Use forTls parameter to enable TLS-compatible certificate key types while maintaining platform compatibility #119265
Changes from 3 commits
12 commits
d79734c
Initial plan
Copilot a9f4203
Add CRYPTO_TESTS preprocessor directive and differentiate RSA key sizes
Copilot b8d36cf
Add comprehensive tests to validate different RSA key sizes in crypto…
Copilot 509ed34
Switch to NETWORKING_TESTS directive and remove test files per feedback
Copilot d3f9e92
Remove explicit keyFactory parameter to use conditional RSA key sizes
Copilot 45a2b47
Add NETWORKING_TESTS directive to all networking test projects that u…
Copilot 6e7b55b
Implement forTls parameter approach for TLS-compatible certificate ke…
Copilot c201045
Revert all .csproj changes as they are no longer needed
Copilot 11d2ce2
Add debug
rzikm 5d5209f
Disable SLH-DSA on linux
rzikm 27baccd
Revert "Add debug"
rzikm 0c2b4ea
Force RSA certificates for MsQuic on non-windows platform
rzikm
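--- a/src/libraries/System.Net.Security/tests/FunctionalTests/NetworkingCertificateKeySizeTests.cs
+++ b/src/libraries/System.Net.Security/tests/FunctionalTests/NetworkingCertificateKeySizeTests.cs
@@ -0,0 +1,61 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Security.Cryptography.X509Certificates.Tests.Common;
+using Xunit;
+
+namespace System.Net.Security.Tests
+{
+    public static class NetworkingCertificateKeySizeTests
+    {
+        [Fact]
+        public static void NetworkingTests_UseAppropriateCertificateKeySize()
+        {
+            // Test that networking tests use larger key sizes for compatibility
+            CertificateAuthority.BuildPrivatePki(
+                PkiOptions.EndEntityRevocationViaOcsp,
+                out RevocationResponder responder,
+                out CertificateAuthority rootAuthority,
+                out CertificateAuthority[] intermediateAuthorities,
+                out X509Certificate2 endEntityCert,
+                intermediateAuthorityCount: 1);
+
+            try
+            {
+                // Test the end entity certificate
+                using (RSA? eeRsa = endEntityCert.GetRSAPrivateKey())
+                {
+                    if (eeRsa != null)
+                    {
+                        // Networking tests should use larger key size for security/compatibility
+                        Assert.Equal(2048, eeRsa.KeySize);
+                    }
+                }
+
+                // Test the root authority certificate
+                using (X509Certificate2 rootCert = rootAuthority.CloneIssuerCert())
+                using (RSA? rootRsa = rootCert.GetRSAPrivateKey())
+                {
+                    if (rootRsa != null)
+                    {
+                        // Root certificate should also use larger key size
+                        Assert.Equal(2048, rootRsa.KeySize);
+                    }
+                }
+            }
+            finally
+            {
+                // Clean up
+                endEntityCert?.Dispose();
+                responder?.Dispose();
+                rootAuthority?.Dispose();
+                foreach (var auth in intermediateAuthorities)
+                {
+                    auth?.Dispose();
+                }
+            }
+        }
+    }
+}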
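Review bot: Both key-size assertions are guarded by `if (eeRsa != null)` / `if (rootRsa != null)`, so when `BuildPrivatePki` hands back a certificate whose private key is not RSA the test passes without asserting anything, and the commit list (disabling SLH-DSA, forcing RSA for MsQuic) suggests non-RSA key types are in play. Make the expectation explicit with `Assert.NotNull(eeRsa);` before `Assert.Equal(2048, eeRsa.KeySize);` (and likewise for `rootRsa`), or, if a non-RSA key is legitimate here, assert on the key algorithm the PKI is expected to produce instead of skipping silently. The same vacuous-pass pattern appears in both tests of CertificateAuthorityKeySizeTests.cs in this PR. The `?.` on the `out` variables in the `finally` block is presumably redundant since the call assigns them, though harmless.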
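--- a/src/libraries/System.Security.Cryptography/tests/CertificateAuthorityKeySizeTests.cs
+++ b/src/libraries/System.Security.Cryptography/tests/CertificateAuthorityKeySizeTests.cs
@@ -0,0 +1,110 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Security.Cryptography.X509Certificates.Tests.Common;
+using Xunit;
+
+namespace System.Security.Cryptography.Tests
+{
+    public static class CertificateAuthorityKeySizeTests
+    {
+        [Fact]
+        public static void CertificateAuthority_UsesAppropriateKeySize()
+        {
+            // Test that CertificateAuthority uses the expected key size based on preprocessor directive
+            CertificateAuthority.BuildPrivatePki(
+                PkiOptions.EndEntityRevocationViaOcsp,
+                out RevocationResponder responder,
+                out CertificateAuthority rootAuthority,
+                out CertificateAuthority[] intermediateAuthorities,
+                out X509Certificate2 endEntityCert,
+                intermediateAuthorityCount: 1);
+
+            try
+            {
+                // Test the root authority certificate
+                using (X509Certificate2 rootCert = rootAuthority.CloneIssuerCert())
+                using (RSA? rootRsa = rootCert.GetRSAPrivateKey())
+                {
+                    if (rootRsa != null)
+                    {
+#if CRYPTO_TESTS
+                        // In crypto tests, expect smaller key size for speed
+                        Assert.Equal(1024, rootRsa.KeySize);
+#else
+                        // In networking tests, expect larger key size for security
+                        Assert.Equal(2048, rootRsa.KeySize);
+#endif
+                    }
+                }
+
+                // Test the end entity certificate
+                using (RSA? eeRsa = endEntityCert.GetRSAPrivateKey())
+                {
+                    if (eeRsa != null)
+                    {
+#if CRYPTO_TESTS
+                        // In crypto tests, expect smaller key size for speed
+                        Assert.Equal(1024, eeRsa.KeySize);
+#else
+                        // In networking tests, expect larger key size for security
+                        Assert.Equal(2048, eeRsa.KeySize);
+#endif
+                    }
+                }
+            }
+            finally
+            {
+                // Clean up
+                endEntityCert?.Dispose();
+                responder?.Dispose();
+                rootAuthority?.Dispose();
+                foreach (var auth in intermediateAuthorities)
+                {
+                    auth?.Dispose();
+                }
+            }
+        }
+
+        [Fact]
+        public static void CertificateAuthority_WithRSAKeyFactory_UsesSpecifiedKeySize()
+        {
+            // Test that when an explicit RSA key factory is provided, it uses that size regardless of preprocessor directive
+            var customKeyFactory = CertificateAuthority.KeyFactory.RSASize(2048);
+
+            CertificateAuthority.BuildPrivatePki(
+                PkiOptions.EndEntityRevocationViaOcsp,
+                out RevocationResponder responder,
+                out CertificateAuthority rootAuthority,
+                out CertificateAuthority[] intermediateAuthorities,
+                out X509Certificate2 endEntityCert,
+                intermediateAuthorityCount: 1,
+                keyFactory: customKeyFactory);
+
+            try
+            {
+                // Regardless of preprocessor directive, explicit key factory should be used
+                using (RSA? eeRsa = endEntityCert.GetRSAPrivateKey())
+                {
+                    if (eeRsa != null)
+                    {
+                        Assert.Equal(2048, eeRsa.KeySize);
+                    }
+                }
+            }
+            finally
+            {
+                // Clean up
+                endEntityCert?.Dispose();
+                responder?.Dispose();
+                rootAuthority?.Dispose();
+                foreach (var auth in intermediateAuthorities)
+                {
+                    auth?.Dispose();
+                }
+            }
+        }
+    }
+}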
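Review bot: `CertificateAuthority_WithRSAKeyFactory_UsesSpecifiedKeySize` passes `KeyFactory.RSASize(2048)` and asserts 2048, which is exactly the default the `#else` branch of the first test expects, so in a build without `CRYPTO_TESTS` the assertion cannot tell "explicit factory honored" from "default used". Choose a size that differs from both defaults (for example 3072, a constructed value) so the test proves the factory was actually consulted. The two `#if CRYPTO_TESTS` / `#else` pairs in the first test repeat the same expectation; hoisting it once into `private const int ExpectedKeySize` guarded by a single `#if` reduces each check to `Assert.Equal(ExpectedKeySize, rootRsa.KeySize);`. The comments `// expect smaller key size for speed` / `// expect larger key size for security` present the size as a security choice, whereas the PR title frames it as TLS compatibility of the generated certificates; `// larger key size required for TLS interop in networking tests` states the actual rationale.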