if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX)) |
| 33 | + { |
| 34 | + return new FileLocalCertStore(); |
| 35 | + } |
| 36 | + |
| 37 | + return new X509LocalCertStore(); |
| 38 | + } |
| 39 | +} |
| 40 | + |
| 41 | +/// <summary> |
| 42 | +/// <see cref="ILocalCertStore"/> backed by the CurrentUser\My <see cref="X509Store"/>. |
| 43 | +/// Used on Windows and Linux where the managed store fully supports adding certificates with |
| 44 | +/// private keys and exporting them back out. |
| 45 | +/// </summary> |
| 46 | +public class X509LocalCertStore : ILocalCertStore |
| 47 | +{ |
| 48 | + private readonly IX509Store _store; |
| 49 | + |
| 50 | + public X509LocalCertStore(IX509Store? store = null) |
| 51 | + { |
| 52 | + // Open read-write by default so rotation works. TestableX509Store opens the store in its |
| 53 | + // constructor, so GetCertificates and Rotate both operate on the same already-open handle. |
| 54 | + _store = store ?? new TestableX509Store(OpenFlags.ReadWrite); |
| 55 | + } |
| 56 | + |
| 57 | + public X509Certificate2Collection GetCertificates() |
| 58 | + { |
| 59 | + return _store.Certificates; |
| 60 | + } |
| 61 | + |
| 62 | + public void Rotate(X509Certificate2Collection certsToRemove, X509Certificate2Collection certsToAdd) |
| 63 | + { |
| 64 | + var store = _store.GetX509Store(); |
| 65 | + store.RemoveRange(certsToRemove); |
| 66 | + store.AddRange(certsToAdd); |
| 67 | + } |
| 68 | +} |
| 69 | + |
| 70 | +/// <summary> |
| 71 | +/// <see cref="ILocalCertStore"/> that persists certificates as PFX files in a known directory. |
| 72 | +/// Used on macOS where the OS certificate store (login Keychain) cannot export a private key |
| 73 | +/// without an interactive password prompt. Files are named by thumbprint so that the on-disk |
| 74 | +/// state can be reconciled exactly with the desired set on rotation. |
| 75 | +/// </summary> |
| 76 | +public class FileLocalCertStore : ILocalCertStore |
| 77 | +{ |
| 78 | + // Matches the directory the perf Mac hosts historically used for pre-provisioned certificates. |
| 79 | + public const string DefaultDirectory = "/Users/helix-runner/certs"; |
| 80 | + |
| 81 | + private readonly string _directory; |
| 82 | + |
| 83 | + public FileLocalCertStore(string? directory = null) |
| 84 | + { |
| 85 | + _directory = directory ?? DefaultDirectory; |
| 86 | + } |
| 87 | + |
| 88 | + public X509Certificate2Collection GetCertificates() |
| 89 | + { |
| 90 | + var certificates = new X509Certificate2Collection(); |
| 91 | + if (!Directory.Exists(_directory)) |
| 92 | + { |
| 93 | + return certificates; |
| 94 | + } |
| 95 | + |
| 96 | + foreach (var file in Directory.EnumerateFiles(_directory, "*.pfx")) |
| 97 | + { |
| 98 | + try |
| 99 | + { |
| 100 | + var bytes = File.ReadAllBytes(file); |
| 101 | +#if NET9_0_OR_GREATER |
| 102 | + certificates.Add(X509CertificateLoader.LoadPkcs12(bytes, "", X509KeyStorageFlags.Exportable)); |
| 103 | +#else |
| 104 | + certificates.Add(new X509Certificate2(bytes, "", X509KeyStorageFlags.Exportable)); |
| 105 | +#endif |
| 106 | + } |
| 107 | + catch (Exception ex) |
| 108 | + { |
| 109 | + // Skip files that cannot be loaded; they will be treated as missing and trigger bootstrap/rotation. |
| 110 | + Console.Error.WriteLine($"Failed to load certificate from {file}: {ex.Message}"); |
| 111 | + } |
| 112 | + } |
| 113 | + |
| 114 | + return certificates; |
| 115 | + } |
| 116 | + |
| 117 | + public void Rotate(X509Certificate2Collection certsToRemove, X509Certificate2Collection certsToAdd) |
| 118 | + { |
| 119 | + Directory.CreateDirectory(_directory); |
| 120 | + |
| 121 | + // Clear the existing PFX files so the on-disk state matches the desired set exactly. |
| 122 | + foreach (var file in Directory.EnumerateFiles(_directory, "*.pfx")) |
| 123 | + { |
| 124 | + File.Delete(file); |
| 125 | + } |
| 126 | + |
| 127 | + foreach (var cert in certsToAdd) |
| 128 | + { |
| 129 | + var path = Path.Combine(_directory, $"{cert.Thumbprint}.pfx"); |
| 130 | + File.WriteAllBytes(path, cert.Export(X509ContentType.Pfx)); |
| 131 | + RestrictToOwner(path); |
| 132 | + } |
| 133 | + } |
| 134 | + |
| 135 | + // Private keys are written to disk as unprotected PFX files. On macOS (the only platform that |
| 136 | + // uses this file-backed store) restrict them to owner read/write so the keys are not exposed if |
| 137 | + // the directory permissions or umask are permissive. |
| 138 | + private static void RestrictToOwner(string path) |
| 139 | + { |
| 140 | + if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX)) |
| 141 | + { |
| 142 | + File.SetUnixFileMode(path, UnixFileMode.UserRead | UnixFileMode.UserWrite); |
| 143 | + } |
| 144 | + } |
| 145 | +} |
0 commit comments