Add support for loading certificate chains from configuration.

davidfowl · davidfowl · commit e00b3e39ebbb · 2020-08-28T01:12:29.000-07:00
- Adds a ServerCertificateIntermediates property to HttpsConnectionAdapterOptions
- Adds a Chain property to configuration. This only supports PEM certificates.
- Import intermediates if chain path specified
diff --git a/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs b/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
@@ -39,6 +39,11 @@ public HttpsConnectionAdapterOptions()
         /// </summary>
         public X509Certificate2 ServerCertificate { get; set; }
 
+        /// <summary>
+        /// Specifies the intermediate certificates in the chain.
+        /// </summary>
+        public X509Certificate2Collection ServerCertificateIntermediates { get; set; }
+
         /// <summary>
         /// <para>
         /// A callback that will be invoked to dynamically select a server certificate. This is higher priority than ServerCertificate.
diff --git a/src/Servers/Kestrel/Core/src/Internal/Certificates/CertificateConfigLoader.cs b/src/Servers/Kestrel/Core/src/Internal/Certificates/CertificateConfigLoader.cs
@@ -23,13 +23,11 @@ public CertificateConfigLoader(IHostEnvironment hostEnvironment, ILogger<Kestrel
         public IHostEnvironment HostEnvironment { get; }
         public ILogger<KestrelServer> Logger { get; }
 
-        public bool IsTestMock => false;
-
-        public X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName)
+        public (X509Certificate2, X509Certificate2Collection) LoadCertificate(CertificateConfig certInfo, string endpointName)
         {
             if (certInfo is null)
             {
-                return null;
+                return (null, null);
             }
 
             if (certInfo.IsFileCert && certInfo.IsStoreCert)
@@ -39,9 +37,21 @@ public X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpo
             else if (certInfo.IsFileCert)
             {
                 var certificatePath = Path.Combine(HostEnvironment.ContentRootPath, certInfo.Path);
+
+                X509Certificate2Collection intermediates = null;
+
+                if (certInfo.ChainPath != null)
+                {
+                    var certificateChainPath = Path.Combine(HostEnvironment.ContentRootPath, certInfo.ChainPath);
+
+                    intermediates = new X509Certificate2Collection();
+                    intermediates.ImportFromPemFile(certificateChainPath);
+                }
+
                 if (certInfo.KeyPath != null)
                 {
                     var certificateKeyPath = Path.Combine(HostEnvironment.ContentRootPath, certInfo.KeyPath);
+
                     var certificate = GetCertificate(certificatePath);
 
                     if (certificate != null)
@@ -57,10 +67,10 @@ public X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpo
                     {
                         if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
                         {
-                            return PersistKey(certificate);
+                            return (PersistKey(certificate), intermediates);
                         }
 
-                        return certificate;
+                        return (certificate, intermediates);
                     }
                     else
                     {
@@ -70,14 +80,14 @@ public X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpo
                     throw new InvalidOperationException(CoreStrings.InvalidPemKey);
                 }
 
-                return new X509Certificate2(Path.Combine(HostEnvironment.ContentRootPath, certInfo.Path), certInfo.Password);
+                return (new X509Certificate2(Path.Combine(HostEnvironment.ContentRootPath, certInfo.Path), certInfo.Password), intermediates);
             }
             else if (certInfo.IsStoreCert)
             {
-                return LoadFromStoreCert(certInfo);
+                return (LoadFromStoreCert(certInfo), null);
             }
 
-            return null;
+            return (null, null);
         }
 
         private static X509Certificate2 PersistKey(X509Certificate2 fullCertificate)
diff --git a/src/Servers/Kestrel/Core/src/Internal/Certificates/ICertificateConfigLoader.cs b/src/Servers/Kestrel/Core/src/Internal/Certificates/ICertificateConfigLoader.cs
@@ -7,8 +7,6 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates
 {
     internal interface ICertificateConfigLoader
     {
-        bool IsTestMock { get; }
-
-        X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName);
+        (X509Certificate2, X509Certificate2Collection) LoadCertificate(CertificateConfig certInfo, string endpointName);
     }
 }
diff --git a/src/Servers/Kestrel/Core/src/Internal/ConfigurationReader.cs b/src/Servers/Kestrel/Core/src/Internal/ConfigurationReader.cs
@@ -346,6 +346,8 @@ public override int GetHashCode() => HashCode.Combine(
 
     // "CertificateName": {
     //     "Path": "testCert.pfx",
+    //     "KeyPath": "",
+    //     "ChainPath": "",
     //     "Password": "testPassword"
     // }
     internal class CertificateConfig
@@ -368,6 +370,8 @@ internal CertificateConfig()
 
         public string Path { get; set; }
 
+        public string ChainPath { get; set; }
+
         public string KeyPath { get; set; }
 
         public string Password { get; set; }
diff --git a/src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs b/src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs
@@ -49,12 +49,13 @@ public SniOptionsSelector(
             {
                 var sslOptions = new SslServerAuthenticationOptions
                 {
-                    ServerCertificate = certifcateConfigLoader.LoadCertificate(sniConfig.Certificate, $"{endpointName}:Sni:{name}"),
                     EnabledSslProtocols = sniConfig.SslProtocols ?? fallbackHttpsOptions.SslProtocols,
                     CertificateRevocationCheckMode = fallbackHttpsOptions.CheckCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,
                 };
 
-                if (sslOptions.ServerCertificate is null)
+                var (serverCert, intermediates) = certifcateConfigLoader.LoadCertificate(sniConfig.Certificate, $"{endpointName}:Sni:{name}");
+
+                if (serverCert is null)
                 {
                     if (fallbackHttpsOptions.ServerCertificate is null && _fallbackServerCertificateSelector is null)
                     {
@@ -63,21 +64,18 @@ public SniOptionsSelector(
 
                     if (_fallbackServerCertificateSelector is null)
                     {
-                        // Cache the fallback ServerCertificate since there's no fallback ServerCertificateSelector taking precedence. 
-                        sslOptions.ServerCertificate = fallbackHttpsOptions.ServerCertificate;
+                        // Cache the fallback ServerCertificate since there's no fallback ServerCertificateSelector taking precedence.
+                        serverCert = fallbackHttpsOptions.ServerCertificate;
+                        intermediates = fallbackHttpsOptions.ServerCertificateIntermediates;
                     }
                 }
 
-                if (sslOptions.ServerCertificate != null)
+                if (serverCert != null)
                 {
                     // This might be do blocking IO but it'll resolve the certificate chain up front before any connections are
                     // made to the server
-                    sslOptions.ServerCertificateContext = SslStreamCertificateContext.Create((X509Certificate2)sslOptions.ServerCertificate, additionalCertificates: null);
-                }
-
-                if (!certifcateConfigLoader.IsTestMock && sslOptions.ServerCertificate is X509Certificate2 cert2)
-                {
-                    HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(cert2);
+                    sslOptions.ServerCertificate = serverCert;
+                    sslOptions.ServerCertificateContext = SslStreamCertificateContext.Create(serverCert, intermediates);
                 }
 
                 var clientCertificateMode = sniConfig.ClientCertificateMode ?? fallbackHttpsOptions.ClientCertificateMode;
diff --git a/src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs b/src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs
@@ -342,8 +342,10 @@ public void Load()
                     }
 
                     // A cert specified directly on the endpoint overrides any defaults.
-                    httpsOptions.ServerCertificate = CertificateConfigLoader.LoadCertificate(endpoint.Certificate, endpoint.Name)
-                        ?? httpsOptions.ServerCertificate;
+                    var (serverCert, intermediates) = CertificateConfigLoader.LoadCertificate(endpoint.Certificate, endpoint.Name);
+
+                    httpsOptions.ServerCertificate = serverCert ?? httpsOptions.ServerCertificate;
+                    httpsOptions.ServerCertificateIntermediates = intermediates ?? httpsOptions.ServerCertificateIntermediates;
 
                     if (httpsOptions.ServerCertificate == null && httpsOptions.ServerCertificateSelector == null)
                     {
@@ -404,7 +406,7 @@ private void LoadDefaultCert()
         {
             if (ConfigurationReader.Certificates.TryGetValue("Default", out var defaultCertConfig))
             {
-                var defaultCert = CertificateConfigLoader.LoadCertificate(defaultCertConfig, "Default");
+                var (defaultCert, intermediates) = CertificateConfigLoader.LoadCertificate(defaultCertConfig, "Default");
                 if (defaultCert != null)
                 {
                     DefaultCertificateConfig = defaultCertConfig;
diff --git a/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs b/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
@@ -93,7 +93,7 @@ public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapter
 
                 // This might be do blocking IO but it'll resolve the certificate chain up front before any connections are
                 // made to the server
-                _serverCertificateContext = SslStreamCertificateContext.Create(_serverCertificate, additionalCertificates: null);
+                _serverCertificateContext = SslStreamCertificateContext.Create(_serverCertificate, additionalCertificates: options.ServerCertificateIntermediates);
             }
 
             var remoteCertificateValidationCallback = _options.ClientCertificateMode == ClientCertificateMode.NoCertificate ?
diff --git a/src/Servers/Kestrel/Core/test/SniOptionsSelectorTests.cs b/src/Servers/Kestrel/Core/test/SniOptionsSelectorTests.cs
@@ -751,18 +751,16 @@ private class MockCertificateConfigLoader : ICertificateConfigLoader
         {
             public Dictionary<object, string> CertToPathDictionary { get; } = new Dictionary<object, string>(ReferenceEqualityComparer.Instance);
 
-            public bool IsTestMock => true;
-
-            public X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName)
+            public (X509Certificate2, X509Certificate2Collection) LoadCertificate(CertificateConfig certInfo, string endpointName)
             {
                 if (certInfo is null)
                 {
-                    return null;
+                    return (null, null);
                 }
 
                 var cert = TestResources.GetTestCertificate();
                 CertToPathDictionary.Add(cert, certInfo.Path);
-                return cert;
+                return (cert, null);
             }
         }
 

Original file line number	Diff line number	Diff line change
`@@ -23,13 +23,11 @@ public CertificateConfigLoader(IHostEnvironment hostEnvironment, ILogger<Kestrel`
`23`	`23`	`public IHostEnvironment HostEnvironment { get; }`
`24`	`24`	`public ILogger<KestrelServer> Logger { get; }`
`25`	`25`
`26`		`- public bool IsTestMock => false;`
`27`		`-`
`28`		`- public X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName)`
	`26`	`+ public (X509Certificate2, X509Certificate2Collection) LoadCertificate(CertificateConfig certInfo, string endpointName)`
`29`	`27`	`{`
`30`	`28`	`if (certInfo is null)`
`31`	`29`	`{`
`32`		`- return null;`
	`30`	`+ return (null, null);`
`33`	`31`	`}`
`34`	`32`
`35`	`33`	`if (certInfo.IsFileCert && certInfo.IsStoreCert)`
`@@ -39,9 +37,21 @@ public X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpo`
`39`	`37`	`else if (certInfo.IsFileCert)`
`40`	`38`	`{`
`41`	`39`	`var certificatePath = Path.Combine(HostEnvironment.ContentRootPath, certInfo.Path);`
	`40`	`+`
	`41`	`+ X509Certificate2Collection intermediates = null;`
	`42`	`+`
	`43`	`+ if (certInfo.ChainPath != null)`
	`44`	`+ {`
	`45`	`+ var certificateChainPath = Path.Combine(HostEnvironment.ContentRootPath, certInfo.ChainPath);`
	`46`	`+`
	`47`	`+ intermediates = new X509Certificate2Collection();`
	`48`	`+ intermediates.ImportFromPemFile(certificateChainPath);`
	`49`	`+ }`
	`50`	`+`
`42`	`51`	`if (certInfo.KeyPath != null)`
`43`	`52`	`{`
`44`	`53`	`var certificateKeyPath = Path.Combine(HostEnvironment.ContentRootPath, certInfo.KeyPath);`
	`54`	`+`
`45`	`55`	`var certificate = GetCertificate(certificatePath);`
`46`	`56`
`47`	`57`	`if (certificate != null)`
`@@ -57,10 +67,10 @@ public X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpo`
`57`	`67`	`{`
`58`	`68`	`if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))`
`59`	`69`	`{`
`60`		`- return PersistKey(certificate);`
	`70`	`+ return (PersistKey(certificate), intermediates);`
`61`	`71`	`}`
`62`	`72`
`63`		`- return certificate;`
	`73`	`+ return (certificate, intermediates);`
`64`	`74`	`}`
`65`	`75`	`else`
`66`	`76`	`{`
`@@ -70,14 +80,14 @@ public X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpo`
`70`	`80`	`throw new InvalidOperationException(CoreStrings.InvalidPemKey);`
`71`	`81`	`}`
`72`	`82`
`73`		`- return new X509Certificate2(Path.Combine(HostEnvironment.ContentRootPath, certInfo.Path), certInfo.Password);`
	`83`	`+ return (new X509Certificate2(Path.Combine(HostEnvironment.ContentRootPath, certInfo.Path), certInfo.Password), intermediates);`
`74`	`84`	`}`
`75`	`85`	`else if (certInfo.IsStoreCert)`
`76`	`86`	`{`
`77`		`- return LoadFromStoreCert(certInfo);`
	`87`	`+ return (LoadFromStoreCert(certInfo), null);`
`78`	`88`	`}`
`79`	`89`
`80`		`- return null;`
	`90`	`+ return (null, null);`
`81`	`91`	`}`
`82`	`92`
`83`	`93`	`private static X509Certificate2 PersistKey(X509Certificate2 fullCertificate)`
Original file line number	Diff line number	Diff line change
`@@ -7,8 +7,6 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates`
`7`	`7`	`{`
`8`	`8`	`internal interface ICertificateConfigLoader`
`9`	`9`	`{`
`10`		`- bool IsTestMock { get; }`
`11`		`-`
`12`		`- X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName);`
	`10`	`+ (X509Certificate2, X509Certificate2Collection) LoadCertificate(CertificateConfig certInfo, string endpointName);`
`13`	`11`	`}`
`14`	`12`	`}`
Original file line number	Diff line number	Diff line change
`@@ -49,12 +49,13 @@ public SniOptionsSelector(`
`49`	`49`	`{`
`50`	`50`	`var sslOptions = new SslServerAuthenticationOptions`
`51`	`51`	`{`
`52`		`- ServerCertificate = certifcateConfigLoader.LoadCertificate(sniConfig.Certificate, $"{endpointName}:Sni:{name}"),`
`53`	`52`	`EnabledSslProtocols = sniConfig.SslProtocols ?? fallbackHttpsOptions.SslProtocols,`
`54`	`53`	`CertificateRevocationCheckMode = fallbackHttpsOptions.CheckCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,`
`55`	`54`	`};`
`56`	`55`
`57`		`- if (sslOptions.ServerCertificate is null)`
	`56`	`+ var (serverCert, intermediates) = certifcateConfigLoader.LoadCertificate(sniConfig.Certificate, $"{endpointName}:Sni:{name}");`
	`57`	`+`
	`58`	`+ if (serverCert is null)`
`58`	`59`	`{`
`59`	`60`	`if (fallbackHttpsOptions.ServerCertificate is null && _fallbackServerCertificateSelector is null)`
`60`	`61`	`{`
`@@ -63,21 +64,18 @@ public SniOptionsSelector(`
`63`	`64`
`64`	`65`	`if (_fallbackServerCertificateSelector is null)`
`65`	`66`	`{`
`66`		`- // Cache the fallback ServerCertificate since there's no fallback ServerCertificateSelector taking precedence.`
`67`		`- sslOptions.ServerCertificate = fallbackHttpsOptions.ServerCertificate;`
	`67`	`+ // Cache the fallback ServerCertificate since there's no fallback ServerCertificateSelector taking precedence.`
	`68`	`+ serverCert = fallbackHttpsOptions.ServerCertificate;`
	`69`	`+ intermediates = fallbackHttpsOptions.ServerCertificateIntermediates;`
`68`	`70`	`}`
`69`	`71`	`}`
`70`	`72`
`71`		`- if (sslOptions.ServerCertificate != null)`
	`73`	`+ if (serverCert != null)`
`72`	`74`	`{`
`73`	`75`	`// This might be do blocking IO but it'll resolve the certificate chain up front before any connections are`
`74`	`76`	`// made to the server`
`75`		`- sslOptions.ServerCertificateContext = SslStreamCertificateContext.Create((X509Certificate2)sslOptions.ServerCertificate, additionalCertificates: null);`
`76`		`- }`
`77`		`-`
`78`		`- if (!certifcateConfigLoader.IsTestMock && sslOptions.ServerCertificate is X509Certificate2 cert2)`
`79`		`- {`
`80`		`- HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(cert2);`
	`77`	`+ sslOptions.ServerCertificate = serverCert;`
	`78`	`+ sslOptions.ServerCertificateContext = SslStreamCertificateContext.Create(serverCert, intermediates);`
`81`	`79`	`}`
`82`	`80`
`83`	`81`	`var clientCertificateMode = sniConfig.ClientCertificateMode ?? fallbackHttpsOptions.ClientCertificateMode;`
Original file line number	Diff line number	Diff line change
`@@ -342,8 +342,10 @@ public void Load()`
`342`	`342`	`}`
`343`	`343`
`344`	`344`	`// A cert specified directly on the endpoint overrides any defaults.`
`345`		`- httpsOptions.ServerCertificate = CertificateConfigLoader.LoadCertificate(endpoint.Certificate, endpoint.Name)`
`346`		`- ?? httpsOptions.ServerCertificate;`
	`345`	`+ var (serverCert, intermediates) = CertificateConfigLoader.LoadCertificate(endpoint.Certificate, endpoint.Name);`
	`346`	`+`
	`347`	`+ httpsOptions.ServerCertificate = serverCert ?? httpsOptions.ServerCertificate;`
	`348`	`+ httpsOptions.ServerCertificateIntermediates = intermediates ?? httpsOptions.ServerCertificateIntermediates;`
`347`	`349`
`348`	`350`	`if (httpsOptions.ServerCertificate == null && httpsOptions.ServerCertificateSelector == null)`
`349`	`351`	`{`
`@@ -404,7 +406,7 @@ private void LoadDefaultCert()`
`404`	`406`	`{`
`405`	`407`	`if (ConfigurationReader.Certificates.TryGetValue("Default", out var defaultCertConfig))`
`406`	`408`	`{`
`407`		`- var defaultCert = CertificateConfigLoader.LoadCertificate(defaultCertConfig, "Default");`
	`409`	`+ var (defaultCert, intermediates) = CertificateConfigLoader.LoadCertificate(defaultCertConfig, "Default");`
`408`	`410`	`if (defaultCert != null)`
`409`	`411`	`{`
`410`	`412`	`DefaultCertificateConfig = defaultCertConfig;`
Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapter`
`93`	`93`
`94`	`94`	`// This might be do blocking IO but it'll resolve the certificate chain up front before any connections are`
`95`	`95`	`// made to the server`
`96`		`- _serverCertificateContext = SslStreamCertificateContext.Create(_serverCertificate, additionalCertificates: null);`
	`96`	`+ _serverCertificateContext = SslStreamCertificateContext.Create(_serverCertificate, additionalCertificates: options.ServerCertificateIntermediates);`
`97`	`97`	`}`
`98`	`98`
`99`	`99`	`var remoteCertificateValidationCallback = _options.ClientCertificateMode == ClientCertificateMode.NoCertificate ?`
Original file line number	Diff line number	Diff line change
`@@ -751,18 +751,16 @@ private class MockCertificateConfigLoader : ICertificateConfigLoader`
`751`	`751`	`{`
`752`	`752`	`public Dictionary<object, string> CertToPathDictionary { get; } = new Dictionary<object, string>(ReferenceEqualityComparer.Instance);`
`753`	`753`
`754`		`- public bool IsTestMock => true;`
`755`		`-`
`756`		`- public X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName)`
	`754`	`+ public (X509Certificate2, X509Certificate2Collection) LoadCertificate(CertificateConfig certInfo, string endpointName)`
`757`	`755`	`{`
`758`	`756`	`if (certInfo is null)`
`759`	`757`	`{`
`760`		`- return null;`
	`758`	`+ return (null, null);`
`761`	`759`	`}`
`762`	`760`
`763`	`761`	`var cert = TestResources.GetTestCertificate();`
`764`	`762`	`CertToPathDictionary.Add(cert, certInfo.Path);`
`765`		`- return cert;`
	`763`	`+ return (cert, null);`
`766`	`764`	`}`
`767`	`765`	`}`
`768`	`766`