Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add entire issuer chain to trusted X509_STORE when stapling OCSP_Response #96792

Merged
merged 7 commits into from
Jan 11, 2024
Merged
Show file tree
Hide file tree
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -29,27 +29,30 @@ private static unsafe partial int CryptoNative_X509DecodeOcspToExpiration(
int len,
SafeOcspRequestHandle req,
IntPtr subject,
IntPtr issuer,
IntPtr* issuers,
int issuersLen,
ref long expiration);

internal static unsafe bool X509DecodeOcspToExpiration(
ReadOnlySpan<byte> buf,
SafeOcspRequestHandle request,
IntPtr x509Subject,
IntPtr x509Issuer,
ReadOnlySpan<IntPtr> x509Issuers,
out DateTimeOffset expiration)
{
long timeT = 0;
int ret;

fixed (byte* pBuf = buf)
fixed (IntPtr* pIssuers = x509Issuers)
{
ret = CryptoNative_X509DecodeOcspToExpiration(
pBuf,
buf.Length,
request,
x509Subject,
x509Issuer,
pIssuers,
x509Issuers.Length,
ref timeT);
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,13 +26,29 @@ public partial class SslStreamCertificateContext
private byte[]? _ocspResponse;
private DateTimeOffset _ocspExpiration;
private DateTimeOffset _nextDownload;
// Private copy of the intermediate certificates, in case the user decides to dispose the
// instances reachable through IntermediateCertificates property.
private X509Certificate2[] _privateIntermediateCertificates;
private Task<byte[]?>? _pendingDownload;
private List<string>? _ocspUrls;
private X509Certificate2? _ca;

private SslStreamCertificateContext(X509Certificate2 target, ReadOnlyCollection<X509Certificate2> intermediates, SslCertificateTrust? trust)
{
IntermediateCertificates = intermediates;
if (intermediates.Length > 0)
{
_privateIntermediateCertificates = new X509Certificate2[intermediates.Length];

for (int i = 0; i < intermediates.Length; i++)
{
_privateIntermediateCertificates[i] = new X509Certificate2(intermediates[i]);
}
}
else
{
_privateIntermediateCertificates = Array.Empty<X509Certificate2>();
}

TargetCertificate = target;
Trust = trust;
SslContexts = new ConcurrentDictionary<SslProtocols, SafeSslContextHandle>();
Expand Down Expand Up @@ -76,15 +92,11 @@ partial void SetNoOcspFetch(bool noOcspFetch)

partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool transferredOwnership)
{
if (IntermediateCertificates.Count == 0)
if (_privateIntermediateCertificates.Length == 0 && rootCertificate != null)
{
_ca = rootCertificate;
_privateIntermediateCertificates = new[] { rootCertificate };
transferredOwnership = true;
}
else
{
_ca = IntermediateCertificates[0];
}

if (!_staplingForbidden)
{
Expand Down Expand Up @@ -149,7 +161,7 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
return new ValueTask<byte[]?>(pending);
}

if (_ocspUrls is null && _ca is not null)
if (_ocspUrls is null && _privateIntermediateCertificates.Length > 0)
{
foreach (X509Extension ext in TargetCertificate.Extensions)
{
Expand Down Expand Up @@ -192,7 +204,9 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran

private async Task<byte[]?> FetchOcspAsync()
{
X509Certificate2? caCert = _ca;
Debug.Assert(_privateIntermediateCertificates.Length > 0);
X509Certificate2? caCert = _privateIntermediateCertificates[0];

Debug.Assert(_ocspUrls is not null);
Debug.Assert(_ocspUrls.Count > 0);
Debug.Assert(caCert is not null);
Expand All @@ -211,6 +225,12 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
return null;
}

IntPtr[] issuerHandles = ArrayPool<IntPtr>.Shared.Rent(_privateIntermediateCertificates.Length);
rzikm marked this conversation as resolved.
Show resolved Hide resolved
for (int i = 0; i < _privateIntermediateCertificates.Length; i++)
{
issuerHandles[i] = _privateIntermediateCertificates[i].Handle;
}

using (SafeOcspRequestHandle ocspRequest = Interop.Crypto.X509BuildOcspRequest(subject, issuer))
{
byte[] rentedBytes = ArrayPool<byte>.Shared.Rent(Interop.Crypto.GetOcspRequestDerSize(ocspRequest));
Expand All @@ -227,7 +247,7 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran

if (ret is not null)
{
if (!Interop.Crypto.X509DecodeOcspToExpiration(ret, ocspRequest, subject, issuer, out DateTimeOffset expiration))
if (!Interop.Crypto.X509DecodeOcspToExpiration(ret, ocspRequest, subject, issuerHandles.AsSpan(0, _privateIntermediateCertificates.Length), out DateTimeOffset expiration))
{
ret = null;
continue;
Expand All @@ -252,9 +272,12 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
}
}

issuerHandles.AsSpan().Clear();
ArrayPool<IntPtr>.Shared.Return(issuerHandles);
ArrayPool<byte>.Shared.Return(rentedBytes);
ArrayPool<char>.Shared.Return(rentedChars.Array!);
GC.KeepAlive(TargetCertificate);
bartonjs marked this conversation as resolved.
Show resolved Hide resolved
GC.KeepAlive(_privateIntermediateCertificates);
GC.KeepAlive(caCert);
return ret;
}
Expand Down
17 changes: 13 additions & 4 deletions src/native/libs/System.Security.Cryptography.Native/pal_x509.c
Original file line number Diff line number Diff line change
Expand Up @@ -1302,11 +1302,11 @@ CryptoNative_X509ChainVerifyOcsp(X509_STORE_CTX* storeCtx, OCSP_REQUEST* req, OC
return X509ChainVerifyOcsp(storeCtx, subject, issuer, req, resp, cachePath);
}

int32_t CryptoNative_X509DecodeOcspToExpiration(const uint8_t* buf, int32_t len, OCSP_REQUEST* req, X509* subject, X509* issuer, int64_t* expiration)
int32_t CryptoNative_X509DecodeOcspToExpiration(const uint8_t* buf, int32_t len, OCSP_REQUEST* req, X509* subject, X509** issuers, int issuersLen, int64_t* expiration)
{
ERR_clear_error();

if (buf == NULL || len == 0)
if (buf == NULL || len == 0 || issuersLen == 0)
{
return 0;
}
Expand All @@ -1329,7 +1329,16 @@ int32_t CryptoNative_X509DecodeOcspToExpiration(const uint8_t* buf, int32_t len,

if (bag != NULL)
{
if (X509_STORE_add_cert(store, issuer) && sk_X509_push(bag, issuer))
int i;
for (i = 0; i < issuersLen; i++)
{
if (!X509_STORE_add_cert(store, issuers[i]) || !sk_X509_push(bag, issuers[i]))
{
break;
}
}

if (i == issuersLen)
{
ctx = X509_STORE_CTX_new();
}
Expand All @@ -1343,7 +1352,7 @@ int32_t CryptoNative_X509DecodeOcspToExpiration(const uint8_t* buf, int32_t len,
{
int canCache = 0;
time_t expiration_t = 0;
X509VerifyStatusCode code = CheckOcspGetExpiry(req, resp, subject, issuer, ctx, &canCache, &expiration_t);
X509VerifyStatusCode code = CheckOcspGetExpiry(req, resp, subject, issuers[0], ctx, &canCache, &expiration_t);

if (sizeof(time_t) == sizeof(int64_t))
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -412,4 +412,4 @@ PALEXPORT int32_t CryptoNative_X509ChainVerifyOcsp(X509_STORE_CTX* storeCtx,
Decode len bytes of buf into an OCSP response, process it against the OCSP request, and return if the bytes were valid.
If the bytes were valid, and the OCSP response had a nextUpdate value, assign it to expiration.
*/
PALEXPORT int32_t CryptoNative_X509DecodeOcspToExpiration(const uint8_t* buf, int32_t len, OCSP_REQUEST* req, X509* subject, X509* issuer, int64_t* expiration);
PALEXPORT int32_t CryptoNative_X509DecodeOcspToExpiration(const uint8_t* buf, int32_t len, OCSP_REQUEST* req, X509* subject, X509** issuers, int issuersLen, int64_t* expiration);
Loading