From 330e665f6ba72ae8937dd724d3908bf084fd6dee Mon Sep 17 00:00:00 2001
From: Joseph Doherty
Date: Mon, 1 Jun 2026 07:27:15 -0400
Subject: [PATCH] fix(gateway): correct ECDSA key usage and dispose CertificateRequest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Drop KeyEncipherment from the self-signed cert's key-usage extension — it is semantically wrong for ECDSA (RSA key-transport only); DigitalSignature alone is correct for TLS 1.3 / ECDHE server certs. CertificateRequest is unchanged (not IDisposable in .NET 10). Test now also asserts MachineName, 127.0.0.1 and IPv6 loopback are present in the SAN extension.
---
 .../Security/Tls/SelfSignedCertificateProvider.cs | 2 +-
 .../Security/Tls/SelfSignedCertificateProviderTests.cs | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs b/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs
index 1816d5b..271ab55 100644
--- a/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs
+++ b/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs
@@ -39,7 +39,7 @@ public sealed class SelfSignedCertificateProvider
 request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
 request.CertificateExtensions.Add(new X509KeyUsageExtension(
- X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment,
+ X509KeyUsageFlags.DigitalSignature,
 critical: true));
 request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
 [new Oid(ServerAuthOid, "Server Authentication")],
diff --git a/src/ZB.MOM.WW.MxGateway.Tests/Security/Tls/SelfSignedCertificateProviderTests.cs b/src/ZB.MOM.WW.MxGateway.Tests/Security/Tls/SelfSignedCertificateProviderTests.cs
index e376118..986bffb 100644
--- a/src/ZB.MOM.WW.MxGateway.Tests/Security/Tls/SelfSignedCertificateProviderTests.cs
+++ b/src/ZB.MOM.WW.MxGateway.Tests/Security/Tls/SelfSignedCertificateProviderTests.cs
@@ -27,6 +27,12 @@ public sealed class SelfSignedCertificateProviderTests
 string sans = ReadSubjectAltNames(cert);
 Assert.Contains("localhost", sans);
 Assert.Contains("gw.internal", sans);
+ Assert.Contains(Environment.MachineName, sans);
+ // Format() renders IP SANs as "IP Address:"; the IPv6 loopback may appear
+ // as "::1" or its expanded form depending on the platform crypto library.
+ Assert.Contains("127.0.0.1", sans);
+ Assert.True(sans.Contains("::1") || sans.Contains("0:0:0:0:0:0:0:1"),
+ $"Expected IPv6 loopback in SANs but got: {sans}");
 X509EnhancedKeyUsageExtension eku = cert.Extensions.OfType().Single();
 Assert.Contains(eku.EnhancedKeyUsages.Cast(),
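Review bot: The SAN assertions added in this hunk are substring matches on the formatted extension text, so they can pass without the intended entry being present: `Assert.Contains("127.0.0.1", sans)` also matches `127.0.0.10`, `sans.Contains("::1")` matches any address that ends in `::1`, and the `Environment.MachineName` check passes vacuously when the host name happens to be a substring of `localhost` or `gw.internal`. Since the commit targets .NET 10, comparing typed values from the `X509SubjectAlternativeNameExtension` in `cert.Extensions` would avoid both the false positives and the platform-dependent formatting the comment describes, for example `Assert.Contains(IPAddress.IPv6Loopback, san.EnumerateIPAddresses());` and the same for `IPAddress.Loopback`. The hunk also shows no assertion on the key-usage flags this commit changes; if none exists outside it, `Assert.Equal(X509KeyUsageFlags.DigitalSignature, cert.Extensions.OfType<X509KeyUsageExtension>().Single().KeyUsages);` would keep KeyEncipherment from being reintroduced unnoticed. The test method starts and ends outside the hunk, so existing coverage there is not visible.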