

Condition Windows SslCertificateTrust test on Registry value (dotnet#65848)

Sending the trusted issuers list on Windows is problematic (it depends on registry settings), so there were no tests. This PR conditionally enables the existing tests on Windows when the relevant registry setting is set.
rzikm authored Mar 16, 2022
1 parent 7c89933 commit 3427a24
Showing 4 changed files with 58 additions and 22 deletions.
Expand Up @@ -238,11 +238,14 @@ private static bool GetAlpnSupport()
private static Lazy<bool> s_supportsTls11 = new Lazy<bool>(GetTls11Support);
private static Lazy<bool> s_supportsTls12 = new Lazy<bool>(GetTls12Support);
private static Lazy<bool> s_supportsTls13 = new Lazy<bool>(GetTls13Support);
private static Lazy<bool> s_sendsCAListByDefault = new Lazy<bool>(GetSendsCAListByDefault);

public static bool SupportsTls10 => s_supportsTls10.Value;
public static bool SupportsTls11 => s_supportsTls11.Value;
public static bool SupportsTls12 => s_supportsTls12.Value;
public static bool SupportsTls13 => s_supportsTls13.Value;
public static bool SendsCAListByDefault => s_sendsCAListByDefault.Value;
public static bool SupportsSendingCustomCANamesInTls => UsesAppleCrypto || IsOpenSslSupported || (PlatformDetection.IsWindows8xOrLater && SendsCAListByDefault);

private static Lazy<bool> s_largeArrayIsNotSupported = new Lazy<bool>(IsLargeArrayNotSupported);

Expand Down Expand Up @@ -295,7 +298,7 @@ private static bool GetStaticNonPublicBooleanPropertyValue(string typeName, stri

public static bool IsInvariantGlobalization => m_isInvariant.Value;
public static bool IsNotInvariantGlobalization => !IsInvariantGlobalization;
public static bool IsIcuGlobalization => ICUVersion > new Version(0,0,0,0);
public static bool IsIcuGlobalization => ICUVersion > new Version(0, 0, 0, 0);
public static bool IsNlsGlobalization => IsNotInvariantGlobalization && !IsIcuGlobalization;

public static bool IsSubstAvailable
Expand Down Expand Up @@ -360,7 +363,7 @@ private static bool GetIsInContainer()

private static bool GetProtocolSupportFromWindowsRegistry(SslProtocols protocol, bool defaultProtocolSupport)
{
string registryProtocolName = protocol switch
string registryProtocolName = protocol switch
{
#pragma warning disable CS0618 // Ssl2 and Ssl3 are obsolete
SslProtocols.Ssl3 => "SSL 3.0",
Expand Down Expand Up @@ -410,7 +413,7 @@ private static bool GetSsl3Support()
#pragma warning disable CS0618 // Ssl2 and Ssl3 are obsolete
return GetProtocolSupportFromWindowsRegistry(SslProtocols.Ssl3, ssl3DefaultSupport);
#pragma warning restore CS0618

}

return (IsOSX || (IsLinux && OpenSslVersion < new Version(1, 0, 2) && !IsDebian));
Expand All @@ -437,7 +440,7 @@ private static bool GetTls10Support()
if (IsOSXLike || IsAndroid)
{
return true;
}
}
if (IsWindows)
{
return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls, true);
Expand Down Expand Up @@ -466,7 +469,7 @@ private static bool GetTls11Support()
private static bool GetTls12Support()
{
// TLS 1.1 and 1.2 can work on Windows7 but it is not enabled by default.
bool defaultProtocolSupport = !IsWindows7;
bool defaultProtocolSupport = !IsWindows7;
return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls12, defaultProtocolSupport);
}

Expand Down Expand Up @@ -506,7 +509,23 @@ private static bool GetTls13Support()
else if (IsOpenSslSupported)
{
// Covers Linux, FreeBSD, illumos and Solaris
return OpenSslVersion >= new Version(1,1,1);
return OpenSslVersion >= new Version(1, 1, 1);
}

return false;
}

private static bool GetSendsCAListByDefault()
{
if (IsWindows)
{
// Sending TrustedIssuers is conditioned on the registry. Win7 sends trusted issuer list by default,
// newer Windows versions don't.
object val = Registry.GetValue(@"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", "SendTrustedIssuerList", IsWindows7 ? 1 : 0);
if (val is int i)
{
return i == 1;
}
}

return false;
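Review bot: GetSendsCAListByDefault falls back to false, not to the Windows 7 default, in two cases the `IsWindows7 ? 1 : 0` argument does not cover: Registry.GetValue returns null when the SCHANNEL key itself is missing (the default only applies when the key exists and the value name does not), and a SendTrustedIssuerList value stored with a non-DWORD kind fails the `val is int i` pattern. On Windows 7 both cases silently flip SendsCAListByDefault, and with it SupportsSendingCustomCANamesInTls and the DoesNotSendCAListByDefault gate in SslStreamEKUTest. If the version default is meant to win whenever the value cannot be read as a DWORD, `return val is int i ? i == 1 : IsWindows7;` expresses that in one line; whether values other than 0 and 1 should count as enabled I cannot tell from here, so a short comment stating that only 1 is honored would help. A doc comment on the `SendsCAListByDefault` property saying it reflects the SCHANNEL SendTrustedIssuerList registry value, read once per process via the Lazy, would make the first hunk self-explanatory.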
Expand Up @@ -21,7 +21,9 @@ public static SslCertificateTrust CreateForX509Store(X509Store store, bool sendT
throw new PlatformNotSupportedException(SR.net_ssl_trust_store);
}
#else
if (sendTrustInHandshake && !System.OperatingSystem.IsLinux() && !System.OperatingSystem.IsMacOS())
if (sendTrustInHandshake && !System.OperatingSystem.IsLinux() && !System.OperatingSystem.IsMacOS() &&
// Necessary functions are available only on win 8 onwards
!OperatingSystem.IsWindowsVersionAtLeast(6, 2))
{
// to be removed when implemented.
throw new PlatformNotSupportedException(SR.net_ssl_trust_handshake);
Expand All @@ -43,16 +45,9 @@ public static SslCertificateTrust CreateForX509Collection(X509Certificate2Collec
{
if (sendTrustInHandshake && !System.OperatingSystem.IsLinux() && !System.OperatingSystem.IsMacOS())
{
// to be removed when implemented.
throw new PlatformNotSupportedException(SR.net_ssl_trust_handshake);
}

#if TARGET_WINDOWS
if (sendTrustInHandshake)
{
throw new PlatformNotSupportedException(SR.net_ssl_trust_collection);
}
#endif
var trust = new SslCertificateTrust();
trust._trustList = trustList;
trust._sendTrustInHandshake = sendTrustInHandshake;
Expand Down
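Review bot: In CreateForX509Store the pre-Windows 8 case now shares the `// to be removed when implemented.` comment and the SR.net_ssl_trust_handshake message with the genuinely unimplemented platforms, although the new comment says the required functions simply do not exist before Windows 8; a reader hitting that exception on Windows 7 will assume the feature is pending rather than unavailable. I would split the condition so the Windows-version branch carries its own comment, e.g. `// Windows versions before 8 (6.2) have no API to send the trusted issuer list; this is a permanent limitation, not pending work.`, and, as a point of style, write `System.OperatingSystem.IsLinux()` and `OperatingSystem.IsWindowsVersionAtLeast(6, 2)` with the same qualification since they sit on adjacent lines. CreateForX509Store begins before this hunk (its `#if` branch is outside the view). In the second hunk the removed `#if TARGET_WINDOWS` block was unreachable because the preceding check already throws on Windows, so the removal is behavior-preserving; it may leave the SR.net_ssl_trust_collection resource unused, which is worth checking in the resx.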
Expand Up @@ -15,9 +15,11 @@ namespace System.Net.Security.Tests

public class SslStreamCertificateTrustTest
{
[Fact]
// not supported on Windows, not implemented elsewhere
[PlatformSpecific(TestPlatforms.Linux | TestPlatforms.OSX)]
public static bool SupportsSendingCustomCANamesInTls => PlatformDetection.SupportsSendingCustomCANamesInTls;
public static bool DoesNotSupportSendingCustomCANamesInTls => !PlatformDetection.SupportsSendingCustomCANamesInTls;

[ConditionalFact(nameof(SupportsSendingCustomCANamesInTls))]
[SkipOnPlatform(TestPlatforms.Windows, "CertificateCollection-based SslCertificateTrust is not Supported on Windows")]
public async Task SslStream_SendCertificateTrust_CertificateCollection()
{
(X509Certificate2 certificate, X509Certificate2Collection caCerts) = TestHelper.GenerateCertificates(nameof(SslStream_SendCertificateTrust_CertificateCollection));
Expand All @@ -29,9 +31,7 @@ public async Task SslStream_SendCertificateTrust_CertificateCollection()
Assert.Equal(caCerts.Select(c => c.Subject), acceptableIssuers);
}

[Fact]
[ActiveIssue("https://github.com/dotnet/runtime/issues/65515", TestPlatforms.Windows)]
[PlatformSpecific(TestPlatforms.Windows | TestPlatforms.Linux | TestPlatforms.OSX)]
[ConditionalFact(nameof(SupportsSendingCustomCANamesInTls))]
public async Task SslStream_SendCertificateTrust_CertificateStore()
{
using X509Store store = new X509Store("Root", StoreLocation.LocalMachine);
Expand Down Expand Up @@ -89,5 +89,26 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
return acceptableIssuers;
}
}

[ConditionalFact(nameof(SupportsSendingCustomCANamesInTls))]
[PlatformSpecific(TestPlatforms.Windows)]
public void SslStream_SendCertificateTrust_CertificateCollection_ThrowsOnWindows()
{
(X509Certificate2 certificate, X509Certificate2Collection caCerts) = TestHelper.GenerateCertificates(nameof(SslStream_SendCertificateTrust_CertificateCollection));

Assert.Throws<PlatformNotSupportedException>(() => SslCertificateTrust.CreateForX509Collection(caCerts, sendTrustInHandshake: true));
}

[ConditionalFact(nameof(DoesNotSupportSendingCustomCANamesInTls))]
[SkipOnPlatform(TestPlatforms.Windows, "Windows tested separately")]
public void SslStream_SendCertificateTrust_ThrowsOnUnsupportedPlatform()
{
(X509Certificate2 certificate, X509Certificate2Collection caCerts) = TestHelper.GenerateCertificates(nameof(SslStream_SendCertificateTrust_CertificateCollection));

using X509Store store = new X509Store("Root", StoreLocation.LocalMachine);

Assert.Throws<PlatformNotSupportedException>(() => SslCertificateTrust.CreateForX509Collection(caCerts, sendTrustInHandshake: true));
Assert.Throws<PlatformNotSupportedException>(() => SslCertificateTrust.CreateForX509Store(store, sendTrustInHandshake: true));
}
}
}
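Review bot: Both new tests pass `nameof(SslStream_SendCertificateTrust_CertificateCollection)` to TestHelper.GenerateCertificates, i.e. the name of a different test, which looks like a copy-paste slip; they should pass `nameof(SslStream_SendCertificateTrust_CertificateCollection_ThrowsOnWindows)` and `nameof(SslStream_SendCertificateTrust_ThrowsOnUnsupportedPlatform)` respectively so any per-test certificate naming stays distinct. In both methods the `certificate` element of the tuple is never used, so `(_, X509Certificate2Collection caCerts) = ...` would state that. SslStream_SendCertificateTrust_CertificateCollection_ThrowsOnWindows is gated on SupportsSendingCustomCANamesInTls, yet CreateForX509Collection in this same commit throws on Windows whenever sendTrustInHandshake is true regardless of the registry setting, so unless the intent is to exercise only configured machines a plain `[Fact]` with the existing `[PlatformSpecific(TestPlatforms.Windows)]` would give that assertion coverage on every Windows run.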
Expand Up @@ -11,11 +11,12 @@

namespace System.Net.Security.Tests
{
using Configuration = System.Net.Test.Common.Configuration;
using Configuration = System.Net.Test.Common.Configuration;

public class SslStreamEKUTest
{
public static bool IsRootCertificateInstalled => Capability.IsTrustedRootCertificateInstalled();
public static bool DoesNotSendCAListByDefault => !PlatformDetection.SendsCAListByDefault;

public const int TestTimeoutMilliseconds = 15 * 1000;

Expand Down Expand Up @@ -134,7 +135,7 @@ public async Task SslStream_ServerEKUClientAuth_Fails()
}
}

[ConditionalFact(nameof(IsRootCertificateInstalled))]
[ConditionalFact(nameof(IsRootCertificateInstalled), nameof(DoesNotSendCAListByDefault))]
public async Task SslStream_SelfSignedClientEKUClientAuth_Ok()
{
var serverOptions = new HttpsTestServer.Options();
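Review bot: The new `nameof(DoesNotSendCAListByDefault)` condition on SslStream_SelfSignedClientEKUClientAuth_Ok carries no explanation of why a self-signed client-certificate test depends on whether the server sends a CA list, and the property itself is undocumented. Presumably a server that advertises a trusted-issuer list causes the client to withhold a self-signed certificate that matches no issuer, so the expected success cannot be observed on such machines; if that is the reason, a comment such as `// Skipped when the server advertises a trusted-issuer list: the self-signed client certificate matches no issuer and would not be offered.` placed above the attribute would save the next reader the investigation. The whitespace-only change to the `using Configuration` alias needs nothing.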

