Skip to content

[QUIC] Certificate name validation#56175

Merged
wfurt merged 5 commits intodotnet:mainfrom
ManickaP:mapichov/55193_check_cert_name
Jul 23, 2021
Merged

[QUIC] Certificate name validation#56175
wfurt merged 5 commits intodotnet:mainfrom
ManickaP:mapichov/55193_check_cert_name

Conversation

@ManickaP
Copy link
Member

@ManickaP ManickaP commented Jul 22, 2021

Extracts CertificateValidation for Windows into shared sources and make use of it and the Unix version in S.N.Quic to properly verify the cert the same way SslStream does.

Fixes #55193

For now just manually verified in asp.net core test. I will add specific tests tomorrow.

cc: @wfurt

@ghost ghost added the area-System.Net.Http label Jul 22, 2021
@ghost
Copy link

ghost commented Jul 22, 2021

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

Extracts CertificateValidation for Windows into shared sources and make use of it and the Unix version in S.N.Quic to properly verify the cert the same way SslStream does.

Fixes #55193

For now just manually verified in asp.net core test. I will add specific tests tomorrow.

cc: @wfurt

Author: ManickaP
Assignees: -
Labels:

area-System.Net.Http
Milestone: -

@wfurt
Copy link
Member

wfurt commented Jul 22, 2021

with this, validation should be easier in ldap @AnthonyMastrean (#55017)

wfurt
wfurt reviewed Jul 23, 2021
View reviewed changes
Copy link
Member

@wfurt wfurt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

generally looks god to me. We should add some testes.

  • set TargetHost to something else than "loopback" with existing cert and the name error should show up.
  • In ideal case we should check that connection to 127.0.0.1 and ::1 works without getting the name error since they both should be in altName (at least the one we generate)
    I think current tests ignore all the passed info and simple call new chain rebuild without name check.

src/libraries/System.Net.Quic/src/Resources/Strings.resx
<data name="net_quic_writing_notallowed" xml:space="preserve">
<value>Writing is not allowed on stream.</value>
</data>
<data name="net_ssl_app_protocols_invalid" xml:space="preserve">
Copy link
Member

@wfurt wfurt Jul 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need this? looks like extra.

Copy link
Member Author

@ManickaP ManickaP Jul 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes we need this, it's used by one of the included interop source files:

runtime/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.SslCtx.cs

Line 43 in d148c34

throw new ArgumentException(SR.net_ssl_app_protocols_invalid, nameof(applicationProtocols));

https://github.com/dotnet/runtime/pull/56175/files#diff-1d4ce147edca0ce81f312b96fce76ac52eb02eb6d04e660817e3b47230edc794R64

src/libraries/System.Net.Quic/src/System.Net.Quic.csproj Outdated
</ItemGroup>

<ItemGroup>
<ProjectReference Include="$(LibrariesProjectRoot)System.Security.Cryptography.OpenSsl\src\System.Security.Cryptography.OpenSsl.csproj" />
Copy link
Member

@wfurt wfurt Jul 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we still need this with all the added interop?

Copy link
Member Author

@ManickaP ManickaP Jul 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, we do, the interop uses public classes from this project. It doesn't build without it and the same it's referenced in S.N.Http.

@ManickaP
Copy link
Member Author

ManickaP commented Jul 23, 2021

@wfurt tests added as you suggested. If you're happy with it, feel free to merge on my behalf.

@AnthonyMastrean AnthonyMastrean mentioned this pull request Jul 23, 2021
Closed
wfurt
wfurt approved these changes Jul 23, 2021
View reviewed changes
Copy link
Member

@wfurt wfurt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@wfurt wfurt merged commit 877af80 into dotnet:main Jul 23, 2021
@ManickaP ManickaP deleted the mapichov/55193_check_cert_name branch July 27, 2021 10:57
@karelz karelz mentioned this pull request Jul 28, 2021
Closed
@karelz karelz added this to the 6.0.0 milestone Jul 29, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Aug 28, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@wfurt wfurt wfurt approved these changes

@CarnaViire CarnaViire Awaiting requested review from CarnaViire

@geoffkizer geoffkizer Awaiting requested review from geoffkizer

Assignees

No one assigned

Labels

area-System.Net.Http

Projects

None yet

Milestone

6.0.0

Development

Successfully merging this pull request may close these issues.

[HTTP/3] Certificate name validation different than HTTP/1.1?

3 participants

@ManickaP @wfurt @karelz