dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

Cannot read certificates from MAUI App on macOS #100133

Open MassimoTC opened 3 months ago

MassimoTC commented 3 months ago

Description

Hi, I created a MAUI App with Visual Studio 2022 (version 17.6.10) on macOS version 13.6.3. The goal is to read the certificates stored on the machine, but I get no result.

The code used on the MAUI app is this:

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

string s = ""; // collects the same lines for display in the MAUI UI

foreach (StoreLocation storeLocation in (StoreLocation[])Enum.GetValues(typeof(StoreLocation)))
{
    foreach (StoreName storeName in (StoreName[])Enum.GetValues(typeof(StoreName)))
    {
        X509Store store = new X509Store(storeName, storeLocation);

        try
        {
            // Open throws if the store does not exist or cannot be opened
            store.Open(OpenFlags.OpenExistingOnly);

            Console.WriteLine("Yes    {0,4}  {1}, {2}",
                store.Certificates.Count, store.Name, store.Location);
            s += $"Yes    {store.Certificates.Count}  {store.Name}, {store.Location}" + Environment.NewLine;

            foreach (var c in store.Certificates)
            {
                Console.WriteLine($"name {c.Subject}");
                s += $"name {c.Subject}" + Environment.NewLine;
            }
        }
        catch (CryptographicException)
        {
            Console.WriteLine("No           {0}, {1}", store.Name, store.Location);
            s += $"No {store.Name} {store.Location}" + Environment.NewLine;
        }
    }
}

The output is this:

No AddressBook CurrentUser
No AuthRoot CurrentUser
No CA CurrentUser
Yes 0 Disallowed, CurrentUser
Yes 0 My, CurrentUser
No Root CurrentUser
No TrustedPeople CurrentUser
No TrustedPublisher CurrentUser
No AddressBook LocalMachine
No AuthRoot LocalMachine
No CA LocalMachine
No Disallowed LocalMachine
No My LocalMachine
No Root LocalMachine
No TrustedPeople LocalMachine
No TrustedPublisher LocalMachine

The same code used on a console application runs correctly with this output:

No AddressBook, CurrentUser
No AuthRoot, CurrentUser
No CA, CurrentUser
Yes 0 Disallowed, CurrentUser
Yes 50 My, CurrentUser
Yes 0 Root, CurrentUser
No TrustedPeople, CurrentUser
No TrustedPublisher, CurrentUser
No AddressBook, LocalMachine
No AuthRoot, LocalMachine
No CA, LocalMachine
Yes 0 Disallowed, LocalMachine
Yes 4 My, LocalMachine
Yes 158 Root, LocalMachine
No TrustedPeople, LocalMachine
No TrustedPublisher, LocalMachine

Why doesn't the MAUI app show the certificates correctly?

Thanks

Steps to Reproduce

No response

Link to public reproduction project repository

No response

Version with bug

8.0.7 SR2

Is this a regression from previous behavior?

Not sure, did not test other versions

Last version that worked well

Unknown/Other

Affected platforms

macOS

Affected platform versions

macOS 13.6.3

Did you find any workaround?

No response

Relevant log output

No response

jfversluis commented 3 months ago

Moving to runtime, this is not something specific to .NET MAUI, rather the underlying runtime implementation.

filipnavara commented 3 months ago

I am going to assume that it's a Mac Catalyst build. In Mac Catalyst we are restricted to iOS KeyChain APIs where the keychains are private to the app, and system ones are not exposed.

filipnavara commented 3 months ago

To further expand on the previous statement, the necessary APIs are not available to Mac Catalyst apps. In fact, they are deprecated on macOS as well: https://developer.apple.com/documentation/security/1396431-seckeychainopen?language=objc

MassimoTC commented 3 months ago

Thank you for the reply. Yes, it's a Mac Catalyst build. My goal is to write an app that can run both on Windows and macOS to read the user certificates. Do you have any advice on how to do it?

Thanks

vcsjones commented 3 months ago

read the user certificates

In the Catalyst, and iOS security model, there really is no such thing as a “user” certificate. Certificates and Identities are partitioned by your application’s access group. macOS has such a concept, but they are hidden from the sandbox behavior of Catalyst.

This technical article from Apple has some background: https://developer.apple.com/library/archive/qa/qa1745/_index.html

To use digital identities in your own apps, you will need to write code to import them. This typically means reading in a PKCS#12-formatted blob and then importing the contents of the blob into the app's keychain.

In .NET, that means your application needs to import the Identity with X509Chain in read+write mode and add the certificate and key to your application’s certificate store.
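The import flow described in the thread, written out as an added example (this is not code from the issue, from the runtime, or from the commenters). It builds a throwaway PKCS#12 blob in memory so it runs offline, imports the identity into the CurrentUser/My store opened with ReadWrite, then finds it again by thumbprint and uses its private key. On Mac Catalyst and iOS that store is the app's own keychain access group, which is why the probe above sees My as present but empty until the app itself adds something; the same code run as a macOS console app writes to the user's login keychain instead, so expect a keychain prompt there. The certificate subject, the password and the RSA key size are arbitrary values chosen for the sample.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class IdentityImport
{
    // Constructed input: a self-signed identity exported as PKCS#12.
    // In a real app the blob comes from a file, an MDM payload or a download.
    public static byte[] MakeSamplePkcs12(string password)
    {
        using var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=example-identity", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1));
        return cert.Export(X509ContentType.Pkcs12, password);
    }

    // Parse the PKCS#12 blob and add certificate + private key to the app's store.
    // Returns the thumbprint so the identity can be located again later.
    public static string ImportIdentity(byte[] pkcs12, string password)
    {
        using var identity = new X509Certificate2(pkcs12, password);
        if (!identity.HasPrivateKey)
            throw new CryptographicException("PKCS#12 blob contains no private key");

        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite | OpenFlags.OpenExistingOnly);
        store.Add(identity);
        return identity.Thumbprint;
    }

    // On a later launch: find the imported identity and sign with its key.
    public static byte[] SignWithStoredIdentity(string thumbprint, byte[] data)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

        // validOnly:false, otherwise the self-signed sample (no trusted root) is filtered out
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException("identity not found in the app's store");

        using var identity = matches[0];
        using var rsa = identity.GetRSAPrivateKey()
            ?? throw new CryptographicException("stored identity has no RSA private key");
        return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Clean up so the sample does not leave a test identity in the keychain.
    public static void RemoveIdentity(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite | OpenFlags.OpenExistingOnly);
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        foreach (var cert in matches)
            store.Remove(cert);
    }

    public static void Main()
    {
        const string password = "sample-password"; // protects only the in-memory sample blob
        byte[] blob = MakeSamplePkcs12(password);
        string thumb = ImportIdentity(blob, password);
        byte[] sig = SignWithStoredIdentity(thumb, Encoding.UTF8.GetBytes("hello"));
        Console.WriteLine($"imported {thumb}, produced a {sig.Length}-byte signature");
        RemoveIdentity(thumb);
    }
}
```

Two points worth checking in a real app: verify the issuer and key usage of whatever you import rather than trusting any PKCS#12 the user hands you, and keep the import password out of logs and crash reports, since on these platforms the app keychain is the only place the key will live.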