Fix issue with X509VerificationFlags.AllowUnknownCertificateAuthority behavior #174

Merged
merged 2 commits into from
Jun 13, 2018

Conversation

davidorbelian
Contributor

Fix this issue with this solution.

How to test:
Replace your certificate-authority-data from kubeconfig with data from another certificate and run.

  • BEFORE:
    The program works despite the non-validity of the certificate because validation does not fail.
  • AFTER:
    System.Net.Http.HttpRequestException is thrown because validation fails.

chain.Build((X509Certificate2) certificate);

var rootCert = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
var isValid = rootCert.RawData.SequenceEqual(caCert.RawData);

If you want to test for a custom root you'd leave the check as it was, and then add isValid = isValid && rootCert.RawData.SequenceEqual(caCert.RawData);

As it is, this change would start accepting expired and revoked certificates (and possibly certificates where the signatures didn't check out).

Thank you!

@davidorbelian
Contributor Author

@bartonjs can you please confirm now it is ok?

@bartonjs

Seems right to me.

@bartonjs

(Assuming that caCert is the root, and not just an intermediate. Otherwise you need to loop over the rest of the things to see if it was an intermediate)
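The two review points above (keep the chain-status check and AND it with the trust-anchor comparison; accept the kubeconfig CA whether it is the root or an intermediate) as one worked validator. This is an added example, not code from kubernetes-client/csharp; the class name KubeCertValidation, the method IsValidForCustomCa and the out parameter reason are assumptions made for the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example, not the kubernetes-client/csharp implementation. Names are
// assumptions for illustration.
public static class KubeCertValidation
{
    // Statuses that AllowUnknownCertificateAuthority exists to tolerate: the
    // chain ends at (or stops short of) an anchor the OS store does not trust.
    // Every other status (NotTimeValid, NotSignatureValid, Revoked, ...) is
    // still a failure, which is what the original replacement check lost.
    private static readonly X509ChainStatusFlags Tolerated =
        X509ChainStatusFlags.UntrustedRoot | X509ChainStatusFlags.PartialChain;

    // Returns true only if the chain builds with no status outside the
    // tolerated set AND the kubeconfig CA is one of the chain elements.
    public static bool IsValidForCustomCa(
        X509Certificate2 serverCert, X509Certificate2 caCert, out string reason)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.VerificationFlags =
                X509VerificationFlags.AllowUnknownCertificateAuthority;
            // Make the kubeconfig CA available to the chain builder so the
            // chain can reach it even though it is not in the system store.
            chain.ChainPolicy.ExtraStore.Add(caCert);
            // RevocationMode is left at its default here; a private CA with no
            // CRL/OCSP endpoint needs that decided deliberately per deployment.

            // 1. Build() is false for any problem the verification flags do
            //    not cover. This is the check the PR's first version dropped.
            bool isValid = chain.Build(serverCert);

            // 2. Be explicit as well: reject on any status outside the
            //    tolerated set, so expired/revoked/bad-signature chains fail.
            string[] offending = chain.ChainStatus
                .Where(s => s.Status != X509ChainStatusFlags.NoError
                         && (s.Status & ~Tolerated) != 0)
                .Select(s => s.Status.ToString())
                .ToArray();
            isValid = isValid && offending.Length == 0;

            // 3. Pin the trust anchor: the kubeconfig CA must appear somewhere
            //    in the built chain (root or intermediate), compared by raw
            //    DER bytes rather than by subject name.
            bool caInChain = chain.ChainElements
                .Cast<X509ChainElement>()
                .Any(e => e.Certificate.RawData.SequenceEqual(caCert.RawData));
            isValid = isValid && caInChain;

            if (isValid)
                reason = "chain valid and anchored at the kubeconfig CA";
            else if (offending.Length > 0)
                reason = "chain status: " + string.Join(", ", offending);
            else
                reason = "kubeconfig CA not present in the built chain";
            return isValid;
        }
    }
}
```

Wired into HttpClientHandler.ServerCertificateCustomValidationCallback, a false return makes the request fail with the HttpRequestException the PR description expects, and the reason string gives the operator something to log that distinguishes "wrong CA" from "expired or revoked certificate".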

@davidorbelian
Contributor Author

@bartonjs Sure, thank you!
@brendandburns What do you think?

@brendandburns
Contributor

LGTM, thanks. Can you add a unit test that validates this behavior? e.g. fails w/o the fix, passes with the fix?

Thanks!

@davidorbelian
Contributor Author

@brendandburns Done!

@brendandburns
Contributor

LGTM, many thanks!

@brendandburns brendandburns merged commit 6eb5555 into kubernetes-client:master Jun 13, 2018
JonJam pushed a commit to JonJam/csharp that referenced this pull request Sep 8, 2018
… behavior (kubernetes-client#174)

* Fix issue with X509VerificationFlags.AllowUnknownCertificateAuthority behavior

* Add CertificateValidationTests
3 participants