[release/5.0] fix SslStreamCertificateContext.Create with partial certificate chain #46904
This is a port of #46664 to the 5.0 branch.
Fixes #46654
Reported by a customer originally in dotnet/aspnetcore#28584
Customer Impact
Kestrel server cannot be started if the machine is somehow missing the cert forming the root of the certificate chain being used.
This is caused by an out-of-bounds array iteration in runtime code.
Regression?
Users who were previously able to start Kestrel no longer can. (Our API is new in 5.0, but Kestrel now uses it.)
Testing
A new test case was added for a partial certificate chain.
Risk
Low. The fix corrects how we iterate over the array representing the certificate chain so that we don't try to read beyond the array, nor send the wrong certificates.
Details:
With TrimRootCertificate=false, the old logic would incorrectly increase count when chain.Build() returns a partial chain. That would later cause an ArgumentOutOfRangeException when iterating through the chain certificate collection. Furthermore, the TrimRootCertificate is swapped. If we want to trim the root we need to subtract 2 (e.g. root itself and leaf cert). This will cause the wrong number of certificates to be sent on the wire on Unix.
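The counting rule from the Details above, as an added example (not the code from this PR or from dotnet/runtime): it builds a chain whose root is missing and derives how many certificates follow the leaf without indexing past the collection. `IntermediatesToSend`, `Issue` and the certificate names are hypothetical and constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PartialChainDemo
{
    // Hypothetical helper: certificates to send after the leaf.
    static List<X509Certificate2> IntermediatesToSend(X509Chain chain, bool trimRoot)
    {
        bool isPartial = false;
        foreach (X509ChainStatus s in chain.ChainStatus)
            isPartial |= s.Status.HasFlag(X509ChainStatusFlags.PartialChain);
        // Element 0 is the leaf. The last element is a root only when the
        // chain is complete, so a partial chain has no root to trim.
        int count = chain.ChainElements.Count - 1;
        if (trimRoot && !isPartial) count--;
        var result = new List<X509Certificate2>();
        for (int i = 1; i <= count; i++)
            result.Add(chain.ChainElements[i].Certificate);
        return result;
    }

    // Issues a constructed test certificate; issuer == null means self-signed.
    // Validity shrinks with 'days' so each certificate nests inside its issuer.
    static X509Certificate2 Issue(string cn, bool isCa, X509Certificate2 issuer, int days)
    {
        RSA key = RSA.Create(2048);
        var req = new CertificateRequest("CN=" + cn, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(isCa, false, 0, true));
        DateTimeOffset now = DateTimeOffset.UtcNow;
        if (issuer == null) return req.CreateSelfSigned(now.AddDays(-days), now.AddDays(days));
        using X509Certificate2 pub = req.Create(issuer, now.AddDays(-days), now.AddDays(days), new byte[] { 1, (byte)days });
        return pub.CopyWithPrivateKey(key);
    }

    static void Main()
    {
        X509Certificate2 root = Issue("Constructed Root", true, null, 30);
        X509Certificate2 mid = Issue("Constructed Intermediate", true, root, 20);
        X509Certificate2 leaf = Issue("constructed.example", false, mid, 10);
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.ExtraStore.Add(mid); // the root is deliberately left out
        chain.Build(leaf);                     // no root is available to the builder
        foreach (bool trimRoot in new[] { true, false })
            Console.WriteLine($"trimRoot={trimRoot}: elements={chain.ChainElements.Count}, send={IntermediatesToSend(chain, trimRoot).Count}");
    }
}
```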