9 changes: 9 additions & 0 deletions src/Servers/Kestrel/Core/src/IHttpsConfigurationService.cs
Expand Up @@ -90,11 +90,20 @@ void ApplyHttpsConfiguration(
internal readonly struct CertificateAndConfig
{
public readonly X509Certificate2 Certificate;
public readonly X509Certificate2Collection CertificateChain;
public readonly CertificateConfig CertificateConfig;

public CertificateAndConfig(X509Certificate2 certificate, CertificateConfig certificateConfig)
{
Certificate = certificate;
CertificateConfig = certificateConfig;
CertificateChain = [];
}

public CertificateAndConfig(X509Certificate2 certificate, CertificateConfig certificateConfig, X509Certificate2Collection certificateChain)
{
Certificate = certificate;
CertificateConfig = certificateConfig;
CertificateChain = certificateChain;
}
}
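Review bot: The two constructors of CertificateAndConfig repeat the same field assignments; the two-argument one can delegate instead, `public CertificateAndConfig(X509Certificate2 certificate, CertificateConfig certificateConfig) : this(certificate, certificateConfig, []) { }`, so the defaulting of CertificateChain lives in one place. Because the field is non-nullable and defaults to an empty collection, the contract is worth stating on the field itself, e.g. `// Empty (never null) when the certificate was loaded without an accompanying chain.`, since the consumer in KestrelServerOptions tests the loader's chain with an `is` pattern that an empty collection still satisfies.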
3 changes: 3 additions & 0 deletions src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs
Expand Up @@ -77,6 +77,7 @@ internal KestrelConfigurationLoader(
private CertificateConfig? DefaultCertificateConfig { get; set; }
internal X509Certificate2? DefaultCertificate { get; set; }

internal X509Certificate2Collection? DefaultCertificateChain { get; set; }
/// <summary>
/// Specifies a configuration Action to run when an endpoint with the given name is loaded from configuration.
/// </summary>
Expand Down Expand Up @@ -345,12 +346,14 @@ internal void ProcessEndpointsToAdd()

DefaultCertificateConfig = null;
DefaultCertificate = null;
DefaultCertificateChain = null;

ConfigurationReader = new ConfigurationReader(Configuration);

if (_httpsConfigurationService.IsInitialized && _httpsConfigurationService.LoadDefaultCertificate(ConfigurationReader) is CertificateAndConfig certPair)
{
DefaultCertificate = certPair.Certificate;
DefaultCertificateChain = certPair.CertificateChain;
DefaultCertificateConfig = certPair.CertificateConfig;
}

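Review bot: The new DefaultCertificateChain property is placed directly above the `/// <summary>` of the following member with no separating blank line, unlike DefaultCertificate above it; add a blank line after it so the XML doc stays visually attached to its own member. The reset and assignment in the second hunk follow the existing DefaultCertificate/DefaultCertificateConfig pattern, which is the right place for them. ProcessEndpointsToAdd continues outside the hunk.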
4 changes: 4 additions & 0 deletions src/Servers/Kestrel/Core/src/KestrelServerOptions.cs
Expand Up @@ -303,6 +303,10 @@ internal void ApplyDefaultCertificate(HttpsConnectionAdapterOptions httpsOptions
if (ConfigurationLoader?.DefaultCertificate is X509Certificate2 certificateFromLoader)
{
httpsOptions.ServerCertificate = certificateFromLoader;
if (ConfigurationLoader?.DefaultCertificateChain is X509Certificate2Collection certificateChainFromLoader)
{
httpsOptions.ServerCertificateChain = certificateChainFromLoader;
}
return;
}

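Review bot: The `is X509Certificate2Collection` test in the new inner `if` does not distinguish an empty chain from a configured one: CertificateAndConfig initialises CertificateChain to `[]` when no chain was loaded, so DefaultCertificateChain is non-null whenever DefaultCertificate comes from the loader and this branch always overwrites httpsOptions.ServerCertificateChain, possibly with an empty collection. Unless ServerCertificateChain is guaranteed to be unset at this point and the TLS layer treats an empty chain exactly like null (neither is visible here), guard on content instead: `if (ConfigurationLoader.DefaultCertificateChain is { Count: > 0 } certificateChainFromLoader)`. The `?.` on ConfigurationLoader inside the branch is also redundant, since the enclosing pattern match already established it is non-null. ApplyDefaultCertificate continues outside the hunk.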
6 changes: 5 additions & 1 deletion src/Servers/Kestrel/Core/src/TlsConfigurationLoader.cs
Expand Up @@ -128,9 +128,13 @@ public ListenOptions UseHttpsWithSni(
{
if (configurationReader.Certificates.TryGetValue("Default", out var defaultCertConfig))
{
var (defaultCert, _ /* cert chain */) = _certificateConfigLoader.LoadCertificate(defaultCertConfig, "Default");
var (defaultCert, defaultCertChain) = _certificateConfigLoader.LoadCertificate(defaultCertConfig, "Default");
if (defaultCert != null)
{
if (defaultCertChain != null)
{
return new CertificateAndConfig(defaultCert, defaultCertConfig, defaultCertChain);
}
return new CertificateAndConfig(defaultCert, defaultCertConfig);
}
}
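Review bot: The nested null check and the two return statements can collapse into one, `return new CertificateAndConfig(defaultCert, defaultCertConfig, defaultCertChain ?? []);`, which yields the same value (the two-argument constructor also produces an empty chain) and removes a branch from the method. This also makes the "no chain means empty chain" decision visible at the call site rather than hidden in the struct's constructor. The enclosing method starts and ends outside the hunk.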
Expand Up @@ -196,6 +196,33 @@ public void ConfigureDefaultsAppliesToNewConfigureEndpoints()
Assert.False(serverOptions.CodeBackedListenOptions[0].IsTls);
}

[Fact]
public void ConfigureDefaultCertificatePathLoadsChain()
{
var serverOptions = CreateServerOptions();
var testCertPath = TestResources.GetCertPath("leaf.com.crt");
var ran1 = false;
var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
{
new KeyValuePair<string, string>("Endpoints:End1:Url", "https://*:5001"),
new KeyValuePair<string,string>("Certificates:Default:Path",testCertPath)
}).Build();

serverOptions.Configure(config)
.Endpoint("End1", opt =>
{
ran1 = true;
Assert.True(opt.IsHttps);
Assert.NotNull(opt.HttpsOptions.ServerCertificate);
Assert.NotNull(opt.HttpsOptions.ServerCertificateChain);
Assert.Equal(2, opt.HttpsOptions.ServerCertificateChain.Count);
}).Load();

Assert.True(ran1);

Assert.True(serverOptions.ConfigurationBackedListenOptions[0].IsTls);
}

[Fact]
public void ConfigureEndpointDefaultCanEnableHttps()
{
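Review bot: The second entry of the in-memory configuration, `new KeyValuePair<string,string>("Certificates:Default:Path",testCertPath)`, drops the spaces after the commas that the line above uses; format both entries the same way. The `Assert.Equal(2, opt.HttpsOptions.ServerCertificateChain.Count)` encodes a property of the test resource that the test does not explain — a short comment above the assertion such as `// leaf.com.crt is expected to bundle two certificates (confirm against the resource)` would make the expected count self-evident to the next reader.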