nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-04 20:50:21 -05:00
Code

Introduce options for adding certificates to the X509ChainPolicy.CustomTrustStore

Browse Source 
Co-authored-by: tangowithfoxtrot <tangowithfoxtrot@users.noreply.github.com>
This commit is contained in:
Justin Baur 2025-04-04 11:58:15 -04:00
parent 39ac93326d
commit 190328c0cf
No known key found for this signature in database
8 changed files with 412 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
src/Core/Platform/X509ChainCustomization/PostConfigureX509ChainOptions.cs Normal file
View File

@ -0,0 +1,94 @@
#nullable enable
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Options;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Hosting;
using Bit.Core.Settings;
namespace Bit.Core.Platform.X509ChainCustomization;
internal sealed class PostConfigureX509ChainOptions : IPostConfigureOptions<X509ChainOptions>
{
const string CertificateSearchPattern = "*.crt";
private readonly ILogger<PostConfigureX509ChainOptions> _logger;
private readonly IHostEnvironment _hostEnvironment;
private readonly GlobalSettings _globalSettings;
public PostConfigureX509ChainOptions(
ILogger<PostConfigureX509ChainOptions> logger,
IHostEnvironment hostEnvironment,
GlobalSettings globalSettings)
{
_logger = logger;
_hostEnvironment = hostEnvironment;
_globalSettings = globalSettings;
}
public void PostConfigure(string? name, X509ChainOptions options)
{
if (name != Options.DefaultName)
{
return;
}
// We only allow this setting to be configured on self host.
if (!_globalSettings.SelfHosted)
{
options.AdditionalCustomTrustCertificatesDirectory = null;
return;
}
if (options.AdditionalCustomTrustCertificates != null)
{
// Additional certificates were added directly, this overwrites the need to
// read them from the directory.
_logger.LogInformation(
"Additional custom trust certificates were added directly, skipping loading them from '{Directory}'",
options.AdditionalCustomTrustCertificatesDirectory
);
return;
}
if (string.IsNullOrEmpty(options.AdditionalCustomTrustCertificatesDirectory))
{
return;
}
if (!Directory.Exists(options.AdditionalCustomTrustCertificatesDirectory))
{
// The default directory is volume mounted via the default Bitwarden setup process.
// If the directory doesn't exist it could indicate a error in configuration but this
// directory is never expected in a normal development environment so lower the log
// level in that case.
var logLevel = _hostEnvironment.IsDevelopment()
? LogLevel.Debug
: LogLevel.Warning;
_logger.Log(
logLevel,
"An additional custom trust certificate directory was given '{Directory}' but that directory does not exist.",
options.AdditionalCustomTrustCertificatesDirectory
);
return;
}
var certificates = new List<X509Certificate2>();
foreach (var certFile in Directory.EnumerateFiles(options.AdditionalCustomTrustCertificatesDirectory, CertificateSearchPattern))
{
certificates.Add(new X509Certificate2(certFile));
}
if (options.AdditionalCustomTrustCertificatesDirectory != X509ChainOptions.DefaultAdditionalCustomTrustCertificatesDirectory && certificates.Count == 0)
{
// They have intentionally given us a non-default directory but there weren't certificates, that is odd.
_logger.LogWarning(
"No additional custom trust certificates were found in '{Directory}'",
options.AdditionalCustomTrustCertificatesDirectory
);
}
options.AdditionalCustomTrustCertificates = certificates;
}
}

53
src/Core/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensions.cs Normal file
View File

@ -0,0 +1,53 @@
using Bit.Core.Platform.X509ChainCustomization;
using Microsoft.Extensions.Options;
using Microsoft.Extensions.DependencyInjection.Extensions;
namespace Microsoft.Extensions.DependencyInjection;
/// <summary>
/// Extension methods for setting up the ability to provide customization to how TLS works in an <see cref="IServiceCollection"/>.
/// </summary>
public static class X509ChainCustomizationServiceCollectionExtensions
{
/// <summary>
/// Configures X509ChainPolicy customization through the root level <c>TlsOptions</c> configuration section
/// and configures the primary <see cref="HttpMessageHandler"/> to use custom certificate validation
/// when customized to do so.
/// </summary>
/// <param name="services">The <see cref="IServiceCollection"/>.</param>
/// <returns>The <see cref="IServiceCollection"/> for additional chaining.</returns>
public static IServiceCollection AddX509ChainCustomization(this IServiceCollection services)
{
ArgumentNullException.ThrowIfNull(services);
services.AddOptions<X509ChainOptions>()
.BindConfiguration(nameof(X509ChainOptions));
// Use TryAddEnumerable to make sure `PostConfigureTlsOptions` isn't added multiple
// times even if this method is called multiple times.
services.TryAddEnumerable(ServiceDescriptor.Singleton<IPostConfigureOptions<X509ChainOptions>, PostConfigureX509ChainOptions>());
services.AddHttpClient()
.ConfigureHttpClientDefaults(builder =>
{
builder.ConfigurePrimaryHttpMessageHandler(sp =>
{
var tlsOptions = sp.GetRequiredService<IOptions<X509ChainOptions>>().Value;
var handler = new HttpClientHandler();
if (tlsOptions.TryGetCustomRemoteCertificateValidationCallback(out var callback))
{
handler.ServerCertificateCustomValidationCallback = (sender, certificate, chain, errors) =>
{
return callback(certificate, chain, errors);
};
}
return handler;
});
});
return services;
}
}

72
src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs Normal file
View File

@ -0,0 +1,72 @@
#nullable enable
using System.Diagnostics.CodeAnalysis;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
namespace Bit.Core.Platform.X509ChainCustomization;
/// <summary>
/// Allows for customization of
/// </summary>
public sealed class X509ChainOptions
{
// This is the directory that we historically used to allow certificates be added inside our container
// and then on start of the container we would move them to `/usr/local/share/ca-certificates/` and call
// `update-ca-certificates` but since that operation requires root we can't do it in a rootless container.
// Ref: https://github.com/bitwarden/server/blob/67d7d685a619a5fc413f8532dacb09681ee5c956/src/Api/entrypoint.sh#L38-L41
public const string DefaultAdditionalCustomTrustCertificatesDirectory = "/etc/bitwarden/ca-certificates/";
/// <summary>
/// A directory where additional certificates should be read from and included in <see cref="X509ChainPolicy.CustomTrustStore"/>.
/// </summary>
/// <remarks>
/// Only certificates suffixed with <c>*.crt</c> will be read. If <see cref="AdditionalCustomTrustCertificates"/> is
/// set, then this directory will not be read from.
/// </remarks>
public string? AdditionalCustomTrustCertificatesDirectory { get; set; } = DefaultAdditionalCustomTrustCertificatesDirectory;
/// <summary>
/// A list of additional certificates that should be included in <see cref="X509ChainPolicy.CustomTrustStore"/>.
/// </summary>
/// <remarks>
/// If this value is set manually, then <see cref="AdditionalCustomTrustCertificatesDirectory"/> will be ignored.
/// </remarks>
public List<X509Certificate2>? AdditionalCustomTrustCertificates { get; set; }
/// <summary>
/// Attempts to retrieve a custom remote certificate validation callback.
/// </summary>
/// <param name="callback"></param>
/// <returns>Returns <see langword="true"/> when we have custom remote certification that should be added,
/// <see langword="false"/> when no custom validation is needed and the default validation callback should
/// be used instead.
/// </returns>
[MemberNotNullWhen(true, nameof(AdditionalCustomTrustCertificates))]
public bool TryGetCustomRemoteCertificateValidationCallback(
[MaybeNullWhen(false)]out Func<X509Certificate2?, X509Chain?, SslPolicyErrors, bool> callback)
{
callback = null;
if (AdditionalCustomTrustCertificates == null || AdditionalCustomTrustCertificates.Count == 0)
{
return false;
}
// Ref: https://github.com/dotnet/runtime/issues/39835#issuecomment-663020581
callback = (certificate, chain, errors) =>
{
if (chain == null || certificate == null)
{
return false;
}
chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
foreach (var additionalCertificate in AdditionalCustomTrustCertificates)
{
chain.ChainPolicy.CustomTrustStore.Add(additionalCertificate);
}
return chain.Build(certificate);
};
return true;
}
}

17
src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs
View File

@ -1,7 +1,10 @@
using Bit.Core.Settings;
using System.Security.Cryptography.X509Certificates;
using Bit.Core.Platform.X509ChainCustomization;
using Bit.Core.Settings;
using Bit.Core.Utilities;
using MailKit.Net.Smtp;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using MimeKit;
namespace Bit.Core.Services;
@ -10,12 +13,14 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService
{
private readonly GlobalSettings _globalSettings;
private readonly ILogger<MailKitSmtpMailDeliveryService> _logger;
private readonly X509ChainOptions _x509CertificateCustomization;
private readonly string _replyDomain;
private readonly string _replyEmail;
public MailKitSmtpMailDeliveryService(
GlobalSettings globalSettings,
ILogger<MailKitSmtpMailDeliveryService> logger)
ILogger<MailKitSmtpMailDeliveryService> logger,
IOptions<X509ChainOptions> tlsOptions)
{
if (globalSettings.Mail?.Smtp?.Host == null)
{
@ -31,6 +36,7 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService
_globalSettings = globalSettings;
_logger = logger;
_x509CertificateCustomization = tlsOptions.Value;
}
public async Task SendEmailAsync(Models.Mail.MailMessage message)
@ -75,6 +81,13 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService
{
client.ServerCertificateValidationCallback = (s, c, h, e) => true;
}
else if (_x509CertificateCustomization.TryGetCustomRemoteCertificateValidationCallback(out var callback))
{
client.ServerCertificateValidationCallback = (sender, cert, chain, errors) =>
{
return callback(new X509Certificate2(cert), chain, errors);
};
}
if (!_globalSettings.Mail.Smtp.StartTls && !_globalSettings.Mail.Smtp.Ssl &&
_globalSettings.Mail.Smtp.Port == 25)

49
test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs
View File

@ -3,9 +3,11 @@ using System.Security.Cryptography.X509Certificates;
using Bit.Core.Models.Mail;
using Bit.Core.Services;
using Bit.Core.Settings;
using Bit.Core.Platform.TlsCustomization;
using MailKit.Security;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using Rnwood.SmtpServer;
using Rnwood.SmtpServer.Extensions.Auth;
using Xunit.Abstractions;
@ -100,7 +102,8 @@ public class MailKitSmtpMailDeliveryServiceTests
var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
globalSettings,
NullLogger<MailKitSmtpMailDeliveryService>.Instance
NullLogger<MailKitSmtpMailDeliveryService>.Instance,
Options.Create(new X509CertificateCustomizationOptions())
);
await Assert.ThrowsAsync<SslHandshakeException>(
@ -113,7 +116,7 @@ public class MailKitSmtpMailDeliveryServiceTests
);
}
[Fact(Skip = "Upcoming feature")]
[Fact]
public async Task SendEmailAsync_SmtpServerUsingSelfSignedCert_CertInCustomLocation_Works()
{
// If an SMTP server is using a self signed cert we will in the future
@ -130,12 +133,18 @@ public class MailKitSmtpMailDeliveryServiceTests
gs.Mail.Smtp.Ssl = true;
});
// TODO: Setup custom location and save self signed cert there.
// await SaveCertAsync("./my-location", _selfSignedCert);
var tlsOptions = new X509CertificateCustomizationOptions
{
AdditionalCustomTrustCertificates =
[
_selfSignedCert,
],
};
var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
globalSettings,
NullLogger<MailKitSmtpMailDeliveryService>.Instance
NullLogger<MailKitSmtpMailDeliveryService>.Instance,
Options.Create(tlsOptions)
);
var tcs = new TaskCompletionSource();
@ -162,7 +171,7 @@ public class MailKitSmtpMailDeliveryServiceTests
await tcs.Task;
}
[Fact(Skip = "Upcoming feature")]
[Fact]
public async Task SendEmailAsync_SmtpServerUsingSelfSignedCert_CertInCustomLocation_WithUnrelatedCerts_Works()
{
// If an SMTP server is using a self signed cert we will in the future
@ -179,15 +188,19 @@ public class MailKitSmtpMailDeliveryServiceTests
gs.Mail.Smtp.Ssl = true;
});
// TODO: Setup custom location and save self signed cert there
// along with another self signed cert that is not related to
// the SMTP server.
// await SaveCertAsync("./my-location", _selfSignedCert);
// await SaveCertAsync("./my-location", CreateSelfSignedCert("example.com"));
var tlsOptions = new X509CertificateCustomizationOptions
{
AdditionalCustomTrustCertificates =
[
_selfSignedCert,
CreateSelfSignedCert("example.com"),
],
};
var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
globalSettings,
NullLogger<MailKitSmtpMailDeliveryService>.Instance
NullLogger<MailKitSmtpMailDeliveryService>.Instance,
Options.Create(tlsOptions)
);
var tcs = new TaskCompletionSource();
@ -234,7 +247,8 @@ public class MailKitSmtpMailDeliveryServiceTests
var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
globalSettings,
NullLogger<MailKitSmtpMailDeliveryService>.Instance
NullLogger<MailKitSmtpMailDeliveryService>.Instance,
Options.Create(new X509CertificateCustomizationOptions())
);
var tcs = new TaskCompletionSource();
@ -280,7 +294,8 @@ public class MailKitSmtpMailDeliveryServiceTests
var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
globalSettings,
NullLogger<MailKitSmtpMailDeliveryService>.Instance
NullLogger<MailKitSmtpMailDeliveryService>.Instance,
Options.Create(new X509CertificateCustomizationOptions())
);
var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
@ -315,7 +330,8 @@ public class MailKitSmtpMailDeliveryServiceTests
var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
globalSettings,
NullLogger<MailKitSmtpMailDeliveryService>.Instance
NullLogger<MailKitSmtpMailDeliveryService>.Instance,
Options.Create(new X509CertificateCustomizationOptions())
);
var tcs = new TaskCompletionSource();
@ -381,7 +397,8 @@ public class MailKitSmtpMailDeliveryServiceTests
var mailKitDeliveryService = new MailKitSmtpMailDeliveryService(
globalSettings,
NullLogger<MailKitSmtpMailDeliveryService>.Instance
NullLogger<MailKitSmtpMailDeliveryService>.Instance,
Options.Create(new X509CertificateCustomizationOptions())
);
var tcs = new TaskCompletionSource();

137
test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs Normal file
View File

@ -0,0 +1,137 @@
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Bit.Core.Platform.X509ChainCustomization;
using Bit.Core.Settings;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Options;
using NSubstitute;
using Xunit;
namespace Bit.Core.Test.Platform.TlsCustomization;
public class X509ChainCustomizationServiceCollectionExtensionsTests
{
private static X509Certificate2 CreateSelfSignedCert(string commonName)
{
using var rsa = RSA.Create(2048);
var certRequest = new CertificateRequest($"CN={commonName}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
return certRequest.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));
}
[Fact]
public async Task OptionsPatternReturnsCachedValue()
{
var tempDir = Directory.CreateTempSubdirectory("certs");
var tempCert = Path.Combine(tempDir.FullName, "test.crt");
await File.WriteAllBytesAsync(tempCert, CreateSelfSignedCert("localhost").Export(X509ContentType.Cert));
var services = CreateServices((gs, environment, config) =>
{
gs.SelfHosted = true;
environment.EnvironmentName = "Development";
config["X509ChainOptions:AdditionalCustomTrustCertificatesDirectory"] = tempDir.FullName;
});
// Create options once
var firstOptions = services.GetRequiredService<IOptions<X509ChainOptions>>().Value;
Assert.NotNull(firstOptions.AdditionalCustomTrustCertificates);
var cert = Assert.Single(firstOptions.AdditionalCustomTrustCertificates);
Assert.Equal("CN=localhost", cert.Subject);
// Since the second resolution should have cached values, deleting the file during operation
// should have no impact.
File.Delete(tempCert);
// This is expected to be a cached version and doesn't actually need to go and read the file system
var secondOptions = services.GetRequiredService<IOptions<X509ChainOptions>>().Value;
Assert.Same(firstOptions, secondOptions);
// This is the same reference as the first one so it shouldn't be different but just in case.
Assert.NotNull(secondOptions.AdditionalCustomTrustCertificates);
Assert.Single(secondOptions.AdditionalCustomTrustCertificates);
}
[Fact]
public async Task DoesNotProvideCustomCallbackOnCloud()
{
var tempDir = Directory.CreateTempSubdirectory("certs");
var tempCert = Path.Combine(tempDir.FullName, "test.crt");
await File.WriteAllBytesAsync(tempCert, CreateSelfSignedCert("localhost").Export(X509ContentType.Cert));
var options = CreateOptions((gs, environment, config) =>
{
gs.SelfHosted = false;
environment.EnvironmentName = "Development";
config["X509ChainOptions:AdditionalCustomTrustCertificatesDirectory"] = tempDir.FullName;
});
Assert.False(options.TryGetCustomRemoteCertificateValidationCallback(out _));
}
[Fact]
public async Task ManuallyAddingOptionsTakesPrecedence()
{
var tempDir = Directory.CreateTempSubdirectory("certs");
var tempCert = Path.Combine(tempDir.FullName, "test.crt");
await File.WriteAllBytesAsync(tempCert, CreateSelfSignedCert("localhost").Export(X509ContentType.Cert));
var options = CreateOptions((gs, environment, config) =>
{
gs.SelfHosted = false;
environment.EnvironmentName = "Development";
config["X509ChainOptions:AdditionalCustomTrustCertificatesDirectory"] = tempDir.FullName;
}, services =>
{
services.Configure<X509ChainOptions>(options =>
{
options.AdditionalCustomTrustCertificates = [CreateSelfSignedCert("example.com")];
});
});
Assert.True(options.TryGetCustomRemoteCertificateValidationCallback(out var callback));
var cert = Assert.Single(options.AdditionalCustomTrustCertificates);
Assert.Equal("CN=example.com", cert.Subject);
}
private static X509ChainOptions CreateOptions(Action<GlobalSettings, IHostEnvironment, Dictionary<string, string>> configure, Action<IServiceCollection>? after = null)
{
var services = CreateServices(configure, after);
return services.GetRequiredService<IOptions<X509ChainOptions>>().Value;
}
private static IServiceProvider CreateServices(Action<GlobalSettings, IHostEnvironment, Dictionary<string, string>> configure, Action<IServiceCollection>? after = null)
{
var globalSettings = new GlobalSettings();
var hostEnvironment = Substitute.For<IHostEnvironment>();
var config = new Dictionary<string, string>();
configure(globalSettings, hostEnvironment, config);
var services = new ServiceCollection();
services.AddSingleton(globalSettings);
services.AddSingleton(hostEnvironment);
services.AddSingleton<IConfiguration>(
new ConfigurationBuilder()
.AddInMemoryCollection(config)
.Build()
);
services.AddX509ChainCustomization();
after?.Invoke(services);
return services.BuildServiceProvider();
}
}

4
test/Core.Test/Services/HandlebarsMailServiceTests.cs
View File

@ -4,9 +4,11 @@ using Bit.Core.AdminConsole.Entities.Provider;
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Models.Business;
using Bit.Core.Entities;
using Bit.Core.Platform.X509ChainCustomization;
using Bit.Core.Services;
using Bit.Core.Settings;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using NSubstitute;
using Xunit;
@ -136,7 +138,7 @@ public class HandlebarsMailServiceTests
SiteName = "Bitwarden",
};
var mailDeliveryService = new MailKitSmtpMailDeliveryService(globalSettings, Substitute.For<ILogger<MailKitSmtpMailDeliveryService>>());
var mailDeliveryService = new MailKitSmtpMailDeliveryService(globalSettings, Substitute.For<ILogger<MailKitSmtpMailDeliveryService>>(), Options.Create(new X509ChainOptions()));
var handlebarsService = new HandlebarsMailService(globalSettings, mailDeliveryService, new BlockingMailEnqueuingService());

7
test/Core.Test/Services/MailKitSmtpMailDeliveryServiceTests.cs
View File

@ -1,6 +1,8 @@
using Bit.Core.Services;
using Bit.Core.Platform.X509ChainCustomization;
using Bit.Core.Services;
using Bit.Core.Settings;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using NSubstitute;
using Xunit;
@ -23,7 +25,8 @@ public class MailKitSmtpMailDeliveryServiceTests
_sut = new MailKitSmtpMailDeliveryService(
_globalSettings,
_logger
_logger,
Options.Create(new X509ChainOptions())
);
}