fix quic cert validation with OpenSSL #51015

Merged: 4 commits, Apr 22, 2021

@wfurt wfurt commented Apr 9, 2021

This depends on pending microsoft/msquic#1450.
Adds "normal" certificate validation and validation callback for Linux & macOS e.g. OpenSSL TLS.

Note that support for certificate chains is still pending. e.g. CertificateContext.

fixes #50156

cc: @nibanks @JamesNK

@wfurt wfurt requested a review from a team April 9, 2021 17:35

ghost commented Apr 9, 2021

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

Author: wfurt
Assignees: -
Labels: area-System.Net.Quic

Milestone: -


@nibanks nibanks left a comment

LGTM

JamesNK commented Apr 12, 2021

Tests?

@ManickaP ManickaP left a comment

Just code-styling nits, otherwise LGTM. Disclaimer: IANA SSL expert.

Tests?

And I agree with James, this is worth some coverage.

wfurt commented Apr 15, 2021

Existing tests will fail when msquic is built without STUB and without the hack to accept all certificates.
There is no special handling for self-signed certificates. The reason why they would work is because the standard validation callback is invoked.
So I felt I do not need to add more tests. This should be the same as the Windows version.

wfurt commented Apr 21, 2021

I modified the test validation callback to verify that what is passed in is the same as what the server uses. This should now work on all platforms instead of blindly assuming it is OK via a lambda function.
I will add more interesting tests once we get custom certificate chains working, e.g. CertificateContext.

@@ -214,25 +214,26 @@ private static uint HandleEventPeerCertificateReceived(State state, ref Connecti

try
{
if (OperatingSystem.IsWindows())
if (connectionEvent.Data.PeerCertificateReceived.PlatformCertificateChainHandle != IntPtr.Zero)
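Review bot: the new condition on the second `if` line tests only `PlatformCertificateChainHandle != IntPtr.Zero`, while the line it replaces branched on `OperatingSystem.IsWindows()`, so the platform decision is now implied by which handle msquic filled in. The body of the branch is not visible here; if it reads `PlatformCertificateHandle`, check that handle against `IntPtr.Zero` as well rather than relying on the two being set together, and make sure the path taken when the handle is zero still reports the certificate as unavailable to the validation callback instead of skipping validation. A short comment stating what each handle points to on each platform would make the condition easier to audit.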
Member (review comment):

Is this right? Is there any relation between PlatformCertificateChainHandle and PlatformCertificateHandle? Like that if the first is not null then the other won't be as well?

Because originally you had different null-check conditions there.

Member Author (reply):

Good catch. In general they should be both set or empty, but it is strange to test one field and then use the other. I did yet another attempt to refactor and make that more clear.

For the Unix path, the PlatformCertificateHandle points to a DER-encoded certificate while PlatformCertificateChainHandle points to a PKCS7 container containing possibly a list of certificates (the format allows additional parts but that is not generated by msquic).

On Windows the intermediate CA cache is maintained by the OS so we don't need to bother.
On Linux, if everything is trusted and intermediates are present, we could simply grab the leaf cert.
But we don't know that, so we attempt to get as many certs provided by the peer to improve our chances that X509Chain can construct the full chain.
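
An added example (not code from this pull request or from dotnet/runtime) of the approach described in the replies above: peer-supplied PKCS7 certificates go into the chain's extra store as path-building candidates only, and the validation callback gets the resulting errors and the leaf, so a test callback can check that the certificate passed in is the one the server uses. The `Validate` helper, its parameters, the `NoCheck` revocation mode and the self-signed sample certificate are assumptions made for illustration.

```csharp
#nullable enable
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PeerCertValidationSketch
{
    // Hypothetical helper: leafDer is the DER leaf, pkcs7 the optional PKCS7 bundle sent by the peer.
    public static bool Validate(byte[]? leafDer, byte[]? pkcs7, RemoteCertificateValidationCallback? callback)
    {
        SslPolicyErrors errors = SslPolicyErrors.None;
        X509Certificate2? leaf = null;
        using var chain = new X509Chain();
        // Assumption for an offline demo; a real policy chooses its own revocation mode.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (leafDer is null || leafDer.Length == 0)
            errors |= SslPolicyErrors.RemoteCertificateNotAvailable; // no certificate: report it, never skip
        else
        {
            leaf = new X509Certificate2(leafDer);
            if (pkcs7 is { Length: > 0 })
            {
                // Peer-supplied certificates help path building; they are not trust anchors.
                var extra = new X509Certificate2Collection();
                extra.Import(pkcs7);
                chain.ChainPolicy.ExtraStore.AddRange(extra);
            }
            if (!chain.Build(leaf))
                errors |= SslPolicyErrors.RemoteCertificateChainErrors;
        }
        // Host name matching is out of scope here. Without a callback, any error rejects the peer.
        bool ok = callback is null ? errors == SslPolicyErrors.None
                                   : callback(new object(), leaf, chain, errors);
        leaf?.Dispose();
        return ok;
    }

    static void Main()
    {
        // Constructed sample input: a throwaway self-signed certificate and its PKCS7 export.
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest("CN=localhost", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        byte[]? bundle = new X509Certificate2Collection(cert).Export(X509ContentType.Pkcs7);
        // Test-style callback: accept only the exact certificate the server is known to use.
        Console.WriteLine(Validate(cert.RawData, bundle, (_, c, _, e) => c is X509Certificate2 c2 && c2.Thumbprint == cert.Thumbprint));
        Console.WriteLine(Validate(null, null, null)); // missing certificate, default policy
    }
}
```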

@wfurt wfurt merged commit 827474b into dotnet:main Apr 22, 2021
@wfurt wfurt deleted the validation_50156 branch April 22, 2021 15:59
@ManickaP ManickaP mentioned this pull request May 5, 2021
@karelz karelz added this to the 6.0.0 milestone May 20, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Jun 19, 2021
Successfully merging this pull request may close these issues.

QUIC: Support hosting self-signed certificates