Expand certificate testing (#1324)

Author: anrossi

.azure/azure-pipelines-int.ci.yml

@@ -141,6 +141,7 @@ stages:
       tls: schannel
       logProfile: Full.Light
       extraArgs: -Filter -*CryptTest.HpMaskChaCha20:CryptTest.WellKnownChaChaPoly:Alpn.ValidAlpnLengths
+      testCerts: true
 
 #
 # Build Verification Tests (Kernel Mode)
@@ -169,6 +170,7 @@ stages:
       logProfile: Full.Light
       extraArgs: -Kernel -Filter -*Handshake/WithHandshakeArgs6.ConnectClientCertificate/*:Alpn.ValidAlpnLengths
       kernel: true
+      testCerts: true
 
 #
 # Package

.azure/azure-pipelines.ci.yml

@@ -438,6 +438,7 @@ stages:
       logProfile: Full.Verbose
       extraArgs: -Kernel -Filter -*Handshake/WithHandshakeArgs6.ConnectClientCertificate/*:Alpn.ValidAlpnLengths
       kernel: true
+      testCerts: true
 
 #
 # Build Verification Tests
@@ -457,45 +458,46 @@ stages:
       tls: schannel
       logProfile: Full.Verbose
       extraArgs: -Filter -*CryptTest.HpMaskChaCha20:CryptTest.WellKnownChaChaPoly:Alpn.ValidAlpnLengths
+      testCerts: true
   - template: ./templates/run-bvt.yml
     parameters:
       image: windows-latest
       platform: windows
       tls: mitls
       logProfile: Full.Light
-      extraArgs: -Filter -*Unreachable/0:CryptTest/CryptTest.Encryption/2:CryptTest.WellKnownChaChaPoly:*HandshakeParam*
+      extraArgs: -Filter -*Unreachable/0:CryptTest/CryptTest.Encryption/2:CryptTest.WellKnownChaChaPoly:*HandshakeParam*:CredValidation*
   - template: ./templates/run-bvt.yml
     parameters:
       image: windows-latest
       platform: windows
       tls: openssl
-      extraArgs: -Filter -*Unreachable/0:AppData/*:Misc/*
+      extraArgs: -Filter -*Unreachable/0:AppData/*:Misc/*:CredValidation*
   - template: ./templates/run-bvt.yml
     parameters:
       image: ubuntu-latest
       platform: linux
       tls: openssl
-      extraArgs: -Filter -*.Tcp*
+      extraArgs: -Filter -*.Tcp*:CredValidation*
   - template: ./templates/run-bvt.yml
     parameters:
       image: ubuntu-latest
       platform: linux
       tls: stub
-      extraArgs: -Filter -*TlsTest.CertificateError:TlsTest.ExtraCertificateValidation:*.Tcp*:*HandshakeParam*:Handshake/WithHandshakeArgs6.ConnectClientCertificate/*:*ResumeRejection*
+      extraArgs: -Filter -*TlsTest.CertificateError:TlsTest.ExtraCertificateValidation:*.Tcp*:*HandshakeParam*:Handshake/WithHandshakeArgs6.ConnectClientCertificate/*:*ResumeRejection*:CredValidation*
   - template: ./templates/run-bvt.yml
     parameters:
       image: macOS-10.15
       platform: macos
       tls: openssl
       logProfile: None
-      extraArgs: -Filter -*.Tcp*
+      extraArgs: -Filter -*.Tcp*:CredValidation*
   - template: ./templates/run-bvt.yml
     parameters:
       image: ubuntu-latest
       platform: linux
       tls: openssl
       extraArtifactDir: '_SystemCrypto'
-      extraArgs: -Filter -*.Tcp* -ExtraArtifactDir SystemCrypto
+      extraArgs: -Filter -*.Tcp*:CredValidation* -ExtraArtifactDir SystemCrypto
 
 #
 # SpinQuic Tests

.azure/templates/run-bvt.yml

@@ -11,6 +11,7 @@ parameters:
   codeCoverage: false
   logProfile: 'Basic.Light'
   extraArgs: ''
+  testCerts: false
   extraArtifactDir: ''
 
 jobs:
@@ -41,7 +42,10 @@ jobs:
     inputs:
       pwsh: true
       filePath: scripts/prepare-machine.ps1
-      arguments: -Configuration Test
+      ${{ if eq(parameters.testCerts, true) }}:
+        arguments: -Configuration Test -TestCertificates
+      ${{ if eq(parameters.testCerts, false) }}:
+        arguments: -Configuration Test
 
   - task: PowerShell@2
     displayName: Run BVTs

scripts/prepare-machine.ps1

@@ -19,6 +19,9 @@ on the provided configuration.
 .PARAMETER Kernel
     Indicates build is for kernel mode.
 
+.PARAMETER TestCertificates
+    Generate test certificates. Only supported for Windows test configuration.
+
 .EXAMPLE
     prepare-machine.ps1 -Configuration Build
 
@@ -45,7 +48,10 @@ param (
     [switch]$Kernel,
 
     [Parameter(Mandatory = $false)]
-    [switch]$FailOnError
+    [switch]$FailOnError,
+
+    [Parameter(Mandatory = $false)]
+    [switch]$TestCertificates
 )
 
 #Requires -RunAsAdministrator
@@ -174,6 +180,68 @@ if ($IsWindows) {
     }
 
     if ($Configuration -eq "Test") {
+        if ($TestCertificates) {
+            # Install test certificates on windows
+            $PfxPassword = ConvertTo-SecureString -String "TestCert" -Force -AsPlainText
+            $NewRoot = $false
+            Write-Host "Searching for MsQuicTestRoot certificate..."
+            $RootCert = Get-ChildItem -path Cert:\LocalMachine\Root\* -Recurse | Where-Object {$_.Subject -eq "CN=MsQuicTestRoot"}
+            if (!$RootCert) {
+                Write-Host "MsQuicTestRoot not found! Creating new MsQuicTestRoot certificate..."
+                $RootCert = New-SelfSignedCertificate -Subject "CN=MsQuicTestRoot" -FriendlyName MsQuicTestRoot -KeyUsageProperty Sign -KeyUsage CertSign,DigitalSignature -CertStoreLocation cert:\CurrentUser\My -HashAlgorithm SHA256 -Provider "Microsoft Software Key Storage Provider" -KeyExportPolicy Exportable -KeyAlgorithm ECDSA_nistP521 -CurveExport CurveName -NotAfter(Get-Date).AddYears(5) -TextExtension @("2.5.29.19 = {text}ca=1&pathlength=0") -Type Custom
+                $TempRootPath = Join-Path $Env:TEMP "MsQuicTestRoot.cer"
+                Export-Certificate -Type CERT -Cert $RootCert -FilePath $TempRootPath
+                CertUtil.exe -addstore Root $TempRootPath
+                Remove-Item $TempRootPath
+                $NewRoot = $true
+                Write-Host "New MsQuicTestRoot certificate installed!"
+            } else {
+                Write-Host "Found existing MsQuicTestRoot certificate!"
+            }
+            Write-Host "Searching for MsQuicTestServer certificate..."
+            $ServerCert = Get-ChildItem -path Cert:\LocalMachine\My\* -Recurse | Where-Object {$_.Subject -eq "CN=MsQuicTestServer"}
+            if (!$ServerCert) {
+                Write-Host "MsQuicTestServer not found! Creating new MsQuicTestServer certificate..."
+                $ServerCert = New-SelfSignedCertificate -Subject "CN=MsQuicTestServer" -DnsName $env:computername,localhost,"127.0.0.1","::1" -FriendlyName MsQuicTestServer -KeyUsageProperty Sign -KeyUsage DigitalSignature -CertStoreLocation cert:\CurrentUser\My -HashAlgorithm SHA256 -Provider "Microsoft Software Key Storage Provider" -KeyExportPolicy Exportable -KeyAlgorithm ECDSA_nistP256 -CurveExport CurveName -NotAfter(Get-Date).AddYears(5) -TextExtension @("2.5.29.19 = {text}","2.5.29.37 = {text}1.3.6.1.5.5.7.3.1") -Signer $RootCert
+                $TempServerPath = Join-Path $Env:TEMP "MsQuicTestServerCert.pfx"
+                Export-PfxCertificate -Cert $ServerCert -Password $PfxPassword -FilePath $TempServerPath
+                Import-PfxCertificate -FilePath $TempServerPath -Password $PfxPassword -Exportable -CertStoreLocation Cert:\LocalMachine\My
+                Remove-Item $TempServerPath
+                Write-Host "New MsQuicTestServer certificate installed!"
+            } else {
+                Write-Host "Found existing MsQuicTestServer certificate!"
+            }
+            Write-Host "Searching for MsQuicTestExpiredServer certificate..."
+            $ExpiredServerCert = Get-ChildItem -path Cert:\LocalMachine\My\* -Recurse | Where-Object {$_.Subject -eq "CN=MsQuicTestExpiredServer"}
+            if (!$ExpiredServerCert) {
+                Write-Host "MsQuicTestExpiredServer not found! Creating new MsQuicTestExpiredServer certificate..."
+                $ExpiredServerCert = New-SelfSignedCertificate -Subject "CN=MsQuicTestExpiredServer" -DnsName $env:computername,localhost,"127.0.0.1","::1" -FriendlyName MsQuicTestExpiredServer -KeyUsageProperty Sign -KeyUsage DigitalSignature -CertStoreLocation cert:\CurrentUser\My -HashAlgorithm SHA256 -Provider "Microsoft Software Key Storage Provider" -KeyExportPolicy Exportable -KeyAlgorithm ECDSA_nistP256 -CurveExport CurveName -NotBefore (Get-Date).AddYears(-2) -NotAfter(Get-Date).AddYears(-1) -TextExtension @("2.5.29.19 = {text}","2.5.29.37 = {text}1.3.6.1.5.5.7.3.1") -Signer $RootCert
+                $TempExpiredServerPath = Join-Path $Env:TEMP "MsQuicTestExpiredServerCert.pfx"
+                Export-PfxCertificate -Cert $ExpiredServerCert -Password $PfxPassword -FilePath $TempExpiredServerPath
+                Import-PfxCertificate -FilePath $TempExpiredServerPath -Password $PfxPassword -Exportable -CertStoreLocation Cert:\LocalMachine\My
+                Remove-Item $TempExpiredServerPath
+                Write-Host "New MsQuicTestExpiredServer certificate installed!"
+            } else {
+                Write-Host "Found existing MsQuicTestExpiredServer certificate!"
+            }
+            Write-Host "Searching for MsQuicTestClient certificate..."
+            $ClientCert = Get-ChildItem -path Cert:\LocalMachine\My\* -Recurse | Where-Object {$_.Subject -eq "CN=MsQuicTestClient"}
+            if (!$ClientCert) {
+                Write-Host "MsQuicTestClient not found! Creating new MsQuicTestClient certificate..."
+                $ClientCert = New-SelfSignedCertificate -Subject "CN=MsQuicTestClient" -FriendlyName MsQuicTestClient -KeyUsageProperty Sign -KeyUsage DigitalSignature -CertStoreLocation cert:\CurrentUser\My -HashAlgorithm SHA256 -Provider "Microsoft Software Key Storage Provider" -KeyExportPolicy Exportable -KeyAlgorithm ECDSA_nistP256 -CurveExport CurveName -NotAfter(Get-Date).AddYears(5) -TextExtension @("2.5.29.19 = {text}","2.5.29.37 = {text}1.3.6.1.5.5.7.3.2") -Signer $RootCert
+                $TempClientPath = Join-Path $Env:TEMP "MsQuicTestClientCert.pfx"
+                Export-PfxCertificate -Cert $ClientCert -Password $PfxPassword -FilePath $TempClientPath
+                Import-PfxCertificate -FilePath $TempClientPath -Password $PfxPassword -Exportable -CertStoreLocation Cert:\LocalMachine\My
+                Remove-Item $TempClientPath
+                Write-Host "New MsQuicTestClient certificate installed!"
+            }else {
+                Write-Host "Found existing MsQuicTestClient certificate!"
+            }
+            if ($NewRoot) {
+                Write-Host "Deleting MsQuicTestRoot from MY store..."
+                Remove-Item $rootCert.PSPath
+            }
+        }
         # Install OpenCppCoverage on test machines
         if (!(Test-Path "C:\Program Files\OpenCppCoverage\OpenCppCoverage.exe")) {
             # Download the installer.

src/core/connection.c

@@ -1403,7 +1403,11 @@ QuicErrorCodeToStatus(
     case QUIC_ERROR_CRYPTO_USER_CANCELED:           return QUIC_STATUS_USER_CANCELED;
     case QUIC_ERROR_CRYPTO_HANDSHAKE_FAILURE:       return QUIC_STATUS_HANDSHAKE_FAILURE;
     case QUIC_ERROR_CRYPTO_NO_APPLICATION_PROTOCOL: return QUIC_STATUS_ALPN_NEG_FAILURE;
-    default:                                        return QUIC_STATUS_INTERNAL_ERROR;
+    default:
+        if (IS_QUIC_CRYPTO_ERROR(ErrorCode)) {
+            return QUIC_STATUS_TLS_ALERT(ErrorCode);
+        }
+        return QUIC_STATUS_INTERNAL_ERROR;
     }
 }
 

src/core/crypto.c

@@ -1297,7 +1297,7 @@ QuicCryptoProcessTlsCompletion(
             "[conn][%p] ERROR, %u, %s.",
             Connection,
             Crypto->TlsState.AlertCode,
-            "Received alert from TLS.");
+            "Received alert from TLS");
         QuicConnTransportError(
             Connection,
             QUIC_ERROR_CRYPTO_ERROR(0xFF & Crypto->TlsState.AlertCode));
@@ -1829,7 +1829,11 @@ QuicCryptoProcessAppData(
             &DataLength,
             &Crypto->TlsState);
     if (Crypto->ResultFlags & CXPLAT_TLS_RESULT_ERROR) {
-        Status = QUIC_STATUS_INTERNAL_ERROR;
+        if (Crypto->TlsState.AlertCode != 0) {
+            Status = QUIC_STATUS_TLS_ALERT(Crypto->TlsState.AlertCode);
+        } else {
+            Status = QUIC_STATUS_INTERNAL_ERROR;
+        }
         goto Error;
     }
 

src/core/frame.h

@@ -84,6 +84,7 @@
 // described in Section 4.8 of [QUIC-TLS].
 //
 #define QUIC_ERROR_CRYPTO_ERROR(TlsAlertCode)   ((QUIC_VAR_INT)(0x100 | (TlsAlertCode)))
+#define IS_QUIC_CRYPTO_ERROR(QuicCryptoError)   ((QuicCryptoError & 0x100) == 0x100)
 
 #define QUIC_ERROR_CRYPTO_USER_CANCELED             QUIC_ERROR_CRYPTO_ERROR(22)  // TLS error code for 'user_canceled'
 #define QUIC_ERROR_CRYPTO_HANDSHAKE_FAILURE         QUIC_ERROR_CRYPTO_ERROR(40)  // TLS error code for 'handshake_failure'

src/inc/msquic_posix.h

@@ -118,6 +118,8 @@ inline ENUMTYPE &operator ^= (ENUMTYPE &a, ENUMTYPE b) throw() { return (ENUMTYP
 #define ERROR_ALPN_NEG_FAILURE           20 + ERROR_BASE
 #define ERROR_STREAM_LIMIT_REACHED       21 + ERROR_BASE
 
+#define TLS_ERROR_BASE                  256 + ERROR_BASE
+
 #define QUIC_STATUS_SUCCESS                 ((QUIC_STATUS)ERROR_SUCCESS)
 #define QUIC_STATUS_PENDING                 ((QUIC_STATUS)ERROR_NOT_READY)
 #define QUIC_STATUS_CONTINUE                ((QUIC_STATUS)ERROR_CONTINUE)
@@ -146,6 +148,12 @@ inline ENUMTYPE &operator ^= (ENUMTYPE &a, ENUMTYPE b) throw() { return (ENUMTYP
 #define QUIC_STATUS_ALPN_NEG_FAILURE        ((QUIC_STATUS)ERROR_ALPN_NEG_FAILURE)
 #define QUIC_STATUS_STREAM_LIMIT_REACHED    ((QUIC_STATUS)ERROR_STREAM_LIMIT_REACHED)
 
+#define QUIC_STATUS_TLS_ALERT(Alert)        ((QUIC_STATUS)(0xff & Alert) + TLS_ERROR_BASE)
+
+#define QUIC_STATUS_CLOSE_NOTIFY            QUIC_STATUS_TLS_ALERT(0)    // Close notify
+#define QUIC_STATUS_BAD_CERTIFICATE         QUIC_STATUS_TLS_ALERT(42)   // Bad Certificate
+#define QUIC_STATUS_EXPIRED_CERTIFICATE     QUIC_STATUS_TLS_ALERT(45)   // Expired Certificate
+
 typedef unsigned char BOOLEAN;
 typedef struct in_addr IN_ADDR;
 typedef struct in6_addr IN6_ADDR;

src/inc/msquic_winkernel.h

@@ -76,6 +76,10 @@ typedef UINT64 uint64_t;
 #define STATUS_QUIC_STREAM_LIMIT_REACHED ((NTSTATUS)0xC0240008L)
 #endif
 
+#ifndef QUIC_TLS_ALERT_NTSTATUS_PREFIX
+#define QUIC_TLS_ALERT_NTSTATUS_PREFIX  ((NTSTATUS)0xC0240100L)
+#endif
+
 #define QUIC_API                            NTAPI
 #define QUIC_STATUS                         NTSTATUS
 #define QUIC_FAILED(X)                      (!NT_SUCCESS(X))
@@ -104,6 +108,12 @@ typedef UINT64 uint64_t;
 #define QUIC_STATUS_ALPN_NEG_FAILURE        STATUS_QUIC_ALPN_NEG_FAILURE
 #define QUIC_STATUS_STREAM_LIMIT_REACHED    STATUS_QUIC_STREAM_LIMIT_REACHED
 
+#define QUIC_STATUS_TLS_ALERT(Alert)        (QUIC_TLS_ALERT_NTSTATUS_PREFIX | (0xff & Alert))
+
+#define QUIC_STATUS_CLOSE_NOTIFY            QUIC_STATUS_TLS_ALERT(0)    // Close notify
+#define QUIC_STATUS_BAD_CERTIFICATE         QUIC_STATUS_TLS_ALERT(42)   // Bad Certificate
+#define QUIC_STATUS_EXPIRED_CERTIFICATE     QUIC_STATUS_TLS_ALERT(45)   // Expired Certificate
+
 //
 // Swaps byte orders between host and network endianness.
 //

src/inc/msquic_winuser.h

@@ -69,6 +69,10 @@
 #define ERROR_QUIC_STREAM_LIMIT_REACHED _HRESULT_TYPEDEF_(0x80410008L)
 #endif
 
+#ifndef QUIC_TLS_ALERT_HRESULT_PREFIX
+#define QUIC_TLS_ALERT_HRESULT_PREFIX   _HRESULT_TYPEDEF_(0x80410100L)
+#endif
+
 #define QUIC_API                            __cdecl
 #define QUIC_MAIN_EXPORT                    __cdecl
 #define QUIC_STATUS                         HRESULT
@@ -99,6 +103,12 @@
 #define QUIC_STATUS_ALPN_NEG_FAILURE        ERROR_QUIC_ALPN_NEG_FAILURE
 #define QUIC_STATUS_STREAM_LIMIT_REACHED    ERROR_QUIC_STREAM_LIMIT_REACHED
 
+#define QUIC_STATUS_TLS_ALERT(Alert)        (QUIC_TLS_ALERT_HRESULT_PREFIX | (0xff & Alert))
+
+#define QUIC_STATUS_CLOSE_NOTIFY            QUIC_STATUS_TLS_ALERT(0)    // Close notify
+#define QUIC_STATUS_BAD_CERTIFICATE         QUIC_STATUS_TLS_ALERT(42)   // Bad Certificate
+#define QUIC_STATUS_EXPIRED_CERTIFICATE     QUIC_STATUS_TLS_ALERT(45)   // Expired Certificate
+
 //
 // Swaps byte orders between host and network endianness.
 //