Enable ServerCertificateSelector for HTTP/3 dotnet#34858 (dotnet#35243)

Author: Tratcher

src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs

@@ -42,13 +42,13 @@ public HttpsConnectionAdapterOptions()
         /// <summary>
         /// <para>
         /// A callback that will be invoked to dynamically select a server certificate. This is higher priority than ServerCertificate.
-        /// If SNI is not available then the name parameter will be null.
+        /// If SNI is not available then the name parameter will be null. The <see cref="ConnectionContext"/> will be null for HTTP/3 connections.
         /// </para>
         /// <para>
         /// If the server certificate has an Extended Key Usage extension, the usages must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
         /// </para>
         /// </summary>
-        public Func<ConnectionContext, string?, X509Certificate2?>? ServerCertificateSelector { get; set; }
+        public Func<ConnectionContext?, string?, X509Certificate2?>? ServerCertificateSelector { get; set; }
 
         /// <summary>
         /// Specifies the client certificate requirements for a HTTPS connection. Defaults to <see cref="ClientCertificateMode.NoCertificate"/>.

src/Servers/Kestrel/Core/src/Internal/Infrastructure/TransportManager.cs

@@ -12,6 +12,7 @@
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Connections;
 using Microsoft.AspNetCore.Http.Features;
+using Microsoft.AspNetCore.Server.Kestrel.Https.Internal;
 
 namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure
 {
@@ -66,6 +67,22 @@ public async Task<EndPoint> BindAsync(EndPoint endPoint, MultiplexedConnectionDe
                     ApplicationProtocols = new List<SslApplicationProtocol>() { new SslApplicationProtocol("h3"), new SslApplicationProtocol("h3-29") }
                 };
 
+                if (listenOptions.HttpsOptions.ServerCertificateSelector != null)
+                {
+                    // We can't set both
+                    sslServerAuthenticationOptions.ServerCertificate = null;
+                    sslServerAuthenticationOptions.ServerCertificateSelectionCallback = (sender, host) =>
+                    {
+                        // There is no ConnectionContext available durring the QUIC handshake.
+                        var cert = listenOptions.HttpsOptions.ServerCertificateSelector(null, host);
+                        if (cert != null)
+                        {
+                            HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(cert);
+                        }
+                        return cert!;
+                    };
+                }
+
                 features.Set(sslServerAuthenticationOptions);
             }
 

src/Servers/Kestrel/Core/src/PublicAPI.Unshipped.txt

@@ -183,7 +183,7 @@ Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionAdapterOptions.OnAuthen
 Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionAdapterOptions.OnAuthenticate.set -> void
 Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionAdapterOptions.ServerCertificate.get -> System.Security.Cryptography.X509Certificates.X509Certificate2?
 Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionAdapterOptions.ServerCertificate.set -> void
-Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionAdapterOptions.ServerCertificateSelector.get -> System.Func<Microsoft.AspNetCore.Connections.ConnectionContext!, string?, System.Security.Cryptography.X509Certificates.X509Certificate2?>?
+Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionAdapterOptions.ServerCertificateSelector.get -> System.Func<Microsoft.AspNetCore.Connections.ConnectionContext?, string?, System.Security.Cryptography.X509Certificates.X509Certificate2?>?
 Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionAdapterOptions.ServerCertificateSelector.set -> void
 Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.AnyIPEndpoint(int port) -> Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader!
 Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.AnyIPEndpoint(int port, System.Action<Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions!>! configure) -> Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader!

src/Servers/Kestrel/Transport.Quic/src/QuicTransportFactory.cs

@@ -54,9 +54,12 @@ public ValueTask<IMultiplexedConnectionListener> BindAsync(EndPoint endpoint, IF
             {
                 throw new InvalidOperationException("Couldn't find HTTPS configuration for QUIC transport.");
             }
-            if (sslServerAuthenticationOptions.ServerCertificate == null)
+            if (sslServerAuthenticationOptions.ServerCertificate == null
+                && sslServerAuthenticationOptions.ServerCertificateContext == null
+                && sslServerAuthenticationOptions.ServerCertificateSelectionCallback == null)
             {
-                var message = $"{nameof(SslServerAuthenticationOptions)}.{nameof(SslServerAuthenticationOptions.ServerCertificate)} must be configured with a value.";
+                var message = $"{nameof(SslServerAuthenticationOptions)} must provide a server certificate using {nameof(SslServerAuthenticationOptions.ServerCertificate)},"
+                    + $" {nameof(SslServerAuthenticationOptions.ServerCertificateContext)}, or {nameof(SslServerAuthenticationOptions.ServerCertificateSelectionCallback)}.";
                 throw new InvalidOperationException(message);
             }
 

src/Servers/Kestrel/samples/Http3SampleApp/Program.cs

@@ -25,6 +25,7 @@ public static void Main(string[] args)
                     .ConfigureKestrel((context, options) =>
                     {
                         var cert = CertificateLoader.LoadFromStoreCert("localhost", StoreName.My.ToString(), StoreLocation.CurrentUser, false);
+
                         options.ConfigureHttpsDefaults(httpsOptions =>
                         {
                             httpsOptions.ServerCertificate = cert;
@@ -54,13 +55,41 @@ public static void Main(string[] args)
                         {
                             listenOptions.UseHttps(httpsOptions =>
                             {
-                                httpsOptions.ServerCertificateSelector = (_, _) => cert;
+                                // ConnectionContext is null
+                                httpsOptions.ServerCertificateSelector = (context, host) => cert;
                             });
                             listenOptions.UseConnectionLogging();
-                            listenOptions.Protocols = HttpProtocols.Http1AndHttp2; // TODO: http3
+                            listenOptions.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
                         });
 
+                        // No SslServerAuthenticationOptions callback is currently supported by QuicListener
                         options.ListenAnyIP(5004, listenOptions =>
+                        {
+                            listenOptions.UseHttps(httpsOptions =>
+                            {
+                                httpsOptions.OnAuthenticate = (_, sslOptions) => sslOptions.ServerCertificate = cert;
+                            });
+                            listenOptions.UseConnectionLogging();
+                            listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
+                        });
+
+                        // ServerOptionsSelectionCallback isn't currently supported by QuicListener
+                        options.ListenAnyIP(5005, listenOptions =>
+                        {
+                            ServerOptionsSelectionCallback callback = (SslStream stream, SslClientHelloInfo clientHelloInfo, object state, CancellationToken cancellationToken) =>
+                            {
+                                var options = new SslServerAuthenticationOptions()
+                                {
+                                    ServerCertificate = cert,
+                                };
+                                return new ValueTask<SslServerAuthenticationOptions>(options);
+                            };
+                            listenOptions.UseHttps(callback, state: null);
+                            listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
+                        });
+
+                        // TlsHandshakeCallbackOptions (ServerOptionsSelectionCallback) isn't currently supported by QuicListener
+                        options.ListenAnyIP(5006, listenOptions =>
                         {
                             listenOptions.UseHttps(new TlsHandshakeCallbackOptions()
                             {
@@ -74,7 +103,7 @@ public static void Main(string[] args)
                                 },
                             });
                             listenOptions.UseConnectionLogging();
-                            listenOptions.Protocols = HttpProtocols.Http1AndHttp2; // TODO: http3
+                            listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
                         });
                     })
                     .UseStartup<Startup>();

src/Servers/Kestrel/test/Interop.FunctionalTests/Http3/Http3Helpers.cs

@@ -0,0 +1,77 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Diagnostics;
+using System.Net;
+using System.Net.Http;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Connections;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Server.Kestrel.Core;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+
+namespace Interop.FunctionalTests.Http3
+{
+    public static class Http3Helpers
+    {
+        public static HttpMessageInvoker CreateClient(TimeSpan? idleTimeout = null)
+        {
+            var handler = new SocketsHttpHandler();
+            handler.SslOptions = new System.Net.Security.SslClientAuthenticationOptions
+            {
+                RemoteCertificateValidationCallback = (_, __, ___, ____) => true,
+                TargetHost = "targethost"
+            };
+            if (idleTimeout != null)
+            {
+                handler.PooledConnectionIdleTimeout = idleTimeout.Value;
+            }
+
+            return new HttpMessageInvoker(handler);
+        }
+
+        public static IHostBuilder CreateHostBuilder(Action<IServiceCollection> configureServices, RequestDelegate requestDelegate, HttpProtocols? protocol = null, Action<KestrelServerOptions> configureKestrel = null)
+        {
+            return new HostBuilder()
+                .ConfigureWebHost(webHostBuilder =>
+                {
+                    webHostBuilder
+                        .UseKestrel(o =>
+                        {
+                            if (configureKestrel == null)
+                            {
+                                o.Listen(IPAddress.Parse("127.0.0.1"), 0, listenOptions =>
+                                {
+                                    listenOptions.Protocols = protocol ?? HttpProtocols.Http3;
+                                    listenOptions.UseHttps();
+                                });
+                            }
+                            else
+                            {
+                                configureKestrel(o);
+                            }
+                        })
+                        .Configure(app =>
+                        {
+                            app.Run(requestDelegate);
+                        });
+                })
+                .ConfigureServices(configureServices)
+                .ConfigureHostOptions(o =>
+                {
+                    if (Debugger.IsAttached)
+                    {
+                        // Avoid timeout while debugging.
+                        o.ShutdownTimeout = TimeSpan.FromHours(1);
+                    }
+                    else
+                    {
+                        o.ShutdownTimeout = TimeSpan.FromSeconds(1);
+                    }
+                });
+        }
+    }
+}