Skip to content

Unify certificate chain building between SslStream and WinHttpHandler #115761

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
May 20, 2025
Merged

Unify certificate chain building between SslStream and WinHttpHandler #115761

merged 7 commits into from
May 20, 2025
+40 −120

Conversation

Copilot
Copy link
Contributor

@Copilot Copilot AI commented May 20, 2025
edited
Loading

This PR unifies the certificate chain building logic between SslStream and WinHttpHandler by replacing the duplicate implementation in WinHttpCertificateHelper.cs with the shared implementation from CertificateValidation.Windows.cs.

Changes

  • Removed WinHttpCertificateHelper.cs which contained duplicate certificate chain building logic
  • Modified WinHttpRequestCallback.cs to use the shared implementation in CertificateValidation.BuildChainAndVerifyProperties
  • Updated project files to include a reference to CertificateValidation.Windows.cs
  • Added appropriate parameter mapping between the two implementations:
    • Created and configured X509Chain with the same settings as before
    • Set appropriate parameters for certificate validation (isServer=false since WinHttpHandler is a client validating server certificates)
  • Updated test files to work with the new implementation

This change makes the codebase more consistent, reduces duplication, and simplifies future maintenance of certificate validation logic.

Fixes #113468.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • dc.services.visualstudio.com
    • Triggering command: /home/REDACTED/work/runtime/runtime/.dotnet/dotnet msbuild /m /nologo /clp:Summary /v:minimal /nr:true /warnaserror /p:TreatWarningsAsErrors=true /p:ContinuousIntegrationBuild=false /home/REDACTED/work/runtime/runtime/artifacts/toolset/restore.proj /t:__WriteToolsetLocation /clp:ErrorsOnly;NoSummary /p:__ToolsetLocationOutputFile=/home/REDACTED/work/runtime/runtime/artifacts/toolset/10.0.0-beta.25260.104.txt (dns block)
  • pkgs.dev.azure.com
    • Triggering command: /home/REDACTED/work/runtime/runtime/.dotnet/dotnet msbuild /m /nologo /clp:Summary /v:minimal /nr:true /warnaserror /p:TreatWarningsAsErrors=true /p:ContinuousIntegrationBuild=false /home/REDACTED/work/runtime/runtime/artifacts/toolset/restore.proj /t:__WriteToolsetLocation /clp:ErrorsOnly;NoSummary /p:__ToolsetLocationOutputFile=/home/REDACTED/work/runtime/runtime/artifacts/toolset/10.0.0-beta.25260.104.txt (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@dotnet-policy-service dotnet-policy-service bot added the linkable-framework Issues associated with delivering a linker friendly framework label May 20, 2025
Copilot AI and others added 2 commits May 20, 2025 06:45
@Copilot @liveans
Update WinHttpRequestCallback to use CertificateValidation
a8df85f 
Co-authored-by: liveans <45091041+liveans@users.noreply.github.com>
@Copilot @liveans
Remove unused WinHttpCertificateHelper.cs file
72d517d 
Co-authored-by: liveans <45091041+liveans@users.noreply.github.com>
@Copilot Copilot AI changed the title [WIP] Unify certificate chain building between SslStream and WinHttpHandler Unify certificate chain building between SslStream and WinHttpHandler May 20, 2025
@Copilot Copilot AI requested a review from liveans May 20, 2025 06:46
Copilot finished work on behalf of liveans May 20, 2025 06:46
@liveans
Copy link
Member

liveans commented May 20, 2025

/azp run runtime-libraries-coreclr outerloop-windows

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@jkotas jkotas added area-System.Net.Http and removed linkable-framework Issues associated with delivering a linker friendly framework labels May 20, 2025
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

liveans
liveans reviewed May 20, 2025
View reviewed changes
Copy link
Member

@liveans liveans left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot Seems like code has unnecessary trailing/leading whitespaces, which causes build failures.
Also, you should be aware that WinHttpHandler is shared code between .NET and .NET Framework, and some of the APIs we're currently using Marshal.GetLastPInvokeError in Common\System\Net\Security\CertificateValidation.Windows.cs which doesn't exist on .NET Framework, we might need to do some changes here.

@Copilot @liveans
Fix formatting issues in WinHttpRequestCallback.cs
be4a4e4 
Co-authored-by: liveans <45091041+liveans@users.noreply.github.com>
@Copilot Copilot SWE Agent
Copy link
Contributor Author

Copilot AI commented May 20, 2025
edited
Loading

@copilot Seems like code has unnecessary trailing/leading whitespaces, which causes build failures.
Also, you should be aware that WinHttpHandler is shared code between .NET and .NET Framework, and...

Fixed the whitespace issues in be4a4e4. Removed trailing spaces and reformatted the code to maintain consistent style. Regarding the .NET Framework compatibility, I understand that we may need additional changes to handle the Marshal.GetLastPInvokeError API which doesn't exist in .NET Framework. Please let me know if you'd like me to address this issue as well.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • dc.services.visualstudio.com
    • Triggering command: /home/REDACTED/work/runtime/runtime/.dotnet/dotnet msbuild /m /nologo /clp:Summary /v:minimal /nr:true /warnaserror /p:TreatWarningsAsErrors=true /p:ContinuousIntegrationBuild=false /home/REDACTED/work/runtime/runtime/artifacts/toolset/restore.proj /t:__WriteToolsetLocation /clp:ErrorsOnly;NoSummary /p:__ToolsetLocationOutputFile=/home/REDACTED/work/runtime/runtime/artifacts/toolset/10.0.0-beta.25260.104.txt (dns block)
  • pkgs.dev.azure.com
    • Triggering command: /home/REDACTED/work/runtime/runtime/.dotnet/dotnet msbuild /m /nologo /clp:Summary /v:minimal /nr:true /warnaserror /p:TreatWarningsAsErrors=true /p:ContinuousIntegrationBuild=false /home/REDACTED/work/runtime/runtime/artifacts/toolset/restore.proj /t:__WriteToolsetLocation /clp:ErrorsOnly;NoSummary /p:__ToolsetLocationOutputFile=/home/REDACTED/work/runtime/runtime/artifacts/toolset/10.0.0-beta.25260.104.txt (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot finished work on behalf of liveans May 20, 2025 07:43
@liveans
Copy link
Member

liveans commented May 20, 2025

@copilot Seems like code has unnecessary trailing/leading whitespaces, which causes build failures.
Also, you should be aware that WinHttpHandler is shared code between .NET and .NET Framework, and...

Fixed the whitespace issues in be4a4e4. Removed trailing spaces and reformatted the code to maintain consistent style. Regarding the .NET Framework compatibility, I understand that we may need additional changes to handle the Marshal.GetLastPInvokeError API which doesn't exist in .NET Framework. Please let me know if you'd like me to address this issue as well.

Warning

Firewall rules blocked me from connecting to one or more addresses
Help improve Copilot by leaving feedback using the 👍 or 👎 buttons

Please address this issue as well, be aware that current usage should not change for .NET, we should only handle this case for .NET Framework.

@Copilot @liveans
Fix compatibility with .NET Framework by using GetLastWin32Error
c6a5f9d 
Co-authored-by: liveans <45091041+liveans@users.noreply.github.com>
@Copilot Copilot SWE Agent
Copy link
Contributor Author

Copilot AI commented May 20, 2025
edited
Loading

@copilot Seems like code has unnecessary trailing/leading whitespaces, which causes build failures.
Also, you should be aware that WinHttpHandler is shared code between .NET and .NET Framew...

Added conditional compilation in c6a5f9d to handle the Marshal.GetLastPInvokeError() incompatibility with .NET Framework. The fix uses Marshal.GetLastWin32Error() when targeting .NET Framework while preserving the existing behavior for .NET.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • dc.services.visualstudio.com
    • Triggering command: /home/REDACTED/work/runtime/runtime/.dotnet/dotnet msbuild /m /nologo /clp:Summary /v:minimal /nr:true /warnaserror /p:TreatWarningsAsErrors=true /p:ContinuousIntegrationBuild=false /home/REDACTED/work/runtime/runtime/artifacts/toolset/restore.proj /t:__WriteToolsetLocation /clp:ErrorsOnly;NoSummary /p:__ToolsetLocationOutputFile=/home/REDACTED/work/runtime/runtime/artifacts/toolset/10.0.0-beta.25260.104.txt (dns block)
  • pkgs.dev.azure.com
    • Triggering command: /home/REDACTED/work/runtime/runtime/.dotnet/dotnet msbuild /m /nologo /clp:Summary /v:minimal /nr:true /warnaserror /p:TreatWarningsAsErrors=true /p:ContinuousIntegrationBuild=false /home/REDACTED/work/runtime/runtime/artifacts/toolset/restore.proj /t:__WriteToolsetLocation /clp:ErrorsOnly;NoSummary /p:__ToolsetLocationOutputFile=/home/REDACTED/work/runtime/runtime/artifacts/toolset/10.0.0-beta.25260.104.txt (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot finished work on behalf of liveans May 20, 2025 07:49
@build-analysis build-analysis bot mentioned this pull request May 20, 2025
Open
@Copilot @krwq
Fix FakeX509Certificates.cs to clarify empty namespace
06fed96 
Co-authored-by: krwq <660048+krwq@users.noreply.github.com>
Copilot finished work on behalf of krwq May 20, 2025 08:02
@Copilot @liveans
Remove unnecessary code per review comments
33c9398 
Co-authored-by: liveans <45091041+liveans@users.noreply.github.com>
Copilot finished work on behalf of liveans May 20, 2025 10:34
@rzikm rzikm self-requested a review May 20, 2025 11:55
@liveans
Copy link
Member

liveans commented May 20, 2025

/azp run runtime-libraries-coreclr outerloop-windows

@liveans liveans marked this pull request as ready for review May 20, 2025 13:34
@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

rzikm
rzikm approved these changes May 20, 2025
View reviewed changes
Copy link
Member

@rzikm rzikm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM if CI is green

@build-analysis build-analysis bot mentioned this pull request May 20, 2025
Open
3 tasks
@liveans
Copy link
Member

liveans commented May 20, 2025

/ba-g Cancelled jobs (failed according to build analysis) are linux, although this change is windows only. Unrelated failures.

@liveans
Copy link
Member

liveans commented May 20, 2025

Outerloop failures are also unrelated.

@liveans liveans merged commit 86f6fa9 into main May 20, 2025
82 of 89 checks passed
@danmoseley danmoseley deleted the copilot/fix-113468 branch May 22, 2025 16:21
SimaTian pushed a commit that referenced this pull request May 27, 2025
@Copilot @liveans
@krwq @SimaTian
Unify certificate chain building between SslStream and WinHttpHandler (
05b15c2 
…#115761)

* Initial plan for issue

* Update WinHttpRequestCallback to use CertificateValidation

Co-authored-by: liveans <45091041+liveans@users.noreply.github.com>

* Remove unused WinHttpCertificateHelper.cs file

Co-authored-by: liveans <45091041+liveans@users.noreply.github.com>

* Fix formatting issues in WinHttpRequestCallback.cs

Co-authored-by: liveans <45091041+liveans@users.noreply.github.com>

* Fix compatibility with .NET Framework by using GetLastWin32Error

Co-authored-by: liveans <45091041+liveans@users.noreply.github.com>

* Fix FakeX509Certificates.cs to clarify empty namespace

Co-authored-by: krwq <660048+krwq@users.noreply.github.com>

* Remove unnecessary code per review comments

Co-authored-by: liveans <45091041+liveans@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: liveans <45091041+liveans@users.noreply.github.com>
Co-authored-by: krwq <660048+krwq@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@krwq krwq krwq left review comments

@liveans liveans liveans left review comments

@rzikm rzikm rzikm approved these changes

Assignees

@liveans liveans

Copilot code review Copilot

Labels
area-System.Net.Http
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Unify certificate chain building between SslStream and WinHttpHandler
5 participants
@Copilot @liveans @krwq @rzikm @jkotas