[HTTPS] Adds PEM support for Kestrel

[javiercn]

• Allows loading protected and unprotected PEM key files combined with a DER (crt) certificate

Open questions.

• Is there a better way to detect the key type other than probing?
• ECDsa support.

Addresses #4706

[blowdart]

How long will ECC support take to add?

[davidfowl]

I'd like to discuss this a bit before merging @javiercn to make sure it aligns with the other features we're doing here.

[javiercn]

How long will ECC support take to add?

Like 30 minutes? I forgot to add them in the first place

[blowdart]

Hehe. OK if this gets updated for ECC then I'm good with it, once Jeremy's concerns are addressed

[javiercn]

• Removed the probing in favor of using the OIDs in the public key of the cert to figure out the private key type.
• Added suppport for PEM cert + PEM Key
• Check the certificate file to determine content type instead of invoking the X509Certificate2 constructor on random data.

[javiercn]

🆙📅

The only thing left is to determine is if we need to handle more OIDs to support the current keys.

[javiercn]

I'd like to discuss this a bit before merging @javiercn to make sure it aligns with the other features we're doing here.

We've discussed this offline, I've capture the feedback here. I think we are still missing some update on the runtime before we can load certificate collection/chains, but that should build on top of this PR.

Once we have an updated BCL with these APIs we can complete the work described in #23623
https://github.com/dotnet/runtime/blob/master/src/libraries/System.Security.Cryptography.X509Certificates/src/System/Security/Cryptography/X509Certificates/X509Certificate2Collection.cs#L339

I think this is ready to go % build passes

/cc: @davidfowl

Changes were made, discussions were had

[davidfowl]

@javiercn a couple follow up items:

• Certificate disposal (I see there’s an issue)
• Documentation
• Do we need a public API somewhere that can loads the pem cert and any key in the BCL?

[javiercn]

• Do we need a public API somewhere that can loads the pem cert and any key in the BCL?

There's LoadFromPemFile on che BCL, which is waht you would use.

[davidfowl]

Why don’t we use it?

[javiercn]

Why don’t we use it?

Cause the API is PEM + PEM and I wanted to also support loading the cert in DER format, so we load the CERT (PEM or DER) and then we load the key separately and marry it to the cert.

• Documentation

dotnet/AspNetCore.Docs#19113

• Certificate disposal (I see there’s an issue)

I would say if it is safe to double dispose certificates we just dispose all certificates on shutdown, otherwise we just dispose the ones loaded from config.

[davidfowl]

Cause the API is PEM + PEM and I wanted to also support loading the cert in DER format, so we load the CERT (PEM or DER) and then we load the key separately and marry it to the cert.

Right, should we have an API for this? Or is it too niche?

[javiercn]

Right, should we have an API for this? Or is it too niche?

I'm not sure how niche it is, PEM+PEM is likely way more popular, but I want to support if for convenience, so you don't have to use a tool to change the cert format. Some of the dev-servers that I used support this and it is convenient not to require a tool to change the format.

For example, you can use our dev cert with the angular dev server proxy by passing the cert in DER format and the key in PEM format, which is what we plan to do.

[bartonjs]

I would say if it is safe to double dispose certificates we just dispose all certificates on shutdown

Yep, certificate disposal is well-behaved.

[halter73]

This could throw if the cert is missing, not just because the key was missing or invalid right? This exception message implies the key must be the problem?

And why do we use the exact same exception and log message any time the key is missing or invalid? It would be a lot better to log exactly why the key is invalid and to be very clear when the key is actually missing vs being invalid in both the exception and log messages.