Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add tracing to the Linux X509Chain implementation #65860

Merged
merged 5 commits into from
Mar 16, 2022
Merged

Add tracing to the Linux X509Chain implementation #65860

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
cdb0e3a
Add tracing to the Linux X509Chain implementation
bartonjs Feb 17, 2022
6c8e762
Fix build / review feedback
bartonjs Feb 25, 2022
9ef33b1
Merge remote-tracking branch 'dotnet/main' into linux_chain_tracing
bartonjs Mar 4, 2022
4c2da07
Merge remote-tracking branch 'dotnet/main' into linux_chain_tracing
bartonjs Mar 8, 2022
ce0b437
Use EventSource.IsEnabled checks as preconditions for trimmer friendl…
bartonjs Mar 16, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -823,6 +823,7 @@
<Compile Include="System\Security\Cryptography\X509Certificates\OpenSslPkcs12Reader.cs" />
<Compile Include="System\Security\Cryptography\X509Certificates\OpenSslSingleCertLoader.cs" />
<Compile Include="System\Security\Cryptography\X509Certificates\OpenSslX509CertificateReader.cs" />
<Compile Include="System\Security\Cryptography\X509Certificates\OpenSslX509ChainEventSource.cs" />
<Compile Include="System\Security\Cryptography\X509Certificates\OpenSslX509ChainProcessor.cs" />
<Compile Include="System\Security\Cryptography\X509Certificates\OpenSslX509Encoder.cs" />
<Compile Include="System\Security\Cryptography\X509Certificates\StorePal.OpenSsl.cs" />
Expand Down Expand Up @@ -1789,6 +1790,7 @@
<Reference Include="System.Collections" />
<Reference Include="System.Collections.Concurrent" />
<Reference Include="System.Collections.NonGeneric" />
<Reference Include="System.Diagnostics.Tracing" />
<Reference Include="System.Diagnostics.StackTrace" />
<Reference Include="System.Formats.Asn1" />
<Reference Include="System.Memory" />
Expand Down
111 changes: 99 additions & 12 deletions ...curity.Cryptography/src/System/Security/Cryptography/X509Certificates/ChainPal.OpenSsl.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,50 @@ public static void FlushStores()
DateTime verificationTime,
TimeSpan timeout,
bool disableAia)
{
if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
OpenSslX509ChainEventSource.Log.ChainStart();
}

try
{
return BuildChainCore(
useMachineContext,
cert,
extraStore,
applicationPolicy,
certificatePolicy,
revocationMode,
revocationFlag,
customTrustStore,
trustMode,
verificationTime,
timeout,
disableAia);
}
finally
{
if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
OpenSslX509ChainEventSource.Log.ChainStop();
}
}
}

private static IChainPal? BuildChainCore(
bool useMachineContext,
ICertificatePal cert,
X509Certificate2Collection? extraStore,
OidCollection? applicationPolicy,
OidCollection? certificatePolicy,
X509RevocationMode revocationMode,
X509RevocationFlag revocationFlag,
X509Certificate2Collection? customTrustStore,
X509ChainTrustMode trustMode,
DateTime verificationTime,
TimeSpan timeout,
bool disableAia)
{
if (timeout == TimeSpan.Zero)
{
Expand Down Expand Up @@ -77,32 +121,59 @@ public static void FlushStores()

Interop.Crypto.X509VerifyStatusCode status = chainPal.FindFirstChain(extraStore);

if (!OpenSslX509ChainProcessor.IsCompleteChain(status) && !disableAia)
if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
List<X509Certificate2>? tmp = null;
status = chainPal.FindChainViaAia(ref tmp);
OpenSslX509ChainEventSource.Log.FindFirstChainFinished(status);
}

if (tmp != null)
if (!OpenSslX509ChainProcessor.IsCompleteChain(status))
{
if (disableAia)
{
if (status == Interop.Crypto.X509VerifyStatusCode.X509_V_OK)
if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
OpenSslX509ChainEventSource.Log.AiaDisabled();
}
}
else
{
List<X509Certificate2>? tmp = null;
status = chainPal.FindChainViaAia(ref tmp);

if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
SaveIntermediateCertificates(tmp);
OpenSslX509ChainEventSource.Log.FindChainViaAiaFinished(status, tmp?.Count ?? 0);
}

foreach (X509Certificate2 downloaded in tmp)
if (tmp != null)
{
downloaded.Dispose();
if (status == Interop.Crypto.X509VerifyStatusCode.X509_V_OK)
{
SaveIntermediateCertificates(tmp);
}

foreach (X509Certificate2 downloaded in tmp)
{
downloaded.Dispose();
}
}
}
}

// In NoCheck+OK then we don't need to build the chain any more, we already
// know it's error-free. So skip straight to finish.
if (status != Interop.Crypto.X509VerifyStatusCode.X509_V_OK ||
revocationMode != X509RevocationMode.NoCheck)
if (revocationMode != X509RevocationMode.NoCheck)
{
if (OpenSslX509ChainProcessor.IsCompleteChain(status))
{
if (status != Interop.Crypto.X509VerifyStatusCode.X509_V_OK)
{
if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
OpenSslX509ChainEventSource.Log.UntrustedChainWithRevocation();
}

revocationMode = X509RevocationMode.NoCheck;
}

chainPal.CommitToChain();
chainPal.ProcessRevocation(revocationMode, revocationFlag);
}
Expand Down Expand Up @@ -132,18 +203,34 @@ private static void SaveIntermediateCertificates(List<X509Certificate2> download
catch (CryptographicException)
{
// Saving is opportunistic, just ignore failures

if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
OpenSslX509ChainEventSource.Log.CouldNotOpenCAStore();
}

return;
}

foreach (X509Certificate2 cert in downloadedCerts)
{
try
{
if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
OpenSslX509ChainEventSource.Log.CachingIntermediate(cert);
}

userIntermediate.Add(cert);
}
catch
{
// Saving is opportunistic, just ignore failures

if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
OpenSslX509ChainEventSource.Log.CachingIntermediateFailed(cert);
}
}
}
}
Expand Down
76 changes: 68 additions & 8 deletions ...hy/src/System/Security/Cryptography/X509Certificates/OpenSslCertificateAssetDownloader.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,11 @@ internal static class OpenSslCertificateAssetDownloader
}
catch (CryptographicException)
{
if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
OpenSslX509ChainEventSource.Log.InvalidDownloadedCertificate();
}

return null;
}
}
Expand Down Expand Up @@ -70,6 +75,11 @@ internal static class OpenSslCertificateAssetDownloader
}
}

if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
OpenSslX509ChainEventSource.Log.InvalidDownloadedCrl();
}

return null;
}

Expand All @@ -91,26 +101,61 @@ internal static class OpenSslCertificateAssetDownloader
// We're not going to report this error to a user, so clear it
// (to avoid tainting future exceptions)
Interop.Crypto.ErrClearError();

if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
OpenSslX509ChainEventSource.Log.InvalidDownloadedOcsp();
}
}

return resp;
}

private static byte[]? DownloadAsset(string uri, TimeSpan downloadTimeout)
{
if (s_downloadBytes != null && downloadTimeout > TimeSpan.Zero)
if (s_downloadBytes is null)
{
long totalMillis = (long)downloadTimeout.TotalMilliseconds;
CancellationTokenSource? cts = totalMillis > int.MaxValue ? null : new CancellationTokenSource((int)totalMillis);
if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
OpenSslX509ChainEventSource.Log.HttpClientNotAvailable();
}

return null;
}

try
if (downloadTimeout <= TimeSpan.Zero)
{
if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
return s_downloadBytes(uri, cts?.Token ?? default);
OpenSslX509ChainEventSource.Log.DownloadTimeExceeded();
}
catch { }
finally

return null;
}

long totalMillis = (long)downloadTimeout.TotalMilliseconds;

if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
OpenSslX509ChainEventSource.Log.AssetDownloadStart(totalMillis, uri);
}

CancellationTokenSource? cts = totalMillis > int.MaxValue ? null : new CancellationTokenSource((int)totalMillis);
byte[]? ret = null;

try
{
ret = s_downloadBytes(uri, cts?.Token ?? default);
return ret;
}
catch { }
vcsjones marked this conversation as resolved.
Show resolved Hide resolved
finally
{
cts?.Dispose();

if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
cts?.Dispose();
OpenSslX509ChainEventSource.Log.AssetDownloadStop(ret?.Length ?? 0);
}
}

Expand Down Expand Up @@ -214,9 +259,19 @@ internal static class OpenSslCertificateAssetDownloader
redirections++;
if (redirections > MaxRedirections)
{
if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
OpenSslX509ChainEventSource.Log.DownloadRedirectsExceeded();
}

return null;
}

if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
OpenSslX509ChainEventSource.Log.DownloadRedirected(redirectUri);
}

// Equivalent of:
// requestMessage = new HttpRequestMessage() { RequestUri = redirectUri };
// requestMessage.RequestUri = redirectUri;
Expand Down Expand Up @@ -284,6 +339,11 @@ internal static class OpenSslCertificateAssetDownloader

if (!IsAllowedScheme(location.Scheme))
{
if (OpenSslX509ChainEventSource.Log.IsEnabled())
{
OpenSslX509ChainEventSource.Log.DownloadRedirectNotFollowed(location);
}

return null;
}

Expand Down
Loading