Add PEM exports to certificates #59674
Conversation
This implements PEM export on X509Certificate2 and X509Certificate2Collection.
ghost
added
the
community-contribution
|
Note regarding the This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, to please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change. |
|
Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks Issue DetailsThis implements PEM export on X509Certificate2 and X509Certificate2Collection. Contributes to #51630.
|
src/libraries/System.Security.Cryptography.X509Certificates/tests/CollectionTests.cs
Show resolved
Hide resolved
...Certificates/src/System/Security/Cryptography/X509Certificates/X509Certificate2Collection.cs
Show resolved
Hide resolved
| public static void TryExportCertificatePems_Empty() | ||
| { | ||
| X509Certificate2Collection cc = new X509Certificate2Collection(); | ||
| AssertPemExport(cc, string.Empty); |
There was a problem hiding this comment.
Nit: Mis-aligned
| AssertPemExport(cc, string.Empty); | |
| AssertPemExport(cc, string.Empty); |
...Certificates/src/System/Security/Cryptography/X509Certificates/X509Certificate2Collection.cs
Show resolved
Hide resolved
| string pkcs7Pem = collection.ExportPkcs7Pem(); | ||
| AssertPem(collection, pkcs7Pem); | ||
|
|
||
| Span<char> pkcs7Buffer = new char[pkcs7Pem.Length]; |
There was a problem hiding this comment.
Should we give this one the full Goldilocks? (One too short (done), one too long (missing), one just right (done)).
| @@ -1640,6 +1690,71 @@ private static void TestExportStore(X509ContentType ct) | |||
| } | |||
| } | |||
|
|
|||
| private static void AssertPemExport(X509Certificate2Collection collection, string expectedContents) | |||
| { | |||
| Span<char> buffer = new char[expectedContents.Length]; | |||
There was a problem hiding this comment.
Do we think "bigger than needed" is an interesting case here?
There was a problem hiding this comment.
Eh, interesting enough to make you leave a remark, so, let's say yes and add a test case for it.
| "MAoGCCqGSM49BAMCA0cAMEQCIHafyKHQhv+03DaOJpuotD+jNu0Nc9pUI9OA8pUY\n" + | ||
| "3+qJAiBsqKjtc8LuGtUoqGvxLLQJwJ2QNY/qyEGtaImlqTYg5w==\n" + | ||
| "-----END CERTIFICATE-----"; | ||
| using ImportedCollection ic = Cert.ImportFromPem(SinglePem); |
There was a problem hiding this comment.
While the repository, collectively, is OK with braceless usings in test code, I'll make one plea to keep the braces :)
There was a problem hiding this comment.
Your house, your rules 😄.
src/libraries/System.Security.Cryptography.X509Certificates/tests/CollectionTests.cs
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.X509Certificates/tests/CollectionTests.cs
Show resolved
Hide resolved
| pemCount++; | ||
| } | ||
|
|
||
| Assert.Equal(1, pemCount); |
There was a problem hiding this comment.
This test is what inspired me to ask the tighter export elsewhere. Seems like we can simplify the code, and increase the amount of stuff that the test covers, if we just take an existing PEM import it, normalize the newlines to LF, and export+Assert.
[Theory]
[InlineData(true)]
[InlineData(false)]
public static void ExportCertificatePem_ContainsOnlyCertPem(bool yoda)
{
const string Input = ...;
string output;
using (X509Certificate2 cert = new X509Certificate2(Encoding.ASCII.GetBytes(Input)))
{
if (yoda)
{
output = cert.ExportCertificatePem();
}
else
{
Span<char> destination = stackalloc char[Input.Length + 5];
Assert.True(cert.TryExportCertificatePem(destination, out int charsWritten));
Assert.Equal(Input.Length, charsWritten);
output = destination.Slice(0, charsWritten).ToString();
}
}
Assert.Equal(Input, output);
}There was a problem hiding this comment.
Alternatively, we could add the "did I start at the right place?" and "did I end at the right place?" checks to what's already here.
There was a problem hiding this comment.
Hm, I see. Perhaps "ContainsOnlyCertPem" was misleading in name, the test was ensuring that (if by some miracle) a certificate's private key would not be included, or at least a form of documentation "Yes, the 'pem export' does not include CERTIFICATE nor RSA/EC PRIVATE KEY".
But I see what you are suggesting as well. I suppose by "exact string" match, that would pretty much have the same meaning.
There was a problem hiding this comment.
I think we can just get rid of these tests if we tighten the others.
|
Code generally looks good, just a couple of comment requests. Tests generally look good, but since I didn't write the code I have the easy job of just asking for more :) |
ghost
locked as resolved and limited conversation to collaborators
bartonjs
added
the
needs-further-triage
This implements PEM export on X509Certificate2 and X509Certificate2Collection.
Contributes to #51630.