Make it easier to add certs to the extra store #29828
Changes from all commits
eba1965
97828b2
f3e805d
dbc6004
39dad31
42f0e70
@@ -1 +1,3 @@ | ||
#nullable enable | ||
Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationOptions.AdditionalChainCertificates.get -> System.Security.Cryptography.X509Certificates.X509Certificate2Collection! | ||
Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationOptions.AdditionalChainCertificates.set -> void |
@@ -319,6 +319,41 @@ public async Task VerifyValidClientCertWithTrustedChainAuthenticates() | |||
Assert.Equal(HttpStatusCode.OK, response.StatusCode); | ||||
} | ||||
|
||||
[Fact] | ||||
public async Task VerifyValidClientCertWithAdditionalCertificatesAuthenticates() | ||||
{ | ||||
using var host = await CreateHost( | ||||
new CertificateAuthenticationOptions | ||||
{ | ||||
Events = successfulValidationEvents, | ||||
ChainTrustValidationMode = X509ChainTrustMode.CustomRootTrust, | ||||
CustomTrustStore = new X509Certificate2Collection() { Certificates.SelfSignedPrimaryRoot, }, | ||||
AdditionalChainCertificates = new X509Certificate2Collection() { Certificates.SignedSecondaryRoot }, | ||||
RevocationMode = X509RevocationMode.NoCheck | ||||
}, Certificates.SignedClient); | ||||
|
||||
using var server = host.GetTestServer(); | ||||
@bartonjs I added the new ExtraStore property, but it's not clear to me how exactly I should test that the certificates are working as intended. They are being added to the chain's property now, but I'm not sure how to measure the effect externally; are these just additional certs that developers would use themselves?
I don't know where all the chain can appear, so I'll stick to a high level test concept:
Thanks @bartonjs, that's exactly what I was hoping for: a high level overview. The bonus test is actually what this current test is doing (and it fails). One thing is that we don't actually expose the ChainPolicy we use to validate externally, so there's no easy way to do anything with the ExtraStore, since we don't pass the X509Chain we build to any of our events. See aspnetcore/src/Security/Authentication/Certificate/src/CertificateAuthenticationHandler.cs Line 125 in 39dad31
Cool, updated and added a test for a positive case and a rejected/forbidden one.
||||
var response = await server.CreateClient().GetAsync("https://example.com/"); | ||||
Assert.Equal(HttpStatusCode.OK, response.StatusCode); | ||||
} | ||||
|
||||
[Fact] | ||||
public async Task VerifyValidClientCertFailsWithoutAdditionalCertificatesAuthenticates() | ||||
{ | ||||
using var host = await CreateHost( | ||||
new CertificateAuthenticationOptions | ||||
{ | ||||
Events = successfulValidationEvents, | ||||
ChainTrustValidationMode = X509ChainTrustMode.CustomRootTrust, | ||||
CustomTrustStore = new X509Certificate2Collection() { Certificates.SelfSignedPrimaryRoot, }, | ||||
RevocationMode = X509RevocationMode.NoCheck | ||||
}, Certificates.SignedClient); | ||||
|
||||
using var server = host.GetTestServer(); | ||||
var response = await server.CreateClient().GetAsync("https://example.com/"); | ||||
Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode); | ||||
} | ||||
|
||||
[Fact] | ||||
public async Task VerifyHeaderIsUsedIfCertIsNotPresent() | ||||
{ | ||||
|
@@ -570,7 +605,7 @@ public async Task VerifyValidationResultCanBeCached(bool cache) | |||
Assert.Equal(Expected, name.First().Value); | ||||
count = responseAsXml.Elements("claim").Where(claim => claim.Attribute("Type").Value == "ValidationCount"); | ||||
Assert.Single(count); | ||||
var expected = cache ? "1" : "2"; | ||||
var expected = cache ? "1" : "2"; | ||||
Assert.Equal(expected, count.First().Value); | ||||
} | ||||
|
||||
|
@@ -693,6 +728,7 @@ private static async Task<IHost> CreateHost( | |||
options.RevocationFlag = configureOptions.RevocationFlag; | ||||
options.RevocationMode = configureOptions.RevocationMode; | ||||
options.ValidateValidityPeriod = configureOptions.ValidateValidityPeriod; | ||||
options.AdditionalChainCertificates = configureOptions.AdditionalChainCertificates; | ||||
}); | ||||
} | ||||
else | ||||
|
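Review bot: The name of the negative test in the first hunk, `VerifyValidClientCertFailsWithoutAdditionalCertificatesAuthenticates`, contradicts itself; `VerifyValidClientCertFailsWithoutAdditionalCertificates` states what the test asserts. That test pins only the Forbidden status, so it would also pass if the chain were rejected for an unrelated reason; asserting on the failure reported to `Events`, or at least a comment such as `// Without the intermediate in AdditionalChainCertificates the chain to SelfSignedPrimaryRoot cannot be built`, would tie the outcome to the missing intermediate. Since the new property presumably feeds the chain's ExtraStore, which supplies chain-building candidates but does not confer trust, a third case that places SelfSignedPrimaryRoot only in AdditionalChainCertificates (no CustomTrustStore) and still expects Forbidden would document that boundary for readers of the tests. The enclosing test class starts and ends outside the hunk.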