Pass Through Disable AIA Flag (#4674)
nibanks authored Dec 4, 2024
1 parent 698c028 commit 9c41c71
Showing 7 changed files with 18 additions and 2 deletions.
4 changes: 4 additions & 0 deletions docs/api/QUIC_CREDENTIAL_CONFIG.md
Expand Up @@ -161,6 +161,10 @@ Obtain the peer certificate using a faster in-process API call. Only available o

Enable CA certificate file provided in the `CaCertificateFile` member.

`QUIC_CREDENTIAL_FLAG_DISABLE_AIA`

The following flag can be set to explicitly disable AIA retrievals. Only valid on Windows.

#### `CertificateHash`

Must **only** use with `QUIC_CREDENTIAL_TYPE_CERTIFICATE_HASH` type.
1 change: 1 addition & 0 deletions src/cs/lib/msquic_generated.cs
Expand Up @@ -99,6 +99,7 @@ internal enum QUIC_CREDENTIAL_FLAGS
REVOCATION_CHECK_CACHE_ONLY = 0x00040000,
INPROC_PEER_CERTIFICATE = 0x00080000,
SET_CA_CERTIFICATE_FILE = 0x00100000,
DISABLE_AIA = 0x00200000,
}

[System.Flags]
1 change: 1 addition & 0 deletions src/inc/msquic.h
Expand Up @@ -146,6 +146,7 @@ typedef enum QUIC_CREDENTIAL_FLAGS {
QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY = 0x00040000, // Windows only currently
QUIC_CREDENTIAL_FLAG_INPROC_PEER_CERTIFICATE = 0x00080000, // Schannel only
QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE = 0x00100000, // OpenSSL only currently
QUIC_CREDENTIAL_FLAG_DISABLE_AIA = 0x00200000, // Schannel only currently
} QUIC_CREDENTIAL_FLAGS;

DEFINE_ENUM_FLAG_OPERATORS(QUIC_CREDENTIAL_FLAGS)
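Review bot: The scope comment on the new enumerator, `// Schannel only currently`, disagrees with docs/api/QUIC_CREDENTIAL_CONFIG.md in this same commit ("Only valid on Windows"), and src/platform/certificates_capi.c also maps the flag, so the header and the doc should state the same supported scope. The comment would also help callers who do not know the CryptoAPI name if it said what the flag does, e.g. `QUIC_CREDENTIAL_FLAG_DISABLE_AIA = 0x00200000, // Schannel only currently; no AIA URL retrieval during chain building`. Worth documenting in the same place: with AIA retrieval disabled a peer that omits an intermediate certificate from its chain can presumably no longer be repaired by download, so validation of such peers fails instead of succeeding after a fetch; callers opting in should expect that.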
3 changes: 3 additions & 0 deletions src/platform/certificates_capi.c
Expand Up @@ -90,6 +90,9 @@ CxPlatCertVerifyRawCertificate(
if (CredFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY) {
CertFlags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
}
if (CredFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA) {
CertFlags |= CERT_CHAIN_DISABLE_AIA;
}

Result =
CxPlatCertValidateChain(
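Review bot: The QUIC_CREDENTIAL_FLAG_* to CERT_CHAIN_* translation now lives in two places, this function and CxPlatTlsSetClientCertPolicy in src/platform/tls_schannel.c, with the same if/|= pairs repeated in each; a single shared helper that returns the CERT_CHAIN flag mask for a given credential flag set would keep the two lists from drifting the next time a flag is added. CxPlatCertVerifyRawCertificate starts before this hunk, so whether the resulting CertFlags is used anywhere other than the CxPlatCertValidateChain call below is not visible here.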
6 changes: 4 additions & 2 deletions src/platform/tls_openssl.c
Expand Up @@ -981,7 +981,8 @@ CxPlatTlsSecConfigCreate(
CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY)) {
CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA)) {
return QUIC_STATUS_INVALID_PARAMETER;
}

Expand All @@ -992,7 +993,8 @@ CxPlatTlsSecConfigCreate(
CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY)) {
CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA)) {
return QUIC_STATUS_INVALID_PARAMETER;
}
#endif
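Review bot: Both hunks in CxPlatTlsSecConfigCreate extend the same hand-maintained list of rejected Windows-only flags, and the two lists must now be kept identical by hand; a file-scope mask such as `QUIC_CREDENTIAL_FLAGS_WINDOWS_ONLY` built from those QUIC_CREDENTIAL_FLAG_* values, tested with a single `CredConfigFlags & QUIC_CREDENTIAL_FLAGS_WINDOWS_ONLY` in each condition, would make the next addition a one-line change and remove the risk of updating only one site. The start of each condition is outside the hunks, so the surrounding test (and any platform guard on the first check; only the second one visibly ends in `#endif`) cannot be seen here. If the first check is not platform-guarded, the OpenSSL provider rejects QUIC_CREDENTIAL_FLAG_DISABLE_AIA with QUIC_STATUS_INVALID_PARAMETER on every platform, which would make the new mapping in src/platform/certificates_capi.c unreachable from this provider — confirm which callers reach that file.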
4 changes: 4 additions & 0 deletions src/platform/tls_schannel.c
Expand Up @@ -118,6 +118,7 @@ typedef struct _SecPkgCred_ClientCertPolicy
#define CERT_CHAIN_REVOCATION_CHECK_CHAIN 0x20000000
#define CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x40000000
#define CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY 0x80000000
#define CERT_CHAIN_DISABLE_AIA 0x00002000

#define SECPKG_ATTR_REMOTE_CERTIFICATES 0x5F // returns SecPkgContext_Certificates

Expand Down Expand Up @@ -754,6 +755,9 @@ CxPlatTlsSetClientCertPolicy(
if (SecConfig->Flags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY) {
ClientCertPolicy.dwCertFlags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
}
if (SecConfig->Flags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA) {
ClientCertPolicy.dwCertFlags |= CERT_CHAIN_DISABLE_AIA;
}

SecStatus =
SetCredentialsAttributesW(
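Review bot: The flag is honored only in CxPlatTlsSetClientCertPolicy, i.e. the SecPkgCred_ClientCertPolicy used when a server validates a client certificate; nothing in this commit applies it to the client-side validation of a server certificate, so either that path does not need it or it was missed — confirm, and state the actual scope in the header comment so callers know which direction it affects. The new local define `#define CERT_CHAIN_DISABLE_AIA 0x00002000` matches the wincrypt.h value, but a short comment naming the source would help, e.g. `#define CERT_CHAIN_DISABLE_AIA 0x00002000 // wincrypt.h: no AIA URL retrieval during chain building`. CxPlatTlsSetClientCertPolicy starts before the second hunk.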
1 change: 1 addition & 0 deletions src/platform/unittest/TlsTest.cpp
Expand Up @@ -2222,6 +2222,7 @@ TEST_F(TlsTest, PlatformSpecificFlagsSchannel)
QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_END_CERT, QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT,
QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK, QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE,
QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL, QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY,
QUIC_CREDENTIAL_FLAG_DISABLE_AIA,
#ifndef __APPLE__
QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CHAIN,
#endif
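Review bot: Adding QUIC_CREDENTIAL_FLAG_DISABLE_AIA to the PlatformSpecificFlagsSchannel list appears, from the test name and the surrounding flags, to only check that each TLS provider accepts or rejects the flag in CxPlatTlsSecConfigCreate; nothing here asserts that CERT_CHAIN_DISABLE_AIA actually reaches the chain engine, so a regression in the mapping code in certificates_capi.c or tls_schannel.c would go unnoticed. If a test with a chain that needs an AIA fetch is impractical offline, a comment on the test saying that behavioral coverage is out of scope would at least make that explicit. TEST_F(TlsTest, PlatformSpecificFlagsSchannel) starts before the hunk, so the assertions applied to this list are not visible here.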

0 comments on commit 9c41c71

Please sign in to comment.