snatpshot

dotnet · wfurt · Jul 12, 2021 · Mar 23, 2021 · Mar 24, 2021 · Apr 1, 2021
commit ecf3b37261ef4ed2fd9b40129b874c7c78f4ecda
diff --git a/src/libraries/Common/src/Interop/Windows/SspiCli/Interop.SSPI.cs b/src/libraries/Common/src/Interop/Windows/SspiCli/Interop.SSPI.cs
@@ -66,6 +66,7 @@ internal enum ContextAttribute
             SECPKG_ATTR_LOCAL_CERT_CONTEXT = 0x54,     // returns PCCERT_CONTEXT
             SECPKG_ATTR_ROOT_STORE = 0x55,             // returns HCERTCONTEXT to the root store
             SECPKG_ATTR_ISSUER_LIST_EX = 0x59,         // returns SecPkgContext_IssuerListInfoEx
+            SECPKG_ATTR_CLIENT_CERT_POLICY = 0x60,     // sets    SecPkgCred_ClientCertCtlPolicy
             SECPKG_ATTR_CONNECTION_INFO = 0x5A,        // returns SecPkgContext_ConnectionInfo
             SECPKG_ATTR_CIPHER_INFO = 0x64,            // returns SecPkgContext_CipherInfo
             SECPKG_ATTR_UI_INFO = 0x68, // sets SEcPkgContext_UiInfo
@@ -316,6 +317,26 @@ public SecBufferDesc(int count)
             }
         }
 
+        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+        internal unsafe struct SecPkgCred_ClientCertPolicy
+        {
+            public int dwFlags;
+            public fixed byte guid[16];
+            public int dwCertFlags;
+            public int dwUrlRetrievalTimeout;
+            [MarshalAs(UnmanagedType.Bool)]
+            public bool fCheckRevocationFreshnessTime;
+            public int dwRevocationFreshnessTime;
+            [MarshalAs(UnmanagedType.Bool)]
+            public bool fOmitUsageCheck;
+            [MarshalAs(UnmanagedType.LPWStr)]
+            public string? pwszSslCtlStoreName;
+            [MarshalAs(UnmanagedType.LPWStr)]
+            public string? pwszSslCtlIdentifier;
+            //LPWSTR pwszSslCtlStoreName; � Here is the named cert store you can set.
+            //LPWSTR pwszSslCtlIdentifier;
+        }
+
         [DllImport(Interop.Libraries.SspiCli, ExactSpelling = true, SetLastError = true)]
         internal static extern int EncryptMessage(
               ref CredHandle contextHandle,
@@ -473,5 +494,12 @@ internal static extern SECURITY_STATUS SspiEncodeStringsAsAuthIdentity(
             [In] string domainName,
             [In] string password,
             [Out] out SafeSspiAuthDataHandle authData);
+
+        [DllImport(Interop.Libraries.SspiCli, ExactSpelling = true, CharSet = CharSet.Unicode, SetLastError = true)]
+        internal static extern SECURITY_STATUS SetCredentialsAttributesW(
+            [In] ref CredHandle handlePtr,
+            [In] long ulAttribute,
+            [In] ref SecPkgCred_ClientCertPolicy pBuffer,
+            [In] long cbBuffer);
     }
 }
diff --git a/src/libraries/System.Net.NameResolution/src/System.Net.NameResolution.csproj b/src/libraries/System.Net.NameResolution/src/System.Net.NameResolution.csproj
@@ -125,5 +125,6 @@
     <Reference Include="System.Threading" />
     <Reference Include="System.Threading.Overlapped" />
     <Reference Include="System.Threading.ThreadPool" />
+    <Reference Include="System.Console" />
   </ItemGroup>
 </Project>
diff --git a/src/libraries/System.Net.Security/src/System.Net.Security.csproj b/src/libraries/System.Net.Security/src/System.Net.Security.csproj
@@ -381,6 +381,7 @@
     <Reference Include="System.Security.Principal" />
     <Reference Include="System.Threading" />
     <Reference Include="System.Threading.ThreadPool" />
+    <Reference Include="System.Console" />
   </ItemGroup>
   <ItemGroup Condition="'$(TargetsUnix)' == 'true'">
     <Reference Include="System.Console" Condition="'$(Configuration)' == 'Debug'" />

diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs
@@ -112,8 +112,9 @@ public static SecurityStatusPal InitializeSecurityContext(ref SafeFreeCredential
 
         public static SafeFreeCredentials AcquireCredentialsHandle(SslStreamCertificateContext? certificateContext, SslProtocols protocols, EncryptionPolicy policy, bool isServer)
         {
+            Console.WriteLine("AcquireCredentialsHandle called for {0} {1}", UseNewCryptoApi, isServer);
             // New crypto API supports TLS1.3 but it does not allow to force NULL encryption.
-            return !UseNewCryptoApi || policy == EncryptionPolicy.NoEncryption ?
+            return true || !UseNewCryptoApi || policy == EncryptionPolicy.NoEncryption ?
                         AcquireCredentialsHandleSchannelCred(certificateContext?.Certificate, protocols, policy, isServer) :
                         AcquireCredentialsHandleSchCredentials(certificateContext?.Certificate, protocols, policy, isServer);
         }
@@ -126,6 +127,20 @@ public static unsafe SafeFreeCredentials AcquireCredentialsHandleSchannelCred(X5
             Interop.SspiCli.SCHANNEL_CRED.Flags flags;
             Interop.SspiCli.CredentialUse direction;
 
+            Console.WriteLine("AcquireCredentialsHandleSchannelCred  called!!!!");
+
+            IntPtr storeHandle = (IntPtr)0;
+            //X509Store store = new X509Store("Enterprise Trust", StoreLocation.CurrentUser);
+            X509Store store = new X509Store("teststore", StoreLocation.CurrentUser);
+            store.Open(OpenFlags.ReadOnly);
+            storeHandle = store.StoreHandle;
+            Console.WriteLine("Enterprise Trust opened {0} {1} ({2}) count={3}", store, store.Name, storeHandle, store.Certificates.Count);
+            foreach (var c in store.Certificates)
+            {
+                Console.WriteLine("Got {0}", c.Subject);
+            }
+
+
             if (!isServer)
             {
                 direction = Interop.SspiCli.CredentialUse.SECPKG_CRED_OUTBOUND;
@@ -161,8 +176,33 @@ public static unsafe SafeFreeCredentials AcquireCredentialsHandleSchannelCred(X5
                 certificateHandle = (Interop.Crypt32.CERT_CONTEXT*)certificate.Handle;
                 secureCredential.paCred = &certificateHandle;
             }
+            secureCredential.hRootStore = storeHandle;
+            Console.WriteLine("ALL API with {0}", secureCredential.hRootStore);
+
 
-            return AcquireCredentialsHandle(direction, &secureCredential);
+            SafeFreeCredentials cred =  AcquireCredentialsHandle(direction, &secureCredential);
+            //Console.WriteLine("Got creed = {0} {1}", cred, cred.DangerousGetHandle());
+            if (isServer&& cred != null)
+            {
+
+                Interop.SspiCli.SecPkgCred_ClientCertPolicy clientCertPolicy;
+                clientCertPolicy.dwFlags = 0;
+                clientCertPolicy.dwCertFlags = 0;
+                clientCertPolicy.fCheckRevocationFreshnessTime = false;
+                clientCertPolicy.fOmitUsageCheck = false;
+                clientCertPolicy.pwszSslCtlIdentifier = null;
+                clientCertPolicy.pwszSslCtlStoreName = null;
+                clientCertPolicy.dwRevocationFreshnessTime = 0;
+                clientCertPolicy.dwUrlRetrievalTimeout = 0;
+                clientCertPolicy.guid[0] = 11;
+                clientCertPolicy.guid[1] = 22;
+
+                Interop.SspiCli.CredHandle credentialHandle = cred._handle;
+                Interop.SECURITY_STATUS status = Interop.SspiCli.SetCredentialsAttributesW(ref credentialHandle, (long)Interop.SspiCli.ContextAttribute.SECPKG_ATTR_CLIENT_CERT_POLICY, ref clientCertPolicy, 48); // sizeof(Interop.SspiCli.SecPkgCred_ClientCertPolicy));
+                Console.WriteLine("SetCredentialsAttributesW finished with {0} {1} {1:x}", status, (int)status);
+
+            }
+            return cred!;
         }
 
         // This function uses new crypto API to support TLS 1.3 and beyond.
@@ -171,11 +211,18 @@ public static unsafe SafeFreeCredentials AcquireCredentialsHandleSchCredentials(
             int protocolFlags = GetProtocolFlagsFromSslProtocols(protocols, isServer);
             Interop.SspiCli.SCH_CREDENTIALS.Flags flags;
             Interop.SspiCli.CredentialUse direction;
+            IntPtr storeHandle = (IntPtr)0;
 
+            Console.WriteLine("AcquireCredentialsHandleSchCredentials called!!!!");
             if (isServer)
             {
                 direction = Interop.SspiCli.CredentialUse.SECPKG_CRED_INBOUND;
                 flags = Interop.SspiCli.SCH_CREDENTIALS.Flags.SCH_SEND_AUX_RECORD;
+
+                X509Store store = new X509Store("Enterprise Trust", StoreLocation.CurrentUser);
+                Console.WriteLine("Enterprise Trust opened {0} {1}", store, store.Name);
+                store.Open(OpenFlags.ReadOnly);
+                storeHandle = store.StoreHandle;
             }
             else
             {
@@ -207,7 +254,8 @@ public static unsafe SafeFreeCredentials AcquireCredentialsHandleSchCredentials(
             Interop.SspiCli.SCH_CREDENTIALS credential = default;
             credential.dwVersion = Interop.SspiCli.SCH_CREDENTIALS.CurrentVersion;
             credential.dwFlags = flags;
-
+            credential.hRootStore = storeHandle;
+            Console.WriteLine("hRootStore = {0}", storeHandle);
             Interop.Crypt32.CERT_CONTEXT *certificateHandle = null;
             if (certificate != null)
             {