Add limited support for LocalCertificateSelectionCallback for QUIC (#…

…70716) * Inline state transition helpers Fixes #55437 * Add high level comments for HandleEventReceive and ReadAsync * [QUIC] Call `LocalCertificateSelectionCallback` to get client certificate * Code review feedback
dotnet · Jun 16, 2022 · 9a80f1d · 9a80f1d
1 parent 3874c65
commit 9a80f1d
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 17 deletions.
diff --git a/....Quic/src/System/Net/Quic/Implementations/MsQuic/Interop/SafeMsQuicConfigurationHandle.cs b/....Quic/src/System/Net/Quic/Implementations/MsQuic/Interop/SafeMsQuicConfigurationHandle.cs
@@ -26,27 +26,40 @@ public static SafeMsQuicConfigurationHandle Create(QuicClientConnectionOptions o
 
             if (options.ClientAuthenticationOptions != null)
             {
+                SslClientAuthenticationOptions clientAuthenticationOptions = options.ClientAuthenticationOptions;
+
 #pragma warning disable SYSLIB0040 // NoEncryption and AllowNoEncryption are obsolete
-                if (options.ClientAuthenticationOptions.EncryptionPolicy == EncryptionPolicy.NoEncryption)
+                if (clientAuthenticationOptions.EncryptionPolicy == EncryptionPolicy.NoEncryption)
                 {
-                    throw new PlatformNotSupportedException(SR.Format(SR.net_quic_ssl_option, nameof(options.ClientAuthenticationOptions.EncryptionPolicy)));
+                    throw new PlatformNotSupportedException(SR.Format(SR.net_quic_ssl_option, nameof(clientAuthenticationOptions.EncryptionPolicy)));
                 }
 #pragma warning restore SYSLIB0040
 
-                if (options.ClientAuthenticationOptions.ClientCertificates != null)
+                if (clientAuthenticationOptions.LocalCertificateSelectionCallback != null)
+                {
+                    X509Certificate? cert = clientAuthenticationOptions.LocalCertificateSelectionCallback(
+                        options,
+                        clientAuthenticationOptions.TargetHost ?? string.Empty,
+                        clientAuthenticationOptions.ClientCertificates ?? new X509CertificateCollection(),
+                        null,
+                        Array.Empty<string>());
+
+                    if (cert is X509Certificate2 cert2 && cert2.Handle != IntPtr.Zero && cert2.HasPrivateKey)
+                    {
+                        certificate = cert;
+                    }
+                }
+                else if (clientAuthenticationOptions.ClientCertificates != null)
                 {
-                    foreach (var cert in options.ClientAuthenticationOptions.ClientCertificates)
+                    foreach (X509Certificate cert in clientAuthenticationOptions.ClientCertificates)
                     {
-                        try
+
+                        if (cert is X509Certificate2 cert2 && cert2.Handle != IntPtr.Zero && cert2.HasPrivateKey)
                         {
-                            if (((X509Certificate2)cert).HasPrivateKey)
-                            {
-                                // Pick first certificate with private key.
-                                certificate = cert;
-                                break;
-                            }
+                            // Pick first certificate with private key.
+                            certificate = cert;
+                            break;
                         }
-                        catch { }
                     }
                 }
             }

diff --git a/src/libraries/System.Net.Quic/tests/FunctionalTests/MsQuicTests.cs b/src/libraries/System.Net.Quic/tests/FunctionalTests/MsQuicTests.cs
@@ -190,7 +190,7 @@ public async Task CertificateCallbackThrowPropagates()
         }
 
         [Fact]
-        public async Task ConnectWithCertificateCallback()
+        public async Task ConnectWithServerCertificateCallback()
         {
             X509Certificate2 c1 = System.Net.Test.Common.Configuration.Certificates.GetServerCertificate();
             X509Certificate2 c2 = System.Net.Test.Common.Configuration.Certificates.GetClientCertificate(); // This 'wrong' certificate but should be sufficient
@@ -340,10 +340,12 @@ public async Task ConnectWithCertificateForLoopbackIP_IndicatesExpectedError(str
         }
 
         [ConditionalTheory]
-        [InlineData(true)]
-        [InlineData(false)]
+        [InlineData(true, true)]
+        [InlineData(false, true)]
+        [InlineData(true, false)]
+        [InlineData(false, false)]
         [ActiveIssue("https://github.com/dotnet/runtime/issues/64944", TestPlatforms.Windows)]
-        public async Task ConnectWithClientCertificate(bool sendCertificate)
+        public async Task ConnectWithClientCertificate(bool sendCertificate, bool useClientSelectionCallback)
         {
             if (PlatformDetection.IsWindows10Version20348OrLower)
             {
@@ -371,7 +373,14 @@ public async Task ConnectWithClientCertificate(bool sendCertificate)
 
             using QuicListener listener = new QuicListener(QuicImplementationProviders.MsQuic, listenerOptions);
             QuicClientConnectionOptions clientOptions = CreateQuicClientOptions();
-            if (sendCertificate)
+            if (useClientSelectionCallback)
+            {
+                clientOptions.ClientAuthenticationOptions.LocalCertificateSelectionCallback = delegate
+                {
+                    return sendCertificate ? ClientCertificate : null;
+                };
+            }
+            else if (sendCertificate)
             {
                 clientOptions.ClientAuthenticationOptions.ClientCertificates = new X509CertificateCollection() { ClientCertificate };
             }