Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix ConnectWithCertificateChain quic test #54026

Merged
merged 1 commit into from
Jun 12, 2021
Merged

fix ConnectWithCertificateChain quic test #54026

merged 1 commit into from
Jun 12, 2021

Conversation

wfurt
Copy link
Member

@wfurt wfurt commented Jun 10, 2021

It seems like ordering of the additionalCertificates X509Certificate2Collection is not quite predicable as I assumed.
With that the validation callback can get wrong certificate and/or incomplete chain.

With this change we would always get peer certificate from PlatformCertificateHandle and we would add all extra certificates to ChainPolicy.ExtraStore. That may contain peer certificate it self but it does not matter as that is just hint and chain.Build will create the chain as needed.

I aslo added ITestOutputHelper to the test so it is easier to collect useful information on test failures.

@wfurt wfurt requested review from ManickaP and a team June 10, 2021 20:13
@wfurt wfurt self-assigned this Jun 10, 2021
@ghost
Copy link

ghost commented Jun 10, 2021

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

It seems like ordering of the additionalCertificates X509Certificate2Collection is not quite predicable as I assumed.
With that the validation callback can get wrong certificate and/or incomplete chain.

With this change we would always get peer certificate from PlatformCertificateHandle and we would add all extra certificates to ChainPolicy.ExtraStore. That may contain peer certificate it self but it does not matter as that is just hint and chain.Build will create the chain as needed.

I aslo added ITestOutputHelper to the test so it is easier to collect useful information on test failures.

Author: wfurt
Assignees: wfurt
Labels:

area-System.Net.Quic
Milestone: -

stephentoub
stephentoub reviewed Jun 10, 2021
View reviewed changes
src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/MsQuicConnection.cs
@@ -345,27 +345,18 @@ private static uint HandleEventPeerCertificateReceived(State state, ref Connecti
{
unsafe
{
ReadOnlySpan<QuicBuffer> quicBuffer;
ReadOnlySpan<QuicBuffer> quicBuffer = new ReadOnlySpan<QuicBuffer>((void*)connectionEvent.Data.PeerCertificateReceived.PlatformCertificateHandle, sizeof(QuicBuffer));
certificate = new X509Certificate2(new ReadOnlySpan<byte>(quicBuffer[0].Buffer, (int)quicBuffer[0].Length));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're guaranteed quicBuffer.Length > 0?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nevermind, I missed the sizeof(QuicBuffer) as the length above.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BTW the relevant code is here:
https://github.com/microsoft/msquic/blob/5f9b5482f0fcabb970033cf72dfcde2f472f0262/src/platform/tls_openssl.c#L218-L228

It does not check for length but since certificate exist and i2d_X509 did not fail I assume the length is positive.
Similar for the chain aka pkcs7 blob.

ManickaP
ManickaP approved these changes Jun 11, 2021
View reviewed changes
Copy link
Member

@ManickaP ManickaP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks.

@wfurt wfurt merged commit 4aa29f4 into dotnet:main Jun 12, 2021
@wfurt wfurt deleted the quicChain branch June 12, 2021 14:26
@ghost ghost locked as resolved and limited conversation to collaborators Jul 12, 2021
@karelz karelz added this to the 6.0.0 milestone Jul 15, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@stephentoub stephentoub stephentoub left review comments

@ManickaP ManickaP ManickaP approved these changes

Assignees

@wfurt wfurt

Labels
area-System.Net.Quic
Projects
None yet
Milestone
6.0.0
Development

Successfully merging this pull request may close these issues.
4 participants
@wfurt @stephentoub @ManickaP @karelz