nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-20 04:28:13 -05:00
Code

Include Root Certificates in Custom Trust Store (#5624)

Browse Source 
* Add new tests

* Include root CA's in custom trust store
This commit is contained in:
Justin Baur 2025-04-08 13:36:34 -04:00 committed by GitHub
parent 65f382ee67
commit f29b5c531f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs
View File

@ -53,6 +53,10 @@ public sealed class X509ChainOptions
return false; return false;
} }
// Do this outside of the callback so that we aren't opening the root store every request.
using var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine, OpenFlags.ReadOnly);
var rootCertificates = store.Certificates;
// Ref: https://github.com/dotnet/runtime/issues/39835#issuecomment-663020581 // Ref: https://github.com/dotnet/runtime/issues/39835#issuecomment-663020581
callback = (certificate, chain, errors) => callback = (certificate, chain, errors) =>
{ {
@ -62,6 +66,10 @@ public sealed class X509ChainOptions
} }
chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
// We want our additional certificates to be in addition to the machines root store.
chain.ChainPolicy.CustomTrustStore.AddRange(rootCertificates);
foreach (var additionalCertificate in AdditionalCustomTrustCertificates) foreach (var additionalCertificate in AdditionalCustomTrustCertificates)
{ {
chain.ChainPolicy.CustomTrustStore.Add(additionalCertificate); chain.ChainPolicy.CustomTrustStore.Add(additionalCertificate);

35
test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
View File

@ -257,6 +257,41 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
Assert.Equal("Hi", response); Assert.Equal("Hi", response);
} }
[Fact]
public async Task CallHttp_ReachingOutToServerTrustedThroughSystemCA()
{
var services = CreateServices((gs, environment, config) => { }, services =>
{
services.Configure<X509ChainOptions>(options =>
{
options.AdditionalCustomTrustCertificates = [];
});
});
var httpClient = services.GetRequiredService<IHttpClientFactory>().CreateClient();
var response = await httpClient.GetAsync("https://example.com");
response.EnsureSuccessStatusCode();
}
[Fact]
public async Task CallHttpWithCustomTrustForSelfSigned_ReachingOutToServerTrustedThroughSystemCA()
{
var selfSignedCertificate = CreateSelfSignedCert("localhost");
var services = CreateServices((gs, environment, config) => { }, services =>
{
services.Configure<X509ChainOptions>(options =>
{
options.AdditionalCustomTrustCertificates = [selfSignedCertificate];
});
});
var httpClient = services.GetRequiredService<IHttpClientFactory>().CreateClient();
var response = await httpClient.GetAsync("https://example.com");
response.EnsureSuccessStatusCode();
}
private static async Task<IAsyncDisposable> CreateServerAsync(int port, Action<HttpsConnectionAdapterOptions> configure) private static async Task<IAsyncDisposable> CreateServerAsync(int port, Action<HttpsConnectionAdapterOptions> configure)
{ {
var builder = WebApplication.CreateEmptyBuilder(new WebApplicationOptions()); var builder = WebApplication.CreateEmptyBuilder(new WebApplicationOptions());