CSHARP-1003 Fix support for Astra custom domains in linux environments (#602)

joao-r-reis · web-flow · commit 4a7143bbca90 · 2023-11-27T16:02:05.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # ChangeLog - DataStax C# Driver
 
+## 3.19.5
+
+2023-11-23
+
+### Bug fixes
+
+*   [[CSHARP-1003](https://datastax-oss.atlassian.net/browse/CSHARP-1003)] Fix support for Astra custom domain names in linux environments
+
 ## 3.19.4
 
 2023-11-07
diff --git a/src/Cassandra/Cassandra.csproj b/src/Cassandra/Cassandra.csproj
@@ -4,8 +4,8 @@
     <Copyright>Copyright © by DataStax</Copyright>
     <AssemblyTitle>DataStax C# Driver for Apache Cassandra</AssemblyTitle>
     <AssemblyVersion>3.99.0.0</AssemblyVersion>
-    <FileVersion>3.19.4.0</FileVersion>
-    <VersionPrefix>3.19.4</VersionPrefix>
+    <FileVersion>3.19.5.0</FileVersion>
+    <VersionPrefix>3.19.5</VersionPrefix>
     <Authors>DataStax</Authors>
     <TargetFrameworks Condition="'$(BuildCoreOnly)' != 'True'">net452;netstandard2.0</TargetFrameworks>
     <TargetFramework Condition="'$(BuildCoreOnly)' == 'True'">netstandard2.0</TargetFramework>
diff --git a/src/Cassandra/DataStax/Cloud/CustomCACertificateValidator.cs b/src/Cassandra/DataStax/Cloud/CustomCACertificateValidator.cs
@@ -20,7 +20,6 @@
 using System.Net.Security;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
-using System.Text.RegularExpressions;
 
 namespace Cassandra.DataStax.Cloud
 {
@@ -32,9 +31,52 @@ internal class CustomCaCertificateValidator : ICertificateValidator
         private const string SubjectAlternateNameOid = "2.5.29.17"; // Oid for the SAN extension
 
         private static readonly Logger Logger = new Logger(typeof(CustomCaCertificateValidator));
+
+        private static readonly string SanPlatformId;
+        private static readonly string SanSeparator;
+
         private readonly X509Certificate2 _trustedRootCertificateAuthority;
         private readonly string _hostname;
 
+        static CustomCaCertificateValidator()
+        {
+            // use a well known example SAN extension to extract the platform identifier (since it is affected by platform and locale/culture)
+
+            const string wellKnownSanExtension = @"MBuCC2V4YW1wbGUuY29tggxmYWtlLXN1YmplY3Q=";
+            const string firstWellKnownDomainName = "example.com";
+            const string secondWellKnownDomainName = "fake-subject";
+
+            var formattedExtString = new X509Extension(SubjectAlternateNameOid, Convert.FromBase64String(wellKnownSanExtension), true).Format(false);
+
+            // Windows identifier is affected by locale/culture
+            // Example well known SAN extension has the following format:
+            // Windows: "DNS Name=example.com, DNS Name=fake-subject"
+            // Linux: "DNS:example.com, DNS:fake-subject"
+            //
+            // Parse it as the following:
+            // <platform-id><domain-name><separator><platform-id><domain-name>
+            // e.g. for Windows with EN culture:
+            //      platform-id -> "DNS Name="
+            //      first-domain-name -> "example.com"
+            //      second-domain-name -> "fake-subject"
+            //      separator   -> ", "
+
+            // "example.com"
+            var firstDomainNameIndex = formattedExtString.IndexOf(firstWellKnownDomainName, StringComparison.Ordinal);
+
+            // "fake-subject"
+            var secondDomainNameIndex = formattedExtString.IndexOf(secondWellKnownDomainName, StringComparison.Ordinal);
+
+            // "DNS Name="
+            SanPlatformId = formattedExtString.Substring(0, firstDomainNameIndex);
+
+            // ", "
+            var separatorIndex = firstDomainNameIndex + firstWellKnownDomainName.Length;
+            var lengthUntilSeparator = firstDomainNameIndex + firstWellKnownDomainName.Length;
+            var separatorLength = secondDomainNameIndex - SanPlatformId.Length - lengthUntilSeparator;
+            SanSeparator = formattedExtString.Substring(separatorIndex, separatorLength);
+        }
+
         public CustomCaCertificateValidator(X509Certificate2 trustedRootCertificateAuthority, string hostname)
         {
             _trustedRootCertificateAuthority =
@@ -168,32 +210,23 @@ private bool ValidateName(string name)
             return false;
         }
 
+        /// <summary>
+        /// Check the static constructor inline comments for an explanation about this
+        /// </summary>
         private IEnumerable<string> GetSubjectAlternativeNames(X509Certificate2 cert)
         {
-            var result = new List<string>();
-
-            var subjectAlternativeName = cert.Extensions.Cast<X509Extension>()
-                .Where(n => n.Oid.Value == SubjectAlternateNameOid)
-                .Select(n => new AsnEncodedData(n.Oid, n.RawData))
-                .Select(n => n.Format(true))
-                .FirstOrDefault();
+            var sanStrings = cert.Extensions
+                .Cast<X509Extension>()
+                .Where(ext => ext.Oid.Value == SubjectAlternateNameOid)
+                .Select(ext => new AsnEncodedData(ext.Oid, ext.RawData).Format(false)).ToList();
 
-            if (subjectAlternativeName != null)
-            {
-                var alternativeNames = subjectAlternativeName.Split(new[] { "\r\n", "\r", "\n" }, StringSplitOptions.None);
+            var splitSanStrings = sanStrings.SelectMany(s => s.Split(new[] { SanSeparator }, StringSplitOptions.RemoveEmptyEntries));
 
-                foreach (var alternativeName in alternativeNames)
-                {
-                    var groups = Regex.Match(alternativeName, @"^(.*)=(.*)").Groups; // @"^DNS Name=(.*)").Groups;
-
-                    if (groups.Count > 0 && !string.IsNullOrEmpty(groups[2].Value))
-                    {
-                        result.Add(groups[2].Value);
-                    }
-                }
-            }
+            // remove the platform identifier (i.e. "DNS Name=") from the strings to get the domain names
+            return splitSanStrings
+                .Where(s => s.StartsWith(SanPlatformId) && s.Length > SanPlatformId.Length)
+                .Select(s => s.Substring(SanPlatformId.Length));
 
-            return result;
         }
 
         private void GetOrCreateCert2(ref X509Certificate2 cert2, X509Certificate cert)
diff --git a/src/Extensions/Cassandra.AppMetrics/Cassandra.AppMetrics.csproj b/src/Extensions/Cassandra.AppMetrics/Cassandra.AppMetrics.csproj
@@ -4,8 +4,8 @@
     <Description>This package builds on the DataStax Enterprise C# driver and DataStax C# Driver for Apache Cassandra, adding a metrics provider implementation using App Metrics.</Description>
     <Copyright>Copyright © by DataStax</Copyright>
     <AssemblyVersion>3.99.0.0</AssemblyVersion>
-    <FileVersion>3.19.4.0</FileVersion>
-    <VersionPrefix>3.19.4</VersionPrefix>
+    <FileVersion>3.19.5.0</FileVersion>
+    <VersionPrefix>3.19.5</VersionPrefix>
     <Authors>DataStax</Authors>
     <TargetFrameworks Condition="'$(BuildCoreOnly)' != 'True'">netstandard2.0;net461</TargetFrameworks>
     <TargetFrameworks Condition="'$(BuildCoreOnly)' == 'True'">netstandard2.0</TargetFrameworks>
