Certificate thumbprints should not be case-sensitive

OctopusDeploy / Halibut

| Public | A secure communication stack for .NET using JSON-RPC over SSL.

Other

12 stars 44 forks source link

Certificate thumbprints should not be case-sensitive #605

Closed khellang closed 4 months ago

khellang commented 4 months ago

Team

[X] I've assigned a team label to this issue

What happened?

Providing a thumbprint with different casing on the client and server-side gives the following exception:

The server at https://localhost:8080/ presented an unexpected security certificate. We expected the server to present a certificate with the thumbprint 'a7b12a038945afdee39661bcf59cf1600c811122'. Instead, it presented a certificate with a thumbprint of 'A7B12A038945AFDEE39661BCF59CF1600C811122' and subject ''.

As you can see, the thumbprint is correct, but differs in casing. It expected lowercase, but got uppercase. Certificate thumbprints are a hex-string representation of SHA-based hashes and shouldn't be treated as equal whether they are upper- or lower case.

Reproduction

Provide a thumbprint with different casing on the client and server-side.

Workaround

Aligning the thumbprints with the same case fixes the problem.

LukeButters commented 4 months ago

Hi thanks for raising an issue :D.

It looks like thumbprints are always upper case hex:

net48 it generates a thumbprint in GetCertHashString 4.8 which calls EncodeHexString which looks to return upper case.
net6 looks to also return upper case (switch branches to net6)

The comparison here is between what it received over the stream (which in the error message is upper case) and what was set on the ServiceEndpoint (which in the error message is lower case). A fix could be to always upper case the thumbprint given to the ServiceEndpoint. If that isn't suitable let us know :)

khellang commented 4 months ago

A fix could be to always upper case the thumbprint given to the ServiceEndpoint. If that isn't suitable let us know :)

I guess it's suitable and it would effectively make it case-insensitive, but why bother when you can avoid the allocation?

Thumbprints are hexadecimal representations of the SHA1 (or sometimes SHA256) digest bytes of a certificate. Hexadecimal bytes are case-insensitive (i.e. 2A and 2a both represent the decimal value 42) and there are lots of ways to obtain the thumbprint of a certificate. Here's a screenshot from certmgr in Windows, showing the thumbprint as lowercase:

Anyway, it's not a blocker as its easy to work around, but it would be nice if it just worked out of the box, whether that is by doing case-insensitive comparisons or calling ToUpper on both ends. 😀