Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LoadPemFileCert() does not handle bundle certificates #234

Closed
etchang opened this issue Jan 30, 2019 · 3 comments
Closed

LoadPemFileCert() does not handle bundle certificates #234

etchang opened this issue Jan 30, 2019 · 3 comments
Assignees
@tg123
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@etchang
Copy link
Contributor

etchang commented Jan 30, 2019

We currently working with a customer who is running the C# Kubernetes Client from within their cluster. They are providing their own CA certificate in a PEM file that contains the entire Certificate Trust Chain in it as well as comments
i.e.

-----BEGIN CERTIFICATE-----
<base 64 string>

-----END CERTIFICATE-----

subject=/CN=<subject>
issuer=/CN=<issuer>

-----BEGIN CERTIFICATE-----
<base 64 string>

-----END CERTIFICATE-----

subject=/CN=<subject>
issuer=/CN=<issuer>

-----BEGIN CERTIFICATE-----
<base 64 string>

-----END CERTIFICATE-----

Calling KubernetesClientConfiguration.InClusterConfig() results in the following stack:


System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding charcters, or an illegal character among the padding characters,
    at System.Convert.FromBase64_ComputeResultLength(Char* inputPtr, Int32 inputLength)
	at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
	at System.Convert.FromBase64String(String s)
	at k8s.CertUtils.LoadPemFileCert(String file)
	at k8s.KubernetesClientConfiguration.InClusterConfig()

It looks like the client's certificate parsing currently only handles comment-less cert files with a single certificate in them.
https://github.com/kubernetes-client/csharp/blob/master/src/KubernetesClient/CertUtils.cs

        /// <summary>
        /// Load pem encoded cert file
        /// </summary>
        /// <param name="file">Path to pem encoded cert file</param>
        /// <returns>x509 instance.</returns>
        public static X509Certificate2 LoadPemFileCert(string file)
        {
            var certdata = File.ReadAllText(file)
                .Replace("-----BEGIN CERTIFICATE-----", "")
                .Replace("-----END CERTIFICATE-----", "")
                .Replace("\r", "")
                .Replace("\n", "");

            return new X509Certificate2(Convert.FromBase64String(certdata));
        }

Since Kubernetes supports supplying custom certs to the cluster, the client should also be able to handle certificates formats allowed by OpenSSL.
@tg123
Copy link
Member

tg123 commented Jan 30, 2019

I will take a look

@tg123 tg123 self-assigned this Jan 30, 2019
@tg123 tg123 added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 30, 2019
@brendandburns
Copy link
Contributor

@tg123 are you working on this? I have some cycles and thought I might take a crack at it if you haven't already started.

Thanks!

@tg123 tg123 mentioned this issue Feb 15, 2019
Merged
@tg123
Copy link
Member

tg123 commented Feb 15, 2019

@brendandburns please check#245 and my concern.
I think I only fix part of this issue. I did not find an elegant way to address it without rewriting https part.
We need to think about supporting chain or not.

@etchang etchang mentioned this issue Mar 7, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tg123 tg123

Labels
kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tg123 @brendandburns @etchang