csharp/src/KubernetesClient/CertUtils.cs

using k8s.Exceptions;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

namespace k8s
{
    public static class CertUtils
    {
        /// <summary>
        /// Load pem encoded cert file
        /// </summary>
        /// <param name="file">Path to pem encoded cert file</param>
        /// <returns>List of x509 instances.</returns>
        public static X509Certificate2Collection LoadPemFileCert(string file)
        {
            var certCollection = new X509Certificate2Collection();
            using (var stream = FileUtils.FileSystem().File.OpenRead(file))
            {
                var certs = new X509CertificateParser().ReadCertificates(stream);

                // Convert BouncyCastle X509Certificates to the .NET cryptography implementation and add
                // it to the certificate collection
                //
                foreach (Org.BouncyCastle.X509.X509Certificate cert in certs)
                {
                    certCollection.Add(new X509Certificate2(cert.GetEncoded()));
                }
            }

            return certCollection;
        }

        /// <summary>
        /// Generates pfx from client configuration
        /// </summary>
        /// <param name="config">Kubernetes Client Configuration</param>
        /// <returns>Generated Pfx Path</returns>
        public static X509Certificate2 GeneratePfx(KubernetesClientConfiguration config)
        {
            if (config == null)
            {
                throw new ArgumentNullException(nameof(config));
            }

            byte[] keyData = null;
            byte[] certData = null;

            if (!string.IsNullOrWhiteSpace(config.ClientCertificateKeyData))
            {
                keyData = Convert.FromBase64String(config.ClientCertificateKeyData);
            }

            if (!string.IsNullOrWhiteSpace(config.ClientKeyFilePath))
            {
                keyData = File.ReadAllBytes(config.ClientKeyFilePath);
            }

            if (keyData == null)
            {
                throw new KubeConfigException("keyData is empty");
            }

            if (!string.IsNullOrWhiteSpace(config.ClientCertificateData))
            {
                certData = Convert.FromBase64String(config.ClientCertificateData);
            }

            if (!string.IsNullOrWhiteSpace(config.ClientCertificateFilePath))
            {
                certData = File.ReadAllBytes(config.ClientCertificateFilePath);
            }

            if (certData == null)
            {
                throw new KubeConfigException("certData is empty");
            }

            var cert = new X509CertificateParser().ReadCertificate(new MemoryStream(certData));
            // key usage is a bit string, zero-th bit is 'digitalSignature'
            // See https://www.alvestrand.no/objectid/2.5.29.15.html for more details.
            if (cert != null && cert.GetKeyUsage() != null && !cert.GetKeyUsage()[0])
            {
                throw new Exception(
                    "Client certificates must be marked for digital signing. " +
                    "See https://github.com/kubernetes-client/csharp/issues/319");
            }

            object obj;
            using (var reader = new StreamReader(new MemoryStream(keyData)))
            {
                obj = new PemReader(reader).ReadObject();
                var key = obj as AsymmetricCipherKeyPair;
                if (key != null)
                {
                    var cipherKey = key;
                    obj = cipherKey.Private;
                }
            }

            var keyParams = (AsymmetricKeyParameter)obj;

            var store = new Pkcs12StoreBuilder().Build();
            store.SetKeyEntry("K8SKEY", new AsymmetricKeyEntry(keyParams), new[] { new X509CertificateEntry(cert) });

            using (var pkcs = new MemoryStream())
            {
                store.Save(pkcs, new char[0], new SecureRandom());

                if (config.ClientCertificateKeyStoreFlags.HasValue)
                {
                    return new X509Certificate2(pkcs.ToArray(), "", config.ClientCertificateKeyStoreFlags.Value);
                }
                else
                {
                    return new X509Certificate2(pkcs.ToArray());
                }
            }
        }

        /// <summary>
        /// Retrieves Client Certificate PFX from configuration
        /// </summary>
        /// <param name="config">Kubernetes Client Configuration</param>
        /// <returns>Client certificate PFX</returns>
        public static X509Certificate2 GetClientCert(KubernetesClientConfiguration config)
        {
            if (config == null)
            {
                throw new ArgumentNullException(nameof(config));
            }

            if ((!string.IsNullOrWhiteSpace(config.ClientCertificateData) ||
                 !string.IsNullOrWhiteSpace(config.ClientCertificateFilePath)) &&
                (!string.IsNullOrWhiteSpace(config.ClientCertificateKeyData) ||
                 !string.IsNullOrWhiteSpace(config.ClientKeyFilePath)))
            {
                return GeneratePfx(config);
            }

            return null;
        }
    }
}
add net standard way to create cert with key 2017-10-13 03:06:35 +08:00			`using k8s.Exceptions;`
			`using Org.BouncyCastle.Crypto;`
			`using Org.BouncyCastle.OpenSsl;`
			`using Org.BouncyCastle.Pkcs;`
			`using Org.BouncyCastle.Security;`
			`using Org.BouncyCastle.X509;`
Add bundle certificate support (#253) * initial * add some comments * cleanup * var * Use X509Certificate2cCollection * add missing asset files * address comments 2019-03-11 06:39:28 -07:00			`using System;`
			`using System.IO;`
			`using System.Security.Cryptography.X509Certificates;`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00
add net standard way to create cert with key 2017-10-13 03:06:35 +08:00			`namespace k8s`
			`{`
cleanup unused code and functions and fix unittest naming style 2017-11-08 14:22:10 +08:00			`public static class CertUtils`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00			`{`
			`/// <summary>`
introduce go client style config creating functions 2017-10-11 21:27:22 +08:00			`/// Load pem encoded cert file`
			`/// </summary>`
			`/// <param name="file">Path to pem encoded cert file</param>`
Add bundle certificate support (#253) * initial * add some comments * cleanup * var * Use X509Certificate2cCollection * add missing asset files * address comments 2019-03-11 06:39:28 -07:00			`/// <returns>List of x509 instances.</returns>`
			`public static X509Certificate2Collection LoadPemFileCert(string file)`
introduce go client style config creating functions 2017-10-11 21:27:22 +08:00			`{`
Add bundle certificate support (#253) * initial * add some comments * cleanup * var * Use X509Certificate2cCollection * add missing asset files * address comments 2019-03-11 06:39:28 -07:00			`var certCollection = new X509Certificate2Collection();`
Add support for loading namespaces from pod configuration. (#640) 2021-06-14 16:22:08 -07:00			`using (var stream = FileUtils.FileSystem().File.OpenRead(file))`
pretend to support chain (#245) 2019-02-15 11:57:24 -08:00			`{`
Add support for loading namespaces from pod configuration. (#640) 2021-06-14 16:22:08 -07:00			`var certs = new X509CertificateParser().ReadCertificates(stream);`

			`// Convert BouncyCastle X509Certificates to the .NET cryptography implementation and add`
			`// it to the certificate collection`
			`//`
			`foreach (Org.BouncyCastle.X509.X509Certificate cert in certs)`
			`{`
			`certCollection.Add(new X509Certificate2(cert.GetEncoded()));`
			`}`
pretend to support chain (#245) 2019-02-15 11:57:24 -08:00			`}`
Add bundle certificate support (#253) * initial * add some comments * cleanup * var * Use X509Certificate2cCollection * add missing asset files * address comments 2019-03-11 06:39:28 -07:00
			`return certCollection;`
introduce go client style config creating functions 2017-10-11 21:27:22 +08:00			`}`

			`/// <summary>`
			`/// Generates pfx from client configuration`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00			`/// </summary>`
fix misspelling of Kubernetes (#99) 2018-03-12 17:55:21 -04:00			`/// <param name="config">Kubernetes Client Configuration</param>`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00			`/// <returns>Generated Pfx Path</returns>`
Add tests. 2017-09-27 21:51:00 -07:00			`public static X509Certificate2 GeneratePfx(KubernetesClientConfiguration config)`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00			`{`
Style fix final (#523) * all net5 * var * SA1310 * SA1310 * allow 1031 * SA1805 * fix SA1642 * remove unused code * allow sa1405 * isempty * fix CA1714 * fix CA1806 * remove always false if * fix format * fix CA1062 * allow SA0001 * fix CA1062 * allow ca1034 and temp allow ca1835 * fix 16XX doc related warnings * elm SA16XX * elm SA16XX * fix CA2213 * revert to pass all test * move unclear rule to ruleset * follow up of moving ruleset * remove this * fix test flaky 2020-11-22 14:52:09 -08:00			`if (config == null)`
			`{`
			`throw new ArgumentNullException(nameof(config));`
			`}`

add net standard way to create cert with key 2017-10-13 03:06:35 +08:00			`byte[] keyData = null;`
			`byte[] certData = null;`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00
rename client cert params to a better name 2017-10-13 01:53:25 +08:00			`if (!string.IsNullOrWhiteSpace(config.ClientCertificateKeyData))`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00			`{`
rename client cert params to a better name 2017-10-13 01:53:25 +08:00			`keyData = Convert.FromBase64String(config.ClientCertificateKeyData);`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00			`}`
stylecop fix followup, enforce SA1503 (#432) * enforce SA1503 * fix spacing * fix SA1413 * fix spacing * fix SA1013 2020-04-23 11:40:06 -07:00
rename client cert params to a better name 2017-10-13 01:53:25 +08:00			`if (!string.IsNullOrWhiteSpace(config.ClientKeyFilePath))`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00			`{`
rename client cert params to a better name 2017-10-13 01:53:25 +08:00			`keyData = File.ReadAllBytes(config.ClientKeyFilePath);`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00			`}`

add net standard way to create cert with key 2017-10-13 03:06:35 +08:00			`if (keyData == null)`
			`{`
Fix incorrect exception message in CertUtils (#172) 2018-06-12 00:09:51 +04:00			`throw new KubeConfigException("keyData is empty");`
add net standard way to create cert with key 2017-10-13 03:06:35 +08:00			`}`

Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00			`if (!string.IsNullOrWhiteSpace(config.ClientCertificateData))`
			`{`
			`certData = Convert.FromBase64String(config.ClientCertificateData);`
			`}`
stylecop fix followup, enforce SA1503 (#432) * enforce SA1503 * fix spacing * fix SA1413 * fix spacing * fix SA1013 2020-04-23 11:40:06 -07:00
rename client cert params to a better name 2017-10-13 01:53:25 +08:00			`if (!string.IsNullOrWhiteSpace(config.ClientCertificateFilePath))`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00			`{`
rename client cert params to a better name 2017-10-13 01:53:25 +08:00			`certData = File.ReadAllBytes(config.ClientCertificateFilePath);`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00			`}`

add net standard way to create cert with key 2017-10-13 03:06:35 +08:00			`if (certData == null)`
			`{`
			`throw new KubeConfigException("certData is empty");`
			`}`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00
add net standard way to create cert with key 2017-10-13 03:06:35 +08:00			`var cert = new X509CertificateParser().ReadCertificate(new MemoryStream(certData));`
Add an exception for certs known not to work. (#322) 2019-11-21 20:29:28 -08:00			`// key usage is a bit string, zero-th bit is 'digitalSignature'`
			`// See https://www.alvestrand.no/objectid/2.5.29.15.html for more details.`
Add in formatting pre-check. (#431) 2020-04-22 12:15:45 -07:00			`if (cert != null && cert.GetKeyUsage() != null && !cert.GetKeyUsage()[0])`
			`{`
Add an exception for certs known not to work. (#322) 2019-11-21 20:29:28 -08:00			`throw new Exception(`
			`"Client certificates must be marked for digital signing. " +`
			`"See https://github.com/kubernetes-client/csharp/issues/319");`
			`}`
stylecop fix followup, enforce SA1503 (#432) * enforce SA1503 * fix spacing * fix SA1413 * fix spacing * fix SA1013 2020-04-23 11:40:06 -07:00
add net standard way to create cert with key 2017-10-13 03:06:35 +08:00			`object obj;`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00			`using (var reader = new StreamReader(new MemoryStream(keyData)))`
			`{`
add net standard way to create cert with key 2017-10-13 03:06:35 +08:00			`obj = new PemReader(reader).ReadObject();`
			`var key = obj as AsymmetricCipherKeyPair;`
			`if (key != null)`
			`{`
			`var cipherKey = key;`
Add tests. 2017-09-27 21:51:00 -07:00			`obj = cipherKey.Private;`
			`}`
add net standard way to create cert with key 2017-10-13 03:06:35 +08:00			`}`

Add in formatting pre-check. (#431) 2020-04-22 12:15:45 -07:00			`var keyParams = (AsymmetricKeyParameter)obj;`
add net standard way to create cert with key 2017-10-13 03:06:35 +08:00
			`var store = new Pkcs12StoreBuilder().Build();`
Add in formatting pre-check. (#431) 2020-04-22 12:15:45 -07:00			`store.SetKeyEntry("K8SKEY", new AsymmetricKeyEntry(keyParams), new[] { new X509CertificateEntry(cert) });`
add net standard way to create cert with key 2017-10-13 03:06:35 +08:00
			`using (var pkcs = new MemoryStream())`
			`{`
fix load error on linux 2017-10-13 03:34:24 +08:00			`store.Save(pkcs, new char[0], new SecureRandom());`
Introducing KubernetesClientConfiguration.ClientCertificateKeyStoreFl… (#237) * Introducing KubernetesClientConfiguration.ClientCertificateKeyStoreFlags to specify how private key is imported * Type-o 2019-02-07 07:58:08 +01:00
			`if (config.ClientCertificateKeyStoreFlags.HasValue)`
			`{`
			`return new X509Certificate2(pkcs.ToArray(), "", config.ClientCertificateKeyStoreFlags.Value);`
			`}`
			`else`
			`{`
			`return new X509Certificate2(pkcs.ToArray());`
			`}`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00			`}`
			`}`
Add missing client cert (#729) * Updated GitVersioning package to fix issue with loading native libgit lib. Added check for missing HttpClientHandler * fixed type * HttpClientHandler is null when trying to get client certificates for web socket connection. Added direct configuration of client cert instead of via HttpClientHandler * fixed indentation warning * re-added certs from httpclienthandler if present * Updated GitVersioning package to fix issue with loading native libgit lib. Added check for missing HttpClientHandler * fixed type * HttpClientHandler is null when trying to get client certificates for web socket connection. Added direct configuration of client cert instead of via HttpClientHandler * fixed indentation warning * re-added certs from httpclienthandler if present * merged duplicate code * reverted package changes 2021-10-20 15:51:58 +02:00
			`/// <summary>`
			`/// Retrieves Client Certificate PFX from configuration`
			`/// </summary>`
			`/// <param name="config">Kubernetes Client Configuration</param>`
			`/// <returns>Client certificate PFX</returns>`
			`public static X509Certificate2 GetClientCert(KubernetesClientConfiguration config)`
			`{`
			`if (config == null)`
			`{`
			`throw new ArgumentNullException(nameof(config));`
			`}`

			`if ((!string.IsNullOrWhiteSpace(config.ClientCertificateData) \|\|`
			`!string.IsNullOrWhiteSpace(config.ClientCertificateFilePath)) &&`
			`(!string.IsNullOrWhiteSpace(config.ClientCertificateKeyData) \|\|`
			`!string.IsNullOrWhiteSpace(config.ClientKeyFilePath)))`
			`{`
			`return GeneratePfx(config);`
			`}`

			`return null;`
			`}`
Remove openssl dependency. Move to dotnet 2.0 2017-09-22 20:59:41 -07:00			`}`
introduce go client style config creating functions 2017-10-11 21:27:22 +08:00			`}`