Pass Through Disable AIA Flag (#4674) (#4675)

nibanks · web-flow · commit fd8fcf7f18d0 · 2024-12-04T08:10:02.000-05:00
diff --git a/docs/api/QUIC_CREDENTIAL_CONFIG.md b/docs/api/QUIC_CREDENTIAL_CONFIG.md
@@ -161,6 +161,10 @@ Obtain the peer certificate using a faster in-process API call. Only available o
 
 Enable CA certificate file provided in the `CaCertificateFile` member.
 
+`QUIC_CREDENTIAL_FLAG_DISABLE_AIA`
+
+The following flag can be set to explicitly disable AIA retrievals. Only valid on Windows.
+
 #### `CertificateHash`
 
 Must **only** use with `QUIC_CREDENTIAL_TYPE_CERTIFICATE_HASH` type.
diff --git a/src/cs/lib/msquic_generated.cs b/src/cs/lib/msquic_generated.cs
@@ -99,6 +99,7 @@ internal enum QUIC_CREDENTIAL_FLAGS
         REVOCATION_CHECK_CACHE_ONLY = 0x00040000,
         INPROC_PEER_CERTIFICATE = 0x00080000,
         SET_CA_CERTIFICATE_FILE = 0x00100000,
+        DISABLE_AIA = 0x00200000,
     }
 
     [System.Flags]
diff --git a/src/inc/msquic.h b/src/inc/msquic.h
@@ -146,6 +146,7 @@ typedef enum QUIC_CREDENTIAL_FLAGS {
     QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY            = 0x00040000, // Windows only currently
     QUIC_CREDENTIAL_FLAG_INPROC_PEER_CERTIFICATE                = 0x00080000, // Schannel only
     QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE                = 0x00100000, // OpenSSL only currently
+    QUIC_CREDENTIAL_FLAG_DISABLE_AIA                            = 0x00200000, // Schannel only currently
 } QUIC_CREDENTIAL_FLAGS;
 
 DEFINE_ENUM_FLAG_OPERATORS(QUIC_CREDENTIAL_FLAGS)
diff --git a/src/platform/certificates_capi.c b/src/platform/certificates_capi.c
@@ -90,6 +90,9 @@ CxPlatCertVerifyRawCertificate(
     if (CredFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY) {
         CertFlags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
     }
+    if (CredFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA) {
+        CertFlags |= CERT_CHAIN_DISABLE_AIA;
+    }
 
     Result =
         CxPlatCertValidateChain(
diff --git a/src/platform/tls_openssl.c b/src/platform/tls_openssl.c
@@ -981,7 +981,8 @@ CxPlatTlsSecConfigCreate(
         CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK ||
         CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE ||
         CredConfigFlags & QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL ||
-        CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY)) {
+        CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY ||
+        CredConfigFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA)) {
         return QUIC_STATUS_INVALID_PARAMETER;
     }
 
@@ -992,7 +993,8 @@ CxPlatTlsSecConfigCreate(
         CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK ||
         CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE ||
         CredConfigFlags & QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL ||
-        CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY)) {
+        CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY ||
+        CredConfigFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA)) {
         return QUIC_STATUS_INVALID_PARAMETER;
     }
 #endif
diff --git a/src/platform/tls_schannel.c b/src/platform/tls_schannel.c
@@ -118,6 +118,7 @@ typedef struct _SecPkgCred_ClientCertPolicy
 #define CERT_CHAIN_REVOCATION_CHECK_CHAIN              0x20000000
 #define CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x40000000
 #define CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY         0x80000000
+#define CERT_CHAIN_DISABLE_AIA                         0x00002000
 
 #define SECPKG_ATTR_REMOTE_CERTIFICATES  0x5F   // returns SecPkgContext_Certificates
 
@@ -754,6 +755,9 @@ CxPlatTlsSetClientCertPolicy(
     if (SecConfig->Flags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY) {
         ClientCertPolicy.dwCertFlags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
     }
+    if (SecConfig->Flags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA) {
+        ClientCertPolicy.dwCertFlags |= CERT_CHAIN_DISABLE_AIA;
+    }
 
     SecStatus =
         SetCredentialsAttributesW(
diff --git a/src/platform/unittest/TlsTest.cpp b/src/platform/unittest/TlsTest.cpp
@@ -2222,6 +2222,7 @@ TEST_F(TlsTest, PlatformSpecificFlagsSchannel)
         QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_END_CERT, QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT,
         QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK, QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE,
         QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL, QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY,
+        QUIC_CREDENTIAL_FLAG_DISABLE_AIA,
 #ifndef __APPLE__
         QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CHAIN,
 #endif

Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,7 @@ internal enum QUIC_CREDENTIAL_FLAGS`
`99`	`99`	`REVOCATION_CHECK_CACHE_ONLY = 0x00040000,`
`100`	`100`	`INPROC_PEER_CERTIFICATE = 0x00080000,`
`101`	`101`	`SET_CA_CERTIFICATE_FILE = 0x00100000,`
	`102`	`+ DISABLE_AIA = 0x00200000,`
`102`	`103`	`}`
`103`	`104`
`104`	`105`	`[System.Flags]`
Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,9 @@ CxPlatCertVerifyRawCertificate(`
`90`	`90`	`if (CredFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY) {`
`91`	`91`	`CertFlags \|= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;`
`92`	`92`	`}`
	`93`	`+ if (CredFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA) {`
	`94`	`+ CertFlags \|= CERT_CHAIN_DISABLE_AIA;`
	`95`	`+ }`
`93`	`96`
`94`	`97`	`Result =`
`95`	`98`	`CxPlatCertValidateChain(`