Update CertificateLoader.cs

simon-curtis · web-flow · commit e3e3061f2b80 · 2023-09-01T11:44:51.000+01:00
The check for exact match to certificate subject fails as the `forIssuer` flag is set to true. This returns the `issuer` and not the `subject` this means that if two certificates have a partial match, it will just select the first one that has the search value in the name. [https://github.com/dotnet/aspnetcore/issues/49062](https://github.com/dotnet/aspnetcore/issues/49062)
diff --git a/src/Servers/Kestrel/Core/src/CertificateLoader.cs b/src/Servers/Kestrel/Core/src/CertificateLoader.cs
@@ -48,7 +48,7 @@ public static X509Certificate2 LoadFromStoreCert(string subject, string storeNam
                     // Pick the first one if there's no exact match as a fallback to substring default.
                     foundCertificate ??= certificate;
 
-                    if (certificate.GetNameInfo(X509NameType.SimpleName, true).Equals(subject, StringComparison.InvariantCultureIgnoreCase))
+                    if (certificate.GetNameInfo(X509NameType.SimpleName, false).Equals(subject, StringComparison.InvariantCultureIgnoreCase))
                     {
                         foundCertificate = certificate;
                         break;

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ public static X509Certificate2 LoadFromStoreCert(string subject, string storeNam`
`48`	`48`	`// Pick the first one if there's no exact match as a fallback to substring default.`
`49`	`49`	`foundCertificate ??= certificate;`
`50`	`50`
`51`		`- if (certificate.GetNameInfo(X509NameType.SimpleName, true).Equals(subject, StringComparison.InvariantCultureIgnoreCase))`
	`51`	`+ if (certificate.GetNameInfo(X509NameType.SimpleName, false).Equals(subject, StringComparison.InvariantCultureIgnoreCase))`
`52`	`52`	`{`
`53`	`53`	`foundCertificate = certificate;`
`54`	`54`	`break;`