Intermediate MTLS certificates ignored by certificate authentication #53858

Closed
1 task done
vurhanau opened this issue Feb 6, 2024 · 3 comments
Labels
area-security Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. Needs: Repro Indicates that the team needs a repro project to continue the investigation on this issue

Comments

@vurhanau

vurhanau commented Feb 6, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

An ASP.NET Core server fails to do certificate authentication when a client sends leaf + intermediate MTLS certs.
Error:

warn: Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler[2]
      Certificate validation failed, subject was OID.2.5.4.45=abc, O=someorg, C=US. PartialChain One or more certificates required to validate this certificate cannot be found.

Server:

builder.WebHost.UseKestrel(kestrel =>
{
    kestrel.Listen(IPAddress.Any, port, listenOptions =>
    {
        // Per-connection TLS options: a client certificate is required and the server
        // presents its own leaf plus intermediates (leafCert / intermediateCerts are loaded elsewhere).
        listenOptions.UseHttps(new TlsHandshakeCallbackOptions
        {
            OnConnection = ctx => ValueTask.FromResult(
                new SslServerAuthenticationOptions
                {
                    ClientCertificateRequired = true,
                    // TLS-level validation; `chain` here does contain the intermediates the client sent.
                    RemoteCertificateValidationCallback = (_, cert, chain, _) => MyValidationCallback(cert, chain),
                    ServerCertificateContext = SslStreamCertificateContext.Create(leafCert, intermediateCerts, true),
                }),
        });
    });
});

Server authentication:

builder.Services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
                .AddCertificate(opts =>
                {
                    opts.RevocationMode = X509RevocationMode.NoCheck;
                    opts.ChainTrustValidationMode = X509ChainTrustMode.CustomRootTrust;
                    opts.CustomTrustStore = GetX509Authorities(); // add root CA, intermediate CA is not available here - client sends it
                });

Client:

using HttpClient http = new(new SocketsHttpHandler()
{
    SslOptions = new SslClientAuthenticationOptions
    {
        RemoteCertificateValidationCallback = (_, cert, chain, _) => MyClientValidationCallback(cert, chain),
        // The client sends its leaf together with the intermediate CA certs in the TLS handshake.
        ClientCertificateContext = SslStreamCertificateContext.Create(clientLeafCert, intermediateClientCerts, true),
    },
});

Microsoft.AspNetCore.Authentication.Certificate version is 8.0.1

Expected Behavior

Intermediate X509 client certs should be added to the X509 chain to construct a proper CA chain.
The certificate authentication handler should validate the client X509 leaf certificate successfully when all CA certs are in the chain.

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

8.0.100

Anything else?

No response

@mkArtakMSFT mkArtakMSFT added the Needs: Repro Indicates that the team needs a repro project to continue the investigation on this issue label Apr 9, 2024
@dotnet-policy-service dotnet-policy-service bot added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label Apr 9, 2024
@mkArtakMSFT
Member

Thanks for contacting us. Have you tried this: #48099 ?
If that doesn't help, please generate some test certificates and build a minimal repro project utilizing those certs and provide it so that we can investigate this.

@vurhanau
Author

vurhanau commented Oct 29, 2024

Re-opening this issue with a simple project to demonstrate the issue: https://github.com/vurhanau/aspnetcore-certchain

The CertificateAuthenticationHandler.BuildChain() method ignores the certificate chain sent by the client.
There are cases when the intermediate CA certificate is sent by the client and this certificate is not known by the server ahead of time.

@mkArtakMSFT let me know if anything else is needed to fix this.

@Tyrrx

Tyrrx commented Nov 12, 2024

Intermediate certificates should be accessible in general, not only during the Kestrel validation callback.
@mkArtakMSFT #48099 is not a viable solution. It is about disabling the chain building.
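An added illustration of the mechanism behind the PartialChain error reported in this issue (this is example code, not code from the thread, the linked repro, or ASP.NET Core itself): a constructed root / intermediate / leaf chain is checked with the same CustomRootTrust and NoCheck policy the handler uses, first with only the root known, then with the client-sent intermediate supplied through ChainPolicy.ExtraStore, which is what BuildChain() would need to do with the handshake chain. Certificate names and the Issue / NewChain helpers are assumptions of the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainDemo
{
    // Issues a certificate for `subject`; self-signed when no issuer is given (hypothetical helper).
    static X509Certificate2 Issue(string subject, RSA key, bool isCa,
                                  X509Certificate2? issuer = null, RSA? issuerKey = null)
    {
        var req = new CertificateRequest($"CN={subject}", key, HashAlgorithmName.SHA256,
                                         RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(isCa, false, 0, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        var notBefore = DateTimeOffset.UtcNow.AddMinutes(-5);
        var notAfter = notBefore.AddDays(1);
        if (issuer is null)
            return req.CreateSelfSigned(notBefore, notAfter);
        // Sign with the issuer's key; a random serial is sufficient for a constructed demo chain.
        var generator = X509SignatureGenerator.CreateForRSA(issuerKey!, RSASignaturePadding.Pkcs1);
        return req.Create(issuer.SubjectName, generator, notBefore, notAfter,
                          RandomNumberGenerator.GetBytes(16));
    }

    // Mirrors the handler's policy from the issue: revocation off, trust anchored on our own root only.
    static X509Chain NewChain(X509Certificate2 root)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);
        return chain;
    }

    static void Main()
    {
        using var rootKey = RSA.Create(2048);
        using var interKey = RSA.Create(2048);
        using var leafKey = RSA.Create(2048);
        var root = Issue("Demo Root CA", rootKey, isCa: true);                     // constructed
        var inter = Issue("Demo Intermediate CA", interKey, isCa: true, root, rootKey);
        var leaf = Issue("client-leaf", leafKey, isCa: false, inter, interKey);

        // 1. Only the root is known (the situation BuildChain() is in): the chain stops short.
        using var bare = NewChain(root);
        Console.WriteLine($"without intermediate: {bare.Build(leaf)} " +
            $"({string.Join(", ", bare.ChainStatus.Select(s => s.Status))})");

        // 2. The intermediate the client presented is added to ExtraStore: the chain completes.
        using var seeded = NewChain(root);
        seeded.ChainPolicy.ExtraStore.Add(inter);
        Console.WriteLine($"with intermediate: {seeded.Build(leaf)} " +
            $"(elements: {seeded.ChainElements.Count})");
    }
}
```

Run as a .NET 8 console app: the first Build reports PartialChain, the second succeeds with three chain elements.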
