Expand Up @@ -162,9 +162,8 @@ public void Dispose()
}
}

internal static PkiHolder GenerateCertificates(string targetName, [CallerMemberName] string? testName = null, bool longChain = false, bool serverCertificate = true, bool ephemeralKey = false)
internal static PkiHolder GenerateCertificates(string targetName, [CallerMemberName] string? testName = null, bool longChain = false, bool serverCertificate = true, bool ephemeralKey = false, bool forceRsaCertificate = false)
{
const int keySize = 2048;
if (PlatformDetection.IsWindows && testName != null)
{
CleanupCertificates(testName);
Expand All @@ -182,7 +181,9 @@ internal static PkiHolder GenerateCertificates(string targetName, [CallerMemberN
intermediateAuthorityCount: longChain ? 3 : 1,
subjectName: targetName,
testName: testName,
keyFactory: CertificateAuthority.KeyFactory.RSASize(keySize),
forTls: true,
// [ActiveIssue("https://github.com/dotnet/runtime/issues/119641")]
keyFactory: !forceRsaCertificate ? null : CertificateAuthority.KeyFactory.RSASize(2048),
extensions: extensions);

if (!ephemeralKey && PlatformDetection.IsWindows)
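Review bot: The argument `keyFactory: !forceRsaCertificate ? null : CertificateAuthority.KeyFactory.RSASize(2048)` reads as a double negative and, as far as the hunk shows, replaces the former `keySize` constant with a bare 2048; `keyFactory: forceRsaCertificate ? CertificateAuthority.KeyFactory.RSASize(keySize) : null` with the constant kept states the same choice directly. The new `forceRsaCertificate` parameter carries no explanation of when a caller should set it, so a short comment on the signature such as `// forceRsaCertificate: pin the end-entity key to RSA-2048 instead of a TLS variant derived from the test name (see ActiveIssue below)` would help the next reader. GenerateCertificates continues outside the hunk.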
Expand Up @@ -48,6 +48,7 @@ internal sealed class CertificateAuthority : IDisposable
private static readonly Asn1Tag s_context1 = new Asn1Tag(TagClass.ContextSpecific, 1);
private static readonly Asn1Tag s_context2 = new Asn1Tag(TagClass.ContextSpecific, 2);
private static readonly KeyFactory[] s_variantKeyFactories = KeyFactory.BuildVariantFactories();
private static readonly KeyFactory[] s_tlsVariantKeyFactories = KeyFactory.BuildTlsVariantFactories();

private static readonly X500DistinguishedName s_nonParticipatingName =
new X500DistinguishedName("CN=The Ghost in the Machine");
Expand Down Expand Up @@ -804,6 +805,7 @@ internal static void BuildPrivatePki(
bool pkiOptionsInSubject = false,
string subjectName = null,
KeyFactory keyFactory = null,
bool forTls = false,
X509ExtensionCollection extensions = null)
{
bool rootDistributionViaHttp = !pkiOptions.HasFlag(PkiOptions.NoRootCertDistributionUri);
Expand Down Expand Up @@ -842,9 +844,10 @@ internal static void BuildPrivatePki(
int written = hasher.GetCurrentHash(hash);
Debug.Assert(written == hash.Length);

// Using mod here will create an imbalance any time s_variantKeyFactories isn't a power of 2,
// Using mod here will create an imbalance any time the key factories array isn't a power of 2,
// but that's OK.
keyFactory = s_variantKeyFactories[hash[0] % s_variantKeyFactories.Length];
KeyFactory[] keyFactories = forTls ? s_tlsVariantKeyFactories : s_variantKeyFactories;
keyFactory = keyFactories[hash[0] % keyFactories.Length];
}
}

Expand Down Expand Up @@ -946,6 +949,7 @@ internal static void BuildPrivatePki(
bool pkiOptionsInSubject = false,
string subjectName = null,
KeyFactory keyFactory = null,
bool forTls = false,
X509ExtensionCollection extensions = null)
{
BuildPrivatePki(
Expand All @@ -960,6 +964,7 @@ internal static void BuildPrivatePki(
pkiOptionsInSubject: pkiOptionsInSubject,
subjectName: subjectName,
keyFactory: keyFactory,
forTls: forTls,
extensions: extensions);

intermediateAuthority = intermediateAuthorities.Single();
Expand Down Expand Up @@ -1052,6 +1057,29 @@ internal static KeyFactory[] BuildVariantFactories()

return factories.ToArray();
}

internal static KeyFactory[] BuildTlsVariantFactories()
{
List<KeyFactory> factories = [RSASize(2048), ECDsa];

if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
if (Cryptography.MLDsa.IsSupported)
{
factories.Add(MLDsa);
}

// OpenSSL default provider does not advertise SLH-DSA in TLS-SIGALG capability,
// causing it to not recognize SLH-DSA certificates for use in TLS connections
// [ActiveIssue("https://github.com/dotnet/runtime/issues/119573")]
if (!PlatformDetection.IsOpenSslSupported && Cryptography.SlhDsa.IsSupported)
{
factories.Add(SlhDsa);
}
}

return factories.ToArray();
}
}

private sealed class KeyHolder : IDisposable
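Review bot: BuildTlsVariantFactories excludes ML-DSA on Windows without saying why, while the SLH-DSA exclusion a few lines below cites an ActiveIssue; a one-line reason on the `if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))` guard (with an issue link placeholder if one exists) would put the two exclusions on the same footing. The same method mixes `RuntimeInformation.IsOSPlatform(OSPlatform.Windows)` with `PlatformDetection.IsOpenSslSupported`, and the rest of this PR uses `PlatformDetection.IsWindows`, so using that here too would be consistent. It is also worth noting next to `keyFactory = keyFactories[hash[0] % keyFactories.Length]` that the TLS array length depends on platform and algorithm support, so the same test name can map to a different key algorithm on different platforms, which matters when reproducing a failure.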
Expand Up @@ -34,7 +34,9 @@ public class CertificateSetup : IDisposable

public CertificateSetup()
{
_pkiHolder = Configuration.Certificates.GenerateCertificates("localhost", nameof(MsQuicTests), longChain: true);
_pkiHolder = Configuration.Certificates.GenerateCertificates("localhost", nameof(MsQuicTests), longChain: true,
// [ActiveIssue("https://github.com/dotnet/runtime/issues/119641")]
forceRsaCertificate: !PlatformDetection.IsWindows);
}

public SslStreamCertificateContext CreateSslStreamCertificateContext() => _pkiHolder.CreateSslStreamCertificateContext();
Expand Down Expand Up @@ -572,7 +574,9 @@ public async Task ConnectWithCertificateForLoopbackIP_IndicatesExpectedError(str
throw new SkipTestException("IPv6 is not available on this platform");
}

using Configuration.Certificates.PkiHolder pkiHolder = Configuration.Certificates.GenerateCertificates(expectsError ? "badhost" : "localhost");
using Configuration.Certificates.PkiHolder pkiHolder = Configuration.Certificates.GenerateCertificates(expectsError ? "badhost" : "localhost",
// [ActiveIssue("https://github.com/dotnet/runtime/issues/119641")]
forceRsaCertificate: !PlatformDetection.IsWindows);
X509Certificate2 certificate = pkiHolder.EndEntity;

var listenerOptions = new QuicListenerOptions()
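Review bot: The workaround `forceRsaCertificate: !PlatformDetection.IsWindows` and its ActiveIssue comment are duplicated in the CertificateSetup constructor and in ConnectWithCertificateForLoopbackIP_IndicatesExpectedError; hoisting it into one member, e.g. `// [ActiveIssue("https://github.com/dotnet/runtime/issues/119641")]` above `private static bool ForceRsaCertificate => !PlatformDetection.IsWindows;`, means the workaround is removed in one place once the issue is closed. Other GenerateCertificates call sites not shown in this diff may need the same treatment. ConnectWithCertificateForLoopbackIP_IndicatesExpectedError starts outside the hunk.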