New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NSUrlSessionHandler: Adds support for X509 client certificates #20434
base: main
Are you sure you want to change the base?
Conversation
We don't have access to that class, so please just copy it over (and add a comment explaining where it came from).
I think it's fine to not mark it as supported (an alternative approach would be to mark it as supported, but throw some sort of "not supported exception" if someone tries to set it to Automatic). |
/azp run |
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run |
Azure Pipelines successfully started running 1 pipeline(s). |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
@dotMorten it fails to build:
|
@rolfbjarne Fixed. Could you retry? |
|
/azp run |
Azure Pipelines successfully started running 1 pipeline(s). |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
/azp run |
Azure Pipelines successfully started running 1 pipeline(s). |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This is turning rather obnoxious to figure out, there seems to be platform differences between macOS and the other platforms that are unnecessary, so I've filed to issues:
I've also found a problem with Fortunately there seems to be a different Apple API we can use to import an identity without needing a keychain, so I'm looking into this at the moment. |
OK, this turned into a rabbit hole... The new code in this PR calls
Apple's documentation for StackOverflow also suggests using
In this Apple forum thread a user gripes about this exact problem:
Quinn answers:
So I've given up about the idea of not using the keychain in tests, and instead trying to make the keychain work somehow. FWIW Quinn “The Eskimo!” wrote a document explaining how to find and fix problems with regards to the keychain on CI machines (https://developer.apple.com/forums/thread/712005). The last sentence is a gem: "Resetting trust settings is more of a challenge. It’s probably possible to do this with the security tool but, honestly, if you think that your CI system has messed up trust settings it’s easiest to throw it away and start again from scratch." - in other words if something goes wrong, the easiest is to wipe the machine and start over again. "some pain points" is somewhat of an understatement... |
/azp run |
Azure Pipelines successfully started running 1 pipeline(s). |
❌ [PR Build] Tests on macOS X64 - Mac Sonoma (14) failed ❌Failed tests are:
Pipeline on Agent |
❌ [PR Build] Tests on macOS M1 - Mac Big Sur (11) failed ❌Failed tests are:
Pipeline on Agent |
❌ [PR Build] Tests on macOS M1 - Mac Ventura (13) failed ❌Failed tests are:
Pipeline on Agent |
❌ [PR Build] Tests on macOS M1 - Mac Monterey (12) failed ❌Failed tests are:
Pipeline on Agent |
📚 [PR Build] Artifacts 📚Packages generatedView packagesPipeline on Agent |
✅ API diff for current PR / commitLegacy Xamarin (No breaking changes)
NET (empty diffs)
✅ API diff vs stableLegacy Xamarin (No breaking changes).NET (No breaking changes)ℹ️ Generator diffGenerator Diff: vsdrops (html) vsdrops (raw diff) gist (raw diff) - Please review changes) Pipeline on Agent |
🔥 [CI Build] Test results 🔥Test results❌ Tests failed on VSTS: test results 1 tests crashed, 1 tests failed, 161 tests passed. Failures❌ cecil tests
Html Report (VSDrops) Download ❌ monotouch tests (macOS)🔥 Failed catastrophically on VSTS: test results - monotouch_macos (no summary found). Html Report (VSDrops) Download Successes✅ dotnettests (iOS): All 1 tests passed. Html Report (VSDrops) Download Pipeline on Agent |
Addresses #13856
There's a couple of outstanding questions for this PR, so keeping it in draft for now:
This relies on System.Net.Security.CertificateHelper which is internal. I'm not sure if xamarinios has access to this. If not, should I just copy the file over? It is for instance used here to pick the correct certificate in SocketsHttpHandler and HttpClientHandler.. Update: Imported a copy.I also toyed with having a public callback for users to do more native certificate handling, and modeled around the
ServerCertificateCustomValidationCallback
callback:This isn't in the PR, but more than happy to also add that. My thinking was that might enable some scenarios where you can't use the .NET X509 certificates but need to pull native certificate types in