Use correct certs, add test for ClientCertificateContext

lukebakken · lukebakken · commit 92ea99b1d18d · 2025-11-05T11:45:11.000-08:00
diff --git a/.ci/certs/intermediate_ca_certificate.pem b/.ci/certs/intermediate_ca_certificate.pem
@@ -0,0 +1,20 @@
+﻿-----BEGIN CERTIFICATE-----
+MIIDWTCCAkGgAwIBAgIBATANBgkqhkiG9w0BAQsFADBLMTowOAYDVQQDDDFUTFNH
+ZW5TZWxmU2lnbmVkUm9vdENBIDIwMjUtMTEtMDVUMTE6MDk6MDEuNzUwMzk0MQ0w
+CwYDVQQHDAQkJCQkMB4XDTI1MTEwNTE5MDkwMloXDTM1MTEwMzE5MDkwMlowMDES
+MBAGA1UEAwwJbG9jYWxob3N0MRowGAYDVQQKDBFJbnRlcm1lZGlhdGUgQ0EgMTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGTs4Ko9Oki5JxasnIgb8wK
+GLm+dIj1ZChIrh1TOu0avkWBHobj7xP7TXN3Vq/R1sIkTud/CU2KFklc8TZGEvhN
+Gw93W6pHoxMrb8QA6X+ZDO86V0jJInuY0JLUqvFDxteOdm3ZjCXyQ4IpIukfa64f
+gYgrrw8V/OYY7LVEpmYZBVTWQgfs60zXWQGH6mWMveyhyz0cn0s16vVFkGph+WP8
+/hn62vV1RWPfC4t5z3wBdFswHk4qI510Mf0T15uHHeXYi76iSy7gXJKNtFzlS/1r
+CrXQlt7UbvyF7pKKLKpx4jFKaF/SRQcfAEq+pVxWDPE/YYcQJxqb5RwXvGz6wF0C
+AwEAAaNjMGEwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAQYwHQYDVR0O
+BBYEFK9IWEFnYGJeyCQd177yQJAAzqKXMB8GA1UdIwQYMBaAFLZFdCoYSf57KzPs
+DaRWoM/JCmiWMA0GCSqGSIb3DQEBCwUAA4IBAQCbrk/bLbm+2I0wsFDDmXW6MyAJ
+8h4yp0JYOcas+rDqQCVKyprHn1ARbWqtKJYxKseV5583y/vHB9lG8wuoMqWlfUAS
+aG7v+sw4f35Qf9fl1YboSPYEHuW7ZB481ffj0NBlhKKLkNj7K/uQTgzd67dXcH1W
+jmvKXfpISLAvLzh0645JCDYR+yzGrQJ7K7qR0qEia9dGb1f7reaevi8S9dg6YqXs
+eFOm0F9c3I3D2yNVy8vrAi/4Qmczs1GC9/9zXKhYjRKDKeRTpe1bSY9jstlgwYbS
+oNA029JJBBhz0eX26frVt0YBxm8qPJKrmjcsG/ICCsBsfcm17qZoRWiEr3DN
+-----END CERTIFICATE-----
diff --git a/projects/Test/Common/SslEnv.cs b/projects/Test/Common/SslEnv.cs
@@ -37,7 +37,9 @@ namespace Test
     public class SslEnv
     {
         private readonly string _certPassphrase;
-        private readonly string _certPath;
+        private readonly string _certDirectPath;
+        private readonly string _certIntermediatePath;
+        private readonly string _certIntermediateCaPath;
         private const string _hostname = "localhost";
         private readonly string _sslDir;
         private readonly bool _isSslConfigured;
@@ -52,13 +54,25 @@ public SslEnv()
 
             if (_isSslConfigured)
             {
-                _certPath = Path.Combine(_sslDir, $"client.p12");
+                _certDirectPath = Path.Combine(_sslDir, $"client_direct.p12");
+                _certIntermediatePath = Path.Combine(_sslDir, $"client_certificate.p12");
+                _certIntermediateCaPath = Path.Combine(_sslDir, $"intermediate_ca_certificate.pem");
             }
         }
 
-        public string CertPath
+        public string CertDirectPath
         {
-            get { return _certPath; }
+            get { return _certDirectPath; }
+        }
+
+        public string CertIntermediatePath
+        {
+            get { return _certIntermediatePath; }
+        }
+
+        public string CertIntermediateCaPath
+        {
+            get { return _certIntermediateCaPath; }
         }
 
         public string CertPassphrase
diff --git a/projects/Test/Integration/TestSsl.cs b/projects/Test/Integration/TestSsl.cs
@@ -32,6 +32,7 @@
 using System.IO;
 using System.Net.Security;
 using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 using RabbitMQ.Client;
 using Xunit;
@@ -42,13 +43,11 @@ namespace Test.Integration
     public class TestSsl : IntegrationFixture
     {
         private readonly SslEnv _sslEnv;
-        private readonly string _certPath;
 
         public TestSsl(ITestOutputHelper output) : base(output)
         {
             _sslEnv = new SslEnv();
-            _certPath = _sslEnv.CertPath;
-            Assert.True(File.Exists(_certPath));
+            Assert.True(File.Exists(_sslEnv.CertDirectPath));
         }
 
         public override Task InitializeAsync()
@@ -67,7 +66,8 @@ public async Task TestServerVerifiedIgnoringNameMismatch()
             ConnectionFactory cf = CreateConnectionFactory();
             cf.Port = 5671;
             cf.Ssl.ServerName = "*";
-            cf.Ssl.CertPath = _certPath;
+            cf.Ssl.CertPath = _sslEnv.CertDirectPath;
+            cf.Ssl.CertPassphrase = _sslEnv.CertPassphrase;
             cf.Ssl.AcceptablePolicyErrors = SslPolicyErrors.RemoteCertificateNameMismatch;
             cf.Ssl.Enabled = true;
 
@@ -82,7 +82,8 @@ public async Task TestServerVerified()
             ConnectionFactory cf = CreateConnectionFactory();
             cf.Port = 5671;
             cf.Ssl.ServerName = _sslEnv.Hostname;
-            cf.Ssl.CertPath = _certPath;
+            cf.Ssl.CertPath = _sslEnv.CertDirectPath;
+            cf.Ssl.CertPassphrase = _sslEnv.CertPassphrase;
             cf.Ssl.Enabled = true;
 
             await SendReceiveAsync(cf);
@@ -96,7 +97,7 @@ public async Task TestClientAndServerVerified()
             ConnectionFactory cf = CreateConnectionFactory();
             cf.Port = 5671;
             cf.Ssl.ServerName = _sslEnv.Hostname;
-            cf.Ssl.CertPath = _certPath;
+            cf.Ssl.CertPath = _sslEnv.CertDirectPath;
             cf.Ssl.CertPassphrase = _sslEnv.CertPassphrase;
             cf.Ssl.Enabled = true;
 
@@ -112,7 +113,8 @@ public async Task TestWithClientCertificate()
             cf.Port = 5671;
             cf.Ssl = new SslOption()
             {
-                CertPath = _certPath,
+                CertPath = _sslEnv.CertDirectPath,
+                CertPassphrase = _sslEnv.CertPassphrase,
                 Enabled = true,
                 ServerName = _sslEnv.Hostname,
                 Version = SslProtocols.None,
@@ -124,6 +126,31 @@ public async Task TestWithClientCertificate()
             await SendReceiveAsync(cf);
         }
 
+#if NET
+        [SkippableFact]
+        public async Task TestWithClientCertificateSignedByIntermediate()
+        {
+            Skip.IfNot(_sslEnv.IsSslConfigured, "SSL_CERTS_DIR and/or PASSWORD are not configured, skipping test");
+
+            Assert.True(File.Exists(_sslEnv.CertIntermediatePath));
+
+            X509Certificate2 clientCertificate = new(_sslEnv.CertIntermediatePath, _sslEnv.CertPassphrase);
+            X509Certificate2 intermediateCaCertificate = new(_sslEnv.CertIntermediateCaPath);
+            X509Certificate2Collection intermediateCertificates = new(intermediateCaCertificate);
+
+            ConnectionFactory cf = CreateConnectionFactory();
+            cf.Port = 5671;
+            cf.Ssl.Enabled = true;
+            cf.Ssl.ClientCertificateContext = SslStreamCertificateContext.Create(clientCertificate, intermediateCertificates);
+            cf.Ssl.ServerName = _sslEnv.Hostname;
+            cf.Ssl.AcceptablePolicyErrors =
+                SslPolicyErrors.RemoteCertificateNotAvailable |
+                SslPolicyErrors.RemoteCertificateNameMismatch;
+
+            await SendReceiveAsync(cf);
+        }
+#endif
+
         private async Task SendReceiveAsync(ConnectionFactory connectionFactory)
         {
             await using IConnection conn = await CreateConnectionAsyncWithRetries(connectionFactory);
diff --git a/projects/Test/SequentialIntegration/TestHeartbeats.cs b/projects/Test/SequentialIntegration/TestHeartbeats.cs
@@ -85,7 +85,7 @@ public async Task TestThatHeartbeatWriterWithTLSEnabledAsync()
             cf.AutomaticRecoveryEnabled = false;
 
             cf.Ssl.ServerName = sslEnv.Hostname;
-            cf.Ssl.CertPath = sslEnv.CertPath;
+            cf.Ssl.CertPath = sslEnv.CertDirectPath;
             cf.Ssl.CertPassphrase = sslEnv.CertPassphrase;
             cf.Ssl.Enabled = true;
 
