Add ExtraStore property to CertificateAuthenticationOptions

[aalsamoht]

When working with the X509Chain directly I have added my custom root certificates to the X509Chain.ChainPolicy.CustomTrustStore and my custom intermediates to the X509Chain.ChainPolicy.ExtraStore. I would like to do the same when using CertificateAuthenticationOptions.

It would also be nice to be able to use just the ExtraStore without needing to use the CustomTrustStore.

Putting the roots and intermediates in the CustomTrustStore works, ref. dotnet/runtime#20302 - I would simply prefer to keep them separate.

Is there a reason for not adding a ExtraStore property to CertificateAuthenticationOptions?

[javiercn]

@aalsamoht thanks for contacting us.

@blowdart do you have any thoughts on this? I'm not 100% sure I understand the ask.

[blowdart]

@bartonjs would be a better person to ask for what this means, and what the differences are. I have no idea of any of the implications, or what we'd need to expose, or whether it's a good idea.

[bartonjs]

@aalsamoht has the gist correct:

• CustomTrustStore has a semantic meaning that depends on the value of the TrustMode property
  • Currently we only have two values
    • System: Throw if anything is in this store, since you said "don't do custom trust".
    • CustomRootTrust: Nothing outside the self-issued certificates in this collection is considered a trust anchor. Non self-issued certificates get treated as if they were in ExtraStore, because we were nice and didn't think it was worth the exception.
• ExtraStore is just "here are some certificates that you might want to look at during chain building so that you don't have to fetch them via AIA or hope they're cached or whatever". No trust is implied, it's just a perf improvement (or for non-AIA-supporting chains, a functional requirement).

When doing custom root trust the canonical caller would add intermediates to ExtraStore (perf improvement) and to CustomTrustStore they would add only the roots they want to trust. So, by that assertion, it seems like there should be a place for them to provide certs that get loaded into ExtraStore. (The name of ExtraStore is terrible, it makes sense from the Win32 perspective, but got lifted to .NET more or less blindly. At your layer I'd call it something like AdditionalChainCertificates or ExtraChainCertificates or ... something. No good names are coming to me at the moment)

[blowdart]

Dear lord that's confusing.

I'm picturing an .AddChainCertificates() or something less badly named during configuration of the middleware, which would take a collection of X509Certificate2 objections, then when we're building the chain, configure an extra store, alongside where we add a customstore if needed. Does that make sense @bartonjs ?

[bartonjs]

I'm picturing an .AddChainCertificates() or something less badly named during configuration of the middleware

Sounds good to me.