Skip to content

Support custom CA chain validation#1851

Merged
chkr1011 merged 3 commits intodotnet:masterfrom
ridomin:tls-cafile
Nov 1, 2023
Merged

Support custom CA chain validation#1851
chkr1011 merged 3 commits intodotnet:masterfrom
ridomin:tls-cafile

Conversation

@rido-min
Copy link
Copy Markdown
Member

@rido-min rido-min commented Sep 29, 2023

Summary

Most MQTT clients from Paho (python, Java, GO) and even mosquitto-clients, allow to specify a CaFile to connect to TLS endpoints protected with certificates issued by a private CA.

A good example is test.mosquitto.org:8883 that requires https://test.mosquitto.org/ssl/mosquitto.org.crt to validate the server connection

Details

  • Adds a CertificationAuthoritiesFile option to TlsOptions
  • Adds a WithCertificationAuthoritiesFile(string pemFile) to TlsOptionsBuilder
  • Configures SslStream with CustomTrust (.NET 7+ only)
  • Adds a new sample, including the test.mosquitto.org (this might require to be updated when it gets expired in 2030 :) )

Overseeds #1848

@rido-min
Copy link
Copy Markdown
Member Author

rido-min commented Oct 2, 2023

How can I fix the build error?

D:\a\MQTTnet\MQTTnet\certificate.snk' -- Invalid public key

krwq
krwq reviewed Oct 4, 2023
View reviewed changes
Comment thread Source/MQTTnet/Client/Options/MqttClientTlsOptions.cs Outdated
#endif

#if NET7_0_OR_GREATER
public string CertificationAuthoritiesFile { get; set; }
Copy link
Copy Markdown
Member

@krwq krwq Oct 4, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd recommend to make this API always visible but throw on the setter for <net7

Copy link
Copy Markdown
Collaborator

@chkr1011 chkr1011 Oct 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other properties in this project are usually not available because they are excluded by the compiler. I would like to stick to this approach and avoid changing the strategy here.

krwq
krwq reviewed Oct 4, 2023
View reviewed changes
Comment thread Source/MQTTnet/Implementations/MqttTcpChannel.cs Outdated
AllowRenegotiation = _tcpOptions.TlsOptions.AllowRenegotiation
};
#if NET7_0_OR_GREATER
if (!string.IsNullOrEmpty(_tcpOptions.TlsOptions.CertificationAuthoritiesFile))
Copy link
Copy Markdown
Member

@krwq krwq Oct 4, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

another option: File.Exists (error when doesn't exist would be nice but possibly just letting it error later is fine as well, follow existing conventions)

rido-min
rido-min commented Oct 6, 2023
View reviewed changes
Comment thread Source/MQTTnet/Client/Options/MqttClientTlsOptionsBuilder.cs Outdated
#endif

#if NET7_0_OR_GREATER
public MqttClientTlsOptionsBuilder WithCertificationAuthoritiesFile(string pemFile)
Copy link
Copy Markdown
Member Author

@rido-min rido-min Oct 6, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

another option will be WithCaFile is shorter -not as descriptive as the other methods in this class - but is aligned with other mqtt tooling.

Copy link
Copy Markdown
Collaborator

@chkr1011 chkr1011 Oct 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The other methods and properties in this project usually take the "long" version or adopt the same name when it is simply mapped to a property in the .NET framework.

Copy link
Copy Markdown
Member Author

@rido-min rido-min Oct 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this comment is outdated, the last commit changed the signature to: public MqttClientTlsOptionsBuilder WithTrustChain(X509Certificate2Collection chain)

To align with .NET api this could be .WithCustomTrustChain

This was referenced Oct 10, 2023
Merged
Closed
@logicaloud
Copy link
Copy Markdown
Contributor

logicaloud commented Oct 14, 2023

I think it would be good to support handling of certificate authorities directly within the MQTTnet library.

Some observations and questions:

  1. Naming should probably be ...CertificateAuthorities... instead of ...CertificationAuthorities...?
  2. Should the target conditional be NET5_0_OR_GREATER? Or are there features used that are not available since .NET 5? I'm aware that .NET 5 is out of support, but this would be in keeping with other conditionals used elsewhere supporting older .NET versions (and .NET 6 is still in support).
  3. My preference would be to pass the certificate authorities as a list or collection of X509Certificate2 to keep things in memory. Certificates may originate from a configuration file, database, of otherwise different format not readily available as a .crt file on disk. If the certificate authority certificates are indeed already available as a suitable file, then it is a small burden for the MQTTnet library user to load the file into a list or collection of X509Certificate2 certificates for handover to WithCertificateAuthorities. If the the certificates are not already in a suitable file, then passing a filename could become a pain point, because the MQTTnet library user needs to convert the format into the .crt file format and ensure that a there is a writable file system location available just for handover.

@rido-min
Copy link
Copy Markdown
Member Author

rido-min commented Oct 15, 2023

thanks @logicaloud for you comments:

  1. The name was suggested by @CIPop, maybe we could use WithTrustChain ?
  2. IIRC The API we are using to use a custom trust store is available in .NET7+ only, but let me double check if this could also work in .NET5+
  3. Good point, I'm updating the PR to accept a X509CertCollection

@rido-min
Copy link
Copy Markdown
Member Author

rido-min commented Oct 16, 2023

@logicaloud with this 0b5dff5 I've addressed your comments:

  1. Renamed to public MqttClientTlsOptionsBuilder WithTrustChain(X509Certificate2Collection chain)
  2. Unfortunately SslClientAuthenticationOptions.CertificateChainPolicy requires .NET7
  3. Agree, the user should provide the caChain as a cert collection without imposing any crt/pem format in a file

@logicaloud
Copy link
Copy Markdown
Contributor

logicaloud commented Oct 16, 2023

Thank you for looking into this, @rido-min. Regarding naming, WithTrustChain seems more technical, WithCertificateAuthorities may need less explanation in the context of MQTT. Either way, it is not up to me to accept pull requests, so best to wait now until @chkr1011 has time to review and comment.

@rido-min
Copy link
Copy Markdown
Member Author

rido-min commented Oct 17, 2023

WithTrustChain seems more technical,

Well, keep in mind this is on top of MqttTlsOptions, so I guess the TrustChain concept will be easier to get.

@rido-min
Copy link
Copy Markdown
Member Author

rido-min commented Oct 26, 2023

apologies for adding another commit cc1ed2c

Now the chain validation uses X509VerificationFlags.IgnoreEndRevocationUnknown so users are not forced to completely disable revocation checks when using custom CAs.

@krwq do you mind taking another look?

@chkr1011 chkr1011 merged commit 01c90ba into dotnet:master Nov 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chkr1011 chkr1011 chkr1011 approved these changes

+1 more reviewer

@krwq krwq krwq approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@rido-min @logicaloud @krwq @chkr1011