Fixing OID EKU validation.

Author: Lakshmi Priya Sekar

src/Common/src/System/Net/Http/WinHttpException.cs

@@ -23,7 +23,7 @@ public static int ConvertErrorCodeToHR(int error)
             // of HttpClient under the same error conditions. Clients would access
             // HttpRequestException.InnerException.HRESULT to discover what caused
             // the exception.
-            switch ((uint)error)
+            switch (unchecked((uint)error))
             {
                 case Interop.WinHttp.ERROR_WINHTTP_CONNECTION_ERROR:
                     return unchecked((int)Interop.WinHttp.WININET_E_CONNECTION_RESET);

src/Common/tests/System/Net/Capability.Security.cs

@@ -32,6 +32,11 @@ public static bool IsNegotiateServerAvailable()
             return !(Configuration.Security.NegotiateServer == null);
         }
 
+        public static bool AreHostsFileNamesInstalled()
+        {
+            return !(Configuration.Security.HostsFileNamesInstalled == null);
+        }
+
         private static bool InitializeTrustedRootCertificateCapability()
         {
             using (var store = new X509Store(StoreName.Root, StoreLocation.CurrentUser))

src/Common/tests/System/Net/Configuration.Certificates.cs

@@ -25,9 +25,21 @@ public static partial class Certificates
 
             public static X509Certificate2 GetClientCertificate() => GetCertWithPrivateKey(GetClientCertificateCollection());
 
-            public static X509Certificate2Collection GetServerCertificateCollection() => GetCertificateCollection("contoso.com.pfx");
+            public static X509Certificate2 GetNoEKUCertificate() => GetCertWithPrivateKey(GetNoEKUCertificateCollection());
 
-            public static X509Certificate2Collection GetClientCertificateCollection() => GetCertificateCollection("testclient1_at_contoso.com.pfx");
+            public static X509Certificate2 GetSelfSignedServerCertificate() => GetCertWithPrivateKey(GetSelfSignedServerCertificateCollection());
+
+            public static X509Certificate2 GetSelfSignedClientCertificate() => GetCertWithPrivateKey(GetSelfSignedClientCertificateCollection());
+
+            public static X509Certificate2Collection GetServerCertificateCollection() => GetCertificateCollection("testservereku.contoso.com.pfx");
+
+            public static X509Certificate2Collection GetClientCertificateCollection() => GetCertificateCollection("testclienteku.contoso.com.pfx");
+
+            public static X509Certificate2Collection GetNoEKUCertificateCollection() => GetCertificateCollection("testnoeku.contoso.com.pfx");
+
+            public static X509Certificate2Collection GetSelfSignedServerCertificateCollection() => GetCertificateCollection("testselfsignedservereku.contoso.com.pfx");
+
+            public static X509Certificate2Collection GetSelfSignedClientCertificateCollection() => GetCertificateCollection("testselfsignedclienteku.contoso.com.pfx");
 
             private static X509Certificate2Collection GetCertificateCollection(string certificateFileName)
             {

src/Common/tests/System/Net/Configuration.Security.cs

@@ -19,6 +19,14 @@ public static partial class Security
             public static Uri TlsServer => GetUriValue("COREFX_NET_SECURITY_TLSSERVERURI", new Uri("https://" + DefaultAzureServer));
 
             public static Uri NegotiateServer => GetUriValue("COREFX_NET_SECURITY_NEGOSERVERURI");
+
+            // This should be set if hostnames for all certificates within corefx-testdata have been set to point to 127.0.0.1.
+            // Example: 
+            //      127.0.0.1 testservereku.contoso.com
+            //      127.0.0.1 testnoeku.contoso.com
+            //      127.0.0.1 testclienteku.contoso.com
+
+            public static string HostsFileNamesInstalled => GetValue("COREFX_NET_SECURITY_HOSTS_FILE_INSTALLED");
         }
     }
 }

src/Common/tests/System/Net/HttpsTestClient.cs

@@ -0,0 +1,172 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System.Net.Security;
+using System.Net.Security.Tests;
+using System.Net.Sockets;
+using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace System.Net.Test.Common
+{
+    public class HttpsTestClient
+    {
+        public class Options
+        {
+            public Options(EndPoint remoteEndPoint)
+            {
+                RemoteEndpoint = remoteEndPoint;
+            }
+
+            public const string DefaultRequestStringTemplate =
+@"GET / HTTP/1.0
+Host: {0}
+User-Agent: Testing application
+
+";
+
+            public string ServerName { get; set; }
+
+            public EndPoint RemoteEndpoint { get; }
+
+            public X509Certificate2 ClientCertificate { get; set; } =
+                Configuration.Certificates.GetClientCertificate();
+
+            public SslProtocols AllowedProtocols { get; set; } = SslProtocols.None;
+
+            public SslPolicyErrors IgnoreSslPolicyErrors { get; set; } = SslPolicyErrors.None;
+        }
+
+        private Options _options;
+        private int _requestCount = 0;
+        private VerboseTestLogging _log = VerboseTestLogging.GetInstance();
+
+        public SslStream Stream { get; private set; }
+
+        public HttpsTestClient(Options options)
+        {
+            _options = options ?? throw new ArgumentNullException(nameof(options));
+        }
+
+        public async Task HttpsRequestAsync(Func<string, Task<string>> httpConversation = null)
+        {
+            _log.WriteLine("[Client] Disabling SslPolicyErrors: {0}", _options.IgnoreSslPolicyErrors.ToString());
+
+            if (httpConversation == null)
+            {
+                httpConversation = DefaultHttpConversation;
+            }
+
+            using (var certValidationPolicy = new SslStreamCertificatePolicy(_options.IgnoreSslPolicyErrors))
+            using (var tcp = new TcpClient())
+            {
+                await ConnectToHostAsync(tcp);
+
+                using (Stream = new SslStream(tcp.GetStream(), false, certValidationPolicy.SslStreamCallback))
+                {
+                    X509CertificateCollection clientCerts = null;
+
+                    if (_options.ClientCertificate != null)
+                    {
+                        clientCerts = new X509CertificateCollection();
+                        clientCerts.Add(_options.ClientCertificate);
+                    }
+
+                    _log.WriteLine(
+                        "[Client] Connected. Authenticating: server={0}; clientCert={1}",
+                        _options.ServerName,
+                        _options.ClientCertificate != null ? _options.ClientCertificate.Subject : "<null>");
+
+                    try
+                    {
+                        await Stream.AuthenticateAsClientAsync(
+                            _options.ServerName,
+                            clientCerts,
+                            _options.AllowedProtocols,
+                            checkCertificateRevocation: false).ConfigureAwait(false);
+                    }
+                    catch (Exception ex)
+                    {
+                        _log.WriteLine("[Client] Exception : {0}", ex);
+                        throw ex;
+                    }
+
+                    _log.WriteLine("[Client] Authenticated protocol {0}", Stream.SslProtocol);
+
+                    int bytesRead = 0;
+                    string responseString = null;
+
+                    while (true)
+                    {
+                        string requestString = await httpConversation(responseString).ConfigureAwait(false);
+                        if (requestString == null)
+                        {
+                            return;
+                        }
+
+                        if (requestString.Length > 0)
+                        {
+                            byte[] requestBuffer = Encoding.UTF8.GetBytes(requestString);
+
+                            _log.WriteLine("[Client] Sending request ({0} Bytes)", requestBuffer.Length);
+                            await Stream.WriteAsync(requestBuffer, 0, requestBuffer.Length).ConfigureAwait(false);
+                        }
+
+                        _log.WriteLine("[Client] Waiting for reply...");
+
+                        byte[] responseBuffer = new byte[2048];
+                        bytesRead = await Stream.ReadAsync(responseBuffer, 0, responseBuffer.Length).ConfigureAwait(false);
+                        responseString = Encoding.UTF8.GetString(responseBuffer, 0, bytesRead);
+                        _log.WriteLine("[Client] {0} Bytes, Response: <{1}>", bytesRead, responseString);
+                    }
+                }
+            }
+        }
+
+        private async Task ConnectToHostAsync(TcpClient tcp)
+        {
+            string hostName = null;
+
+            if (_options.RemoteEndpoint is DnsEndPoint)
+            {
+                var dns = (DnsEndPoint)_options.RemoteEndpoint;
+                hostName = dns.Host;
+
+                _log.WriteLine("[Client] Connecting to {0}:{1}", hostName, dns.Port);
+                await tcp.ConnectAsync(hostName, dns.Port).ConfigureAwait(false);
+            }
+            else
+            {
+                var ip = (IPEndPoint)_options.RemoteEndpoint;
+                hostName = ip.Address.ToString();
+                _log.WriteLine("[Client] Connecting to {0}:{1}", hostName, ip.Port);
+                await tcp.ConnectAsync(hostName, ip.Port).ConfigureAwait(false);
+            }
+
+            if (_options.ServerName == null)
+            {
+                _options.ServerName = hostName;
+            }
+        }
+
+        private Task<string> DefaultHttpConversation(string read)
+        {
+            if (_requestCount == 1 && read.Length == 0)
+            {
+                throw new InvalidOperationException("Https empty response.");
+            }
+
+            string requestString = null;
+            if (read == null)
+            {
+                requestString = string.Format(Options.DefaultRequestStringTemplate, _options.ServerName);
+            }
+
+            _requestCount++;
+            return Task.FromResult(requestString);
+        }
+    }
+}