Implement client certificate authentication

.travis.yml

@@ -1,5 +1,10 @@
 language: csharp
-sudo: false
+sudo: required
+dist: trusty
+addons:
+  apt:
+    packages:
+      - libunwind8
 install:
   - curl -sSL https://github.com/libuv/libuv/archive/v1.4.2.tar.gz | tar zxfv - -C /tmp && cd /tmp/libuv-1.4.2/
   - sh autogen.sh
@@ -9,4 +14,5 @@ install:
   - export LD_LIBRARY_PATH="$HOME/libuvinstall/lib"
   - cd $OLDPWD
 script:
-  - ./build.sh --quiet verify
+  - export KOREBUILD_TEST_DNXCORE=1
+  - ./build.sh --quiet verify

samples/SampleApp/project.json

@@ -10,7 +10,7 @@
         },
         "dnxcore50": {
             "dependencies": {
-                "System.Console": "4.0.0-beta-*"
+                "System.Console": "4.0.0-*"
             }
         }
     },

src/Microsoft.AspNet.Server.Kestrel.Https/ClientCertificateMode.cs

@@ -0,0 +1,12 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace Microsoft.AspNet.Server.Kestrel.Https
+{
+    public enum ClientCertificateMode
+    {
+        NoCertificate,
+        AllowCertificate,
+        RequireCertificate
+    }
+}

src/Microsoft.AspNet.Server.Kestrel.Https/ClientCertificateValidationCallback.cs

@@ -0,0 +1,11 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Microsoft.AspNet.Server.Kestrel.Https
+{
+    public delegate bool ClientCertificateValidationCallback(
+        X509Certificate2 certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors);
+}

src/Microsoft.AspNet.Server.Kestrel.Https/HttpsApplicationBuilderExtensions.cs

@@ -11,6 +11,11 @@ namespace Microsoft.AspNet.Server.Kestrel.Https
     public static class HttpsApplicationBuilderExtensions
     {
         public static IApplicationBuilder UseKestrelHttps(this IApplicationBuilder app, X509Certificate2 cert)
+        {
+            return app.UseKestrelHttps(new HttpsConnectionFilterOptions { ServerCertificate = cert});
+        }
+
+        public static IApplicationBuilder UseKestrelHttps(this IApplicationBuilder app, HttpsConnectionFilterOptions options)
         {
             var serverInfo = app.ServerFeatures.Get<IKestrelServerInformation>();
 
@@ -21,7 +26,7 @@ public static IApplicationBuilder UseKestrelHttps(this IApplicationBuilder app,
 
             var prevFilter = serverInfo.ConnectionFilter ?? new NoOpConnectionFilter();
 
-            serverInfo.ConnectionFilter = new HttpsConnectionFilter(cert, prevFilter);
+            serverInfo.ConnectionFilter = new HttpsConnectionFilter(options, prevFilter);
 
             return app;
         }

src/Microsoft.AspNet.Server.Kestrel.Https/HttpsConnectionFilter.cs

@@ -3,29 +3,37 @@
 
 using System;
 using System.Net.Security;
+using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
+using Microsoft.AspNet.Http.Features;
+using Microsoft.AspNet.Http.Features.Internal;
 using Microsoft.AspNet.Server.Kestrel.Filter;
 
 namespace Microsoft.AspNet.Server.Kestrel.Https
 {
     public class HttpsConnectionFilter : IConnectionFilter
     {
-        private readonly X509Certificate2 _cert;
+        private readonly X509Certificate2 _serverCert;
+        private readonly ClientCertificateMode _clientCertMode;
+        private readonly ClientCertificateValidationCallback _clientValidationCallback;
         private readonly IConnectionFilter _previous;
+        private X509Certificate2 _clientCert;
 
-        public HttpsConnectionFilter(X509Certificate2 cert, IConnectionFilter previous)
+        public HttpsConnectionFilter(HttpsConnectionFilterOptions options, IConnectionFilter previous)
         {
-            if (cert == null)
+            if (options.ServerCertificate == null)
             {
-                throw new ArgumentNullException(nameof(cert));
+                throw new ArgumentNullException(nameof(options.ServerCertificate));
             }
             if (previous == null)
             {
                 throw new ArgumentNullException(nameof(previous));
             }
 
-            _cert = cert;
+            _serverCert = options.ServerCertificate;
+            _clientCertMode = options.ClientCertificateMode;
+            _clientValidationCallback = options.ClientCertificateValidation;
             _previous = previous;
         }
 
@@ -35,10 +43,68 @@ public async Task OnConnection(ConnectionFilterContext context)
 
             if (string.Equals(context.Address.Scheme, "https", StringComparison.OrdinalIgnoreCase))
             {
-                var sslStream = new SslStream(context.Connection);
-                await sslStream.AuthenticateAsServerAsync(_cert);
+                SslStream sslStream;
+                if (_clientCertMode == ClientCertificateMode.NoCertificate)
+                {
+                    sslStream = new SslStream(context.Connection);
+                    await sslStream.AuthenticateAsServerAsync(_serverCert);
+                }
+                else
+                {
+                    sslStream = new SslStream(context.Connection, leaveInnerStreamOpen: false,
+                        userCertificateValidationCallback: (sender, certificate, chain, sslPolicyErrors) =>
+                        {
+                            if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable))
+                            {
+                                return _clientCertMode != ClientCertificateMode.RequireCertificate;
+                            }
+
+
+                            if (_clientValidationCallback == null)
+                            {
+                                if (sslPolicyErrors != SslPolicyErrors.None)
+                                {
+                                    return false;
+                                }
+                            }
+#if DOTNET5_4
+                            // conversion X509Certificate to X509Certificate2 not supported
+                            // https://github.com/dotnet/corefx/issues/4510
+                            X509Certificate2 certificate2 = null;
+                            return false;
+#else
+                            X509Certificate2 certificate2 = certificate as X509Certificate2 ??
+                                                            new X509Certificate2(certificate);
+
+#endif
+                            if (_clientValidationCallback != null)
+                            {
+                                if (!_clientValidationCallback(certificate2, chain, sslPolicyErrors))
+                                {
+                                    return false;
+                                }
+                            }
+
+                            _clientCert = certificate2;
+                            return true;
+                        });
+                    await sslStream.AuthenticateAsServerAsync(_serverCert, clientCertificateRequired: true,
+                        enabledSslProtocols: SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls,
+                        checkCertificateRevocation: false);
+                }
                 context.Connection = sslStream;
             }
         }
+
+        public void PrepareRequest(IFeatureCollection features)
+        {
+            _previous.PrepareRequest(features);
+
+            if (_clientCert != null)
+            {
+                features.Set<ITlsConnectionFeature>(
+                    new TlsConnectionFeature { ClientCertificate = _clientCert });
+            }
+        }
     }
 }

src/Microsoft.AspNet.Server.Kestrel.Https/HttpsConnectionFilterOptions.cs

@@ -0,0 +1,19 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Security.Cryptography.X509Certificates;
+
+namespace Microsoft.AspNet.Server.Kestrel.Https
+{
+    public class HttpsConnectionFilterOptions
+    {
+        public HttpsConnectionFilterOptions()
+        {
+            ClientCertificateMode = ClientCertificateMode.NoCertificate;
+        }
+
+        public X509Certificate2 ServerCertificate { get; set; }
+        public ClientCertificateMode ClientCertificateMode { get; set; }
+        public ClientCertificateValidationCallback ClientCertificateValidation { get; set; }
+    }
+}

src/Microsoft.AspNet.Server.Kestrel.Https/project.json

@@ -15,8 +15,8 @@
     "net451": { },
     "dotnet5.4": {
       "dependencies": {
-        "System.Net.Security": "4.0.0-beta-*"
+        "System.Net.Security": "4.0.0-*"
       }
     }
   }
-}
+}

src/Microsoft.AspNet.Server.Kestrel/Filter/ConnectionFilterContext.cs

@@ -2,12 +2,13 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.IO;
+using Microsoft.AspNet.Http.Features;
 
 namespace Microsoft.AspNet.Server.Kestrel.Filter
 {
     public class ConnectionFilterContext
     {
         public ServerAddress Address { get; set; }
-        public Stream Connection { get; set;  }
+        public Stream Connection { get; set; }
     }
 }

src/Microsoft.AspNet.Server.Kestrel/Filter/IConnectionFilter.cs

@@ -2,11 +2,13 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.Threading.Tasks;
+using Microsoft.AspNet.Http.Features;
 
 namespace Microsoft.AspNet.Server.Kestrel.Filter
 {
     public interface IConnectionFilter
     {
         Task OnConnection(ConnectionFilterContext context);
+        void PrepareRequest(IFeatureCollection features);
     }
 }

src/Microsoft.AspNet.Server.Kestrel/Filter/NoOpConnectionFilter.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.Threading.Tasks;
+using Microsoft.AspNet.Http.Features;
 using Microsoft.AspNet.Server.Kestrel.Infrastructure;
 
 namespace Microsoft.AspNet.Server.Kestrel.Filter
@@ -12,5 +13,8 @@ public Task OnConnection(ConnectionFilterContext context)
         {
             return TaskUtilities.CompletedTask;
         }
+
+        public void PrepareRequest(IFeatureCollection features)
+        {}
     }
 }

src/Microsoft.AspNet.Server.Kestrel/Http/Connection.cs

@@ -157,7 +157,7 @@ private void OnRead(UvStreamHandle handle, int status)
 
         private Frame CreateFrame()
         {
-            return new Frame(this, _remoteEndPoint, _localEndPoint);
+            return new Frame(this, _remoteEndPoint, _localEndPoint, ConnectionFilter);
         }
 
         void IConnectionControl.Pause()

src/Microsoft.AspNet.Server.Kestrel/Http/Frame.FeatureCollection.cs

@@ -24,7 +24,6 @@ public partial class Frame : IFeatureCollection,
         // then the list of `implementedFeatures` in the generated code project MUST also be updated.
         // See also: tools/Microsoft.AspNet.Server.Kestrel.GeneratedCode/FrameFeatureCollection.cs
 
-        private string _scheme;
         private string _pathBase;
         private int _featureRevision;
 
@@ -90,12 +89,12 @@ string IHttpRequestFeature.Scheme
         {
             get
             {
-                return _scheme ?? "http";
+                return Scheme ?? "http";
             }
 
             set
             {
-                _scheme = value;
+                Scheme = value;
             }
         }
 
@@ -277,7 +276,7 @@ void IHttpResponseFeature.OnCompleted(Func<object, Task> callback, object state)
             OnCompleted(callback, state);
         }
 
-        Task<Stream> IHttpUpgradeFeature.UpgradeAsync()
+        async Task<Stream> IHttpUpgradeFeature.UpgradeAsync()
         {
             StatusCode = 101;
             ReasonPhrase = "Switching Protocols";
@@ -290,8 +289,10 @@ Task<Stream> IHttpUpgradeFeature.UpgradeAsync()
                     ResponseHeaders["Upgrade"] = values;
                 }
             }
-            ProduceStartAndFireOnStarting(immediate: true).GetAwaiter().GetResult();
-            return Task.FromResult(DuplexStream);
+
+            await ProduceStartAndFireOnStarting(immediate: true); 
+
+            return DuplexStream;
         }
 
         IEnumerator<KeyValuePair<Type, object>> IEnumerable<KeyValuePair<Type, object>>.GetEnumerator() => FastEnumerable().GetEnumerator();

src/Microsoft.AspNet.Server.Kestrel/Http/Frame.cs

@@ -11,6 +11,7 @@
 using System.Threading.Tasks;
 using Microsoft.AspNet.Http;
 using Microsoft.AspNet.Http.Features;
+using Microsoft.AspNet.Server.Kestrel.Filter;
 using Microsoft.AspNet.Server.Kestrel.Infrastructure;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Primitives;
@@ -49,24 +50,28 @@ public partial class Frame : FrameContext, IFrameControl
 
         private readonly IPEndPoint _localEndPoint;
         private readonly IPEndPoint _remoteEndPoint;
+        private readonly IConnectionFilter _connectionFilter;
 
         public Frame(ConnectionContext context)
-            : this(context, remoteEndPoint: null, localEndPoint: null)
+            : this(context, remoteEndPoint: null, localEndPoint: null, connectionFilter: null)
         {
         }
 
         public Frame(ConnectionContext context,
                      IPEndPoint remoteEndPoint,
-                     IPEndPoint localEndPoint)
+                     IPEndPoint localEndPoint,
+                     IConnectionFilter connectionFilter)
             : base(context)
         {
             _remoteEndPoint = remoteEndPoint;
             _localEndPoint = localEndPoint;
+            _connectionFilter = connectionFilter;
 
             FrameControl = this;
             Reset();
         }
 
+        public string Scheme { get; set; }
         public string Method { get; set; }
         public string RequestUri { get; set; }
         public string Path { get; set; }
@@ -102,6 +107,7 @@ public void Reset()
             ResetResponseHeaders();
             ResetFeatureCollection();
 
+            Scheme = null;
             Method = null;
             RequestUri = null;
             Path = null;
@@ -131,6 +137,8 @@ public void Reset()
             {
                 httpConnectionFeature.IsLocal = false;
             }
+
+            _connectionFilter?.PrepareRequest(this);
         }
 
         public void ResetResponseHeaders()

src/Microsoft.AspNet.Server.Kestrel/Http/FrameRequestStream.cs

@@ -50,7 +50,7 @@ public override void SetLength(long value)
 
         public override int Read(byte[] buffer, int offset, int count)
         {
-            return ReadAsync(buffer, offset, count).Result;
+            return ReadAsync(buffer, offset, count).GetAwaiter().GetResult();
         }
 
 #if NET451