From 18e8a77398ff7a7b2b963956bb236ea8f6472a31 Mon Sep 17 00:00:00 2001
From: Radek Zikmund
Date: Fri, 20 May 2022 12:43:26 +0200
Subject: [PATCH 1/4] Support optional client certificates for MsQuicConnection
---
 .../Interop/SafeMsQuicConfigurationHandle.cs | 4 ++--
 .../tests/FunctionalTests/MsQuicTests.cs | 15 ++++++---------
 2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/Interop/SafeMsQuicConfigurationHandle.cs b/src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/Interop/SafeMsQuicConfigurationHandle.cs
index a04f1310f1fb1c..f1159b5bd175ad 100644
--- a/src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/Interop/SafeMsQuicConfigurationHandle.cs
+++ b/src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/Interop/SafeMsQuicConfigurationHandle.cs
@@ -51,7 +51,7 @@ public static SafeMsQuicConfigurationHandle Create(QuicClientConnectionOptions o
 }
 }
- return Create(options, QUIC_CREDENTIAL_FLAGS.CLIENT, certificate: certificate, certificateContext: null, options.ClientAuthenticationOptions?.ApplicationProtocols, options.ClientAuthenticationOptions?.CipherSuitesPolicy);
+ return Create(options, QUIC_CREDENTIAL_FLAGS.CLIENT | QUIC_CREDENTIAL_FLAGS.USE_SUPPLIED_CREDENTIALS, certificate: certificate, certificateContext: null, options.ClientAuthenticationOptions?.ApplicationProtocols, options.ClientAuthenticationOptions?.CipherSuitesPolicy);
 }
 public static SafeMsQuicConfigurationHandle Create(QuicOptions options, SslServerAuthenticationOptions? serverAuthenticationOptions, string? targetHost = null)
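Review bot: The new `QUIC_CREDENTIAL_FLAGS.USE_SUPPLIED_CREDENTIALS` on the client `Create(...)` call in the `@@ -51` hunk is set unconditionally, including when `certificate` is null, and nothing on the line says why, so a reader may take it for a no-op in the no-certificate case. If the intent is that MsQuic sends only the certificate this code hands it and never selects one from a store on its own when the peer asks for client auth (which would otherwise present a client identity the caller never chose), say so at the call: `// USE_SUPPLIED_CREDENTIALS: send only the certificate passed here (none when null); never let the TLS provider pick a client certificate on its own.` I am inferring the flag's meaning from its name and from the test in this patch that now runs with `sendCertificate: false`, so confirm the wording against the msquic header before committing it. The client `Create` overload this line belongs to begins above the hunk.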
@@ -70,7 +70,7 @@ public static SafeMsQuicConfigurationHandle Create(QuicOptions options, SslServe
 if (serverAuthenticationOptions.ClientCertificateRequired)
 {
- flags |= QUIC_CREDENTIAL_FLAGS.REQUIRE_CLIENT_AUTHENTICATION | QUIC_CREDENTIAL_FLAGS.INDICATE_CERTIFICATE_RECEIVED | QUIC_CREDENTIAL_FLAGS.NO_CERTIFICATE_VALIDATION;
+ flags |= QUIC_CREDENTIAL_FLAGS.REQUIRE_CLIENT_AUTHENTICATION | QUIC_CREDENTIAL_FLAGS.INDICATE_CERTIFICATE_RECEIVED | QUIC_CREDENTIAL_FLAGS.NO_CERTIFICATE_VALIDATION | QUIC_CREDENTIAL_FLAGS.DEFER_CERTIFICATE_VALIDATION;
 }
 if (certificate == null && serverAuthenticationOptions?.ServerCertificateSelectionCallback != null && targetHost != null)
diff --git a/src/libraries/System.Net.Quic/tests/FunctionalTests/MsQuicTests.cs b/src/libraries/System.Net.Quic/tests/FunctionalTests/MsQuicTests.cs
index 0559db532dcf03..a36592b09dd090 100644
--- a/src/libraries/System.Net.Quic/tests/FunctionalTests/MsQuicTests.cs
+++ b/src/libraries/System.Net.Quic/tests/FunctionalTests/MsQuicTests.cs
@@ -60,7 +60,6 @@ public async Task UnidirectionalAndBidirectionalChangeValues()
 }
 [Fact]
- [ActiveIssue("https://github.com/dotnet/runtime/issues/46837", TestPlatforms.OSX)]
 public async Task ConnectWithCertificateChain()
 {
 (X509Certificate2 certificate, X509Certificate2Collection chain) = System.Net.Security.Tests.TestHelper.GenerateCertificates("localhost", longChain: true);
@@ -107,7 +106,6 @@ public async Task ConnectWithCertificateChain()
 }
 [Fact]
- [ActiveIssue("https://github.com/dotnet/runtime/issues/64944", TestPlatforms.Windows)]
 public async Task UntrustedClientCertificateFails()
 {
 var listenerOptions = new QuicListenerOptions();
@@ -337,10 +335,9 @@ public async Task ConnectWithCertificateForLoopbackIP_IndicatesExpectedError(str
 }
 [Theory]
- [InlineData(true)]
- // [InlineData(false)] [ActiveIssue("https://github.com/dotnet/runtime/issues/57308")]
- [ActiveIssue("https://github.com/dotnet/runtime/issues/64944", TestPlatforms.Windows)]
- public async Task ConnectWithClientCertificate(bool sendCerttificate)
+ // [InlineData(true)]
+ [InlineData(false)]
+ public async Task ConnectWithClientCertificate(bool sendCertificate)
 {
 bool clientCertificateOK = false;
@@ -350,7 +347,7 @@ public async Task ConnectWithClientCertificate(bool sendCerttificate)
 listenerOptions.ServerAuthenticationOptions.ClientCertificateRequired = true;
 listenerOptions.ServerAuthenticationOptions.RemoteCertificateValidationCallback = (sender, cert, chain, errors) =>
 {
- if (sendCerttificate)
+ if (sendCertificate)
 {
 _output.WriteLine("client certificate {0}", cert);
 Assert.NotNull(cert);
@@ -363,7 +360,7 @@ public async Task ConnectWithClientCertificate(bool sendCerttificate)
 using QuicListener listener = new QuicListener(QuicImplementationProviders.MsQuic, listenerOptions);
 QuicClientConnectionOptions clientOptions = CreateQuicClientOptions();
- if (sendCerttificate)
+ if (sendCertificate)
 {
 clientOptions.ClientAuthenticationOptions.ClientCertificates = new X509CertificateCollection() { ClientCertificate };
 }
@@ -373,7 +370,7 @@ public async Task ConnectWithClientCertificate(bool sendCerttificate)
 await PingPong(clientConnection, serverConnection);
 // check we completed the client certificate verification.
 Assert.True(clientCertificateOK);
- Assert.Equal(ClientCertificate, serverConnection.RemoteCertificate);
+ Assert.Equal(sendCertificate ? ClientCertificate : null, serverConnection.RemoteCertificate);
 await serverConnection.CloseAsync(0);
 clientConnection.Dispose();
From 2195164d55a0190a7a0b599bfc070fec44190f60 Mon Sep 17 00:00:00 2001
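Review bot: In the `@@ -350` hunk the `sendCertificate` branch of `RemoteCertificateValidationCallback` asserts on `cert`, but the branch that runs for the newly enabled `InlineData(false)` case lies outside the hunk, so the diff does not show that the no-certificate path is actually verified rather than merely allowed to succeed. With `ClientCertificateRequired = true` and no client certificate, this callback is the only place the server-side test observes that nothing arrived, so that branch should pin it down, e.g. `Assert.Null(cert);` plus an assertion on `errors` for whatever `SslPolicyErrors` value the MsQuic validation path reports for a missing certificate (for `SslStream` that is `SslPolicyErrors.RemoteCertificateNotAvailable`); if the existing else branch already does this, disregard. `ConnectWithClientCertificate` starts before and ends after this hunk.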
From: Radek Zikmund
Date: Fri, 20 May 2022 12:45:19 +0200
Subject: [PATCH 2/4] fixup! Support optional client certificates for MsQuicConnection
---
 .../System.Net.Quic/tests/FunctionalTests/MsQuicTests.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libraries/System.Net.Quic/tests/FunctionalTests/MsQuicTests.cs b/src/libraries/System.Net.Quic/tests/FunctionalTests/MsQuicTests.cs
index a36592b09dd090..fe8a3eb1d9a2ef 100644
--- a/src/libraries/System.Net.Quic/tests/FunctionalTests/MsQuicTests.cs
+++ b/src/libraries/System.Net.Quic/tests/FunctionalTests/MsQuicTests.cs
@@ -335,7 +335,7 @@ public async Task ConnectWithCertificateForLoopbackIP_IndicatesExpectedError(str
 }
 [Theory]
- // [InlineData(true)]
+ [InlineData(true)]
 [InlineData(false)]
 public async Task ConnectWithClientCertificate(bool sendCertificate)
 {
From 42380831c554573f003da7c61cfa468cc79b9c4e Mon Sep 17 00:00:00 2001
From: Radek Zikmund
Date: Tue, 24 May 2022 16:03:08 +0200
Subject: [PATCH 3/4] Update Fedora image
---
 eng/pipelines/coreclr/templates/helix-queues-setup.yml | 2 +-
 eng/pipelines/libraries/helix-queues-setup.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/eng/pipelines/coreclr/templates/helix-queues-setup.yml b/eng/pipelines/coreclr/templates/helix-queues-setup.yml
index 43b78cee145dc9..342175f3d04e07 100644
--- a/eng/pipelines/coreclr/templates/helix-queues-setup.yml
+++ b/eng/pipelines/coreclr/templates/helix-queues-setup.yml
@@ -98,7 +98,7 @@ jobs:
 - (Debian.11.Amd64)Ubuntu.1804.amd64@mcr.microsoft.com/dotnet-buildtools/prereqs:debian-11-helix-amd64-20210304164428-5a7c380
 - Ubuntu.1804.Amd64
 - (Centos.8.Amd64)Ubuntu.1604.amd64@mcr.microsoft.com/dotnet-buildtools/prereqs:centos-8-helix-20201229003624-c1bf759
- - (Fedora.34.Amd64)Ubuntu.1604.amd64@mcr.microsoft.com/dotnet-buildtools/prereqs:fedora-34-helix-20220331150839-4f64125
+ - (Fedora.34.Amd64)Ubuntu.1604.amd64@mcr.microsoft.com/dotnet-buildtools/prereqs:fedora-34-helix-20220523150939-4f64125
 - RedHat.7.Amd64
 # OSX arm64
diff --git a/eng/pipelines/libraries/helix-queues-setup.yml b/eng/pipelines/libraries/helix-queues-setup.yml
index fbc5a746035e16..57396a6dfb268b 100644
--- a/eng/pipelines/libraries/helix-queues-setup.yml
+++ b/eng/pipelines/libraries/helix-queues-setup.yml
@@ -62,14 +62,14 @@ jobs:
 - (Centos.8.Amd64.Open)Ubuntu.1804.Amd64.Open@mcr.microsoft.com/dotnet-buildtools/prereqs:centos-8-helix-20201229003624-c1bf759
 - RedHat.7.Amd64.Open
 - SLES.15.Amd64.Open
- - (Fedora.34.Amd64.Open)Ubuntu.1804.Amd64.Open@mcr.microsoft.com/dotnet-buildtools/prereqs:fedora-34-helix-20220331150839-4f64125
+ - (Fedora.34.Amd64.Open)Ubuntu.1804.Amd64.Open@mcr.microsoft.com/dotnet-buildtools/prereqs:fedora-34-helix-20220523150939-4f64125
 - (Ubuntu.2110.Amd64.Open)Ubuntu.1804.Amd64.Open@mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-21.10-helix-amd64-20211116135132-0f8d97e
 - (Debian.10.Amd64.Open)Ubuntu.1804.Amd64.Open@mcr.microsoft.com/dotnet-buildtools/prereqs:debian-10-helix-amd64-bfcd90a-20200121150006
 - ${{ if or(ne(parameters.jobParameters.testScope, 'outerloop'), ne(parameters.jobParameters.runtimeFlavor, 'mono')) }}:
 - ${{ if or(eq(parameters.jobParameters.isExtraPlatforms, true), eq(parameters.jobParameters.includeAllPlatforms, true)) }}:
 - (Centos.8.Amd64.Open)Ubuntu.1604.Amd64.Open@mcr.microsoft.com/dotnet-buildtools/prereqs:centos-8-helix-20201229003624-c1bf759
 - SLES.15.Amd64.Open
- - (Fedora.34.Amd64.Open)ubuntu.1604.amd64.open@mcr.microsoft.com/dotnet-buildtools/prereqs:fedora-34-helix-20220331150839-4f64125
+ - (Fedora.34.Amd64.Open)ubuntu.1604.amd64.open@mcr.microsoft.com/dotnet-buildtools/prereqs:fedora-34-helix-20220523150939-4f64125
 - (Ubuntu.2110.Amd64.Open)ubuntu.1604.amd64.open@mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-21.04-helix-amd64-20210922170909-34a2d72
 - (Debian.11.Amd64.Open)Ubuntu.1804.Amd64.Open@mcr.microsoft.com/dotnet-buildtools/prereqs:debian-11-helix-amd64-20210304164428-5a7c380
 - (Mariner.1.0.Amd64.Open)ubuntu.1604.amd64.open@mcr.microsoft.com/dotnet-buildtools/prereqs:cbl-mariner-1.0-helix-20210528192219-92bf620
From 72fb91ccfdc8a697e7fee9b902419d58b3e3d726 Mon Sep 17 00:00:00 2001
From: Radek Zikmund
Date: Tue, 24 May 2022 17:21:40 +0200
Subject: [PATCH 4/4] Remove DEFER_CERTIFICATE_VALIDATION flag
---
 .../MsQuic/Interop/SafeMsQuicConfigurationHandle.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/Interop/SafeMsQuicConfigurationHandle.cs b/src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/Interop/SafeMsQuicConfigurationHandle.cs
index f1159b5bd175ad..8259fb885edf1d 100644
--- a/src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/Interop/SafeMsQuicConfigurationHandle.cs
+++ b/src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/Interop/SafeMsQuicConfigurationHandle.cs
@@ -70,7 +70,7 @@ public static SafeMsQuicConfigurationHandle Create(QuicOptions options, SslServe
 if (serverAuthenticationOptions.ClientCertificateRequired)
 {
- flags |= QUIC_CREDENTIAL_FLAGS.REQUIRE_CLIENT_AUTHENTICATION | QUIC_CREDENTIAL_FLAGS.INDICATE_CERTIFICATE_RECEIVED | QUIC_CREDENTIAL_FLAGS.NO_CERTIFICATE_VALIDATION | QUIC_CREDENTIAL_FLAGS.DEFER_CERTIFICATE_VALIDATION;
+ flags |= QUIC_CREDENTIAL_FLAGS.REQUIRE_CLIENT_AUTHENTICATION | QUIC_CREDENTIAL_FLAGS.INDICATE_CERTIFICATE_RECEIVED | QUIC_CREDENTIAL_FLAGS.NO_CERTIFICATE_VALIDATION;
 }
 if (certificate == null && serverAuthenticationOptions?.ServerCertificateSelectionCallback != null && targetHost != null)
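Review bot: After this hunk the `ClientCertificateRequired` branch pairs `REQUIRE_CLIENT_AUTHENTICATION` with `NO_CERTIFICATE_VALIDATION`, and nothing at the line records that the "required" part is therefore not enforced inside MsQuic: the `ConnectWithClientCertificate` test enabled in patch 1/4 sets `ClientCertificateRequired = true` and, assuming it passes as enabled with `sendCertificate: false`, still completes the handshake and observes a null `RemoteCertificate`, so accepting or rejecting a missing or untrusted client certificate rests entirely on the managed validation path. That mirrors `SslStream`, but it is easy to misread, so add a comment on the `flags |=` line: `// NO_CERTIFICATE_VALIDATION: MsQuic only surfaces the client certificate (or its absence); the managed validation callback decides whether the connection proceeds, so ClientCertificateRequired does not by itself fail the handshake.` Worth confirming in the same pass that a listener with `ClientCertificateRequired = true` and no `RemoteCertificateValidationCallback` rejects a missing client certificate, since that default is not visible in this series. The same line is first changed by the `@@ -70` hunk in patch 1/4, and this comment applies there as well; the enclosing `Create` overload begins above the hunk.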