[release/2.3] Pass Through Disable AIA Flag (#4674) #4675

Merged
merged 1 commit into from
Dec 4, 2024
4 changes: 4 additions & 0 deletions docs/api/QUIC_CREDENTIAL_CONFIG.md
Expand Up @@ -161,6 +161,10 @@ Obtain the peer certificate using a faster in-process API call. Only available o

Enable CA certificate file provided in the `CaCertificateFile` member.

`QUIC_CREDENTIAL_FLAG_DISABLE_AIA`

The following flag can be set to explicitly disable AIA retrievals. Only valid on Windows.

#### `CertificateHash`

Must **only** use with `QUIC_CREDENTIAL_TYPE_CERTIFICATE_HASH` type.
1 change: 1 addition & 0 deletions src/cs/lib/msquic_generated.cs
Expand Up @@ -99,6 +99,7 @@ internal enum QUIC_CREDENTIAL_FLAGS
REVOCATION_CHECK_CACHE_ONLY = 0x00040000,
INPROC_PEER_CERTIFICATE = 0x00080000,
SET_CA_CERTIFICATE_FILE = 0x00100000,
DISABLE_AIA = 0x00200000,
}

[System.Flags]
1 change: 1 addition & 0 deletions src/inc/msquic.h
Expand Up @@ -146,6 +146,7 @@ typedef enum QUIC_CREDENTIAL_FLAGS {
QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY = 0x00040000, // Windows only currently
QUIC_CREDENTIAL_FLAG_INPROC_PEER_CERTIFICATE = 0x00080000, // Schannel only
QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE = 0x00100000, // OpenSSL only currently
QUIC_CREDENTIAL_FLAG_DISABLE_AIA = 0x00200000, // Schannel only currently
} QUIC_CREDENTIAL_FLAGS;

DEFINE_ENUM_FLAG_OPERATORS(QUIC_CREDENTIAL_FLAGS)
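Review bot: The trailing comment on the new `QUIC_CREDENTIAL_FLAG_DISABLE_AIA` member records only `Schannel only currently`, yet this is the one place every caller reads, and the rest of the PR shows more: the tls_openssl.c hunks reject the flag with `QUIC_STATUS_INVALID_PARAMETER`, while the Schannel and CAPI hunks apply it to the server-side client-certificate policy and to `CxPlatCertVerifyRawCertificate`. Stating that scope here avoids a trip through the platform files, e.g. `QUIC_CREDENTIAL_FLAG_DISABLE_AIA = 0x00200000, // Schannel only currently; rejected by OpenSSL. Disables AIA (network) fetches during chain building`. The `QUIC_CREDENTIAL_FLAGS` enum begins before this hunk; only its last members and closing line are visible.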
3 changes: 3 additions & 0 deletions src/platform/certificates_capi.c
Expand Up @@ -90,6 +90,9 @@ CxPlatCertVerifyRawCertificate(
if (CredFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY) {
CertFlags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
}
if (CredFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA) {
CertFlags |= CERT_CHAIN_DISABLE_AIA;
}

Result =
CxPlatCertValidateChain(
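Review bot: The new `CERT_CHAIN_DISABLE_AIA` branch changes what a missing intermediate means on this verification path, and the hunk does not say so: with AIA retrieval off, an intermediate the peer did not include in its chain is no longer fetched from the issuer's AIA URL, so chain building is expected to end in a partial chain and the certificate is rejected rather than completed from the network. That is the intended fail-closed trade-off, but a reader of this block cannot see it; a one-line comment above the check would, e.g. `// No AIA fetch: intermediates absent from the peer's chain make validation fail.` The same note applies to the parallel branch added to `CxPlatTlsSetClientCertPolicy` in tls_schannel.c. `CxPlatCertVerifyRawCertificate` starts before and continues past this hunk.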
6 changes: 4 additions & 2 deletions src/platform/tls_openssl.c
Expand Up @@ -981,7 +981,8 @@ CxPlatTlsSecConfigCreate(
CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY)) {
CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA)) {
return QUIC_STATUS_INVALID_PARAMETER;
}

Expand All @@ -992,7 +993,8 @@ CxPlatTlsSecConfigCreate(
CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY)) {
CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY ||
CredConfigFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA)) {
return QUIC_STATUS_INVALID_PARAMETER;
}
#endif
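Review bot: The rejection test in `CxPlatTlsSecConfigCreate` is now a nine-term `CredConfigFlags & FLAG ||` chain, and the second hunk (`@@ -992,7 +993,8 @@`) repeats it verbatim, so every new platform-specific flag must be appended in two places and the two lists can silently diverge. A single file-scope mask keeps them in step and reads as one check, e.g. a constructed name such as `#define CXPLAT_TLS_SCHANNEL_ONLY_FLAGS (QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY | QUIC_CREDENTIAL_FLAG_DISABLE_AIA | /* remaining flags */)` followed by `if (CredConfigFlags & CXPLAT_TLS_SCHANNEL_ONLY_FLAGS) { return QUIC_STATUS_INVALID_PARAMETER; }` in both spots. The head of each condition and the start of `CxPlatTlsSecConfigCreate` lie outside the hunks, so any terms preceding `QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK` would need folding into the same mask.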
4 changes: 4 additions & 0 deletions src/platform/tls_schannel.c
Expand Up @@ -118,6 +118,7 @@ typedef struct _SecPkgCred_ClientCertPolicy
#define CERT_CHAIN_REVOCATION_CHECK_CHAIN 0x20000000
#define CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x40000000
#define CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY 0x80000000
#define CERT_CHAIN_DISABLE_AIA 0x00002000

#define SECPKG_ATTR_REMOTE_CERTIFICATES 0x5F // returns SecPkgContext_Certificates

Expand Down Expand Up @@ -754,6 +755,9 @@ CxPlatTlsSetClientCertPolicy(
if (SecConfig->Flags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY) {
ClientCertPolicy.dwCertFlags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
}
if (SecConfig->Flags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA) {
ClientCertPolicy.dwCertFlags |= CERT_CHAIN_DISABLE_AIA;
}

SecStatus =
SetCredentialsAttributesW(
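Review bot: `#define CERT_CHAIN_DISABLE_AIA 0x00002000` in the first hunk is a local copy of the wincrypt.h chain-engine flag of the same name, added to a block of other locally redefined `CERT_CHAIN_*` values with nothing recording where the numbers come from, so a maintainer cannot tell from the file that they must track the SDK header. A trailing comment would anchor it: `#define CERT_CHAIN_DISABLE_AIA 0x00002000 // wincrypt.h value; keep in sync with the SDK`. In the second hunk the flag is folded into `ClientCertPolicy.dwCertFlags` only, i.e. it governs how the server builds the chain of a client certificate; if the header comment or docs are meant to promise more than that, this is the place where the gap would show. `CxPlatTlsSetClientCertPolicy` begins before this hunk and continues past it.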
1 change: 1 addition & 0 deletions src/platform/unittest/TlsTest.cpp
Expand Up @@ -2222,6 +2222,7 @@ TEST_F(TlsTest, PlatformSpecificFlagsSchannel)
QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_END_CERT, QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT,
QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK, QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE,
QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL, QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY,
QUIC_CREDENTIAL_FLAG_DISABLE_AIA,
#ifndef __APPLE__
QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CHAIN,
#endif