Log if a server certificate lacks the subjectAlternativeName extensions (#47678)

amcasey · web-flow · commit 0c42c03d54d7 · 2023-04-20T16:11:05.000-07:00
* Log if a server certificate lacks the subjectAlternativeName extensions

CommonName was deprecated in favor of subjectAlternativeName so there's a good chance of getting a browser security warning if it's missing.

* Address minor PR feedback
diff --git a/src/Servers/Kestrel/Core/src/CertificateLoader.cs b/src/Servers/Kestrel/Core/src/CertificateLoader.cs
@@ -106,6 +106,9 @@ internal static bool IsCertificateAllowedForServerAuth(X509Certificate2 certific
     internal static bool DoesCertificateHaveAnAccessiblePrivateKey(X509Certificate2 certificate)
         => certificate.HasPrivateKey;
 
+    internal static bool DoesCertificateHaveASubjectAlternativeName(X509Certificate2 certificate)
+        => certificate.Extensions.OfType<X509SubjectAlternativeNameExtension>().Any();
+
     private static void DisposeCertificates(X509Certificate2Collection? certificates, X509Certificate2? except)
     {
         if (certificates != null)
diff --git a/src/Servers/Kestrel/Core/src/HttpsConfigurationService.cs b/src/Servers/Kestrel/Core/src/HttpsConfigurationService.cs
@@ -24,9 +24,11 @@ internal sealed class HttpsConfigurationService : IHttpsConfigurationService
     private bool _isInitialized;
 
     private TlsConfigurationLoader? _tlsConfigurationLoader;
-    private Action<FeatureCollection, ListenOptions>? _populateMultiplexedTransportFeatures;
+    private Action<FeatureCollection, ListenOptions, ILogger<HttpsConnectionMiddleware>>? _populateMultiplexedTransportFeatures;
     private Func<ListenOptions, ListenOptions>? _useHttpsWithDefaults;
 
+    private ILogger<HttpsConnectionMiddleware>? _httpsLogger;
+
     /// <summary>
     /// Create an uninitialized <see cref="HttpsConfigurationService"/>.
     /// To initialize it later, call <see cref="Initialize"/>.
@@ -67,6 +69,7 @@ public void Initialize(
         _tlsConfigurationLoader = new TlsConfigurationLoader(hostEnvironment, serverLogger, httpsLogger);
         _populateMultiplexedTransportFeatures = PopulateMultiplexedTransportFeaturesWorker;
         _useHttpsWithDefaults = UseHttpsWithDefaultsWorker;
+        _httpsLogger = httpsLogger;
     }
 
     /// <inheritdoc/>
@@ -100,7 +103,7 @@ public ListenOptions UseHttpsWithSni(ListenOptions listenOptions, HttpsConnectio
     public void PopulateMultiplexedTransportFeatures(FeatureCollection features, ListenOptions listenOptions)
     {
         EnsureInitialized(CoreStrings.NeedHttpsConfigurationToUseHttp3);
-        _populateMultiplexedTransportFeatures.Invoke(features, listenOptions);
+        _populateMultiplexedTransportFeatures.Invoke(features, listenOptions, _httpsLogger);
     }
 
     /// <inheritdoc/>
@@ -114,7 +117,7 @@ public ListenOptions UseHttpsWithDefaults(ListenOptions listenOptions)
     /// If this instance has not been initialized, initialize it if possible and throw otherwise.
     /// </summary>
     /// <exception cref="InvalidOperationException">If initialization is not possible.</exception>
-    [MemberNotNull(nameof(_useHttpsWithDefaults), nameof(_tlsConfigurationLoader), nameof(_populateMultiplexedTransportFeatures))]
+    [MemberNotNull(nameof(_useHttpsWithDefaults), nameof(_tlsConfigurationLoader), nameof(_populateMultiplexedTransportFeatures), nameof(_httpsLogger))]
     private void EnsureInitialized(string uninitializedError)
     {
         if (!_isInitialized)
@@ -132,18 +135,19 @@ private void EnsureInitialized(string uninitializedError)
         Debug.Assert(_useHttpsWithDefaults is not null);
         Debug.Assert(_tlsConfigurationLoader is not null);
         Debug.Assert(_populateMultiplexedTransportFeatures is not null);
+        Debug.Assert(_httpsLogger is not null);
     }
 
     /// <summary>
     /// The initialized implementation of <see cref="PopulateMultiplexedTransportFeatures"/>.
     /// </summary>
-    internal static void PopulateMultiplexedTransportFeaturesWorker(FeatureCollection features, ListenOptions listenOptions)
+    internal static void PopulateMultiplexedTransportFeaturesWorker(FeatureCollection features, ListenOptions listenOptions, ILogger<HttpsConnectionMiddleware> logger)
     {
         // HttpsOptions or HttpsCallbackOptions should always be set in production, but it's not set for InMemory tests.
         // The QUIC transport will check if TlsConnectionCallbackOptions is missing.
         if (listenOptions.HttpsOptions != null)
         {
-            var sslServerAuthenticationOptions = HttpsConnectionMiddleware.CreateHttp3Options(listenOptions.HttpsOptions);
+            var sslServerAuthenticationOptions = HttpsConnectionMiddleware.CreateHttp3Options(listenOptions.HttpsOptions, logger);
             features.Set(new TlsConnectionCallbackOptions
             {
                 ApplicationProtocols = sslServerAuthenticationOptions.ApplicationProtocols ?? new List<SslApplicationProtocol> { SslApplicationProtocol.Http3 },
diff --git a/src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs b/src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs
@@ -20,6 +20,7 @@ internal sealed class SniOptionsSelector
     private const string WildcardPrefix = "*.";
 
     private readonly string _endpointName;
+    private readonly ILogger<HttpsConnectionMiddleware> _logger;
 
     private readonly Func<ConnectionContext, string?, X509Certificate2?>? _fallbackServerCertificateSelector;
     private readonly Action<ConnectionContext, SslServerAuthenticationOptions>? _onAuthenticateCallback;
@@ -37,6 +38,7 @@ public SniOptionsSelector(
         ILogger<HttpsConnectionMiddleware> logger)
     {
         _endpointName = endpointName;
+        _logger = logger;
 
         _fallbackServerCertificateSelector = fallbackHttpsOptions.ServerCertificateSelector;
         _onAuthenticateCallback = fallbackHttpsOptions.OnAuthenticate;
@@ -75,7 +77,7 @@ public SniOptionsSelector(
 
             if (!certifcateConfigLoader.IsTestMock && sslOptions.ServerCertificate is X509Certificate2 cert2)
             {
-                HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(cert2);
+                HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(cert2, logger);
             }
 
             var clientCertificateMode = sniConfig.ClientCertificateMode ?? fallbackHttpsOptions.ClientCertificateMode;
@@ -158,7 +160,7 @@ public SniOptionsSelector(
 
             if (fallbackCertificate != null)
             {
-                HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(fallbackCertificate);
+                HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(fallbackCertificate, _logger);
             }
 
             sslOptions.ServerCertificate = fallbackCertificate;
diff --git a/src/Servers/Kestrel/Core/src/KestrelServer.cs b/src/Servers/Kestrel/Core/src/KestrelServer.cs
@@ -35,7 +35,7 @@ public KestrelServer(IOptions<KestrelServerOptions> options, IConnectionListener
             options,
             new[] { transportFactory ?? throw new ArgumentNullException(nameof(transportFactory)) },
             Array.Empty<IMultiplexedConnectionListenerFactory>(),
-            new SimpleHttpsConfigurationService(),
+            new SimpleHttpsConfigurationService(loggerFactory),
             loggerFactory,
             new KestrelMetrics(new DummyMeterFactory()));
     }
@@ -78,6 +78,13 @@ private sealed class DummyMeterFactory : IMeterFactory
 
     private sealed class SimpleHttpsConfigurationService : IHttpsConfigurationService
     {
+        private readonly ILogger<HttpsConnectionMiddleware> _httpsLogger;
+
+        public SimpleHttpsConfigurationService(ILoggerFactory loggerFactory)
+        {
+            _httpsLogger = loggerFactory.CreateLogger<HttpsConnectionMiddleware>();
+        }
+
         public bool IsInitialized => true;
 
         public void Initialize(IHostEnvironment hostEnvironment, ILogger<KestrelServer> serverLogger, ILogger<HttpsConnectionMiddleware> httpsLogger)
@@ -87,7 +94,7 @@ public void Initialize(IHostEnvironment hostEnvironment, ILogger<KestrelServer>
 
         public void PopulateMultiplexedTransportFeatures(FeatureCollection features, ListenOptions listenOptions)
         {
-            HttpsConfigurationService.PopulateMultiplexedTransportFeaturesWorker(features, listenOptions);
+            HttpsConfigurationService.PopulateMultiplexedTransportFeaturesWorker(features, listenOptions, _httpsLogger);
         }
 
         public ListenOptions UseHttpsWithDefaults(ListenOptions listenOptions)
diff --git a/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs b/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
@@ -90,7 +90,7 @@ public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapter
         {
             Debug.Assert(_serverCertificate != null);
 
-            EnsureCertificateIsAllowedForServerAuth(_serverCertificate);
+            EnsureCertificateIsAllowedForServerAuth(_serverCertificate, _logger);
 
             var certificate = _serverCertificate;
             if (!certificate.HasPrivateKey)
@@ -314,7 +314,7 @@ private Task DoOptionsBasedHandshakeAsync(ConnectionContext context, SslStream s
                 var cert = _serverCertificateSelector(context, name);
                 if (cert != null)
                 {
-                    EnsureCertificateIsAllowedForServerAuth(cert);
+                    EnsureCertificateIsAllowedForServerAuth(cert, _logger);
                 }
                 return cert!;
             };
@@ -452,12 +452,16 @@ private static async ValueTask<SslServerAuthenticationOptions> ServerOptionsCall
         return sslOptions;
     }
 
-    internal static void EnsureCertificateIsAllowedForServerAuth(X509Certificate2 certificate)
+    internal static void EnsureCertificateIsAllowedForServerAuth(X509Certificate2 certificate, ILogger<HttpsConnectionMiddleware> logger)
     {
         if (!CertificateLoader.IsCertificateAllowedForServerAuth(certificate))
         {
             throw new InvalidOperationException(CoreStrings.FormatInvalidServerCertificateEku(certificate.Thumbprint));
         }
+        else if (!CertificateLoader.DoesCertificateHaveASubjectAlternativeName(certificate))
+        {
+            logger.NoSubjectAlternativeName(certificate.Thumbprint);
+        }
     }
 
     private static X509Certificate2? ConvertToX509Certificate2(X509Certificate? certificate)
@@ -514,7 +518,7 @@ private static bool IsWindowsVersionIncompatibleWithHttp2()
         return false;
     }
 
-    internal static SslServerAuthenticationOptions CreateHttp3Options(HttpsConnectionAdapterOptions httpsOptions)
+    internal static SslServerAuthenticationOptions CreateHttp3Options(HttpsConnectionAdapterOptions httpsOptions, ILogger<HttpsConnectionMiddleware> logger)
     {
         if (httpsOptions.OnAuthenticate != null)
         {
@@ -539,7 +543,7 @@ internal static SslServerAuthenticationOptions CreateHttp3Options(HttpsConnectio
                 var cert = httpsOptions.ServerCertificateSelector(null, host);
                 if (cert != null)
                 {
-                    EnsureCertificateIsAllowedForServerAuth(cert);
+                    EnsureCertificateIsAllowedForServerAuth(cert, logger);
                 }
                 return cert!;
             };
@@ -596,6 +600,9 @@ public static void FoundCertWithPrivateKey(this ILogger<HttpsConnectionMiddlewar
     [LoggerMessage(8, LogLevel.Debug, "Failed to open certificate store {StoreName}.", EventName = "FailToOpenStore")]
     public static partial void FailedToOpenStore(this ILogger<HttpsConnectionMiddleware> logger, string? storeName, Exception exception);
 
+    [LoggerMessage(9, LogLevel.Information, "Certificate with thumbprint {Thumbprint} lacks the subjectAlternativeName (SAN) extension and may not be accepted by browsers.", EventName = "NoSubjectAlternativeName")]
+    public static partial void NoSubjectAlternativeName(this ILogger<HttpsConnectionMiddleware> logger, string thumbprint);
+
     public static void FailedToOpenStore(this ILogger<HttpsConnectionMiddleware> logger, StoreLocation storeLocation, Exception exception)
     {
         var storeLocationString = storeLocation == StoreLocation.LocalMachine ? nameof(StoreLocation.LocalMachine) : nameof(StoreLocation.CurrentUser);
diff --git a/src/Servers/Kestrel/test/InMemory.FunctionalTests/CertificateLoaderTests.cs b/src/Servers/Kestrel/test/InMemory.FunctionalTests/CertificateLoaderTests.cs
@@ -53,4 +53,15 @@ public void IsCertificateAllowedForServerAuth_RejectsCertificatesMissingServerEk
 
         Assert.False(CertificateLoader.IsCertificateAllowedForServerAuth(cert));
     }
+
+    [Theory]
+    [InlineData("aspnetdevcert.pfx", true)]
+    [InlineData("no_extensions.pfx", false)]
+    public void DoesCertificateHaveASubjectAlternativeName(string testCertName, bool hasSan)
+    {
+        var certPath = TestResources.GetCertPath(testCertName);
+        TestOutputHelper.WriteLine("Loading " + certPath);
+        var cert = new X509Certificate2(certPath, "testPassword");
+        Assert.Equal(hasSan, CertificateLoader.DoesCertificateHaveASubjectAlternativeName(cert));
+    }
 }
diff --git a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs
@@ -23,6 +23,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Metrics;
 using Moq;
 
@@ -1341,6 +1342,26 @@ public void ThrowsForCertificatesMissingServerEku(string testCertName)
         Assert.Equal(CoreStrings.FormatInvalidServerCertificateEku(cert.Thumbprint), ex.Message);
     }
 
+    [Theory]
+    [InlineData("no_extensions.pfx")]
+    public void LogsForCertificateMissingSubjectAlternativeName(string testCertName)
+    {
+        var certPath = TestResources.GetCertPath(testCertName);
+        TestOutputHelper.WriteLine("Loading " + certPath);
+        var cert = new X509Certificate2(certPath, "testPassword");
+        Assert.False(CertificateLoader.DoesCertificateHaveASubjectAlternativeName(cert));
+
+        var testLogger = new TestApplicationErrorLogger();
+        CreateMiddleware(
+            new HttpsConnectionAdapterOptions
+            {
+                ServerCertificate = cert,
+            },
+            testLogger);
+
+        Assert.Single(testLogger.Messages.Where(log => log.EventId == 9));
+    }
+
     [ConditionalTheory]
     [InlineData(HttpProtocols.Http1)]
     [InlineData(HttpProtocols.Http2)]
@@ -1442,6 +1463,12 @@ private static HttpsConnectionMiddleware CreateMiddleware(X509Certificate2 serve
         });
     }
 
+    private static HttpsConnectionMiddleware CreateMiddleware(HttpsConnectionAdapterOptions options, TestApplicationErrorLogger testLogger = null)
+    {
+        var loggerFactory = testLogger is null ? (ILoggerFactory)NullLoggerFactory.Instance : new LoggerFactory(new[] { new KestrelTestLoggerProvider(testLogger) });
+        return new HttpsConnectionMiddleware(context => Task.CompletedTask, options, loggerFactory, new KestrelMetrics(new TestMeterFactory()));
+    }
+
     private static HttpsConnectionMiddleware CreateMiddleware(HttpsConnectionAdapterOptions options)
     {
         return new HttpsConnectionMiddleware(context => Task.CompletedTask, options, new KestrelMetrics(new TestMeterFactory()));

Original file line number	Diff line number	Diff line change
`@@ -106,6 +106,9 @@ internal static bool IsCertificateAllowedForServerAuth(X509Certificate2 certific`
`106`	`106`	`internal static bool DoesCertificateHaveAnAccessiblePrivateKey(X509Certificate2 certificate)`
`107`	`107`	`=> certificate.HasPrivateKey;`
`108`	`108`
	`109`	`+ internal static bool DoesCertificateHaveASubjectAlternativeName(X509Certificate2 certificate)`
	`110`	`+ => certificate.Extensions.OfType<X509SubjectAlternativeNameExtension>().Any();`
	`111`	`+`
`109`	`112`	`private static void DisposeCertificates(X509Certificate2Collection? certificates, X509Certificate2? except)`
`110`	`113`	`{`
`111`	`114`	`if (certificates != null)`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ internal sealed class SniOptionsSelector`
`20`	`20`	`private const string WildcardPrefix = "*.";`
`21`	`21`
`22`	`22`	`private readonly string _endpointName;`
	`23`	`+ private readonly ILogger<HttpsConnectionMiddleware> _logger;`
`23`	`24`
`24`	`25`	`private readonly Func<ConnectionContext, string?, X509Certificate2?>? _fallbackServerCertificateSelector;`
`25`	`26`	`private readonly Action<ConnectionContext, SslServerAuthenticationOptions>? _onAuthenticateCallback;`
`@@ -37,6 +38,7 @@ public SniOptionsSelector(`
`37`	`38`	`ILogger<HttpsConnectionMiddleware> logger)`
`38`	`39`	`{`
`39`	`40`	`_endpointName = endpointName;`
	`41`	`+ _logger = logger;`
`40`	`42`
`41`	`43`	`_fallbackServerCertificateSelector = fallbackHttpsOptions.ServerCertificateSelector;`
`42`	`44`	`_onAuthenticateCallback = fallbackHttpsOptions.OnAuthenticate;`
`@@ -75,7 +77,7 @@ public SniOptionsSelector(`
`75`	`77`
`76`	`78`	`if (!certifcateConfigLoader.IsTestMock && sslOptions.ServerCertificate is X509Certificate2 cert2)`
`77`	`79`	`{`
`78`		`- HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(cert2);`
	`80`	`+ HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(cert2, logger);`
`79`	`81`	`}`
`80`	`82`
`81`	`83`	`var clientCertificateMode = sniConfig.ClientCertificateMode ?? fallbackHttpsOptions.ClientCertificateMode;`
`@@ -158,7 +160,7 @@ public SniOptionsSelector(`
`158`	`160`
`159`	`161`	`if (fallbackCertificate != null)`
`160`	`162`	`{`
`161`		`- HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(fallbackCertificate);`
	`163`	`+ HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(fallbackCertificate, _logger);`
`162`	`164`	`}`
`163`	`165`
`164`	`166`	`sslOptions.ServerCertificate = fallbackCertificate;`
Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapter`
`90`	`90`	`{`
`91`	`91`	`Debug.Assert(_serverCertificate != null);`
`92`	`92`
`93`		`- EnsureCertificateIsAllowedForServerAuth(_serverCertificate);`
	`93`	`+ EnsureCertificateIsAllowedForServerAuth(_serverCertificate, _logger);`
`94`	`94`
`95`	`95`	`var certificate = _serverCertificate;`
`96`	`96`	`if (!certificate.HasPrivateKey)`
`@@ -314,7 +314,7 @@ private Task DoOptionsBasedHandshakeAsync(ConnectionContext context, SslStream s`
`314`	`314`	`var cert = _serverCertificateSelector(context, name);`
`315`	`315`	`if (cert != null)`
`316`	`316`	`{`
`317`		`- EnsureCertificateIsAllowedForServerAuth(cert);`
	`317`	`+ EnsureCertificateIsAllowedForServerAuth(cert, _logger);`
`318`	`318`	`}`
`319`	`319`	`return cert!;`
`320`	`320`	`};`
`@@ -452,12 +452,16 @@ private static async ValueTask<SslServerAuthenticationOptions> ServerOptionsCall`
`452`	`452`	`return sslOptions;`
`453`	`453`	`}`
`454`	`454`
`455`		`- internal static void EnsureCertificateIsAllowedForServerAuth(X509Certificate2 certificate)`
	`455`	`+ internal static void EnsureCertificateIsAllowedForServerAuth(X509Certificate2 certificate, ILogger<HttpsConnectionMiddleware> logger)`
`456`	`456`	`{`
`457`	`457`	`if (!CertificateLoader.IsCertificateAllowedForServerAuth(certificate))`
`458`	`458`	`{`
`459`	`459`	`throw new InvalidOperationException(CoreStrings.FormatInvalidServerCertificateEku(certificate.Thumbprint));`
`460`	`460`	`}`
	`461`	`+ else if (!CertificateLoader.DoesCertificateHaveASubjectAlternativeName(certificate))`
	`462`	`+ {`
	`463`	`+ logger.NoSubjectAlternativeName(certificate.Thumbprint);`
	`464`	`+ }`
`461`	`465`	`}`
`462`	`466`
`463`	`467`	`private static X509Certificate2? ConvertToX509Certificate2(X509Certificate? certificate)`
`@@ -514,7 +518,7 @@ private static bool IsWindowsVersionIncompatibleWithHttp2()`
`514`	`518`	`return false;`
`515`	`519`	`}`
`516`	`520`
`517`		`- internal static SslServerAuthenticationOptions CreateHttp3Options(HttpsConnectionAdapterOptions httpsOptions)`
	`521`	`+ internal static SslServerAuthenticationOptions CreateHttp3Options(HttpsConnectionAdapterOptions httpsOptions, ILogger<HttpsConnectionMiddleware> logger)`
`518`	`522`	`{`
`519`	`523`	`if (httpsOptions.OnAuthenticate != null)`
`520`	`524`	`{`
`@@ -539,7 +543,7 @@ internal static SslServerAuthenticationOptions CreateHttp3Options(HttpsConnectio`
`539`	`543`	`var cert = httpsOptions.ServerCertificateSelector(null, host);`
`540`	`544`	`if (cert != null)`
`541`	`545`	`{`
`542`		`- EnsureCertificateIsAllowedForServerAuth(cert);`
	`546`	`+ EnsureCertificateIsAllowedForServerAuth(cert, logger);`
`543`	`547`	`}`
`544`	`548`	`return cert!;`
`545`	`549`	`};`
`@@ -596,6 +600,9 @@ public static void FoundCertWithPrivateKey(this ILogger<HttpsConnectionMiddlewar`
`596`	`600`	`[LoggerMessage(8, LogLevel.Debug, "Failed to open certificate store {StoreName}.", EventName = "FailToOpenStore")]`
`597`	`601`	`public static partial void FailedToOpenStore(this ILogger<HttpsConnectionMiddleware> logger, string? storeName, Exception exception);`
`598`	`602`
	`603`	`+ [LoggerMessage(9, LogLevel.Information, "Certificate with thumbprint {Thumbprint} lacks the subjectAlternativeName (SAN) extension and may not be accepted by browsers.", EventName = "NoSubjectAlternativeName")]`
	`604`	`+ public static partial void NoSubjectAlternativeName(this ILogger<HttpsConnectionMiddleware> logger, string thumbprint);`
	`605`	`+`
`599`	`606`	`public static void FailedToOpenStore(this ILogger<HttpsConnectionMiddleware> logger, StoreLocation storeLocation, Exception exception)`
`600`	`607`	`{`
`601`	`608`	`var storeLocationString = storeLocation == StoreLocation.LocalMachine ? nameof(StoreLocation.LocalMachine) : nameof(StoreLocation.CurrentUser);`