Fixing X509Certificate2Collection.Export on Unix with multiple certs and private key

[ayende]

See previous discussion of this bug here: https://github.com/dotnet/corefx/issues/26125

This passes tests on Ubuntu 16.04 machine

[ayende]

There are test failures on OSX, see:

   at Interop.AppleCrypto.X509Export(X509ContentType contentType, SafeCreateHandle cfPassphrase, IntPtr[] certHandles) in /Users/dotnet-bot/j/workspace/dotnet_corefx/master/osx-TGroup_netcoreapp+CGroup_Debug+AGroup_x64+TestOuter_false_prtest/src/Common/src/Interop/OSX/System.Security.Cryptography.Native.Apple/Interop.X509.cs:line 410
   at Interop.AppleCrypto.X509ExportPfx(IntPtr[] certHandles, SafePasswordHandle exportPassword) in /Users/dotnet-bot/j/workspace/dotnet_corefx/master/osx-TGroup_netcoreapp+CGroup_Debug+AGroup_x64+TestOuter_false_prtest/src/Common/src/Interop/OSX/System.Security.Cryptography.Native.Apple/Interop.X509.cs:line 443
   at Internal.Cryptography.Pal.StorePal.AppleCertificateExporter.ExportPkcs12(SafePasswordHandle password) in /Users/dotnet-bot/j/workspace/dotnet_corefx/master/osx-TGroup_netcoreapp+CGroup_Debug+AGroup_x64+TestOuter_false_prtest/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/StorePal.ExportPal.cs:line 93
   at Internal.Cryptography.Pal.StorePal.AppleCertificateExporter.Export(X509ContentType contentType, SafePasswordHandle password) in /Users/dotnet-bot/j/workspace/dotnet_corefx/master/osx-TGroup_netcoreapp+CGroup_Debug+AGroup_x64+TestOuter_false_prtest/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/StorePal.ExportPal.cs:line 45
   at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Export(X509ContentType contentType, String password) in /Users/dotnet-bot/j/workspace/dotnet_corefx/master/osx-TGroup_netcoreapp+CGroup_Debug+AGroup_x64+TestOuter_false_prtest/src/System.Security.Cryptography.X509Certificates/src/System/Security/Cryptography/X509Certificates/X509Certificate2Collection.cs:line 116
   at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Export(X509ContentType contentType) in /Users/dotnet-bot/j/workspace/dotnet_corefx/master/osx-TGroup_netcoreapp+CGroup_Debug+AGroup_x64+TestOuter_false_prtest/src/System.Security.Cryptography.X509Certificates/src/System/Security/Cryptography/X509Certificates/X509Certificate2Collection.cs:line 108
   at System.Security.Cryptography.X509Certificates.Tests.CollectionExportTests.CanAddMultipleCertsWithoutPrivate() in /Users/dotnet-bot/j/workspace/dotnet_corefx/master/osx-TGroup_netcoreapp+CGroup_Debug+AGroup_x64+TestOuter_false_prtest/src/System.Security.Cryptography.X509Certificates/tests/CollectionExportTests.cs:line 37

This is for the test that test the existing (and correct) behavior, so I think that this was the case before my changed, but there was no test to trigger this behavior.
I also don't have an OSX available to test this.

There is also the Centos.73.Amd64.Open-Release-x64 failure, but I'm not sure if this is related, although the error is crypto related, so it might be, but any other Linux run was successful?

[bartonjs]

Improper use of var, please specify the type.

[bartonjs]

Grammar: Something like "ensure cert handles aren't finalized while the raw handles are in use"

[bartonjs]

RSA.Create. Never RSACryptoServiceProvider.

[bartonjs]

When the new test moves to the other file I'd just continue using the test certificates that the rest of the library does, though.

[ayende]

When the new test moves to the other file

I don't follow what you mean here?

[bartonjs]

Improper var (just return the value)

[bartonjs]

Using two different names seems better. Also, this test is redundant to CollectionTests::ExportUnrelatedPfx.

[ayende]

I don't think that it tests the same thing, in particular, this test is testing the actual fix, and if it was duplicating the other, it wouldn't be needed, because ExportUnrelatedPfx would already be breaking on Linux.

In particular, ExportUnrelatedPfx isn't testing certs with private keys.

[bartonjs]

I, personally, prefer reading RawData than calling Export(Cert). They're the same thing, though.

[bartonjs]

All allocated certificates must be explicitly disposed (so that this test library can be run with finalization detection enabled to see if anything in the X509Certificates library is causing finalization)

[bartonjs]

I'd add this in CollectionTests.cs, at around line 867.

[bartonjs]

Improper use of var, please specify the type.

[bartonjs]

Please import via Cert.Import and the ImportedCollection disposable class. (See CollectionTests.ExportUnrelatedPfx for an example)

[bartonjs]

Thanks for jumping on this. Aside from a bad use of var it's just some test hygiene stuff to be changed.

There are test failures on OSX ... but there was no test to trigger this behavior.

Actually, there is 😄.

corefx/src/System.Security.Cryptography.X509Certificates/tests/CollectionTests.cs

Lines 735 to 737 in 71ff5e9

	[Fact]
	[ActiveIssue(16705, TestPlatforms.OSX)]
	public static void ExportUnrelatedPfx()

[ayende]

Okay, updated the PR based on the review, thanks.

[bartonjs]

@dotnet-bot Test OSX x64 Debug Build please
Test Windows x86 Release Build please
Test CROSS Check please

[bartonjs]

@ayende I pulled this down on a mac, and it looks like there's something different making it fail on macOS. If you want to add [ActiveIssue(26397, TestPlatforms.OSX)] to the test (to match the new issue that I just opened for macOS) then we should be able to merge this and at least get Linux fixed.

[ayende]

@bartonjs Done

[bartonjs]

@dotnet-bot Test Linux x64 Release Build please
Test UWP CoreCLR x64 Debug Build please
Test Windows x64 Debug Build please
Test Windows x86 Release Build please

[bartonjs]

@dotnet-bot Test Windows x64 Debug Build please (#26349)
@dotnet-bot Test Linux x64 Release Build please (drawing segfault?)

[bartonjs]

Thanks for taking care of this, @ayende.