Fix race conditions in tests

MichaelGrafnetter · MichaelGrafnetter · commit ed137253e0a3 · 2026-03-28T12:20:24.000-07:00
diff --git a/Src/DSInternals.Common.Test/DnsSigningKeyTester.cs b/Src/DSInternals.Common.Test/DnsSigningKeyTester.cs
@@ -6,6 +6,11 @@ namespace DSInternals.Common.Test;
 [TestClass]
 public class DnsSigningKeyTester
 {
+    // The Windows SID key cache API overwrites the entire L0 key file on each write.
+    // All TFM test processes must serialize their write+decrypt sequences to avoid
+    // a process overwriting another's cache entry between WriteToCache() and Decrypt().
+    private static readonly Mutex CacheMutex = new Mutex(false, @"Local\DSInternals_DnsSigningKeyTest");
+
     [TestMethod]
     public void DnsSigningKey_KSK_RSA()
     {
@@ -30,8 +35,17 @@ public void DnsSigningKey_KSK_RSA()
 
         // Decrypt the key
         var gke = GroupKeyEnvelope.Create(kdsRootKey, signingKey.ProtectedKeyBlob.ProtectionKeyIdentifier, signingKey.ProtectedKeyBlob.TargetSid);
-        gke.WriteToCache();
-        ReadOnlySpan<byte> decryptedKey = signingKey.ProtectedKeyBlob.Decrypt();
+        CacheMutex.WaitOne();
+        ReadOnlySpan<byte> decryptedKey;
+        try
+        {
+            gke.WriteToCache();
+            decryptedKey = signingKey.ProtectedKeyBlob.Decrypt();
+        }
+        finally
+        {
+            CacheMutex.ReleaseMutex();
+        }
 
         // Assert decrypted key magic
         Assert.StartsWith("52534132", decryptedKey.ToHex()); // "RSA2" encoded in HEX (RSAPUBKEY structure magic)
@@ -57,8 +71,17 @@ public void DnsSigningKey_ZSK_RSA()
 
         // Decrypt the key
         var gke = GroupKeyEnvelope.Create(kdsRootKey, signingKey.ProtectedKeyBlob.ProtectionKeyIdentifier, signingKey.ProtectedKeyBlob.TargetSid);
-        gke.WriteToCache();
-        ReadOnlySpan<byte> decryptedKey = signingKey.ProtectedKeyBlob.Decrypt();
+        CacheMutex.WaitOne();
+        ReadOnlySpan<byte> decryptedKey;
+        try
+        {
+            gke.WriteToCache();
+            decryptedKey = signingKey.ProtectedKeyBlob.Decrypt();
+        }
+        finally
+        {
+            CacheMutex.ReleaseMutex();
+        }
 
         // Assert decrypted key magic
         Assert.StartsWith("52534132", decryptedKey.ToHex()); // "RSA2" encoded in HEX (RSAPUBKEY structure magic)
@@ -84,8 +107,17 @@ public void DnsSigningKey_KSK_P256()
 
         // Decrypt the key
         var gke = GroupKeyEnvelope.Create(kdsRootKey, signingKey.ProtectedKeyBlob.ProtectionKeyIdentifier, signingKey.ProtectedKeyBlob.TargetSid);
-        gke.WriteToCache();
-        ReadOnlySpan<byte> decryptedKey = signingKey.ProtectedKeyBlob.Decrypt();
+        CacheMutex.WaitOne();
+        ReadOnlySpan<byte> decryptedKey;
+        try
+        {
+            gke.WriteToCache();
+            decryptedKey = signingKey.ProtectedKeyBlob.Decrypt();
+        }
+        finally
+        {
+            CacheMutex.ReleaseMutex();
+        }
 
         // Assert decrypted key magic
         Assert.StartsWith("45435332", decryptedKey.ToHex()); // "ECK2" encoded in HEX
