Skip to content

Fix issue with X509VerificationFlags.AllowUnknownCertificateAuthority behavior #174

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 13, 2018
Merged

Fix issue with X509VerificationFlags.AllowUnknownCertificateAuthority behavior #174

merged 2 commits into from
Jun 13, 2018

Conversation

@davidorbelian
Copy link
Contributor

@davidorbelian davidorbelian commented Jun 12, 2018

Fix this issue with this solution.

How to test:
Replace your certificate-authority-data from kubeconfig with data from another certificate and run.

  • BEFORE:
    The program works despite the non-validity of the certificate because of validation does not fail.
  • AFTER:
    System.Net.Http.HttpRequestException is thrown because of validation fails.

bartonjs
bartonjs reviewed Jun 12, 2018
View reviewed changes
src/KubernetesClient/Kubernetes.ConfigInit.cs Outdated
chain.Build((X509Certificate2) certificate);

var rootCert = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
var isValid = rootCert.RawData.SequenceEqual(caCert.RawData);
Copy link

@bartonjs bartonjs Jun 12, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you want to test for a custom root you'd leave the check as it was, and then add isValid = isValid && rootCert.RawData.SequenceEqual(caCert.RawData);

As it is, this change would start accepting expired and revoked certificates (and possibly certificates where the signatures didn't check out).

Copy link
Contributor Author

@davidorbelian davidorbelian Jun 12, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@davidorbelian
Copy link
Contributor Author

davidorbelian commented Jun 12, 2018

@bartonjs can you please confirm now it is ok?

@bartonjs
Copy link

bartonjs commented Jun 12, 2018

Seems right to me.

@bartonjs
Copy link

bartonjs commented Jun 12, 2018

(Assuming that caCert is the root, and not just an intermediate. Otherwise you need to loop over the rest of the things to see if it was an intermediate)

@davidorbelian
Copy link
Contributor Author

davidorbelian commented Jun 12, 2018

@bartonjs Sure, thank you!
@brendandburns What you think?

@brendandburns
Copy link
Contributor

brendandburns commented Jun 13, 2018

LGTM, thanks. Can you add a unit test that validates this behavior? e.g. fails w/o the fix, passes with the fix?

Thanks!

@davidorbelian
Copy link
Contributor Author

davidorbelian commented Jun 13, 2018

@brendandburns Done!

@brendandburns
Copy link
Contributor

brendandburns commented Jun 13, 2018

LGTM, many thanks!

@brendandburns brendandburns merged commit 6eb5555 into kubernetes-client:master Jun 13, 2018
JonJam pushed a commit to JonJam/csharp that referenced this pull request Sep 8, 2018
@davidorbelian @JonJam
Fix issue with X509VerificationFlags.AllowUnknownCertificateAuthority…
94cf799 
… behavior (kubernetes-client#174)

* Fix issue with X509VerificationFlags.AllowUnknownCertificateAuthority behavior

* Add CertificateValidationTests
@etchang etchang mentioned this pull request Mar 7, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@bartonjs bartonjs bartonjs left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@davidorbelian @bartonjs @brendandburns