Certificate authentication fails validation when intermediate certificate isn't in store

[mk185147]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

When you configure Kestler to use certificate authentication and a client sends certificate including an intermediate certificate to a server then server will fail the chain validation if it has the root CA in certificate store but doesn't have the intermediate certificate in the certificate store on Windows.

Expected Behavior

The chain validation should succeed, it should read the intermediate certificates from the TLS connection to build the chain.

Steps To Reproduce

Create CA, intermediate and child certificates (e.g. like described https://docs.microsoft.com/en-us/aspnet/core/security/authentication/certauth?view=aspnetcore-6.0#create-certificates-in-powershell)

You can use a simple web server with certificate authentication, e.g.:

using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(
        CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate();
builder.Services.Configure<KestrelServerOptions>(options =>
{
    options.ConfigureHttpsDefaults(options =>
        options.ClientCertificateMode = ClientCertificateMode.AllowCertificate);
});

var app = builder.Build();

app.UseAuthentication();
app.UseHttpsRedirection();

app.MapGet("/", () => "Hello World!");

app.Run();

Put the CA into windows store where you have the server.

Then put on a different computer all 3 certificates into certificate stores and call the service from that computer. The service will ask you for a certificate, choose the child certificate.

Exceptions (if any)

No response

.NET Version

6.0.300

Anything else?

No response

[davidfowl]

building the cert chain on the fly is a potential performance bottleneck on server applications.

[mk185147]

building the cert chain on the fly is a potential performance bottleneck on server applications.

I think you can possibly build it on the fly only in the case where you don't find it in the certificate store, such a fix would not affect performance of existing applications. The server can also choose to use certificate valadation caching to improve the performance.

[davidfowl]

It would need to be opt in. In fact you cloud do it yourself today with an API call.

[mk185147]

It would need to be opt in. In fact you cloud do it yourself today with an API call.

Why? Today the implementation is against RFC 5246, the RFC states about client certificate message: "This message conveys the client's certificate chain to the server; the server will use it when verifying the CertificateVerify message..." also it describes the structure "This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case." I feel it clearly expects the server to do the validation using the chain that is sent (with the exception of root).

How can I do it today with an API call, please? (I had problem both finding on server the intermedate certificates that were sent and also adjusting the chain validation when ClientCertificateMode.AllowCertificate is used). Thanks.

[HaoK]

@mk185147

How can I do it today with an API call, please?

Assuming you have the full chain in a pem file on disk at certPath, you can load the full cert chain like this

        // Import the full cert chain
        var fullChain = new X509Certificate2Collection();
        fullChain.ImportFromPemFile(certPath);

Hi @mk185147. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[mk185147]

@mk185147

How can I do it today with an API call, please?

Assuming you have the full chain in a pem file on disk at certPath, you can load the full cert chain like this

        // Import the full cert chain
        var fullChain = new X509Certificate2Collection();
        fullChain.ImportFromPemFile(certPath);

Thanks, but this part is easy. I don't have the information on the disk nor in the store. The client certificate and intermediate certificates are in the transport only - so one part is how to get it from there in the code where I customize the validation, I know how to get client certificate but I don't know how to get the intermediates. Then, even if I had the certificates, the ability to customize the validation seems week - I don't know how to easily customize that when server doesn't require certificate but it allows it.