HTTPS certificate exact match using Issuer's SimpleName instead of Certificate's

[dan-olsen]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

I have 2 certificates NAME and NAMEB (actual cert names changed for obvious reasons). I am trying to configure Kestrel to use the NAMEB cert but the NAME cert is always being chosen. These certs are not self-signed.

As part of #34582 the Microsoft.AspNetCore.Server.Kestrel.Https.CertificateLoader was changed to support exact subject name match but it appears the certificate's issuer SimpleName is being used instead of the certificate's SimpleName. The certificate.GetNameInfo(X509NameType.SimpleName, true) should be certificate.GetNameInfo(X509NameType.SimpleName, false)

It should be noted that the NAME cert expires after the NAMEB cert which is why it is being chosen as the the first found cert.

Expected Behavior

I would expect the exact match logic to work and the NAME cert is chosen.

Steps To Reproduce

Kestrel config:

"Kestrel": {
    "Endpoints": {
      "HttpsInlineCertStore": {
        "Url": "https://NAME:7286",
        "Certificate": {
          "Subject": "NAME",
          "Store": "MY",
          "Location": "LocalMachine"
        }
      }
    }
  }

With the following 2 certs in the cert store:

• NAME
  • Expires after NAMEB
• NAMEB

Exceptions (if any)

No response

.NET Version

7.0.304

Anything else?

No response

[simon-curtis]

We've just descovered this issue too. After digging through the code. It appears as though they:

They do a partial string match on all certificates in that store, this will enumerate NAME and NAMEB like you have described.

foreach (var certificate in storeCertificates.Find(X509FindType.FindBySubjectName, subject, !allowInvalid)...)

They order by expiry date and then set the first one as the fallback value, in case an exact subject name is not matched.

[].OrderByDescending(certificate => certificate.NotAfter)

[This is the issue] they then attempt to check an exact match against the subject name, except they have accidentally used the wrong parameter value for certificate.GetNameInfo(...). They have used true for bool forIssuer - This will return the issuer, not the subject. This means that it will never exact match the subject name and return the first in the list as the fallback value.

if (certificate.GetNameInfo(X509NameType.SimpleName, true).Equals(subject, StringComparison.InvariantCultureIgnoreCase))
{
    foundCertificate = certificate;
    break;
}
// Failure 😢👎

Changing the second param to false fixes the issue. I will create a pull request and hopefully they can pull it in quickly.

if (certificate.GetNameInfo(X509NameType.SimpleName, false).Equals(subject, StringComparison.InvariantCultureIgnoreCase))
{
    foundCertificate = certificate; // Success 😁👍
    break;
}

For now:

1. create a copy of https://github.com/dotnet/aspnetcore/blob/main/src/Servers/Kestrel/Core/src/CertificateLoader.cs and change the flag to false.

2. Move the certificate out of the Kestrel section of appsettings.json

3. Create the WebHost extension as below

public static class WebApplicationExtensions 
{
    /// <summary>
    /// This method is designed to replace the default kestrel implementation of binding a certificate to the server.
    /// The reason for this is that there is a bug in the code that means that if the subject name is more then
    /// on certificate it will just match the one with the latest expiry date. This is not the desired behaviour.
    /// </summary>
    /// <remarks>
    /// You will need to make sure that you move the "Certificate" section outside of the Kestrel section
    /// as kestrel will overwrite your changes. We can only set the default certificate, not the final one.
    /// </remarks>
    /// <param name="configuration">This section must be a "Certificate" section and parseable to <see cref="CertificateOptions"/></param>
    public static void BindCertificate(this IWebHostBuilder builder, IConfigurationSection configuration)
    {
        if (configuration.Get<CertificateOptions>() is not { } cert)
            throw new Exception($"The section provided must be convertable to '{nameof(CertificateOptions)}'");

        builder.ConfigureKestrel(options =>
        {
            options.ConfigureHttpsDefaults(httpsOptions => httpsOptions.ServerCertificate = CertificateLoader
                .LoadFromStoreCert(cert.Subject, cert.Store.ToString(), cert.Location, cert.AllowInvalid));
        });
    }
}

[Serializable]
public record CertificateOptions
{
    public string Subject { get; init; } = string.Empty;
    public StoreName Store { get; init; }
    public StoreLocation Location { get; init; }
    public bool AllowInvalid { get; init; }
}

4. Call this code from your program.cs

builder.WebHost.BindCertificate(builder.Configuration.GetSection("Certificate"));