Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[QUIC] Certificate name validation #56175

Merged
merged 5 commits into from
Jul 23, 2021
Merged

[QUIC] Certificate name validation #56175

merged 5 commits into from
Jul 23, 2021

Conversation

ManickaP
Copy link
Member

Extracts CertificateValidation for Windows into shared sources and make use of it and the Unix version in S.N.Quic to properly verify the cert the same way SslStream does.

Fixes #55193

For now just manually verified in asp.net core test. I will add specific tests tomorrow.

cc: @wfurt

@ghost
Copy link

ghost commented Jul 22, 2021

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

Extracts CertificateValidation for Windows into shared sources and make use of it and the Unix version in S.N.Quic to properly verify the cert the same way SslStream does.

Fixes #55193

For now just manually verified in asp.net core test. I will add specific tests tomorrow.

cc: @wfurt

Author: ManickaP
Assignees: -
Labels:

area-System.Net.Http
Milestone: -

@wfurt
Copy link
Member

wfurt commented Jul 22, 2021

with this, validation should be easier in ldap @AnthonyMastrean (#55017)

wfurt
wfurt reviewed Jul 23, 2021
View reviewed changes
Copy link
Member

@wfurt wfurt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

generally looks god to me. We should add some testes.

  • set TargetHost to something else than "loopback" with existing cert and the name error should show up.
  • In ideal case we should check that connection to 127.0.0.1 and ::1 works without getting the name error since they both should be in altName (at least the one we generate)
    I think current tests ignore all the passed info and simple call new chain rebuild without name check.

src/libraries/System.Net.Quic/src/Resources/Strings.resx
@@ -150,5 +150,8 @@
<data name="net_quic_writing_notallowed" xml:space="preserve">
<value>Writing is not allowed on stream.</value>
</data>
<data name="net_ssl_app_protocols_invalid" xml:space="preserve">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need this? looks like extra.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes we need this, it's used by one of the included interop source files:

runtime/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.SslCtx.cs

Line 43 in d148c34

throw new ArgumentException(SR.net_ssl_app_protocols_invalid, nameof(applicationProtocols));

https://github.com/dotnet/runtime/pull/56175/files#diff-1d4ce147edca0ce81f312b96fce76ac52eb02eb6d04e660817e3b47230edc794R64

src/libraries/System.Net.Quic/src/System.Net.Quic.csproj Outdated
@@ -83,6 +121,14 @@
<Reference Include="System.Threading.Channels" />
</ItemGroup>

<ItemGroup>
<ProjectReference Include="$(LibrariesProjectRoot)System.Security.Cryptography.OpenSsl\src\System.Security.Cryptography.OpenSsl.csproj" />
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we still need this with all the added interop?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, we do, the interop uses public classes from this project. It doesn't build without it and the same it's referenced in S.N.Http.

src/libraries/System.Net.Quic/src/System.Net.Quic.csproj Outdated Show resolved Hide resolved
@ManickaP
Copy link
Member Author

@wfurt tests added as you suggested. If you're happy with it, feel free to merge on my behalf.

@AnthonyMastrean AnthonyMastrean mentioned this pull request Jul 23, 2021
Closed
wfurt
wfurt approved these changes Jul 23, 2021
View reviewed changes
Copy link
Member

@wfurt wfurt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@wfurt wfurt merged commit 877af80 into dotnet:main Jul 23, 2021
@ManickaP ManickaP deleted the mapichov/55193_check_cert_name branch July 27, 2021 10:57
@karelz karelz mentioned this pull request Jul 28, 2021
Closed
@karelz karelz added this to the 6.0.0 milestone Jul 29, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Aug 28, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@wfurt wfurt wfurt approved these changes

@CarnaViire CarnaViire Awaiting requested review from CarnaViire

@geoffkizer geoffkizer Awaiting requested review from geoffkizer

Assignees
No one assigned
Labels
area-System.Net.Http
Projects
None yet
Milestone
6.0.0
Development

Successfully merging this pull request may close these issues.

[HTTP/3] Certificate name validation different than HTTP/1.1?
3 participants
@ManickaP @wfurt @karelz