From 8a615c275aca995ec0bcec0c020b40c1019b9e56 Mon Sep 17 00:00:00 2001
From: Brendan Burns
Date: Thu, 21 Nov 2019 20:29:28 -0800
Subject: [PATCH] Add an exception for certs known not to work. (#322)
---
 src/KubernetesClient/CertUtils.cs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/KubernetesClient/CertUtils.cs b/src/KubernetesClient/CertUtils.cs
index dd0ba71..b4e6a3a 100644
--- a/src/KubernetesClient/CertUtils.cs
+++ b/src/KubernetesClient/CertUtils.cs
@@ -74,7 +74,13 @@ namespace k8s
 }
 var cert = new X509CertificateParser().ReadCertificate(new MemoryStream(certData));
-
+ // key usage is a bit string, zero-th bit is 'digitalSignature'
+ // See https://www.alvestrand.no/objectid/2.5.29.15.html for more details.
+ if (cert != null && cert.GetKeyUsage() != null && !cert.GetKeyUsage()[0]) {
+ throw new Exception(
+ "Client certificates must be marked for digital signing. " +
+ "See https://github.com/kubernetes-client/csharp/issues/319");
+ }
 object obj;
 using (var reader = new StreamReader(new MemoryStream(keyData))) {
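Review bot: The added guard throws a bare `Exception`, so code that loads client certificates cannot tell this configuration error apart from any other failure without matching on the message text. A specific type such as `InvalidOperationException` would let callers catch it deliberately. `GetKeyUsage()` is also called twice in the condition; `var keyUsage = cert?.GetKeyUsage();` followed by `if (keyUsage != null && !keyUsage[0])` reads it once. A certificate with no KeyUsage extension passes the check, which looks intentional, but a short comment such as `// no KeyUsage extension means no usage restriction, so only reject when the extension is present` would stop a later reader from tightening it by mistake. The enclosing method starts and ends outside the hunk.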