Skip to content

use also SslCertificateTrust when constructing CertificateContext#103372

Merged
wfurt merged 6 commits intodotnet:mainfrom
wfurt:trust
Jun 25, 2024
Merged

use also SslCertificateTrust when constructing CertificateContext#103372
wfurt merged 6 commits intodotnet:mainfrom
wfurt:trust

Conversation

@wfurt
Copy link
Member

@wfurt wfurt commented Jun 12, 2024

there are two parts to this change.

When #54219 added support for SslCertificateTrust it did impact only certificate validation but not SslStreamCertificateContext. Back in the day it was available only for servers so it was not probably big deal. (as the primary focus was on sending trusted CA list in the handshake). #80182 added support also for client (in 8.0) and that opened more options here IMHO. First part of this change will use Trust if provided to construct the chain for consistency.

Second part is specific to Android. It seems like we have difficulties to construct the chain unless the root CA is trusted.
The part above should help, but to make it more consistent with other platforms I also added fall-back attempt to build chain if intermediate certificates are provided. This is not used for avaluating trust so I feel it should be OK to use it to get list of certificates to send.

contributes to #100602
I assume @simonrozsival will follow-up on the android and update tests as needed and he would provide more insight if needed.

@wfurt wfurt added this to the 9.0.0 milestone Jun 12, 2024
@wfurt wfurt self-assigned this Jun 12, 2024
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Jun 12, 2024

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@build-analysis build-analysis bot mentioned this pull request Jun 13, 2024
Closed
rzikm
rzikm reviewed Jun 13, 2024
View reviewed changes
Copy link
Member

@rzikm rzikm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM modulo comments, but I would prefer @bartonjs to confirm that trusting everything to build a chain is okay.

@simonrozsival
Copy link
Member

simonrozsival commented Jun 20, 2024

@wfurt the SslStream_ClientCertificateContext_SendsChain test will now work on Android and we can remove the ActiveIssue. Do you want to do that in this PR or should I open a follow-up PR and do that separately?

This was referenced Jun 20, 2024
Open
Open
Closed
Closed
Closed
Closed
Closed
rzikm
rzikm approved these changes Jun 21, 2024
View reviewed changes
Copy link
Member

@rzikm rzikm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@build-analysis build-analysis bot mentioned this pull request Jun 21, 2024
Closed
3 tasks
This was referenced Jun 24, 2024
Closed
Closed
@wfurt wfurt merged commit 973237d into dotnet:main Jun 25, 2024
@wfurt
Copy link
Member Author

wfurt commented Jun 25, 2024

@wfurt the SslStream_ClientCertificateContext_SendsChain test will now work on Android and we can remove the ActiveIssue. Do you want to do that in this PR or should I open a follow-up PR and do that separately?

why don't you do that as separate PR @simonrozsival . Maybe there will be more changes or more tests to enable...?

@matouskozak matouskozak mentioned this pull request Jun 26, 2024
Closed
This was referenced Jun 26, 2024
Merged
Closed
simonrozsival pushed a commit to simonrozsival/runtime that referenced this pull request Jul 8, 2024
@wfurt @simonrozsival
use also SslCertificateTrust when constructing CertificateContext (do…
9f1b0c4 
…tnet#103372)

* use also SslCertificateTrust when constructing CertificateContext

* 'build

* feedback
@simonrozsival simonrozsival mentioned this pull request Jul 8, 2024
Merged
4 tasks
vitek-karas added a commit that referenced this pull request Jul 15, 2024
@simonrozsival @wfurt @vitek-karas
[release/8.0-staging] use also SslCertificateTrust when constructing …
ce2fdb4 
…CertificateContext (#104541)

Backport of #103372 and #104016 to release/8.0-staging

## Customer Impact

- [X] Customer reported (#100602)
- [ ] Found internally

Customers developing Android apps are currently unable to use mutual TLS authentication in certain cases as the `SslStreamCertificateContext.Create(...)` method will fail to build an X509Chain instance if the certificate isn't trusted by the OS due to the limitations of the Android platform.

## Regression

- [ ] Yes
- [X] No

## Testing

Unit tests and manual testing on Android emulator.

## Risk

Low. The change is mostly limited to Android where this API doesn't currently work in many cases. 

---------

Co-authored-by: Tomas Weinfurt <tweinfurt@yahoo.com>
Co-authored-by: Vitek Karas <10670590+vitek-karas@users.noreply.github.com>
@github-actions github-actions bot locked and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@simonrozsival simonrozsival simonrozsival approved these changes

@rzikm rzikm rzikm approved these changes

@bartonjs bartonjs Awaiting requested review from bartonjs

Assignees

@wfurt wfurt

Labels

area-System.Net.Security

Projects

None yet

Milestone

9.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@wfurt @simonrozsival @rzikm