Outline SNI APIs #2357

Author: Tratcher

samples/SampleApp/Startup.cs

@@ -12,6 +12,7 @@
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
+using Microsoft.AspNetCore.Server.Kestrel.Https.Internal;
 using Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions.Internal;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Logging;
@@ -104,7 +105,24 @@ public static Task Main(string[] args)
                     {
                         listenOptions.UseHttps(StoreName.My, "localhost", allowInvalid: true);
                     });
-
+#if NETCOREAPP2_1
+                    options.ListenAnyIP(basePort + 5, listenOptions =>
+                    {
+                        listenOptions.UseHttps(httpsOptions =>
+                        {
+                            var localhostCert = CertificateLoader.LoadFromStoreCert("localhost", "My", StoreLocation.CurrentUser, allowInvalid: true);
+                            httpsOptions.ServerCertificateSelector = name =>
+                            {
+                                if (string.Equals(name, "localhost", StringComparison.OrdinalIgnoreCase))
+                                {
+                                    return localhostCert;
+                                }
+                                // else fail?
+                                return null;
+                            };
+                        });
+                    });
+#endif
                     options
                         .Configure()
                         .Endpoint(IPAddress.Loopback, basePort + 5)

src/Kestrel.Core/CoreStrings.resx

@@ -477,7 +477,7 @@
   <data name="PositiveTimeSpanRequired1" xml:space="preserve">
     <value>Value must be a positive TimeSpan.</value>
   </data>
-  <data name="ServiceCertificateRequired" xml:space="preserve">
+  <data name="ServerCertificateRequired" xml:space="preserve">
     <value>The server certificate parameter is required.</value>
   </data>
   <data name="BindingToDefaultAddresses" xml:space="preserve">

src/Kestrel.Core/HttpsConnectionAdapterOptions.cs

@@ -29,14 +29,26 @@ public HttpsConnectionAdapterOptions()
 
         /// <summary>
         /// <para>
-        /// Specifies the server certificate used to authenticate HTTPS connections.
+        /// Specifies the server certificate used to authenticate HTTPS connections. This is ignored if ServerCertificateSelector is set.
         /// </para>
         /// <para>
         /// If the server certificate has an Extended Key Usage extension, the usages must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
         /// </para>
         /// </summary>
         public X509Certificate2 ServerCertificate { get; set; }
 
+        /// <summary>
+        /// A callback that will be invoked to dynamically select a server certificate. This is higher priority than ServerCertificate.
+        /// </summary>
+        public Func<string, X509Certificate2> ServerCertificateSelector
+#if NETCOREAPP2_1
+        { get; set; }
+#else
+        {
+            get => null;
+            set => throw new PlatformNotSupportedException("This API requires targeting netcoreapp2.1");
+        }
+#endif
         /// <summary>
         /// Specifies the client certificate requirements for a HTTPS connection. Defaults to <see cref="ClientCertificateMode.NoCertificate"/>.
         /// </summary>

src/Kestrel.Core/Internal/HttpsConnectionAdapter.cs

@@ -22,6 +22,8 @@ public class HttpsConnectionAdapter : IConnectionAdapter
 
         private readonly HttpsConnectionAdapterOptions _options;
         private readonly X509Certificate2 _serverCertificate;
+        private readonly Func<object, string, X509Certificate2> _serverCertificateSelector;
+
         private readonly ILogger _logger;
 
         public HttpsConnectionAdapter(HttpsConnectionAdapterOptions options)
@@ -36,15 +38,34 @@ public HttpsConnectionAdapter(HttpsConnectionAdapterOptions options, ILoggerFact
                 throw new ArgumentNullException(nameof(options));
             }
 
-            if (options.ServerCertificate == null)
+            // capture the certificate now so it can't be switched after validation
+            _serverCertificate = options.ServerCertificate;
+            var selector = options.ServerCertificateSelector;
+            if (_serverCertificate == null && selector == null)
             {
-                throw new ArgumentException(CoreStrings.ServiceCertificateRequired, nameof(options));
+                throw new ArgumentException(CoreStrings.ServerCertificateRequired, nameof(options));
             }
 
-            // capture the certificate now so it can be switched after validation
-            _serverCertificate = options.ServerCertificate;
-
-            EnsureCertificateIsAllowedForServerAuth(_serverCertificate);
+            // If a selector is provided then ignore the cert, it may be a default cert.
+            if (selector != null)
+            {
+                // SslStream doesn't allow both.
+                _serverCertificate = null;
+                // Adapt to the SslStream signature
+                _serverCertificateSelector = (sender, name) =>
+                {
+                    var cert = selector(name);
+                    if (cert != null)
+                    {
+                        EnsureCertificateIsAllowedForServerAuth(cert);
+                    }
+                    return cert;
+                };
+            }
+            else
+            {
+                EnsureCertificateIsAllowedForServerAuth(_serverCertificate);
+            }
 
             _options = options;
             _logger = loggerFactory?.CreateLogger(nameof(HttpsConnectionAdapter));
@@ -118,6 +139,7 @@ private async Task<IAdaptedConnection> InnerOnConnectionAsync(ConnectionAdapterC
                 var sslOptions = new SslServerAuthenticationOptions()
                 {
                     ServerCertificate = _serverCertificate,
+                    // TODO: ServerCertificateSelector = _serverCertificateSelector,
                     ClientCertificateRequired = certificateRequired,
                     EnabledSslProtocols = _options.SslProtocols,
                     CertificateRevocationCheckMode = _options.CheckCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,

src/Kestrel.Core/KestrelConfigurationLoader.cs

@@ -236,7 +236,7 @@ public void Load()
                 // EndpointDefaults or configureEndpoint may have added an https adapter.
                 if (https && !listenOptions.ConnectionAdapters.Any(f => f.IsHttps))
                 {
-                    if (httpsOptions.ServerCertificate == null)
+                    if (httpsOptions.ServerCertificate == null && httpsOptions.ServerCertificateSelector == null)
                     {
                         throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);
                     }

src/Kestrel.Core/ListenOptionsHttpsExtensions.cs

@@ -179,7 +179,7 @@ public static ListenOptions UseHttps(this ListenOptions listenOptions, Action<Ht
             listenOptions.KestrelServerOptions.ApplyHttpsDefaults(options);
             configureOptions(options);
 
-            if (options.ServerCertificate == null)
+            if (options.ServerCertificate == null && options.ServerCertificateSelector == null)
             {
                 throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);
             }
@@ -192,7 +192,7 @@ internal static bool TryUseHttps(this ListenOptions listenOptions)
             var options = new HttpsConnectionAdapterOptions();
             listenOptions.KestrelServerOptions.ApplyHttpsDefaults(options);
 
-            if (options.ServerCertificate == null)
+            if (options.ServerCertificate == null && options.ServerCertificateSelector == null)
             {
                 return false;
             }