Add an exception for certs known not to work.

brendandburns · brendandburns · commit 8d1781e32b8f · 2019-11-08T16:45:05.000-08:00
diff --git a/src/KubernetesClient/CertUtils.cs b/src/KubernetesClient/CertUtils.cs
@@ -74,7 +74,13 @@ public static X509Certificate2 GeneratePfx(KubernetesClientConfiguration config)
             }
 
             var cert = new X509CertificateParser().ReadCertificate(new MemoryStream(certData));
-
+            // key usage is a bit string, zero-th bit is 'digitalSignature'
+            // See https://www.alvestrand.no/objectid/2.5.29.15.html for more details.
+            if (!cert.GetKeyUsage()[0]) {
+                throw new Exception(
+                    "Client certificates must be marked for digital signing. " +
+                    "See https://github.com/kubernetes-client/csharp/issues/319");
+            }
             object obj;
             using (var reader = new StreamReader(new MemoryStream(keyData)))
             {

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,13 @@ public static X509Certificate2 GeneratePfx(KubernetesClientConfiguration config)`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	`var cert = new X509CertificateParser().ReadCertificate(new MemoryStream(certData));`
`77`		`-`
	`77`	`+ // key usage is a bit string, zero-th bit is 'digitalSignature'`
	`78`	`+ // See https://www.alvestrand.no/objectid/2.5.29.15.html for more details.`
	`79`	`+ if (!cert.GetKeyUsage()[0]) {`
	`80`	`+ throw new Exception(`
	`81`	`+ "Client certificates must be marked for digital signing. " +`
	`82`	`+ "See https://github.com/kubernetes-client/csharp/issues/319");`
	`83`	`+ }`
`78`	`84`	`object obj;`
`79`	`85`	`using (var reader = new StreamReader(new MemoryStream(keyData)))`
`80`	`86`	`{`