Cross-platform SqlColumnEncryptionCertificateStoreProvider support (#3014)

* Enabling certificate store provider for Unix platforms

* Initial round of cross-platform test enablement

* Account for exception message changes between .NET Framework and .NET Core

* Initial work to enable Unix support.
* Only allow the use of the CurrentUser location for certificates.
* Changed the PublishTestResults@2 step to ensure that failed tests are also published.

* Moved certificates to external .pfx files, set a password in an effort to fix problems importing these files on MacOS

* Moved certificates to external .pfx files, set a password in an effort to fix problems importing these files on MacOS

* Added extra Unix-specific exceptions

Converting more unusually-embedded PFX files into embedded resources

* macOS issue when handling a certificate without a private key.
Eliminating possibility of a certificate with a private key having been previously added to the user certificate store.

* Correct merge issue - re-remove Unix-specific file

* Address test failures on Windows and Linux

* Always add a certificate's CN as a SAN

* Account for MacOS KeyStorageFlags quirk

MacOS will throw an exception when adding a certificate to the user store if the PersistKeySet key storage flag is set. Instead, use the UserKeySet flag.

Author: edwardneal

eng/pipelines/common/templates/steps/publish-test-results-step.yml

@@ -38,6 +38,7 @@ steps:
         TestResults/*.trx
         TestResults/**/*.coverage
       testRunTitle: 'Linux Tests'
+  condition: succeededOrFailed()
 
 - powershell: |
    cd TestResults

src/Microsoft.Data.SqlClient/netcore/src/Microsoft.Data.SqlClient.csproj

@@ -561,6 +561,9 @@
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlCollation.cs">
       <Link>Microsoft\Data\SqlClient\SqlCollation.cs</Link>
     </Compile>
+    <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlColumnEncryptionCertificateStoreProvider.cs">
+      <Link>Microsoft\Data\SqlClient\SqlColumnEncryptionCertificateStoreProvider.cs</Link>
+    </Compile>
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlColumnEncryptionEnclaveProvider.cs">
       <Link>Microsoft\Data\SqlClient\SqlColumnEncryptionEnclaveProvider.cs</Link>
     </Compile>
@@ -951,9 +954,6 @@
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SSPI\NativeSspiContextProvider.cs">
       <Link>Microsoft\Data\SqlClient\SSPI\NativeSspiContextProvider.cs</Link>
     </Compile>
-    <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlColumnEncryptionCertificateStoreProvider.Windows.cs">
-      <Link>Microsoft\Data\SqlClient\SqlColumnEncryptionCertificateStoreProvider.Windows.cs</Link>
-    </Compile>
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\TdsParserSafeHandles.Windows.cs">
       <Link>Microsoft\Data\SqlClient\TdsParserSafeHandles.Windows.cs</Link>
     </Compile>
@@ -995,9 +995,6 @@
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SessionHandle.netcore.Unix.cs">
       <Link>Microsoft\Data\SqlClient\SessionHandle.netcore.Unix.cs</Link>
     </Compile>
-    <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlColumnEncryptionCertificateStoreProvider.netcore.Unix.cs">
-      <Link>Microsoft\Data\SqlClinet\SqlColumnEncryptionCertificateStoreProvider.netcore.Unix.cs</Link>
-    </Compile>
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlColumnEncryptionCngProvider.netcore.Unix.cs">
       <Link>Microsoft\Data\SqlClinet\SqlColumnEncryptionCngProvider.netcore.Unix.cs</Link>
     </Compile>

src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj

@@ -669,7 +669,7 @@
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlCollation.cs">
       <Link>Microsoft\Data\SqlClient\SqlCollation.cs</Link>
     </Compile>
-    <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlColumnEncryptionCertificateStoreProvider.Windows.cs">
+    <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlColumnEncryptionCertificateStoreProvider.cs">
       <Link>Microsoft\Data\SqlClient\SqlColumnEncryptionCertificateStoreProvider.cs</Link>
     </Compile>
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlColumnEncryptionCngProvider.Windows.cs">

src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlColumnEncryptionCertificateStoreProvider.Windows.cs renamed to src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlColumnEncryptionCertificateStoreProvider.cs

@@ -324,7 +324,9 @@ private void ValidateCertificatePathLength(string masterKeyPath, bool isSystemOp
         /// </summary>
         private string[] GetValidCertificateLocations()
         {
-            return new string[2] { CertLocationLocalMachine, CertLocationCurrentUser };
+            return Environment.OSVersion.Platform == PlatformID.Win32NT
+                ? new string[2] { CertLocationLocalMachine, CertLocationCurrentUser }
+                : new string[1] { CertLocationCurrentUser };
         }
 
         /// <summary>
@@ -372,7 +374,8 @@ private X509Certificate2 GetCertificateByPath(string keyPath, bool isSystemOp)
             // Extract the store location where the cert is stored
             if (certParts.Length > 2)
             {
-                if (string.Equals(certParts[0], CertLocationLocalMachine, StringComparison.OrdinalIgnoreCase) == true)
+                if (string.Equals(certParts[0], CertLocationLocalMachine, StringComparison.OrdinalIgnoreCase) == true
+                    && Environment.OSVersion.Platform == PlatformID.Win32NT)
                 {
                     storeLocation = StoreLocation.LocalMachine;
                 }

src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlColumnEncryptionCertificateStoreProvider.netcore.Unix.cs

@@ -1523,14 +1523,29 @@ internal static Exception LargeCertificatePathLength(int actualLength, int maxLe
 
         internal static Exception NullCertificatePath(string[] validLocations, bool isSystemOp)
         {
-            Debug.Assert(2 == validLocations.Length);
-            if (isSystemOp)
+            if (Environment.OSVersion.Platform == PlatformID.Win32NT)
             {
-                return ADP.ArgumentNull(TdsEnums.TCE_PARAM_MASTERKEY_PATH, StringsHelper.GetString(Strings.TCE_NullCertificatePathSysErr, validLocations[0], validLocations[1], @"/"));
+                Debug.Assert(validLocations.Length == 2);
+                if (isSystemOp)
+                {
+                    return ADP.ArgumentNull(TdsEnums.TCE_PARAM_MASTERKEY_PATH, StringsHelper.GetString(Strings.TCE_NullCertificatePathSysErr, validLocations[0], validLocations[1], @"/"));
+                }
+                else
+                {
+                    return ADP.ArgumentNull(TdsEnums.TCE_PARAM_MASTERKEY_PATH, StringsHelper.GetString(Strings.TCE_NullCertificatePath, validLocations[0], validLocations[1], @"/"));
+                }
             }
             else
             {
-                return ADP.ArgumentNull(TdsEnums.TCE_PARAM_MASTERKEY_PATH, StringsHelper.GetString(Strings.TCE_NullCertificatePath, validLocations[0], validLocations[1], @"/"));
+                Debug.Assert(validLocations.Length == 1);
+                if (isSystemOp)
+                {
+                    return ADP.ArgumentNull(TdsEnums.TCE_PARAM_MASTERKEY_PATH, StringsHelper.GetString(Strings.TCE_NullCertificatePathSysErr_Unix, validLocations[0], @"/"));
+                }
+                else
+                {
+                    return ADP.ArgumentNull(TdsEnums.TCE_PARAM_MASTERKEY_PATH, StringsHelper.GetString(Strings.TCE_NullCertificatePath_Unix, validLocations[0], @"/"));
+                }
             }
         }
 
@@ -1560,14 +1575,29 @@ internal static Exception NullCngKeyPath(bool isSystemOp)
 
         internal static Exception InvalidCertificatePath(string actualCertificatePath, string[] validLocations, bool isSystemOp)
         {
-            Debug.Assert(2 == validLocations.Length);
-            if (isSystemOp)
+            if (Environment.OSVersion.Platform == PlatformID.Win32NT)
             {
-                return ADP.Argument(StringsHelper.GetString(Strings.TCE_InvalidCertificatePathSysErr, actualCertificatePath, validLocations[0], validLocations[1], @"/"), TdsEnums.TCE_PARAM_MASTERKEY_PATH);
+                Debug.Assert(validLocations.Length == 2);
+                if (isSystemOp)
+                {
+                    return ADP.Argument(StringsHelper.GetString(Strings.TCE_InvalidCertificatePathSysErr, actualCertificatePath, validLocations[0], validLocations[1], @"/"), TdsEnums.TCE_PARAM_MASTERKEY_PATH);
+                }
+                else
+                {
+                    return ADP.Argument(StringsHelper.GetString(Strings.TCE_InvalidCertificatePath, actualCertificatePath, validLocations[0], validLocations[1], @"/"), TdsEnums.TCE_PARAM_MASTERKEY_PATH);
+                }
             }
             else
             {
-                return ADP.Argument(StringsHelper.GetString(Strings.TCE_InvalidCertificatePath, actualCertificatePath, validLocations[0], validLocations[1], @"/"), TdsEnums.TCE_PARAM_MASTERKEY_PATH);
+                Debug.Assert(validLocations.Length == 1);
+                if (isSystemOp)
+                {
+                    return ADP.Argument(StringsHelper.GetString(Strings.TCE_InvalidCertificatePathSysErr_Unix, actualCertificatePath, validLocations[0], @"/"), TdsEnums.TCE_PARAM_MASTERKEY_PATH);
+                }
+                else
+                {
+                    return ADP.Argument(StringsHelper.GetString(Strings.TCE_InvalidCertificatePath_Unix, actualCertificatePath, validLocations[0], @"/"), TdsEnums.TCE_PARAM_MASTERKEY_PATH);
+                }
             }
         }
 
@@ -1681,17 +1711,29 @@ internal static Exception InvalidCngKey(string masterKeyPath, string cngProvider
 
         internal static Exception InvalidCertificateLocation(string certificateLocation, string certificatePath, string[] validLocations, bool isSystemOp)
         {
-
-#if NETFRAMEWORK
-            Debug.Assert(2 == validLocations.Length);
-#endif
-            if (isSystemOp)
+            if (Environment.OSVersion.Platform == PlatformID.Win32NT)
             {
-                return ADP.Argument(StringsHelper.GetString(Strings.TCE_InvalidCertificateLocationSysErr, certificateLocation, certificatePath, validLocations[0], validLocations[1], @"/"), TdsEnums.TCE_PARAM_MASTERKEY_PATH);
+                Debug.Assert(validLocations.Length == 2);
+                if (isSystemOp)
+                {
+                    return ADP.Argument(StringsHelper.GetString(Strings.TCE_InvalidCertificateLocationSysErr, certificateLocation, certificatePath, validLocations[0], validLocations[1], @"/"), TdsEnums.TCE_PARAM_MASTERKEY_PATH);
+                }
+                else
+                {
+                    return ADP.Argument(StringsHelper.GetString(Strings.TCE_InvalidCertificateLocation, certificateLocation, certificatePath, validLocations[0], validLocations[1], @"/"), TdsEnums.TCE_PARAM_MASTERKEY_PATH);
+                }
             }
             else
             {
-                return ADP.Argument(StringsHelper.GetString(Strings.TCE_InvalidCertificateLocation, certificateLocation, certificatePath, validLocations[0], validLocations[1], @"/"), TdsEnums.TCE_PARAM_MASTERKEY_PATH);
+                Debug.Assert(validLocations.Length == 1);
+                if (isSystemOp)
+                {
+                    return ADP.Argument(StringsHelper.GetString(Strings.TCE_InvalidCertificateLocationSysErr_Unix, certificateLocation, certificatePath, validLocations[0], @"/"), TdsEnums.TCE_PARAM_MASTERKEY_PATH);
+                }
+                else
+                {
+                    return ADP.Argument(StringsHelper.GetString(Strings.TCE_InvalidCertificateLocation_Unix, certificateLocation, certificatePath, validLocations[0], @"/"), TdsEnums.TCE_PARAM_MASTERKEY_PATH);
+                }
             }
         }