dotnet · adityamandaleeka · Jul 26, 2022 · Jun 14, 2022 · Jun 16, 2022 · Jun 16, 2022
@@ -285,18 +285,10 @@ private void EnsureDefaultCert()
                         Debug.Assert(status.FailureMessage != null, "Status with a failure result must have a message.");
                         logger.DeveloperCertificateFirstRun(status.FailureMessage);
 
-                        // Now that we've displayed a warning in the logs so that the user gets a notification that a prompt might appear, try
-                        // and access the certificate key, which might trigger a prompt.
-                        status = CertificateManager.Instance.CheckCertificateState(DefaultCertificate, interactive: true);
-                        if (!status.Success)
-                        {
-                            logger.BadDeveloperCertificateState();
-                        }
+                        // Prevent binding to HTTPS if the certificate is not valid (avoid the prompt)
+                        DefaultCertificate = null;
                     }
-
-                    logger.LocatedDevelopmentCertificate(DefaultCertificate);
-
-                    if (!CertificateManager.Instance.IsTrusted(DefaultCertificate))
+                    else if (!CertificateManager.Instance.IsTrusted(DefaultCertificate))
                     {
                         logger.DeveloperCertificateNotTrusted();
                     }

diff --git a/src/Shared/CertificateGeneration/CertificateManager.cs b/src/Shared/CertificateGeneration/CertificateManager.cs
@@ -1,12 +1,9 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System;
-using System.Collections.Generic;
 using System.Diagnostics;
 using System.Diagnostics.CodeAnalysis;
 using System.Diagnostics.Tracing;
-using System.IO;
 using System.Linq;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
@@ -19,6 +16,8 @@ namespace Microsoft.AspNetCore.Certificates.Generation;
 internal abstract class CertificateManager
 {
     internal const int CurrentAspNetCoreCertificateVersion = 2;
+
+    // OID used for HTTPS certs
     internal const string AspNetHttpsOid = "1.3.6.1.4.1.311.84.1.1";
     internal const string AspNetHttpsOidFriendlyName = "ASP.NET Core HTTPS development certificate";
 
@@ -78,7 +77,7 @@ public IList<X509Certificate2> ListCertificates(
         {
             using var store = new X509Store(storeName, location);
             store.Open(OpenFlags.ReadOnly);
-            certificates.AddRange(store.Certificates.OfType<X509Certificate2>());
+            PopulateCertificatesFromStore(store, certificates);
             IEnumerable<X509Certificate2> matchingCertificates = certificates;
             matchingCertificates = matchingCertificates
                 .Where(c => HasOid(c, AspNetHttpsOid));
@@ -161,6 +160,11 @@ bool IsValidCertificate(X509Certificate2 certificate, DateTimeOffset currentDate
             GetCertificateVersion(certificate) >= AspNetHttpsCertificateVersion;
     }
 
+    protected virtual void PopulateCertificatesFromStore(X509Store store, List<X509Certificate2> certificates)
+    {
+        certificates.AddRange(store.Certificates.OfType<X509Certificate2>());
+    }
+
     public IList<X509Certificate2> GetHttpsCertificates() =>
         ListCertificates(StoreName.My, StoreLocation.CurrentUser, isValid: true, requireExportable: true);
 
@@ -340,6 +344,15 @@ public EnsureCertificateResult EnsureAspNetCoreHttpsDevelopmentCertificate(
                 result = EnsureCertificateResult.FailedToTrustTheCertificate;
                 return result;
             }
+
+            if (result == EnsureCertificateResult.ValidCertificatePresent)
+            {
+                result = EnsureCertificateResult.ExistingHttpsCertificateTrusted;
+            }
+            else
+            {
+                result = EnsureCertificateResult.NewHttpsCertificateTrusted;
+            }
 private const int Success = 0; 
 private const int ErrorCreatingTheCertificate = 1; 
 private const int ErrorSavingTheCertificate = 2; 
 private const int ErrorExportingTheCertificate = 3; 
 private const int ErrorTrustingTheCertificate = 4; 
 private const int ErrorUserCancelledTrustPrompt = 5; 
 private const int ErrorNoValidCertificateFound = 6; 
 private const int ErrorCertificateNotTrusted = 7; 
 private const int Success = 0; 
 private const int ErrorCreatingTheCertificate = 1; 
 private const int ErrorSavingTheCertificate = 2; 
 private const int ErrorExportingTheCertificate = 3; 
 private const int ErrorTrustingTheCertificate = 4; 
 private const int ErrorUserCancelledTrustPrompt = 5; 
 private const int ErrorNoValidCertificateFound = 6; 
 private const int ErrorCertificateNotTrusted = 7; 
         }
 
         DisposeCertificates(!isNewCertificate ? certificates : certificates.Append(certificate));
@@ -411,13 +424,6 @@ internal ImportCertificateResult ImportCertificate(string certificatePath, strin
 
     public void CleanupHttpsCertificates()
     {
-        // On OS X we don't have a good way to manage trusted certificates in the system keychain
-        // so we do everything by invoking the native toolchain.
-        // This has some limitations, like for example not being able to identify our custom OID extension. For that
-        // matter, when we are cleaning up certificates on the machine, we start by removing the trusted certificates.
-        // To do this, we list the certificates that we can identify on the current user personal store and we invoke
-        // the native toolchain to remove them from the sytem keychain. Once we have removed the trusted certificates,
-        // we remove the certificates from the local user store to finish up the cleanup.
         var certificates = ListCertificates(StoreName.My, StoreLocation.CurrentUser, isValid: false);
         var filteredCertificates = certificates.Where(c => c.Subject == Subject);
 
@@ -430,6 +436,8 @@ public void CleanupHttpsCertificates()
 
         foreach (var certificate in filteredCertificates)
         {
+            // RemoveLocations.All will first remove from the trusted roots (e.g. keychain on
+            // macOS) and then from the local user store.
             RemoveCertificate(certificate, RemoveLocations.All);
         }
     }
@@ -745,22 +753,15 @@ internal static void DisposeCertificates(IEnumerable<X509Certificate2> disposabl
         }
     }
 
-    private static void RemoveCertificateFromUserStore(X509Certificate2 certificate)
+    protected virtual void RemoveCertificateFromUserStore(X509Certificate2 certificate)
     {
         try
         {
             if (Log.IsEnabled())
             {
                 Log.RemoveCertificateFromUserStoreStart(GetDescription(certificate));
             }
-            using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
-            store.Open(OpenFlags.ReadWrite);
-            var matching = store.Certificates
-                .OfType<X509Certificate2>()
-                .Single(c => c.SerialNumber == certificate.SerialNumber);
-
-            store.Remove(matching);
-            store.Close();
+            RemoveCertificateFromUserStoreCore(certificate);
             Log.RemoveCertificateFromUserStoreEnd();
         }
         catch (Exception ex) when (Log.IsEnabled())
@@ -770,6 +771,17 @@ private static void RemoveCertificateFromUserStore(X509Certificate2 certificate)
         }
     }
 
+    protected virtual void RemoveCertificateFromUserStoreCore(X509Certificate2 certificate)
+    {
+        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
+        store.Open(OpenFlags.ReadWrite);
+        var matching = store.Certificates
+            .OfType<X509Certificate2>()
+            .Single(c => c.SerialNumber == certificate.SerialNumber);
+
+        store.Remove(matching);
+    }
+
     internal static string ToCertificateDescription(IEnumerable<X509Certificate2> certificates)
     {
         var list = certificates.ToList();
@@ -944,8 +956,8 @@ public sealed class CertificateManagerEventSource : EventSource
         [Event(55, Level = EventLevel.Verbose, Message = "Finished importing the certificate to the keychain.")]
         internal void MacOSAddCertificateToKeyChainEnd() => WriteEvent(55);
 
-        [Event(56, Level = EventLevel.Error, Message = "An error has occurred while importing the certificate to the keychain: {0}.")]
-        internal void MacOSAddCertificateToKeyChainError(int exitCode) => WriteEvent(56, exitCode);
+        [Event(56, Level = EventLevel.Error, Message = "An error has occurred while importing the certificate to the keychain: {0}, {1}")]
+        internal void MacOSAddCertificateToKeyChainError(int exitCode, string output) => WriteEvent(56, exitCode, output);
 
         [Event(57, Level = EventLevel.Verbose, Message = "Writing the certificate to: {0}.")]
         public void WritePemKeyToDisk(string path) => WriteEvent(57, path);
@@ -970,6 +982,27 @@ public sealed class CertificateManagerEventSource : EventSource
 
         [Event(64, Level = EventLevel.Error, Message = "The provided certificate '{0}' is not a valid ASP.NET Core HTTPS development certificate.")]
         internal void NoHttpsDevelopmentCertificate(string description) => WriteEvent(64, description);
+
+        [Event(65, Level = EventLevel.Verbose, Message = "The certificate is already trusted.")]
+        public void MacOSCertificateAlreadyTrusted() => WriteEvent(65);
+
+        [Event(66, Level = EventLevel.Verbose, Message = "Saving the certificate {1} to the user profile folder '{0}'.")]
+        internal void MacOSAddCertificateToUserProfileDirStart(string directory, string certificate) => WriteEvent(66, directory, certificate);
+
+        [Event(67, Level = EventLevel.Verbose, Message = "Finished saving the certificate to the user profile folder.")]
+        internal void MacOSAddCertificateToUserProfileDirEnd() => WriteEvent(67);
+
+        [Event(68, Level = EventLevel.Error, Message = "An error has occurred while saving certificate '{0}' in the user profile folder: {1}.")]
+        internal void MacOSAddCertificateToUserProfileDirError(string certificateThumbprint, string errorMessage) => WriteEvent(68, certificateThumbprint, errorMessage);
+
+        [Event(69, Level = EventLevel.Error, Message = "An error has occurred while removing certificate '{0}' from the user profile folder: {1}.")]
+        internal void MacOSRemoveCertificateFromUserProfileDirError(string certificateThumbprint, string errorMessage) => WriteEvent(69, certificateThumbprint, errorMessage);
+
+        [Event(70, Level = EventLevel.Error, Message = "The file '{0}' is not a valid certificate.")]
+        internal void MacOSFileIsNotAValidCertificate(string path) => WriteEvent(70, path);
+
+        [Event(71, Level = EventLevel.Warning, Message = "The on-disk store directory was not found.")]
+        internal void MacOSDiskStoreDoesNotExist() => WriteEvent(71);
     }
 
     internal sealed class UserCancelledTrustException : Exception

diff --git a/src/Shared/CertificateGeneration/EnsureCertificateResult.cs b/src/Shared/CertificateGeneration/EnsureCertificateResult.cs
@@ -13,5 +13,7 @@ internal enum EnsureCertificateResult
     FailedToTrustTheCertificate,
     UserCancelledTrustStep,
     FailedToMakeKeyAccessible,
+    ExistingHttpsCertificateTrusted,
+    NewHttpsCertificateTrusted
 }