Add support for loading certificate chains from configuration.

[davidfowl]

• Adds a ServerCertificateIntermediates property to HttpsConnectionAdapterOptions
• Adds a Chain property to configuration. This only supports PEM certificates.

TODO: Add tests

Fixes #21513
Contributes to #21512

[bartonjs]

Looks good aside from the one confusing line

[davidfowl]

The weird thing about this property is that it should really be set with the ServerCertificate in an atomic manner. If the cert is set, then the intermediates should be set as well (null is valid)

[halter73]

Agreed. The combined type should probably be defined in the runtime.

[halter73]

Should we add a SslStreamCertificateContext property instead of this X509Certificate2Collection?

[davidfowl]

@bartonjs if we wanted to support resolving the chain for PKCS #12 files (pfx) would I call Import on the pfx itself?

[bartonjs]

if we wanted to support resolving the chain for PKCS #12 files (pfx) would I call Import on the pfx itself?

X509Certificate2Collection coll = new X509Certificate2Collection();
coll.Import(pfxPath, pfxPwd, flags);

If there's exactly one cert that returns true for HasPrivateKey, you can hold its reference as the target cert and remove it from the collection (removing it isn't strictly required, I guess...).

[halter73]

This gets called a lot. Maybe we should store this certificate in a static/fixture. We do that in some other test classes that need a lot of valid X509Certificate2s.

[halter73]

Nit: Use fake .pem files to show the expected file type for KeyPath/ChainPath.

[halter73]

It might be more straightforward to just have developers call this themselves by putting a SslStreamCertificateContext on HttpsConnectionAdapterOptions and preferring it to ServerCertificate similar to the way we treat ServerCertificateSelector.

[davidfowl]

Wherever we load the cert, we're going to be using the context. The callback happens to late. It needs to happen at startup.

[halter73]

HttpsConnectionAdapterOptions.ServerCertificateContext or whatever-we-call-it would be set at startup though.

[davidfowl]

What does that have to do with the SNI selector? Kestrel should always resolve this at startup.

[halter73]

It's just a comparison to point out that even though having both SslStreamCertificateContext and ServerCertificate on HttpsConnectionAdapterOptions would be redundant, ServerCertificateSelector and ServerCertificate are already redundant, so this isn't a new problem if we decide to add SslStreamCertificateContext.

[davidfowl]

I don't understand what this has to do with SNI. Exposing SslStreamCertificateContext on HttpsConnectionAdapterOptions is fine and I have no pushback but it has nothing to do with this code path...

[ghost]

Thank you for submitting this for API review. This will be reviewed by @dotnet/aspnet-api-review at the next meeting of the ASP.NET Core API Review group. Please ensure you take a look at the API review process documentation and ensure that:

• The PR contains changes to the reference-assembly that describe the API change. Or, you have included a snippet of reference-assembly-style code that illustrates the API change.
• The PR describes the impact to users, both positive (useful new APIs) and negative (breaking changes).
• Someone is assigned to "champion" this change in the meeting, and they understand the impact and design of the change.

[javiercn]

This looks good!

There's missing tests and stuff, but other than that the changes are fine I think!

[Pilchie]

👀

[dougbu]

@davidfowl this PR is blocking me deleting the old release/5.0-rc2 branch. Could you please close it❔

[davidfowl]

As long as you don't delete it

[dougbu]

As long as you don't delete it

If you need the branch, probably safest to rebase it before I burn the release/5.0-rc2 branch. I don't think GitHub removes branches when left dangling after a PR is closed but the PR does protect the branch a bit.

[dougbu]

🆗 @davidfowl I'll do the rebase to unblock myself. Should this PR target master now❔

[davidfowl]

Yep

[dougbu]

Done