Halibut
Certificate thumbprints should not be case-sensitive
Team
- [X] I've assigned a team label to this issue
What happened?
Providing a thumbprint with different casing on the client and server-side gives the following exception:
The server at https://localhost:8080/ presented an unexpected security certificate. We expected the server to present a certificate with the thumbprint 'a7b12a038945afdee39661bcf59cf1600c811122'. Instead, it presented a certificate with a thumbprint of 'A7B12A038945AFDEE39661BCF59CF1600C811122' and subject ''.
As you can see, the thumbprint is correct, but differs in casing. It expected lowercase, but got uppercase. Certificate thumbprints are a hex-string representation of SHA-based hashes and shouldn't be treated as equal whether they are upper- or lower case.
Reproduction
Provide a thumbprint with different casing on the client and server-side.
Workaround
Aligning the thumbprints with the same case fixes the problem.
Hi thanks for raising an issue :D.
It looks like thumbprints are always upper case hex:
- On net48 it generates the thumbprint in GetCertHashString (4.8), which calls EncodeHexString, which looks to return upper case.
- net6 looks to also return upper case (switch branches to net6)
The comparison here is between what it received over the stream (which in the error message is upper case) and what was set on the ServiceEndpoint (which in the error message is lower case). A fix could be to always upper case the thumbprint given to the ServiceEndpoint. If that isn't suitable let us know :)
I guess it's suitable and it would effectively make it case-insensitive, but why bother when you can avoid the allocation?
Thumbprints are hexadecimal representations of the SHA1 (or sometimes SHA256) digest bytes of a certificate. Hexadecimal bytes are case-insensitive (i.e. `2A` and `2a` both represent the decimal value `42`) and there are lots of ways to obtain the thumbprint of a certificate. Here's a screenshot from certmgr in Windows, showing the thumbprint as lowercase:
Anyway, it's not a blocker as it's easy to work around, but it would be nice if it just worked out of the box, whether that is by doing case-insensitive comparisons or calling `ToUpper` on both ends. 😀
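As an added illustration (not Halibut's own code): a small C# helper that normalises a thumbprint once, the way this thread suggests, and then compares the canonical forms. The class and method names and the separator handling are assumptions; only the two thumbprint values are taken from the error message above.

```csharp
using System;
using System.Linq;

public static class ThumbprintComparer
{
    // Canonical form: upper-case hex with no separators. Tools differ in what they
    // hand you: certmgr shows lower case with spaces, .NET returns upper case without.
    public static string Normalize(string thumbprint)
    {
        if (thumbprint == null) throw new ArgumentNullException(nameof(thumbprint));

        // Strip spaces, colons and the invisible left-to-right mark that often
        // precedes a thumbprint copied out of the Windows certificate UI.
        var hex = new string(thumbprint
            .Where(c => c != ' ' && c != ':' && c != '\u200E')
            .ToArray())
            .ToUpperInvariant();

        // 40 hex digits = SHA-1 (what X509Certificate2.Thumbprint gives), 64 = SHA-256.
        if ((hex.Length != 40 && hex.Length != 64) || !hex.All(Uri.IsHexDigit))
            throw new FormatException($"'{thumbprint}' is not a SHA-1 or SHA-256 certificate thumbprint.");

        return hex;
    }

    // Normalise the configured value once (e.g. when the ServiceEndpoint is built),
    // then an ordinal compare is enough and no ToUpper is needed per connection.
    public static bool AreEqual(string expected, string presented) =>
        string.Equals(Normalize(expected), Normalize(presented), StringComparison.Ordinal);

    public static void Main()
    {
        // Values from the exception in the issue: same digest, different casing.
        const string configured = "a7b12a038945afdee39661bcf59cf1600c811122";
        const string presented  = "A7B12A038945AFDEE39661BCF59CF1600C811122";

        Console.WriteLine(AreEqual(configured, presented));
        // Same thumbprint as certmgr would display it (constructed input).
        Console.WriteLine(AreEqual("a7 b1 2a 03 89 45 af de e3 96 61 bc f5 9c f1 60 0c 81 11 22", presented));
        // A truncated or non-hex value is rejected rather than silently compared.
        try { AreEqual("a7b12a", presented); } catch (FormatException e) { Console.WriteLine(e.Message); }
    }
}
```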