[release/9.0-staging] Ensure proper cleanup of key files when not persisting them (#109844)

github-actions[bot] · bartonjs · web-flow · commit 2c860a73136a · 2024-11-25T23:50:07.000-08:00
* Ensure proper cleanup of key files when not persisting them

Code inspection suggested that keys imported into the CNG MachineKey store
from PFXImportCertStore were not getting properly cleaned up.  This change
adds tests that prove that supposition, and then fixes the bug so they pass.

* Support systems that have never had CAPI-DSS

* Review feedback

* Bump keysize to 2048
  * This caused the tests to be too slow, so reuse 6 random keys for all of them
* Remove the random ordering in machine-or-user for defaultkeyset (try both ways)
* Remove incorrect copy/paste comment
* Remove bad nullable annotation

---------

Co-authored-by: Jeremy Barton &lt;jbarton@microsoft.com&gt;
diff --git a/src/libraries/Common/src/Microsoft/Win32/SafeHandles/SafeCertContextHandleWithKeyContainerDeletion.cs b/src/libraries/Common/src/Microsoft/Win32/SafeHandles/SafeCertContextHandleWithKeyContainerDeletion.cs
@@ -50,10 +50,16 @@ internal static void DeleteKeyContainer(SafeCertContextHandle pCertContext)
 
                         string providerName = Marshal.PtrToStringUni((IntPtr)(pProvInfo->pwszProvName))!;
                         string keyContainerName = Marshal.PtrToStringUni((IntPtr)(pProvInfo->pwszContainerName))!;
+                        CngKeyOpenOptions openOpts = CngKeyOpenOptions.None;
+
+                        if ((pProvInfo->dwFlags & Interop.Crypt32.CryptAcquireContextFlags.CRYPT_MACHINE_KEYSET) != 0)
+                        {
+                            openOpts = CngKeyOpenOptions.MachineKey;
+                        }
 
                         try
                         {
-                            using (CngKey cngKey = CngKey.Open(keyContainerName, new CngProvider(providerName)))
+                            using (CngKey cngKey = CngKey.Open(keyContainerName, new CngProvider(providerName), openOpts))
                             {
                                 cngKey.Delete();
                             }
diff --git a/src/libraries/System.Security.Cryptography/tests/System.Security.Cryptography.Tests.csproj b/src/libraries/System.Security.Cryptography/tests/System.Security.Cryptography.Tests.csproj
@@ -513,7 +513,8 @@
              Link="Common\Interop\Windows\Crypt32\Interop.MsgEncodingType.cs" />
     <Compile Include="$(CommonPath)Interop\Windows\Interop.Libraries.cs"
              Link="Common\Interop\Windows\Interop.Libraries.cs" />
-  <Compile Include="X509Certificates\InteropTests.Windows.cs" />
+    <Compile Include="X509Certificates\InteropTests.Windows.cs" />
+    <Compile Include="X509Certificates\X509FilesystemTests.Windows.cs" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="$(CommonTestPath)StreamConformanceTests\StreamConformanceTests.csproj" />
diff --git a/src/libraries/System.Security.Cryptography/tests/X509Certificates/X509FilesystemTests.Windows.cs b/src/libraries/System.Security.Cryptography/tests/X509Certificates/X509FilesystemTests.Windows.cs

Original file line number	Diff line number	Diff line change
`@@ -50,10 +50,16 @@ internal static void DeleteKeyContainer(SafeCertContextHandle pCertContext)`
`50`	`50`
`51`	`51`	`string providerName = Marshal.PtrToStringUni((IntPtr)(pProvInfo->pwszProvName))!;`
`52`	`52`	`string keyContainerName = Marshal.PtrToStringUni((IntPtr)(pProvInfo->pwszContainerName))!;`
	`53`	`+ CngKeyOpenOptions openOpts = CngKeyOpenOptions.None;`
	`54`	`+`
	`55`	`+ if ((pProvInfo->dwFlags & Interop.Crypt32.CryptAcquireContextFlags.CRYPT_MACHINE_KEYSET) != 0)`
	`56`	`+ {`
	`57`	`+ openOpts = CngKeyOpenOptions.MachineKey;`
	`58`	`+ }`
`53`	`59`
`54`	`60`	`try`
`55`	`61`	`{`
`56`		`- using (CngKey cngKey = CngKey.Open(keyContainerName, new CngProvider(providerName)))`
	`62`	`+ using (CngKey cngKey = CngKey.Open(keyContainerName, new CngProvider(providerName), openOpts))`
`57`	`63`	`{`
`58`	`64`	`cngKey.Delete();`
`59`	`65`	`}`