SSL_CERT_DIR should support multiple paths

[tmds]

I'm looking into an issue where .NET fails to trust an HTTPS certificate in a Kubernetes cluster.

The root cause is the environment mounts additional certificates and sets SSL_CERT_DIR to a colon separated list of paths, while .NET expects it to contain only a single path.

OpenSSL documents it to be a list of paths. From X509_get_default_cert_dir_env:

The X509_get_default_cert_dir() function returns a default delimeter-separated list of paths to a directories containing trusted CA certificates named in the hashed format.

Go also had this problem: golang/go#35325.

cc @bartonjs @vcsjones

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

I'm looking into an issue where .NET fails to trust an HTTPS certificate in a Kubernetes cluster.

The root cause is the environment mounts additional certificates and sets SSL_CERT_DIR to a colon separated list of paths, while .NET expects it to contain only a single path.

OpenSSL documents it to be a list of paths. From X509_get_default_cert_dir_env:

The X509_get_default_cert_dir() function returns a default delimeter-separated list of paths to a directories containing trusted CA certificates named in the hashed format.

Go also had this problem: golang/go#35325.

cc @bartonjs @vcsjones

Author:	tmds
Assignees:	-
Labels:	area-System.Security, untriaged
Milestone:	-

[adamsitnik]

@bartonjs @vcsjones it sounds very reasonable to me, I've moved it to 9.0

[vcsjones]

Simple enough. I'll address this soon. I agree that multiple, delimited directories is the expected behavior.

[tmds]

@vcsjones If you can pick this up, that is great. Otherwise, I can look into myself.

[vcsjones]

This is somewhat complicated by the fact that we assume this environment variable is a single directory:

runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509_root.c

Lines 9 to 15 in e1dba07

	const char* CryptoNative_GetX509RootStorePath(uint8_t* defaultPath)
	{
	assert(defaultPath != NULL);
	// No error queue impact.
	const char* dir = getenv(X509_get_default_cert_dir_env());

We basically equate this to "the machine store" for X509Store.

We go out of our way to treat this as a single directory throughout .NET:

• runtime/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.Crypto.cs

  Line 71 in e1dba07

  internal static unsafe string? GetX509RootStorePath(out bool defaultPath)

• runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslCachedSystemStoreProvider.cs

  Lines 305 to 313 in e1dba07

  	string? rootDirectory = Interop.Crypto.GetX509RootStorePath(out s_defaultRootDir);
  	if (!string.IsNullOrEmpty(rootDirectory))
  	{
  	try
  	{
  	return new DirectoryInfo(rootDirectory);
  	}
  	catch (ArgumentException)

This isn't quite as simple as the Golang fix which basically just did strings.Split(path, ":").

We're fortunate enough that we treat the LocalMachine stores in Unix as read-only, so we don't have to make a decision about how we write to the store.

It will take a little more effort to fix this, we just now need to start thinking of the machine store as "directories" instead of "a directory". I'll still take a stab at fixing this, just noting that it isn't a one-liner like the Go fix.

[tmds]

@vcsjones I'd like to have the feature so I can try some things on Kubernetes. Do you have time to work on this on the short term? Otherwise, I can work on it next week.