Delay loading the dev cert #2422

Author: Tratcher

build/dependencies.props

@@ -7,39 +7,39 @@
     <BenchmarkDotNetPackageVersion>0.10.13</BenchmarkDotNetPackageVersion>
     <InternalAspNetCoreSdkPackageVersion>2.1.0-preview3-17001</InternalAspNetCoreSdkPackageVersion>
     <LibuvPackageVersion>1.10.0</LibuvPackageVersion>
-    <MicrosoftAspNetCoreBenchmarkRunnerSourcesPackageVersion>2.1.0-preview3-32037</MicrosoftAspNetCoreBenchmarkRunnerSourcesPackageVersion>
-    <MicrosoftAspNetCoreCertificatesGenerationSourcesPackageVersion>2.1.0-preview3-32037</MicrosoftAspNetCoreCertificatesGenerationSourcesPackageVersion>
-    <MicrosoftAspNetCoreHostingAbstractionsPackageVersion>2.1.0-preview3-32037</MicrosoftAspNetCoreHostingAbstractionsPackageVersion>
-    <MicrosoftAspNetCoreHostingPackageVersion>2.1.0-preview3-32037</MicrosoftAspNetCoreHostingPackageVersion>
-    <MicrosoftAspNetCoreHttpAbstractionsPackageVersion>2.1.0-preview3-32037</MicrosoftAspNetCoreHttpAbstractionsPackageVersion>
-    <MicrosoftAspNetCoreHttpFeaturesPackageVersion>2.1.0-preview3-32037</MicrosoftAspNetCoreHttpFeaturesPackageVersion>
-    <MicrosoftAspNetCoreHttpPackageVersion>2.1.0-preview3-32037</MicrosoftAspNetCoreHttpPackageVersion>
-    <MicrosoftAspNetCoreTestingPackageVersion>2.1.0-preview3-32037</MicrosoftAspNetCoreTestingPackageVersion>
-    <MicrosoftAspNetCoreWebUtilitiesPackageVersion>2.1.0-preview3-32037</MicrosoftAspNetCoreWebUtilitiesPackageVersion>
-    <MicrosoftExtensionsActivatorUtilitiesSourcesPackageVersion>2.1.0-preview3-32037</MicrosoftExtensionsActivatorUtilitiesSourcesPackageVersion>
-    <MicrosoftExtensionsBuffersSourcesPackageVersion>2.1.0-preview3-32037</MicrosoftExtensionsBuffersSourcesPackageVersion>
-    <MicrosoftExtensionsBuffersTestingSourcesPackageVersion>2.1.0-preview3-32037</MicrosoftExtensionsBuffersTestingSourcesPackageVersion>
-    <MicrosoftExtensionsConfigurationBinderPackageVersion>2.1.0-preview3-32037</MicrosoftExtensionsConfigurationBinderPackageVersion>
-    <MicrosoftExtensionsConfigurationJsonPackageVersion>2.1.0-preview3-32037</MicrosoftExtensionsConfigurationJsonPackageVersion>
-    <MicrosoftExtensionsDependencyInjectionPackageVersion>2.1.0-preview3-32037</MicrosoftExtensionsDependencyInjectionPackageVersion>
-    <MicrosoftExtensionsLoggingAbstractionsPackageVersion>2.1.0-preview3-32037</MicrosoftExtensionsLoggingAbstractionsPackageVersion>
-    <MicrosoftExtensionsLoggingConsolePackageVersion>2.1.0-preview3-32037</MicrosoftExtensionsLoggingConsolePackageVersion>
-    <MicrosoftExtensionsLoggingPackageVersion>2.1.0-preview3-32037</MicrosoftExtensionsLoggingPackageVersion>
-    <MicrosoftExtensionsLoggingTestingPackageVersion>2.1.0-preview3-32037</MicrosoftExtensionsLoggingTestingPackageVersion>
-    <MicrosoftExtensionsOptionsPackageVersion>2.1.0-preview3-32037</MicrosoftExtensionsOptionsPackageVersion>
+    <MicrosoftAspNetCoreBenchmarkRunnerSourcesPackageVersion>2.1.0-preview3-32119</MicrosoftAspNetCoreBenchmarkRunnerSourcesPackageVersion>
+    <MicrosoftAspNetCoreCertificatesGenerationSourcesPackageVersion>2.1.0-preview3-32119</MicrosoftAspNetCoreCertificatesGenerationSourcesPackageVersion>
+    <MicrosoftAspNetCoreHostingAbstractionsPackageVersion>2.1.0-preview3-32119</MicrosoftAspNetCoreHostingAbstractionsPackageVersion>
+    <MicrosoftAspNetCoreHostingPackageVersion>2.1.0-preview3-32119</MicrosoftAspNetCoreHostingPackageVersion>
+    <MicrosoftAspNetCoreHttpAbstractionsPackageVersion>2.1.0-preview3-32119</MicrosoftAspNetCoreHttpAbstractionsPackageVersion>
+    <MicrosoftAspNetCoreHttpFeaturesPackageVersion>2.1.0-preview3-32119</MicrosoftAspNetCoreHttpFeaturesPackageVersion>
+    <MicrosoftAspNetCoreHttpPackageVersion>2.1.0-preview3-32119</MicrosoftAspNetCoreHttpPackageVersion>
+    <MicrosoftAspNetCoreTestingPackageVersion>2.1.0-preview3-32119</MicrosoftAspNetCoreTestingPackageVersion>
+    <MicrosoftAspNetCoreWebUtilitiesPackageVersion>2.1.0-preview3-32119</MicrosoftAspNetCoreWebUtilitiesPackageVersion>
+    <MicrosoftExtensionsActivatorUtilitiesSourcesPackageVersion>2.1.0-preview3-32119</MicrosoftExtensionsActivatorUtilitiesSourcesPackageVersion>
+    <MicrosoftExtensionsBuffersSourcesPackageVersion>2.1.0-preview3-32119</MicrosoftExtensionsBuffersSourcesPackageVersion>
+    <MicrosoftExtensionsBuffersTestingSourcesPackageVersion>2.1.0-preview3-32119</MicrosoftExtensionsBuffersTestingSourcesPackageVersion>
+    <MicrosoftExtensionsConfigurationBinderPackageVersion>2.1.0-preview3-32119</MicrosoftExtensionsConfigurationBinderPackageVersion>
+    <MicrosoftExtensionsConfigurationJsonPackageVersion>2.1.0-preview3-32119</MicrosoftExtensionsConfigurationJsonPackageVersion>
+    <MicrosoftExtensionsDependencyInjectionPackageVersion>2.1.0-preview3-32119</MicrosoftExtensionsDependencyInjectionPackageVersion>
+    <MicrosoftExtensionsLoggingAbstractionsPackageVersion>2.1.0-preview3-32119</MicrosoftExtensionsLoggingAbstractionsPackageVersion>
+    <MicrosoftExtensionsLoggingConsolePackageVersion>2.1.0-preview3-32119</MicrosoftExtensionsLoggingConsolePackageVersion>
+    <MicrosoftExtensionsLoggingPackageVersion>2.1.0-preview3-32119</MicrosoftExtensionsLoggingPackageVersion>
+    <MicrosoftExtensionsLoggingTestingPackageVersion>2.1.0-preview3-32119</MicrosoftExtensionsLoggingTestingPackageVersion>
+    <MicrosoftExtensionsOptionsPackageVersion>2.1.0-preview3-32119</MicrosoftExtensionsOptionsPackageVersion>
     <MicrosoftNETCoreApp20PackageVersion>2.0.0</MicrosoftNETCoreApp20PackageVersion>
-    <MicrosoftNetHttpHeadersPackageVersion>2.1.0-preview3-32037</MicrosoftNetHttpHeadersPackageVersion>
     <MicrosoftNETCoreApp21PackageVersion>2.1.0-preview3-26331-01</MicrosoftNETCoreApp21PackageVersion>
+    <MicrosoftNetHttpHeadersPackageVersion>2.1.0-preview3-32119</MicrosoftNetHttpHeadersPackageVersion>
     <MicrosoftNETTestSdkPackageVersion>15.6.1</MicrosoftNETTestSdkPackageVersion>
     <MoqPackageVersion>4.7.49</MoqPackageVersion>
+    <NewtonsoftJsonPackageVersion>11.0.2</NewtonsoftJsonPackageVersion>
     <SystemBuffersPackageVersion>4.5.0-preview3-26331-02</SystemBuffersPackageVersion>
     <SystemIOPipelinesPackageVersion>4.5.0-preview3-26331-02</SystemIOPipelinesPackageVersion>
     <SystemMemoryPackageVersion>4.5.0-preview3-26331-02</SystemMemoryPackageVersion>
     <SystemNumericsVectorsPackageVersion>4.5.0-preview3-26331-02</SystemNumericsVectorsPackageVersion>
     <SystemRuntimeCompilerServicesUnsafePackageVersion>4.5.0-preview3-26331-02</SystemRuntimeCompilerServicesUnsafePackageVersion>
     <SystemSecurityCryptographyCngPackageVersion>4.5.0-preview3-26331-02</SystemSecurityCryptographyCngPackageVersion>
     <SystemThreadingTasksExtensionsPackageVersion>4.5.0-preview3-26331-02</SystemThreadingTasksExtensionsPackageVersion>
-    <NewtonsoftJsonPackageVersion>11.0.1</NewtonsoftJsonPackageVersion>
     <XunitAnalyzersPackageVersion>0.8.0</XunitAnalyzersPackageVersion>
     <XunitPackageVersion>2.3.1</XunitPackageVersion>
     <XunitRunnerVisualStudioPackageVersion>2.4.0-beta.1.build3945</XunitRunnerVisualStudioPackageVersion>

src/Kestrel.Core/Internal/KestrelServerOptionsSetup.cs

@@ -2,12 +2,6 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
-using System.Linq;
-using System.Security.Cryptography.X509Certificates;
-using Microsoft.AspNetCore.Certificates.Generation;
-using Microsoft.AspNetCore.Server.Kestrel.Internal;
-using Microsoft.Extensions.DependencyInjection;
-using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
 namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal
@@ -24,33 +18,6 @@ public KestrelServerOptionsSetup(IServiceProvider services)
         public void Configure(KestrelServerOptions options)
         {
             options.ApplicationServices = _services;
-            UseDefaultDeveloperCertificate(options);
-        }
-
-        private void UseDefaultDeveloperCertificate(KestrelServerOptions options)
-        {
-            var logger = options.ApplicationServices.GetRequiredService<ILogger<KestrelServer>>();
-            X509Certificate2 certificate = null;
-            try
-            {
-                var certificateManager = new CertificateManager();
-                certificate = certificateManager.ListCertificates(CertificatePurpose.HTTPS, StoreName.My, StoreLocation.CurrentUser, isValid: true)
-                    .FirstOrDefault();
-            }
-            catch
-            {
-                logger.UnableToLocateDevelopmentCertificate();
-            }
-
-            if (certificate != null)
-            {
-                logger.LocatedDevelopmentCertificate(certificate);
-                options.DefaultCertificate = certificate;
-            }
-            else
-            {
-                logger.UnableToLocateDevelopmentCertificate();
-            }
         }
     }
 }

src/Kestrel.Core/KestrelConfigurationLoader.cs

@@ -225,6 +225,9 @@ public void Load()
                     // Specified
                     httpsOptions.ServerCertificate = LoadCertificate(endpoint.Certificate, endpoint.Name)
                         ?? httpsOptions.ServerCertificate;
+
+                    // Fallback
+                    Options.ApplyDefaultCert(httpsOptions);
                 }
 
                 if (EndpointConfigurations.TryGetValue(endpoint.Name, out var configureEndpoint))

src/Kestrel.Core/KestrelServerOptions.cs

@@ -3,12 +3,17 @@
 
 using System;
 using System.Collections.Generic;
+using System.Linq;
 using System.Net;
 using System.Security.Cryptography.X509Certificates;
+using Microsoft.AspNetCore.Certificates.Generation;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Server.Kestrel.Https;
+using Microsoft.AspNetCore.Server.Kestrel.Internal;
 using Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions.Internal;
 using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 
 namespace Microsoft.AspNetCore.Server.Kestrel.Core
 {
@@ -75,10 +80,15 @@ public class KestrelServerOptions
         private Action<HttpsConnectionAdapterOptions> HttpsDefaults { get; set; } = _ => { };
 
         /// <summary>
-        /// The default server certificate for https endpoints. This is applied before HttpsDefaults.
+        /// The default server certificate for https endpoints. This is applied lazily after HttpsDefaults and user options.
         /// </summary>
         internal X509Certificate2 DefaultCertificate { get; set; }
 
+        /// <summary>
+        /// Has the default dev certificate load been attempted?
+        /// </summary>
+        internal bool IsDevCertLoaded { get; set; }
+
         /// <summary>
         /// Specifies a configuration Action to run for each newly created endpoint. Calling this again will replace
         /// the prior action.
@@ -105,10 +115,50 @@ public void ConfigureHttpsDefaults(Action<HttpsConnectionAdapterOptions> configu
 
         internal void ApplyHttpsDefaults(HttpsConnectionAdapterOptions httpsOptions)
         {
-            httpsOptions.ServerCertificate = DefaultCertificate;
             HttpsDefaults(httpsOptions);
         }
 
+        internal void ApplyDefaultCert(HttpsConnectionAdapterOptions httpsOptions)
+        {
+            // TODO SNI: Also check for the server cert selector
+            if (httpsOptions.ServerCertificate != null)
+            {
+                return;
+            }
+
+            EnsureDefaultCert();
+
+            httpsOptions.ServerCertificate = DefaultCertificate;
+        }
+
+        private void EnsureDefaultCert()
+        {
+            if (DefaultCertificate == null && !IsDevCertLoaded)
+            {
+                IsDevCertLoaded = true; // Only try once
+                var logger = ApplicationServices.GetRequiredService<ILogger<KestrelServer>>();
+                try
+                {
+                    var certificateManager = new CertificateManager();
+                    DefaultCertificate = certificateManager.ListCertificates(CertificatePurpose.HTTPS, StoreName.My, StoreLocation.CurrentUser, isValid: true)
+                        .FirstOrDefault();
+
+                    if (DefaultCertificate != null)
+                    {
+                        logger.LocatedDevelopmentCertificate(DefaultCertificate);
+                    }
+                    else
+                    {
+                        logger.UnableToLocateDevelopmentCertificate();
+                    }
+                }
+                catch
+                {
+                    logger.UnableToLocateDevelopmentCertificate();
+                }
+            }
+        }
+
         /// <summary>
         /// Creates a configuration loader for setting up Kestrel.
         /// </summary>

src/Kestrel.Core/ListenOptionsHttpsExtensions.cs

@@ -178,6 +178,7 @@ public static ListenOptions UseHttps(this ListenOptions listenOptions, Action<Ht
             var options = new HttpsConnectionAdapterOptions();
             listenOptions.KestrelServerOptions.ApplyHttpsDefaults(options);
             configureOptions(options);
+            listenOptions.KestrelServerOptions.ApplyDefaultCert(options);
 
             if (options.ServerCertificate == null)
             {
@@ -191,6 +192,7 @@ internal static bool TryUseHttps(this ListenOptions listenOptions)
         {
             var options = new HttpsConnectionAdapterOptions();
             listenOptions.KestrelServerOptions.ApplyHttpsDefaults(options);
+            listenOptions.KestrelServerOptions.ApplyDefaultCert(options);
 
             if (options.ServerCertificate == null)
             {

test/Kestrel.Core.Tests/KestrelServerTests.cs

@@ -65,7 +65,9 @@ public void StartWithHttpsAddressConfiguresHttpsEndpoints()
         [Fact]
         public void KestrelServerThrowsUsefulExceptionIfDefaultHttpsProviderNotAdded()
         {
-            using (var server = CreateServer(CreateServerOptions(), throwOnCriticalErrors: false))
+            var options = CreateServerOptions();
+            options.IsDevCertLoaded = true; // Prevent the system default from being loaded
+            using (var server = CreateServer(options, throwOnCriticalErrors: false))
             {
                 server.Features.Get<IServerAddressesFeature>().Addresses.Add("https://127.0.0.1:0");
 

test/Kestrel.FunctionalTests/HttpsTests.cs

@@ -47,38 +47,41 @@ public void UseHttpsDefaultsToDefaultCert()
                 options.UseHttps();
             });
 
+            Assert.False(serverOptions.IsDevCertLoaded);
+
             serverOptions.ListenLocalhost(5001, options =>
             {
                 options.UseHttps(opt =>
                 {
-                    Assert.Equal(defaultCert, opt.ServerCertificate);
+                    // The default cert is applied after UseHttps.
+                    Assert.Null(opt.ServerCertificate);
                 });
             });
+            Assert.False(serverOptions.IsDevCertLoaded);
         }
 
         [Fact]
-        public void ConfigureHttpsDefaultsOverridesDefaultCert()
+        public void ConfigureHttpsDefaultsNeverLoadsDefaultCert()
         {
             var serverOptions = CreateServerOptions();
-            var defaultCert = new X509Certificate2(TestResources.TestCertificatePath, "testPassword");
-            serverOptions.DefaultCertificate = defaultCert;
+            var testCert = new X509Certificate2(TestResources.TestCertificatePath, "testPassword");
             serverOptions.ConfigureHttpsDefaults(options =>
             {
-                Assert.Equal(defaultCert, options.ServerCertificate);
-                options.ServerCertificate = null;
+                Assert.Null(options.ServerCertificate);
+                options.ServerCertificate = testCert;
                 options.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
             });
             serverOptions.ListenLocalhost(5000, options =>
             {
                 options.UseHttps(opt =>
                 {
-                    Assert.Null(opt.ServerCertificate);
+                    Assert.Equal(testCert, opt.ServerCertificate);
                     Assert.Equal(ClientCertificateMode.RequireCertificate, opt.ClientCertificateMode);
-
-                    // So UseHttps won't throw
-                    opt.ServerCertificate = defaultCert;
                 });
             });
+            // Never lazy loaded
+            Assert.False(serverOptions.IsDevCertLoaded);
+            Assert.Null(serverOptions.DefaultCertificate);
         }
 
         [Fact]