[release/7.0] Fix server-side OCSP stapling on Linux (#96808)

* Recover from failed OCSP download. (#96448)

* Recover from failed OCSP check.

* Add 5s back-off after failed OCSP querry

* Do not OCSP staple invalid OCSP responses

* Add entire issuer chain to trusted X509_STORE when validating OCSP_Response

Code review feedback

More code review feedback

Update src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs

Co-authored-by: Jeremy Barton <jbarton@microsoft.com>

Fix compilation

Always include root certificate

* Fix compilation

* Don't shorten OCSP expriation on failed server OCSP fetch (#96972)

* Don't shorten OCSP expriation on failed server OCSP fetch

* Code review feedback

---------

Co-authored-by: Kevin Jones <kevin@vcsjones.com>
Co-authored-by: Carlos Sánchez López <1175054+carlossanlop@users.noreply.github.com>

Author: 3 people

src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OCSP.cs

@@ -29,27 +29,30 @@ private static unsafe partial int CryptoNative_X509DecodeOcspToExpiration(
             int len,
             SafeOcspRequestHandle req,
             IntPtr subject,
-            IntPtr issuer,
+            IntPtr* issuers,
+            int issuersLen,
             ref long expiration);
 
         internal static unsafe bool X509DecodeOcspToExpiration(
             ReadOnlySpan<byte> buf,
             SafeOcspRequestHandle request,
             IntPtr x509Subject,
-            IntPtr x509Issuer,
+            ReadOnlySpan<IntPtr> x509Issuers,
             out DateTimeOffset expiration)
         {
             long timeT = 0;
             int ret;
 
             fixed (byte* pBuf = buf)
+            fixed (IntPtr* pIssuers = x509Issuers)
             {
                 ret = CryptoNative_X509DecodeOcspToExpiration(
                     pBuf,
                     buf.Length,
                     request,
                     x509Subject,
-                    x509Issuer,
+                    pIssuers,
+                    x509Issuers.Length,
                     ref timeT);
             }
 

src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/RevocationResponder.cs

@@ -16,6 +16,9 @@ internal sealed class RevocationResponder : IDisposable
         private static readonly bool s_traceEnabled =
             Environment.GetEnvironmentVariable("TRACE_REVOCATION_RESPONSE") != null;
 
+        private static readonly byte[] s_invalidResponse =
+            "<html><marquee>The server is down for maintenence.</marquee></html>"u8.ToArray();
+
         private readonly HttpListener _listener;
 
         private readonly Dictionary<string, CertificateAuthority> _aiaPaths =
@@ -29,7 +32,7 @@ private readonly Dictionary<string, CertificateAuthority> _crlPaths
 
         public string UriPrefix { get; }
 
-        public bool RespondEmpty { get; set; }
+        public RespondKind RespondKind { get; set; }
         public AiaResponseKind AiaResponseKind { get; set; }
 
         public TimeSpan ResponseDelay { get; set; }
@@ -183,7 +186,12 @@ private void HandleRequest(HttpListenerContext context, ref bool responded)
                     Thread.Sleep(ResponseDelay);
                 }
 
-                byte[] certData = RespondEmpty ? Array.Empty<byte>() : GetCertDataForAiaResponseKind(AiaResponseKind, authority);
+                byte[] certData = RespondKind switch
+                {
+                    RespondKind.Empty => Array.Empty<byte>(),
+                    RespondKind.Invalid => s_invalidResponse,
+                    _ => GetCertDataForAiaResponseKind(AiaResponseKind, authority),
+                };
 
                 responded = true;
                 context.Response.StatusCode = 200;
@@ -201,7 +209,12 @@ private void HandleRequest(HttpListenerContext context, ref bool responded)
                     Thread.Sleep(ResponseDelay);
                 }
 
-                byte[] crl = RespondEmpty ? Array.Empty<byte>() : authority.GetCrl();
+                byte[] crl = RespondKind switch
+                {
+                    RespondKind.Empty => Array.Empty<byte>(),
+                    RespondKind.Invalid => s_invalidResponse,
+                    _ => authority.GetCrl(),
+                };
 
                 responded = true;
                 context.Response.StatusCode = 200;
@@ -236,7 +249,12 @@ private void HandleRequest(HttpListenerContext context, ref bool responded)
                             return;
                         }
 
-                        byte[] ocspResponse = RespondEmpty ? Array.Empty<byte>() : authority.BuildOcspResponse(certId, nonce);
+                        byte[] ocspResponse = RespondKind switch
+                        {
+                            RespondKind.Empty => Array.Empty<byte>(),
+                            RespondKind.Invalid => s_invalidResponse,
+                            _ => authority.BuildOcspResponse(certId, nonce),
+                        };
 
                         if (DelayedActions.HasFlag(DelayedActionsFlag.Ocsp))
                         {
@@ -468,4 +486,11 @@ public enum AiaResponseKind
         Cert = 0,
         Pkcs12 = 1,
     }
+
+    public enum RespondKind
+    {
+        Normal = 0,
+        Empty = 1,
+        Invalid = 2,
+    }
 }

src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs

@@ -25,14 +25,31 @@ public partial class SslStreamCertificateContext
         private byte[]? _ocspResponse;
         private DateTimeOffset _ocspExpiration;
         private DateTimeOffset _nextDownload;
+        // Private copy of the intermediate certificates, in case the user decides to dispose the
+        // instances reachable through IntermediateCertificates property.
+        private X509Certificate2[] _privateIntermediateCertificates;
+        private X509Certificate2? _rootCertificate;
         private Task<byte[]?>? _pendingDownload;
         private List<string>? _ocspUrls;
-        private X509Certificate2? _ca;
 
         private SslStreamCertificateContext(X509Certificate2 target, X509Certificate2[] intermediates, SslCertificateTrust? trust)
         {
             Certificate = target;
             IntermediateCertificates = intermediates;
+            if (intermediates.Length > 0)
+            {
+                _privateIntermediateCertificates = new X509Certificate2[intermediates.Length];
+
+                for (int i = 0; i < intermediates.Length; i++)
+                {
+                    _privateIntermediateCertificates[i] = new X509Certificate2(intermediates[i]);
+                }
+            }
+            else
+            {
+                _privateIntermediateCertificates = Array.Empty<X509Certificate2>();
+            }
+
             Trust = trust;
             SslContexts = new ConcurrentDictionary<SslProtocols, SafeSslContextHandle>();
 
@@ -54,7 +71,7 @@ private SslStreamCertificateContext(X509Certificate2 target, X509Certificate2[]
                     }
                 }
 
-                if (KeyHandle== null)
+                if (KeyHandle == null)
                 {
                     throw new NotSupportedException(SR.net_ssl_io_no_server_cert);
                 }
@@ -75,15 +92,8 @@ partial void SetNoOcspFetch(bool noOcspFetch)
 
         partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool transferredOwnership)
         {
-            if (IntermediateCertificates.Length == 0)
-            {
-                _ca = rootCertificate;
-                transferredOwnership = true;
-            }
-            else
-            {
-                _ca = IntermediateCertificates[0];
-            }
+            _rootCertificate = rootCertificate;
+            transferredOwnership = rootCertificate != null;
 
             if (!_staplingForbidden)
             {
@@ -148,7 +158,7 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
                 return new ValueTask<byte[]?>(pending);
             }
 
-            if (_ocspUrls is null && _ca is not null)
+            if (_ocspUrls is null && _rootCertificate is not null)
             {
                 foreach (X509Extension ext in Certificate.Extensions)
                 {
@@ -191,7 +201,9 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
 
         private async Task<byte[]?> FetchOcspAsync()
         {
-            X509Certificate2? caCert = _ca;
+            Debug.Assert(_rootCertificate != null);
+            X509Certificate2? caCert = _privateIntermediateCertificates.Length > 0 ? _privateIntermediateCertificates[0] : _rootCertificate;
+
             Debug.Assert(_ocspUrls is not null);
             Debug.Assert(_ocspUrls.Count > 0);
             Debug.Assert(caCert is not null);
@@ -210,6 +222,13 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
                 return null;
             }
 
+            IntPtr[] issuerHandles = ArrayPool<IntPtr>.Shared.Rent(_privateIntermediateCertificates.Length + 1);
+            for (int i = 0; i < _privateIntermediateCertificates.Length; i++)
+            {
+                issuerHandles[i] = _privateIntermediateCertificates[i].Handle;
+            }
+            issuerHandles[_privateIntermediateCertificates.Length] = _rootCertificate.Handle;
+
             using (SafeOcspRequestHandle ocspRequest = Interop.Crypto.X509BuildOcspRequest(subject, issuer))
             {
                 byte[] rentedBytes = ArrayPool<byte>.Shared.Rent(Interop.Crypto.GetOcspRequestDerSize(ocspRequest));
@@ -226,8 +245,9 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
 
                     if (ret is not null)
                     {
-                        if (!Interop.Crypto.X509DecodeOcspToExpiration(ret, ocspRequest, subject, issuer, out DateTimeOffset expiration))
+                        if (!Interop.Crypto.X509DecodeOcspToExpiration(ret, ocspRequest, subject, issuerHandles.AsSpan(0, _privateIntermediateCertificates.Length + 1), out DateTimeOffset expiration))
                         {
+                            ret = null;
                             continue;
                         }
 
@@ -245,15 +265,27 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
                         _ocspResponse = ret;
                         _ocspExpiration = expiration;
                         _nextDownload = nextCheckA < nextCheckB ? nextCheckA : nextCheckB;
-                        _pendingDownload = null;
                         break;
                     }
                 }
 
+                issuerHandles.AsSpan().Clear();
+                ArrayPool<IntPtr>.Shared.Return(issuerHandles);
                 ArrayPool<byte>.Shared.Return(rentedBytes);
                 ArrayPool<char>.Shared.Return(rentedChars.Array!);
                 GC.KeepAlive(Certificate);
+                GC.KeepAlive(_privateIntermediateCertificates);
+                GC.KeepAlive(_rootCertificate);
                 GC.KeepAlive(caCert);
+
+                _pendingDownload = null;
+                if (ret == null)
+                {
+                    // All download attempts failed, don't try again for 5 seconds.
+                    // This backoff will be applied only if the OCSP staple is not expired.
+                    // If it is expired, we will force-refresh it during next GetOcspResponseAsync call.
+                    _nextDownload = DateTimeOffset.UtcNow.AddSeconds(5);
+                }
                 return ret;
             }
         }

src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamCertificateContextTests.cs

@@ -0,0 +1,64 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Reflection;
+using System.Security.Cryptography.X509Certificates;
+using System.Security.Cryptography.X509Certificates.Tests.Common;
+using System.Threading.Tasks;
+using Xunit;
+
+namespace System.Net.Security.Tests
+{
+    public static class SslStreamCertificateContextTests
+    {
+        [Fact]
+        [OuterLoop("Subject to resource contention and load.")]
+        [PlatformSpecific(TestPlatforms.Linux)]
+        public static async Task Create_OcspDoesNotReturnOrCacheInvalidStapleData()
+        {
+            string serverName = $"{nameof(Create_OcspDoesNotReturnOrCacheInvalidStapleData)}.example";
+
+            CertificateAuthority.BuildPrivatePki(
+                PkiOptions.EndEntityRevocationViaOcsp | PkiOptions.CrlEverywhere,
+                out RevocationResponder responder,
+                out CertificateAuthority rootAuthority,
+                out CertificateAuthority[] intermediateAuthorities,
+                out X509Certificate2 serverCert,
+                intermediateAuthorityCount: 1,
+                subjectName: serverName,
+                keySize: 2048,
+                extensions: TestHelper.BuildTlsServerCertExtensions(serverName));
+
+            using (responder)
+            using (rootAuthority)
+            using (CertificateAuthority intermediateAuthority = intermediateAuthorities[0])
+            using (serverCert)
+            using (X509Certificate2 rootCert = rootAuthority.CloneIssuerCert())
+            using (X509Certificate2 issuerCert = intermediateAuthority.CloneIssuerCert())
+            {
+                responder.RespondKind = RespondKind.Invalid;
+
+                SslStreamCertificateContext context = SslStreamCertificateContext.Create(
+                    serverCert,
+                    additionalCertificates: new X509Certificate2Collection { issuerCert },
+                    offline: false);
+
+                MethodInfo fetchOcspAsyncMethod = typeof(SslStreamCertificateContext).GetMethod(
+                    "DownloadOcspAsync",
+                    BindingFlags.Instance | BindingFlags.NonPublic);
+                FieldInfo ocspResponseField = typeof(SslStreamCertificateContext).GetField(
+                    "_ocspResponse",
+                    BindingFlags.Instance | BindingFlags.NonPublic);
+
+                Assert.NotNull(fetchOcspAsyncMethod);
+                Assert.NotNull(ocspResponseField);
+
+                byte[] ocspFetch = await (ValueTask<byte[]>)fetchOcspAsyncMethod.Invoke(context, Array.Empty<object>());
+                Assert.Null(ocspFetch);
+
+                byte[] ocspResponseValue = (byte[])ocspResponseField.GetValue(context);
+                Assert.Null(ocspResponseValue);
+            }
+        }
+    }
+}

src/libraries/System.Net.Security/tests/FunctionalTests/System.Net.Security.Tests.csproj

@@ -31,6 +31,7 @@
     <Compile Include="ServerAsyncAuthenticateTest.cs" />
     <Compile Include="ServerNoEncryptionTest.cs" />
     <Compile Include="ServerRequireEncryptionTest.cs" />
+    <Compile Include="SslStreamCertificateContextTests.cs" />
     <Compile Include="SslStreamConformanceTests.cs" />
     <Compile Include="SslStreamStreamToStreamTest.cs" />
     <Compile Include="SslStreamNetworkStreamTest.cs" />

src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs

@@ -33,7 +33,7 @@ public static void EmptyAiaResponseIsIgnored()
             using (endEntity)
             using (X509Certificate2 intermediate2Cert = intermediate2.CloneIssuerCert())
             {
-                responder.RespondEmpty = true;
+                responder.RespondKind = RespondKind.Empty;
 
                 RetryHelper.Execute(() => {
                     using (ChainHolder holder = new ChainHolder())

src/native/libs/System.Security.Cryptography.Native/pal_x509.c

@@ -1280,11 +1280,11 @@ CryptoNative_X509ChainVerifyOcsp(X509_STORE_CTX* storeCtx, OCSP_REQUEST* req, OC
     return X509ChainVerifyOcsp(storeCtx, subject, issuer, req, resp, cachePath);
 }
 
-int32_t CryptoNative_X509DecodeOcspToExpiration(const uint8_t* buf, int32_t len, OCSP_REQUEST* req, X509* subject, X509* issuer, int64_t* expiration)
+int32_t CryptoNative_X509DecodeOcspToExpiration(const uint8_t* buf, int32_t len, OCSP_REQUEST* req, X509* subject, X509** issuers, int issuersLen, int64_t* expiration)
 {
     ERR_clear_error();
 
-    if (buf == NULL || len == 0)
+    if (buf == NULL || len == 0 || issuersLen == 0)
     {
         return 0;
     }
@@ -1307,7 +1307,16 @@ int32_t CryptoNative_X509DecodeOcspToExpiration(const uint8_t* buf, int32_t len,
 
     if (bag != NULL)
     {
-        if (X509_STORE_add_cert(store, issuer) && sk_X509_push(bag, issuer))
+        int i;
+        for (i = 0; i < issuersLen; i++)
+        {
+            if (!X509_STORE_add_cert(store, issuers[i]) || !sk_X509_push(bag, issuers[i]))
+            {
+                break;
+            }
+        }
+
+        if (i == issuersLen)
         {
             ctx = X509_STORE_CTX_new();
         }
@@ -1321,7 +1330,7 @@ int32_t CryptoNative_X509DecodeOcspToExpiration(const uint8_t* buf, int32_t len,
         {
             int canCache = 0;
             time_t expiration_t = 0;
-            X509VerifyStatusCode code = CheckOcspGetExpiry(req, resp, subject, issuer, ctx, &canCache, &expiration_t);
+            X509VerifyStatusCode code = CheckOcspGetExpiry(req, resp, subject, issuers[0], ctx, &canCache, &expiration_t);
 
             if (sizeof(time_t) == sizeof(int64_t))
             {

src/native/libs/System.Security.Cryptography.Native/pal_x509.h

@@ -407,4 +407,4 @@ PALEXPORT int32_t CryptoNative_X509ChainVerifyOcsp(X509_STORE_CTX* storeCtx,
 Decode len bytes of buf into an OCSP response, process it against the OCSP request, and return if the bytes were valid.
 If the bytes were valid, and the OCSP response had a nextUpdate value, assign it to expiration.
 */
-PALEXPORT int32_t CryptoNative_X509DecodeOcspToExpiration(const uint8_t* buf, int32_t len, OCSP_REQUEST* req, X509* subject, X509* issuer, int64_t* expiration);
+PALEXPORT int32_t CryptoNative_X509DecodeOcspToExpiration(const uint8_t* buf, int32_t len, OCSP_REQUEST* req, X509* subject, X509** issuers, int issuersLen, int64_t* expiration);