Enable HTTP/2 client cert authentication in WinHttpHandler (#33158)

Pre-release WinHTTP's version supports client cert authentication over HTTP/2, but the feature must be explicitly opted-in. PR sets WINHTTP_OPTION_ENABLE_HTTP2_PLUS_CLIENT_CERT to TRUE before invoking WinHttpConnect if the request's protocol is HTTP/2 and scheme is HTTPS.

This PR also enables all HTTP 1.1 tests for WinHttpHandler on .Net Core and Framework and the most of HTTP/2 tests on .Net Core.

Author: alnikola

src/libraries/Common/src/Interop/Windows/WinHttp/Interop.winhttp_types.cs

@@ -149,9 +149,11 @@ internal partial class WinHttp
 
         public const uint WINHTTP_OPTION_ASSURED_NON_BLOCKING_CALLBACKS = 111;
 
+        public const uint WINHTTP_OPTION_ENABLE_HTTP2_PLUS_CLIENT_CERT = 161;
         public const uint WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL = 133;
         public const uint WINHTTP_OPTION_HTTP_PROTOCOL_USED = 134;
         public const uint WINHTTP_PROTOCOL_FLAG_HTTP2 = 0x1;
+        public const uint WINHTTP_HTTP2_PLUS_CLIENT_CERT_FLAG = 0x1;
 
         public const uint WINHTTP_OPTION_UPGRADE_TO_WEB_SOCKET = 114;
         public const uint WINHTTP_OPTION_WEB_SOCKET_CLOSE_TIMEOUT = 115;

src/libraries/Common/tests/System/Net/Http/DefaultCredentialsTest.cs

@@ -335,7 +335,8 @@ private async Task ProcessRequests()
 
                     // Send a response in the JSON format that the client expects
                     string username = context.User.Identity.Name;
-                    await context.Response.OutputStream.WriteAsync(System.Text.Encoding.UTF8.GetBytes($"{{\"authenticated\": \"true\", \"user\": \"{username}\" }}"));
+                    byte[] bytes = System.Text.Encoding.UTF8.GetBytes($"{{\"authenticated\": \"true\", \"user\": \"{username}\" }}");
+                    await context.Response.OutputStream.WriteAsync(bytes);
 
                     context.Response.Close();
                 }

src/libraries/Common/tests/System/Net/Http/GenericLoopbackServer.cs

@@ -86,7 +86,7 @@ public class GenericLoopbackOptions
         public IPAddress Address { get; set; } = IPAddress.Loopback;
         public bool UseSsl { get; set; } = PlatformDetection.SupportsAlpn && !Capability.Http2ForceUnencryptedLoopback();
         public SslProtocols SslProtocols { get; set; } =
-#if !NETSTANDARD2_0
+#if !NETSTANDARD2_0 && !NETFRAMEWORK
                 SslProtocols.Tls13 |
 #endif
                 SslProtocols.Tls12;

src/libraries/Common/tests/System/Net/Http/Http2Frames.cs

@@ -548,10 +548,12 @@ public override void WriteTo(Span<byte> buffer)
             BinaryPrimitives.WriteUInt16BigEndian(buffer, checked((ushort)Origin.Length));
             buffer = buffer.Slice(2);
 
-            Encoding.ASCII.GetBytes(Origin, buffer);
+            var tmpBuffer = Encoding.ASCII.GetBytes(Origin);
+            tmpBuffer.CopyTo(buffer);
             buffer = buffer.Slice(Origin.Length);
 
-            Encoding.ASCII.GetBytes(AltSvc, buffer);
+            tmpBuffer = Encoding.ASCII.GetBytes(AltSvc);
+            tmpBuffer.CopyTo(buffer);
         }
 
         public override string ToString() => $"{base.ToString()}\n{nameof(Origin)}: {Origin}\n{nameof(AltSvc)}: {AltSvc}";

src/libraries/Common/tests/System/Net/Http/Http2LoopbackConnection.cs

@@ -3,8 +3,8 @@
 // See the LICENSE file in the project root for more information.
 
 using System.Collections.Generic;
-using System.Diagnostics;
 using System.IO;
+using System.Linq;
 using System.Net.Http.Functional.Tests;
 using System.Net.Security;
 using System.Net.Sockets;
@@ -28,6 +28,7 @@ public class Http2LoopbackConnection : GenericLoopbackConnection
         private readonly byte[] _prefix;
         public string PrefixString => Encoding.UTF8.GetString(_prefix, 0, _prefix.Length);
         public bool IsInvalid => _connectionSocket == null;
+        public Stream Stream => _connectionStream;
 
         public Http2LoopbackConnection(Socket socket, Http2Options httpOptions)
         {
@@ -40,6 +41,7 @@ public Http2LoopbackConnection(Socket socket, Http2Options httpOptions)
 
                 using (var cert = Configuration.Certificates.GetServerCertificate())
                 {
+#if !NETFRAMEWORK
                     SslServerAuthenticationOptions options = new SslServerAuthenticationOptions();
 
                     options.EnabledSslProtocols = httpOptions.SslProtocols;
@@ -51,9 +53,12 @@ public Http2LoopbackConnection(Socket socket, Http2Options httpOptions)
 
                     options.ServerCertificate = cert;
 
-                    options.ClientCertificateRequired = false;
+                    options.ClientCertificateRequired = httpOptions.ClientCertificateRequired;
 
                     sslStream.AuthenticateAsServerAsync(options, CancellationToken.None).Wait();
+#else
+                    sslStream.AuthenticateAsServerAsync(cert, httpOptions.ClientCertificateRequired, httpOptions.SslProtocols, checkCertificateRevocation: false).Wait();
+#endif
                 }
 
                 _connectionStream = sslStream;
@@ -64,6 +69,10 @@ public Http2LoopbackConnection(Socket socket, Http2Options httpOptions)
             {
                 throw new Exception("Connection stream closed while attempting to read connection preface.");
             }
+            else if (Text.Encoding.ASCII.GetString(_prefix).Contains("HTTP/1.1"))
+            {
+                throw new Exception("HTTP 1.1 request received.");
+            }
         }
 
         public async Task SendConnectionPrefaceAsync()
@@ -331,7 +340,7 @@ private static (int bytesConsumed, string value) DecodeString(ReadOnlySpan<byte>
             }
             else
             {
-                string value = Encoding.ASCII.GetString(headerBlock.Slice(bytesConsumed, stringLength));
+                string value = Encoding.ASCII.GetString(headerBlock.Slice(bytesConsumed, stringLength).ToArray());
                 return (bytesConsumed + stringLength, value);
             }
         }

src/libraries/Common/tests/System/Net/Http/Http2LoopbackServer.cs

@@ -181,9 +181,14 @@ public override async Task AcceptConnectionAsync(Func<GenericLoopbackConnection,
             }
         }
 
-        public static async Task CreateClientAndServerAsync(Func<Uri, Task> clientFunc, Func<Http2LoopbackServer, Task> serverFunc, int timeout = 60_000)
+        public static Task CreateClientAndServerAsync(Func<Uri, Task> clientFunc, Func<Http2LoopbackServer, Task> serverFunc, int timeout = 60_000)
         {
-            using (var server = Http2LoopbackServer.CreateServer())
+            return CreateClientAndServerAsync(clientFunc, serverFunc, null, timeout);
+        }
+
+        public static async Task CreateClientAndServerAsync(Func<Uri, Task> clientFunc, Func<Http2LoopbackServer, Task> serverFunc, Http2Options http2Options, int timeout = 60_000)
+        {
+            using (var server = Http2LoopbackServer.CreateServer(http2Options ?? new Http2Options()))
             {
                 Task clientTask = clientFunc(server.Address);
                 Task serverTask = serverFunc(server);
@@ -197,6 +202,8 @@ public class Http2Options : GenericLoopbackOptions
     {
         public int ListenBacklog { get; set; } = 1;
 
+        public bool ClientCertificateRequired { get; set; }
+
         public Http2Options()
         {
             UseSsl = PlatformDetection.SupportsAlpn && !Capability.Http2ForceUnencryptedLoopback();
@@ -237,7 +244,7 @@ public override async Task CreateServerAsync(Func<GenericLoopbackServer, Uri, Ta
             }
         }
 
-        public override Version Version => HttpVersion.Version20;
+    public override Version Version => HttpVersion20.Value;
     }
 
     public enum ProtocolErrors
@@ -257,4 +264,9 @@ public enum ProtocolErrors
         INADEQUATE_SECURITY = 0xc,
         HTTP_1_1_REQUIRED = 0xd
     }
+
+    public static class HttpVersion20
+    {
+        public static readonly Version Value = new Version(2, 0);
+    }
 }

src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.AcceptAllCerts.cs

@@ -39,8 +39,10 @@ public void SingletonReturnsTrue()
         [InlineData(SslProtocols.Tls, true)]
         [InlineData(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, false)]
         [InlineData(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, true)]
+#if !NETFRAMEWORK
         [InlineData(SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, false)]
         [InlineData(SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, true)]
+#endif
         [InlineData(SslProtocols.None, false)]
         [InlineData(SslProtocols.None, true)]
         public async Task SetDelegate_ConnectionSucceeds(SslProtocols acceptedProtocol, bool requestOnlyThisProtocol)
@@ -64,7 +66,11 @@ public async Task SetDelegate_ConnectionSucceeds(SslProtocols acceptedProtocol,
                     // restrictions on minimum TLS/SSL version
                     // We currently know that some platforms like Debian 10 OpenSSL
                     // will by default block < TLS 1.2
+#if !NETFRAMEWORK
                     handler.SslProtocols = SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
+#else
+                    handler.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
+#endif
                 }
 
                 var options = new LoopbackServer.Options { UseSsl = true, SslProtocols = acceptedProtocol };

src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.Authentication.cs

@@ -602,6 +602,12 @@ public async Task Credentials_ServerUsesWindowsAuthentication_Success(string ser
         [InlineData("Negotiate")]
         public async Task Credentials_ServerChallengesWithWindowsAuth_ClientSendsWindowsAuthHeader(string authScheme)
         {
+#if WINHTTPHANDLER_TEST
+            if (UseVersion > HttpVersion.Version11)
+            {
+                throw new SkipTestException($"Test doesn't support {UseVersion} protocol.");
+            }
+#endif
             await LoopbackServerFactory.CreateClientAndServerAsync(
                 async uri =>
                 {

src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.Cancellation.cs

@@ -28,17 +28,24 @@ public abstract class HttpClientHandler_Cancellation_Test : HttpClientHandlerTes
     {
         public HttpClientHandler_Cancellation_Test(ITestOutputHelper output) : base(output) { }
 
-        [Theory]
+        [ConditionalTheory]
         [InlineData(false, CancellationMode.Token)]
         [InlineData(true, CancellationMode.Token)]
         public async Task PostAsync_CancelDuringRequestContentSend_TaskCanceledQuickly(bool chunkedTransfer, CancellationMode mode)
         {
-            if (LoopbackServerFactory.Version >= HttpVersion.Version20 && chunkedTransfer)
+            if (LoopbackServerFactory.Version >= HttpVersion20.Value && chunkedTransfer)
             {
                 // There is no chunked encoding in HTTP/2 and later
                 return;
             }
 
+#if WINHTTPHANDLER_TEST
+            if (UseVersion >= HttpVersion20.Value)
+            {
+                throw new SkipTestException($"Test doesn't support {UseVersion} protocol.");
+            }
+#endif
+
             var serverRelease = new TaskCompletionSource<bool>();
             await LoopbackServerFactory.CreateClientAndServerAsync(async uri =>
             {
@@ -76,16 +83,23 @@ await LoopbackServerFactory.CreateClientAndServerAsync(async uri =>
             });
         }
 
-        [Theory]
+        [ConditionalTheory]
         [MemberData(nameof(OneBoolAndCancellationMode))]
         public async Task GetAsync_CancelDuringResponseHeadersReceived_TaskCanceledQuickly(bool connectionClose, CancellationMode mode)
         {
-            if (LoopbackServerFactory.Version >= HttpVersion.Version20 && connectionClose)
+            if (LoopbackServerFactory.Version >= HttpVersion20.Value && connectionClose)
             {
                 // There is no Connection header in HTTP/2 and later
                 return;
             }
 
+#if WINHTTPHANDLER_TEST
+            if (UseVersion >= HttpVersion20.Value)
+            {
+                throw new SkipTestException($"Test doesn't support {UseVersion} protocol.");
+            }
+#endif
+
             using (HttpClient client = CreateHttpClient())
             {
                 client.Timeout = Timeout.InfiniteTimeSpan;
@@ -130,7 +144,7 @@ await ValidateClientCancellationAsync(async () =>
         [MemberData(nameof(TwoBoolsAndCancellationMode))]
         public async Task GetAsync_CancelDuringResponseBodyReceived_Buffered_TaskCanceledQuickly(bool chunkedTransfer, bool connectionClose, CancellationMode mode)
         {
-            if (LoopbackServerFactory.Version >= HttpVersion.Version20 && (chunkedTransfer || connectionClose))
+            if (LoopbackServerFactory.Version >= HttpVersion20.Value && (chunkedTransfer || connectionClose))
             {
                 // There is no chunked encoding or connection header in HTTP/2 and later
                 return;
@@ -182,16 +196,23 @@ await ValidateClientCancellationAsync(async () =>
             }
         }
 
-        [Theory]
+        [ConditionalTheory]
         [MemberData(nameof(ThreeBools))]
         public async Task GetAsync_CancelDuringResponseBodyReceived_Unbuffered_TaskCanceledQuickly(bool chunkedTransfer, bool connectionClose, bool readOrCopyToAsync)
         {
-            if (LoopbackServerFactory.Version >= HttpVersion.Version20 && (chunkedTransfer || connectionClose))
+            if (LoopbackServerFactory.Version >= HttpVersion20.Value && (chunkedTransfer || connectionClose))
             {
                 // There is no chunked encoding or connection header in HTTP/2 and later
                 return;
             }
 
+#if WINHTTPHANDLER_TEST
+            if (UseVersion >= HttpVersion20.Value)
+            {
+                throw new SkipTestException($"Test doesn't support {UseVersion} protocol.");
+            }
+#endif
+
             using (HttpClient client = CreateHttpClient())
             {
                 client.Timeout = Timeout.InfiniteTimeSpan;
@@ -237,14 +258,19 @@ await ValidateClientCancellationAsync(async () =>
                 });
             }
         }
-
-        [Theory]
+        [ConditionalTheory]
         [InlineData(CancellationMode.CancelPendingRequests, false)]
         [InlineData(CancellationMode.DisposeHttpClient, false)]
         [InlineData(CancellationMode.CancelPendingRequests, true)]
         [InlineData(CancellationMode.DisposeHttpClient, true)]
         public async Task GetAsync_CancelPendingRequests_DoesntCancelReadAsyncOnResponseStream(CancellationMode mode, bool copyToAsync)
         {
+#if WINHTTPHANDLER_TEST
+            if (UseVersion >= HttpVersion20.Value)
+            {
+                throw new SkipTestException($"Test doesn't support {UseVersion} protocol.");
+            }
+#endif
             using (HttpClient client = CreateHttpClient())
             {
                 client.Timeout = Timeout.InfiniteTimeSpan;
@@ -312,7 +338,7 @@ await LoopbackServerFactory.CreateServerAsync(async (server, url) =>
         [ConditionalFact]
         public async Task MaxConnectionsPerServer_WaitingConnectionsAreCancelable()
         {
-            if (LoopbackServerFactory.Version >= HttpVersion.Version20)
+            if (LoopbackServerFactory.Version >= HttpVersion20.Value)
             {
                 // HTTP/2 does not use connection limits.
                 throw new SkipTestException("Not supported on HTTP/2 and later");
@@ -490,11 +516,18 @@ public static IEnumerable<object[]> PostAsync_Cancel_CancellationTokenPassedToCo
             }
         }
 
+#if !NETFRAMEWORK
         [OuterLoop("Uses Task.Delay")]
-        [Theory]
+        [ConditionalTheory]
         [MemberData(nameof(PostAsync_Cancel_CancellationTokenPassedToContent_MemberData))]
         public async Task PostAsync_Cancel_CancellationTokenPassedToContent(HttpContent content, CancellationTokenSource cancellationTokenSource)
         {
+#if WINHTTPHANDLER_TEST
+            if (UseVersion > HttpVersion.Version11)
+            {
+                throw new SkipTestException($"Test doesn't support {UseVersion} protocol.");
+            }
+#endif
             await LoopbackServerFactory.CreateClientAndServerAsync(
                 async uri =>
                 {
@@ -518,6 +551,7 @@ await LoopbackServerFactory.CreateClientAndServerAsync(
                     catch (Exception) { }
                 });
         }
+#endif
 
         private async Task ValidateClientCancellationAsync(Func<Task> clientBodyAsync)
         {

src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ClientCertificates.cs

@@ -113,7 +113,7 @@ await TestHelper.WhenAllCompletedOrAnyFailed(
                         {
                             _output.WriteLine(
                                 "Client cert: {0}",
-                                ((X509Certificate2)sslStream.RemoteCertificate).GetNameInfo(X509NameType.SimpleName, false));
+                                new X509Certificate2(sslStream.RemoteCertificate.Export(X509ContentType.Cert)).GetNameInfo(X509NameType.SimpleName, false));
                             Assert.Equal(cert, sslStream.RemoteCertificate);
                         }
                         else