UpdateDnsNameList forX509Certificate2 to useX509SubjectAlternativeNameExtension.EnumerateDnsNames Method#24714

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
Expand Up@@ -3309,30 +3309,37 @@ public EnhancedKeyUsageProperty(X509Certificate2 cert)
public sealed class DnsNameProperty
{
private readonly List<DnsNameRepresentation> _dnsList = new();
private readonlySystem.Globalization.IdnMapping idnMapping = new();
private readonly IdnMapping idnMapping = new();

private const string dnsNamePrefix = "DNS Name=";
private const string distinguishedNamePrefix = "CN=";

/// <summary>
/// Get property of DnsNameList.
/// </summary>
public List<DnsNameRepresentation> DnsNameList
public List<DnsNameRepresentation> DnsNameList => _dnsList;

private DnsNameRepresentation GetDnsNameRepresentation(string dnsName)
{
get
string unicodeName;

try
{
unicodeName = idnMapping.GetUnicode(dnsName);
}
catch (ArgumentException)
{
return _dnsList;
// The name is not valid Punycode, assume it's valid ASCII.
unicodeName = dnsName;
}

return new DnsNameRepresentation(dnsName, unicodeName);
}

/// <summary>
/// Constructor for DnsNameProperty.
/// </summary>
public DnsNameProperty(X509Certificate2 cert)
{
string name;
string unicodeName;
DnsNameRepresentation dnsName;
_dnsList = new List<DnsNameRepresentation>();

// extract DNS name from subject distinguish name
Expand All@@ -3341,50 +3348,24 @@ public DnsNameProperty(X509Certificate2 cert)
if (cert.Subject.StartsWith(distinguishedNamePrefix, System.StringComparison.OrdinalIgnoreCase) &&
!cert.Subject.Contains(','))
{
name = cert.Subject.Substring(distinguishedNamePrefix.Length);
try
{
unicodeName = idnMapping.GetUnicode(name);
}
catch (System.ArgumentException)
{
// The name is not valid punyCode, assume it's valid ascii.
unicodeName = name;
}

dnsName = new DnsNameRepresentation(name, unicodeName);
string parsedSubjectDistinguishedDnsName = cert.Subject.Substring(distinguishedNamePrefix.Length);
DnsNameRepresentation dnsName = GetDnsNameRepresentation(parsedSubjectDistinguishedDnsName);
@ArmaanMcleodArmaanMcleodDec 29, 2024
Actually, I will park this; I just realised this would include all distinguished names outside of CN=. dotnet runtime probably needs to expose something for just the common name without too much extra work. Right now you would still need to check the OID during enumeration, which is not ideal and would probably lead to more complex code in its current state.

dotnet/runtime#33914

ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I think it would end up being something like:

privateconststringCommonNameOid="2.5.4.3";// Extract DNS name from Subject distinguished nameforeach(X500RelativeDistinguishedNamedistinguishedNameincert.SubjectName.EnumerateRelativeDistinguishedNames()){if(!distinguishedName.HasMultipleElements&&distinguishedName.GetSingleElementType().Value.Equals(CommonNameOid,StringComparison.OrdinalIgnoreCase)){DnsNameRepresentationdnsName=GetDnsNameRepresentation(distinguishedName.GetSingleElementValue());_dnsList.Add(dnsName);}}

Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

The change is not related to the PR. Please revert it.
If you think the original code has an issue, please open a new issue to discuss it.

ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Yeah so this was just referring to how distinguished names are handled. I have reverted that change and will open a new issue to discuss. This is resolved for this PR.

Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I don't see new commit.

ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I force pushed and removed the changes.

_dnsList.Add(dnsName);
}

// Extract DNS names from SAN extensions
foreach (X509Extension extension in cert.Extensions)
{
// Filter to the OID for Subject Alternative Name
if (extension.Oid.Value == "2.5.29.17")
if (extension is X509SubjectAlternativeNameExtension sanExtension)
{
string[] names = extension.Format(true).Split(Environment.NewLine);
foreach (string nameLine in names)
foreach (string dnsNameEntry in sanExtension.EnumerateDnsNames())
{
// Get the part after 'DNS Name='
if (nameLine.StartsWith(dnsNamePrefix, System.StringComparison.InvariantCultureIgnoreCase))
{
name = nameLine.Substring(dnsNamePrefix.Length);
try
{
unicodeName = idnMapping.GetUnicode(name);
}
catch (System.ArgumentException)
{
// The name is not valid punyCode, assume it's valid ascii.
unicodeName = name;
}

dnsName = new DnsNameRepresentation(name, unicodeName);
DnsNameRepresentation dnsName = GetDnsNameRepresentation(dnsNameEntry);

// Only add the name if it is not the same as an existing name.
if (!_dnsList.Contains(dnsName))
{
_dnsList.Add(dnsName);
}
// Only add the name if it is not the same as an existing name.
if (!_dnsList.Contains(dnsName))
{
_dnsList.Add(dnsName);
}
}
}
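Review bot: The context line `private const string dnsNamePrefix = "DNS Name=";` is left behind by the rewrite: its only use in this hunk was the removed `nameLine.StartsWith(dnsNamePrefix, ...)` check, and the new `sanExtension.EnumerateDnsNames()` loop no longer parses the formatted extension text. Unless the constant is referenced elsewhere in the file, delete it so the class does not advertise a text-parsing path that no longer exists. The new helper `GetDnsNameRepresentation` has no XML doc comment while its neighbours do; `/// <summary>Pairs a DNS name with its Unicode form; a name that is not valid Punycode is used unchanged as both.</summary>` would match the file's style. A smaller consistency point on the changed line `private readonly IdnMapping idnMapping = new();`: the field sits next to `_dnsList`, so `_idnMapping` would follow the file's private-field naming. The constructor body continues past the end of this hunk.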
Expand Up@@ -292,4 +292,80 @@ Describe "Certificate Provider tests" -Tags "Feature" {
$certs.Thumbprint | Should -BeExactly $thumbprint
}
}

Context "SAN DNS Name Tests" {
BeforeAll {
$configFilePath = Join-Path -Path $TestDrive -ChildPath 'openssl.cnf'
$keyFilePath = Join-Path -Path $TestDrive -ChildPath 'privateKey.key'
$certFilePath = Join-Path -Path $TestDrive -ChildPath 'certificate.crt'
$pfxFilePath = Join-Path -Path $TestDrive -ChildPath 'certificate.pfx'
$password = "test"

$config = @"
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
CN = yourdomain.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = yourdomain.com
DNS.2 = www.yourdomain.com
DNS.3 = api.yourdomain.com
DNS.4 = xn--mnchen-3ya.com
DNS.5 = xn--80aaxitdbjr.com
DNS.6 = xn--caf-dma.com
"@

# Write the configuration to the specified path
Set-Content -Path $configFilePath -Value $config

# Generate the self-signed certificate with SANs
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout $keyFilePath -out $certFilePath -config $configFilePath -extensions v3_req

# Create the PFX file
openssl pkcs12 -export -out $pfxFilePath -inkey $keyFilePath -in $certFilePath -passout pass:$password
}

It "Should set DNSNameList from SAN extensions" {
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxFilePath, $password)

$expectedDnsNameList = @(
[PSCustomObject]@{
Punycode = "yourdomain.com"
Unicode = "yourdomain.com"
}
[PSCustomObject]@{
Punycode = "www.yourdomain.com"
Unicode = "www.yourdomain.com"
}
[PSCustomObject]@{
Punycode = "api.yourdomain.com"
Unicode = "api.yourdomain.com"
}
[PSCustomObject]@{
Punycode = "xn--mnchen-3ya.com"
Unicode = "münchen.com"
}
[PSCustomObject]@{
Punycode = "xn--80aaxitdbjr.com"
Unicode = "папитрока.com"
}
[PSCustomObject]@{
Punycode = "xn--caf-dma.com"
Unicode = "café.com"
}
)

$cert | Should -Not -BeNullOrEmpty
$cert.DnsNameList | Should -HaveCount 6
($cert.DnsNameList | ConvertTo-Json -Compress) | Should -BeExactly ($expectedDnsNameList | ConvertTo-Json -Compress)
}
}
}
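Review bot: `BeforeAll` in the new `SAN DNS Name Tests` context invokes `openssl` twice without checking that it is available, so on a host without OpenSSL the `It` block fails on a missing `$pfxFilePath` and the failure reads like a product regression rather than a missing prerequisite. A guard such as `$skipSanTests = -not (Get-Command openssl -ErrorAction SilentlyContinue)` in `BeforeAll`, with `-Skip:$skipSanTests` on the `It`, makes the dependency explicit. The exit status of the two `openssl` calls is also never checked; asserting `$LASTEXITCODE | Should -Be 0` (or `Test-Path $pfxFilePath | Should -BeTrue`) directly after them would surface a generation failure at the point it happens instead of inside the JSON comparison.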