Skip to content

Update certificate validation to use custom trust store for .NET 5.0+ #1653

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Aug 27, 2025
+66 −6
Merged

Update certificate validation to use custom trust store for .NET 5.0+ #1653

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
65d84f0
Update certificate validation to use custom trust store for .NET 5.0 …
tg123 Aug 26, 2025
33b5ef2
Update src/KubernetesClient/Kubernetes.ConfigInit.cs
brendandburns Aug 27, 2025
3739514
Update apiserver-pfx-data.txt with new certificate data
tg123 Aug 27, 2025
27a95f0
Merge branch 'net8ca' of https://github.com/tg123/csharp into net8ca
tg123 Aug 27, 2025
f21f787
Update tests/KubernetesClient.Tests/CertificateValidationTests.cs
tg123 Aug 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 7 additions & 5 deletions src/KubernetesClient/Kubernetes.ConfigInit.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -213,12 +213,14 @@
{
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

// Added our trusted certificates to the chain
//
chain.ChainPolicy.ExtraStore.AddRange(caCerts);

chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
#if NET5_0_OR_GREATER
// Use custom trust store only, ignore system root CA
chain.ChainPolicy.CustomTrustStore.AddRange(caCerts);
chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
#else
throw new NotSupportedException("Custom trust store is not supported on this platform.");
#endif
var isValid = chain.Build((X509Certificate2)certificate);

Check warning on line 223 in src/KubernetesClient/Kubernetes.ConfigInit.cs

View workflow job for this annotation

GitHub Actions / Analyze (csharp) 

Unreachable code detected

Check warning on line 223 in src/KubernetesClient/Kubernetes.ConfigInit.cs

View workflow job for this annotation

GitHub Actions / Analyze (csharp) 

Unreachable code detected

var isTrusted = false;

Expand Down
57 changes: 57 additions & 0 deletions tests/KubernetesClient.Tests/CertificateValidationTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
using System;
using System.Security.Cryptography;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Xunit;
Expand All @@ -6,11 +8,66 @@
{
public class CertificateValidationTests
{
[Fact]
public void ShouldRejectCertFromDifferentCA()
{
// Load our "trusted" Kubernetes CA
var trustedCaCert = CertUtils.LoadPemFileCert("assets/ca.crt");

// Generate a completely different CA and server cert in memory
var differentCA = CreateSelfSignedCA("CN=Different CA");
var untrustedServerCert = CreateServerCert(differentCA, "CN=fake-server.com");

var chain = new X509Chain();

// Pre-populate the chain like SSL validation would do
// This will likely succeed because we allow unknown CAs in the validation
chain.Build(untrustedServerCert);

var errors = SslPolicyErrors.RemoteCertificateChainErrors;

var result = Kubernetes.CertificateValidationCallBack(this, trustedCaCert, untrustedServerCert, chain, errors);

// This SHOULD be false because the server cert wasn't signed by our trusted CA
// But the current K8s validation logic might incorrectly return true
Assert.False(result, "Should reject certificates not signed by trusted CA");

// Cleanup
differentCA.Dispose();
untrustedServerCert.Dispose();
}

// Helper methods to create test certificates
private static X509Certificate2 CreateSelfSignedCA(string subject)
{
using (var rsa = RSA.Create(2048))
{
var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));

return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(365));
}
}

private static X509Certificate2 CreateServerCert(X509Certificate2 issuerCA, string subject)
{
using (var rsa = RSA.Create(2048))
{
var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, true));

return req.Create(issuerCA, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(90), new byte[] { 1, 2, 3, 4 });
Copy link
Preview

Copilot AI Aug 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The serial number byte array { 1, 2, 3, 4 } is a magic value. Consider defining it as a named constant or generating a proper serial number to make the test more maintainable.

Copilot uses AI. Check for mistakes.

}
}

[Fact]
public void ValidCert()
{
var caCert = CertUtils.LoadPemFileCert("assets/ca.crt");
var testCert = new X509Certificate2("assets/ca.crt");

Check warning on line 70 in tests/KubernetesClient.Tests/CertificateValidationTests.cs

View workflow job for this annotation

GitHub Actions / Analyze (csharp) 

'X509Certificate2.X509Certificate2(string)' is obsolete: 'Loading certificate data through the constructor or Import is obsolete. Use X509CertificateLoader instead to load certificates.' (https://aka.ms/dotnet-warnings/SYSLIB0057)
var chain = new X509Chain();
var errors = SslPolicyErrors.RemoteCertificateChainErrors;

Expand All @@ -23,7 +80,7 @@
public void InvalidCert()
{
var caCert = CertUtils.LoadPemFileCert("assets/ca.crt");
var testCert = new X509Certificate2("assets/ca2.crt");

Check warning on line 83 in tests/KubernetesClient.Tests/CertificateValidationTests.cs

View workflow job for this annotation

GitHub Actions / Analyze (csharp) 

'X509Certificate2.X509Certificate2(string)' is obsolete: 'Loading certificate data through the constructor or Import is obsolete. Use X509CertificateLoader instead to load certificates.' (https://aka.ms/dotnet-warnings/SYSLIB0057)
var chain = new X509Chain();
var errors = SslPolicyErrors.RemoteCertificateChainErrors;

Expand Down Expand Up @@ -52,7 +109,7 @@
public void InvalidBundleCert()
{
var caCert = CertUtils.LoadPemFileCert("assets/ca-bundle.crt");
var testCert = new X509Certificate2("assets/ca2.crt");

Check warning on line 112 in tests/KubernetesClient.Tests/CertificateValidationTests.cs

View workflow job for this annotation

GitHub Actions / Analyze (csharp) 

'X509Certificate2.X509Certificate2(string)' is obsolete: 'Loading certificate data through the constructor or Import is obsolete. Use X509CertificateLoader instead to load certificates.' (https://aka.ms/dotnet-warnings/SYSLIB0057)
var chain = new X509Chain();
var errors = SslPolicyErrors.RemoteCertificateChainErrors;

Expand Down
Loading