Exact subject match for CertificateLoader (dotnet#34582)

vstr · halter73 · web-flow · commit 52bf9e55ba6d · 2021-07-22T22:04:25.000Z
* Enable exact subject match for LoadFromStoreCert

* Usings revert/format

* Added tests to cover other usecases

* Commenting out added tests

security: SecKeychainItemImport: User interaction is not allowed.

* Performance improvements changes

* Take the first certificate as in original implementation for substring

* Reverting tests, using null-coalescing assignment operator

* LoadFromStoreCert remarks added

* Update src/Servers/Kestrel/Core/src/CertificateLoader.cs

Co-authored-by: Stephen Halter &lt;halter73@gmail.com&gt;
diff --git a/src/Servers/Kestrel/Core/src/CertificateLoader.cs b/src/Servers/Kestrel/Core/src/CertificateLoader.cs
@@ -20,6 +20,10 @@ public static class CertificateLoader
         /// <summary>
         /// Loads a certificate from the certificate store.
         /// </summary>
+        /// <remarks>
+        /// Exact subject match is loaded if present, otherwise best matching certificate with the subject name that contains supplied subject.
+        /// Subject comparison is case-insensitive.
+        /// </remarks>
         /// <param name="subject">The certificate subject.</param>
         /// <param name="storeName">The certificate store name.</param>
         /// <param name="storeLocation">The certificate store location.</param>
@@ -36,13 +40,21 @@ public static X509Certificate2 LoadFromStoreCert(string subject, string storeNam
                 {
                     store.Open(OpenFlags.ReadOnly);
                     storeCertificates = store.Certificates;
-                    var foundCertificates = storeCertificates.Find(X509FindType.FindBySubjectName, subject, !allowInvalid);
-                    foundCertificate = foundCertificates
+                    foreach (var certificate in storeCertificates.Find(X509FindType.FindBySubjectName, subject, !allowInvalid)
                         .OfType<X509Certificate2>()
                         .Where(IsCertificateAllowedForServerAuth)
                         .Where(DoesCertificateHaveAnAccessiblePrivateKey)
-                        .OrderByDescending(certificate => certificate.NotAfter)
-                        .FirstOrDefault();
+                        .OrderByDescending(certificate => certificate.NotAfter))
+                    {
+                        // Pick the first one if there's no exact match as a fallback to substring default.
+                        foundCertificate ??= certificate;
+
+                        if (certificate.GetNameInfo(X509NameType.SimpleName, true).Equals(subject, StringComparison.InvariantCultureIgnoreCase))
+                        {
+                            foundCertificate = certificate;
+                            break;
+                        }
+                    }
 
                     if (foundCertificate == null)
                     {
