Support more certificate loading scenarios (#69).

Author: Cesar Blum Silveira

MetaPackages.sln

@@ -40,11 +40,6 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "StartRequestDelegateUrlApp"
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "CreateDefaultBuilderApp", "test\TestSites\CreateDefaultBuilderApp\CreateDefaultBuilderApp.csproj", "{79CF58CE-B020-45D8-BDB5-2D8036BEAD14}"
 EndProject
-Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "TestArtifacts", "TestArtifacts", "{9BBA7A0A-109A-4AC8-B6EF-A52EA7CF1D90}"
-	ProjectSection(SolutionItems) = preProject
-		test\TestArtifacts\testCert.pfx = test\TestArtifacts\testCert.pfx
-	EndProjectSection
-EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "dotnet-archive", "src\dotnet-archive\dotnet-archive.csproj", "{AE4216BF-D471-471B-82F3-6B6D004F7D17}"
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DotNet.Archive", "src\Microsoft.DotNet.Archive\Microsoft.DotNet.Archive.csproj", "{302400A0-98BB-4C04-88D4-C32DC2D4B945}"
@@ -115,7 +110,6 @@ Global
 		{3A85FA52-F601-422E-A42E-9F187DB28492} = {EC22261D-0DE1-47DE-8F7C-072675D6F5B4}
 		{401C741B-6C7C-4E08-9F09-C3D43D22C0DE} = {EC22261D-0DE1-47DE-8F7C-072675D6F5B4}
 		{79CF58CE-B020-45D8-BDB5-2D8036BEAD14} = {EC22261D-0DE1-47DE-8F7C-072675D6F5B4}
-		{9BBA7A0A-109A-4AC8-B6EF-A52EA7CF1D90} = {9E49B5B9-9E72-42FB-B684-90CA1B1BCF9C}
 		{AE4216BF-D471-471B-82F3-6B6D004F7D17} = {ED834E68-51C3-4ADE-ACC8-6BA6D4207C09}
 		{302400A0-98BB-4C04-88D4-C32DC2D4B945} = {ED834E68-51C3-4ADE-ACC8-6BA6D4207C09}
 	EndGlobalSection

src/Microsoft.AspNetCore/CertificateLoader.cs

@@ -12,23 +12,90 @@ namespace Microsoft.AspNetCore
     /// <summary>
     /// A helper class to load certificates from files and certificate stores based on <seealso cref="IConfiguration"/> data.
     /// </summary>
-    public static class CertificateLoader
+    public class CertificateLoader
     {
+        private readonly IConfiguration _certificatesConfiguration;
+
+        /// <summary>
+        /// Creates a new instance of <see cref="KestrelServerOptionsSetup"/>.
+        /// </summary>
+        public CertificateLoader()
+        {
+        }
+
+        /// <summary>
+        /// Creates a new instance of <see cref="KestrelServerOptionsSetup"/> that can load certificates by name.
+        /// </summary>
+        /// <param name="certificatesConfig">An <see cref="IConfiguration"/> instance with information about certificates.</param>
+        public CertificateLoader(IConfiguration certificatesConfig)
+        {
+            _certificatesConfiguration = certificatesConfig;
+        }
+
+        /// <summary>
+        /// Loads one or more certificates based on the information found in a configuration section.
+        /// </summary>
+        /// <param name="certificateConfiguration">A configuration section containing either a string value referencing certificates
+        /// by name, or one or more inline certificate specifications.
+        /// </param>
+        /// <returns>One or more loaded certificates.</returns>
+        public IEnumerable<X509Certificate2> Load(IConfigurationSection certificateConfiguration)
+        {
+            var certificateNames = certificateConfiguration.Value;
+
+            List<X509Certificate2> certificates = new List<X509Certificate2>();
+
+            if (certificateNames != null)
+            {
+                foreach (var certificateName in certificateNames.Split(' '))
+                {
+                    certificates.Add(Load(certificateName));
+                }
+            }
+            else
+            {
+                if (certificateConfiguration["Source"] != null)
+                {
+                    certificates.Add(LoadSingle(certificateConfiguration));
+                }
+                else
+                {
+                    certificates.AddRange(LoadMultiple(certificateConfiguration));
+                }
+            }
+
+            return certificates;
+        }
+
         /// <summary>
-        /// Loads one or more certificates from a single source.
+        /// Loads a certificate by name.
         /// </summary>
-        /// <param name="certificateConfiguration">An <seealso cref="IConfiguration"/> with information about a certificate source.</param>
-        /// <param name="password">The certificate password, in case it's being loaded from a file.</param>
-        /// <returns>The loaded certificates.</returns>
-        public static X509Certificate2 Load(IConfiguration certificateConfiguration, string password)
+        /// <param name="certificateName">The certificate name.</param>
+        /// <returns>The loaded certificate</returns>
+        /// <remarks>This method only works if the <see cref="CertificateLoader"/> instance was constructed with
+        /// a reference to an <see cref="IConfiguration"/> instance containing named certificates.
+        /// </remarks>
+        public X509Certificate2 Load(string certificateName)
         {
-            var sourceKind = certificateConfiguration.GetValue<string>("Source");
+            var certificateConfiguration = _certificatesConfiguration?.GetSection(certificateName);
+
+            if (certificateConfiguration == null)
+            {
+                throw new InvalidOperationException($"No certificate named {certificateName} found in configuration");
+            }
+
+            return LoadSingle(certificateConfiguration);
+        }
+
+        private X509Certificate2 LoadSingle(IConfigurationSection certificateConfiguration)
+        {
+            var sourceKind = certificateConfiguration["Source"];
 
             CertificateSource certificateSource;
             switch (sourceKind.ToLowerInvariant())
             {
                 case "file":
-                    certificateSource = new CertificateFileSource(password);
+                    certificateSource = new CertificateFileSource();
                     break;
                 case "store":
                     certificateSource = new CertificateStoreSource();
@@ -38,23 +105,12 @@ public static X509Certificate2 Load(IConfiguration certificateConfiguration, str
             }
 
             certificateConfiguration.Bind(certificateSource);
+
             return certificateSource.Load();
         }
 
-        /// <summary>
-        /// Loads all certificates specified in an <seealso cref="IConfiguration"/>.
-        /// </summary>
-        /// <param name="configurationRoot">The root <seealso cref="IConfiguration"/>.</param>
-        /// <returns>
-        /// A dictionary mapping certificate names to loaded certificates.
-        /// </returns>
-        public static Dictionary<string, X509Certificate2> LoadAll(IConfiguration configurationRoot)
-        {
-            return configurationRoot.GetSection("Certificates").GetChildren()
-                .ToDictionary(
-                    certificateSource => certificateSource.Key,
-                    certificateSource => Load(certificateSource, certificateSource["Password"]));
-        }
+        private IEnumerable<X509Certificate2> LoadMultiple(IConfigurationSection certificatesConfiguration)
+            => certificatesConfiguration.GetChildren().Select(LoadSingle);
 
         private abstract class CertificateSource
         {
@@ -65,15 +121,10 @@ private abstract class CertificateSource
 
         private class CertificateFileSource : CertificateSource
         {
-            private readonly string _password;
-
-            public CertificateFileSource(string password)
-            {
-                _password = password;
-            }
-
             public string Path { get; set; }
 
+            public string Password { get; set; }
+
             public override X509Certificate2 Load()
             {
                 var certificate = TryLoad(X509KeyStorageFlags.DefaultKeySet, out var error)
@@ -95,7 +146,7 @@ private X509Certificate2 TryLoad(X509KeyStorageFlags flags, out Exception except
             {
                 try
                 {
-                    var loadedCertificate = new X509Certificate2(Path, _password, flags);
+                    var loadedCertificate = new X509Certificate2(Path, Password, flags);
                     exception = null;
                     return loadedCertificate;
                 }

src/Microsoft.AspNetCore/KestrelServerOptionsSetup.cs

@@ -2,100 +2,71 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
-using System.Collections.Generic;
 using System.Linq;
 using System.Net;
-using System.Security.Cryptography.X509Certificates;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
-using Microsoft.AspNetCore.Server.Kestrel.Https;
 using Microsoft.Extensions.Configuration;
-using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
 
 namespace Microsoft.AspNetCore
 {
-    /// <summary>
-    /// Binds Kestrel configuration.
-    /// </summary>
-    public class KestrelServerOptionsSetup : IConfigureOptions<KestrelServerOptions>
+    internal class KestrelServerOptionsSetup : IConfigureOptions<KestrelServerOptions>
     {
         private readonly IConfiguration _configurationRoot;
 
-        /// <summary>
-        /// Creates a new instance of <see cref="KestrelServerOptionsSetup"/>.
-        /// </summary>
-        /// <param name="configurationRoot">The root <seealso cref="IConfiguration"/>.</param>
         public KestrelServerOptionsSetup(IConfiguration configurationRoot)
         {
             _configurationRoot = configurationRoot;
         }
 
-        /// <summary>
-        /// Configures a <seealso cref="KestrelServerOptions"/> instance.
-        /// </summary>
-        /// <param name="options">The <seealso cref="KestrelServerOptions"/> to configure.</param>
         public void Configure(KestrelServerOptions options)
         {
             BindConfiguration(options);
         }
 
         private void BindConfiguration(KestrelServerOptions options)
         {
-            var certificates = CertificateLoader.LoadAll(_configurationRoot);
-            var endPoints = _configurationRoot.GetSection("Kestrel:EndPoints");
+            var certificateLoader = new CertificateLoader(_configurationRoot.GetSection("Certificates"));
 
-            foreach (var endPoint in endPoints.GetChildren())
+            foreach (var endPoint in _configurationRoot.GetSection("Kestrel:EndPoints").GetChildren())
             {
-                BindEndPoint(options, endPoint, certificates);
+                BindEndPoint(options, endPoint, certificateLoader);
             }
         }
 
         private void BindEndPoint(
             KestrelServerOptions options,
             IConfigurationSection endPoint,
-            Dictionary<string, X509Certificate2> certificates)
+            CertificateLoader certificateLoader)
         {
-            var addressValue = endPoint.GetValue<string>("Address");
-            var portValue = endPoint.GetValue<string>("Port");
+            var configAddress = endPoint.GetValue<string>("Address");
+            var configPort = endPoint.GetValue<string>("Port");
 
-            IPAddress address;
-            if (!IPAddress.TryParse(addressValue, out address))
+            if (!IPAddress.TryParse(configAddress, out var address))
             {
-                throw new InvalidOperationException($"Invalid IP address: {addressValue}");
+                throw new InvalidOperationException($"Invalid IP address in configuration: {configAddress}");
             }
 
-            int port;
-            if (!int.TryParse(portValue, out port))
+            if (!int.TryParse(configPort, out var port))
             {
-                throw new InvalidOperationException($"Invalid port: {portValue}");
+                throw new InvalidOperationException($"Invalid port in configuration: {configPort}");
             }
 
             options.Listen(address, port, listenOptions =>
             {
-                var certificateName = endPoint.GetValue<string>("Certificate");
+                var certificateConfig = endPoint.GetSection("Certificate");
 
-                X509Certificate2 endPointCertificate = null;
-                if (certificateName != null)
+                if (certificateConfig.Exists())
                 {
-                    if (!certificates.TryGetValue(certificateName, out endPointCertificate))
-                    {
-                        throw new InvalidOperationException($"No certificate named {certificateName} found in configuration");
-                    }
-                }
-                else
-                {
-                    var certificate = endPoint.GetSection("Certificate");
+                    var certificate = certificateLoader.Load(certificateConfig).FirstOrDefault();
 
-                    if (certificate.GetChildren().Any())
+                    if (certificate == null)
                     {
-                        endPointCertificate = CertificateLoader.Load(certificate, certificate["Password"]);
+                        throw new InvalidOperationException($"Unable to load certificate for endpoint '{endPoint.Key}'");
                     }
-                }
 
-                if (endPointCertificate != null)
-                {
-                    listenOptions.UseHttps(endPointCertificate);
+                    listenOptions.UseHttps(certificate);
                 }
             });
         }