Skip to content

feat(csharp/src/Drivers/Apache): Load certificate bundle from pem file #3303

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
+54 −8
Open

feat(csharp/src/Drivers/Apache): Load certificate bundle from pem file #3303

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
66bb674
Load certificate bundle from pem file
Aug 18, 2025
3dcce31
Fix mixed line endings
Aug 18, 2025
ad08376
Add AllowUnknownCertificateAuthority
Aug 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 2 additions & 6 deletions csharp/src/Drivers/Apache/Hive2/HiveServer2StandardConnection.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -112,19 +112,15 @@ protected override TTransport CreateTransport()
TTransport baseTransport;
if (TlsOptions.IsTlsEnabled)
{
X509Certificate2? trustedCert = !string.IsNullOrEmpty(TlsOptions.TrustedCertificatePath)
? new X509Certificate2(TlsOptions.TrustedCertificatePath!)
: null;

RemoteCertificateValidationCallback certValidator = (sender, cert, chain, errors) => HiveServer2TlsImpl.ValidateCertificate(cert, errors, TlsOptions);

if (IPAddress.TryParse(hostName!, out var ipAddress))
{
baseTransport = new TTlsSocketTransport(ipAddress, portValue, config: new(), 0, trustedCert, certValidator);
baseTransport = new TTlsSocketTransport(ipAddress, portValue, config: new(), 0, null, certValidator);
}
else
{
baseTransport = new TTlsSocketTransport(hostName!, portValue, config: new(), 0, trustedCert, certValidator);
baseTransport = new TTlsSocketTransport(hostName!, portValue, config: new(), 0, null, certValidator);
}
}
else
Expand Down
54 changes: 52 additions & 2 deletions csharp/src/Drivers/Apache/Hive2/HiveServer2TlsImpl.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

namespace Apache.Arrow.Adbc.Drivers.Apache.Hive2
{
Expand Down Expand Up @@ -138,6 +139,30 @@ static internal TlsProperties GetStandardTlsOptions(IReadOnlyDictionary<string,
return tlsProperties;
}

public static List<X509Certificate2> LoadPemCertificates(string pemPath)
Copy link
Contributor

@CurtHagenlocher CurtHagenlocher Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How big is this file typically, and how long does it take to read and parse? Does it make sense to keep a cache of these by file path and size/last update time so that it doesn't need to be reloaded regularly?

The standard ~cacert.pem is about 220kb.

{
List<X509Certificate2> certs = new();
string pemContent = File.ReadAllText(pemPath);

MatchCollection matches = Regex.Matches(
pemContent,
"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
RegexOptions.Singleline);

foreach (Match match in matches)
{
string base64 = match.Groups[1].Value
.Replace("\r", "")
.Replace("\n", "")
.Trim();

byte[] rawData = Convert.FromBase64String(base64);
certs.Add(new X509Certificate2(rawData));
}

return certs;
}

static internal bool ValidateCertificate(X509Certificate? cert, SslPolicyErrors policyErrors, TlsProperties tlsProperties)
{
if (policyErrors == SslPolicyErrors.None || tlsProperties.DisableServerCertificateValidation)
Expand All @@ -155,14 +180,39 @@ static internal bool ValidateCertificate(X509Certificate? cert, SslPolicyErrors
return !policyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors) || (tlsProperties.AllowSelfSigned && IsSelfSigned(cert2));
}

X509Certificate2 trustedRoot = new X509Certificate2(tlsProperties.TrustedCertificatePath);
X509Chain customChain = new();
customChain.ChainPolicy.ExtraStore.Add(trustedRoot);
// "tell the X509Chain class that I do trust this root certs and it should check just the certs in the chain and nothing else"
customChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
var collection = LoadPemCertificates(tlsProperties.TrustedCertificatePath!);

foreach (var trustedCert in collection)
{
customChain.ChainPolicy.ExtraStore.Add(trustedCert);
}
customChain.ChainPolicy.RevocationMode = X509RevocationMode.Online;

bool chainValid = customChain.Build(cert2);
if (chainValid)
{
bool trustedBy = false;
foreach (X509ChainElement element in customChain.ChainElements)
{
foreach (X509Certificate2 ca in collection)
Copy link
Contributor

@CurtHagenlocher CurtHagenlocher Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know that cert chains typically aren't that long, but this is n^2 behavior. Is it worth loading the certificates as a dictionary keyed by thumbprint in order to speed up the search?

{
if (element.Certificate.Thumbprint == ca.Thumbprint)
Copy link
Contributor

@CurtHagenlocher CurtHagenlocher Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be a case-insensitive comparison or are thumbprints always normalized to a specific case? Is comparing just the thumbprint enough for good security?

{
trustedBy = true;
break;
}
}
if (trustedBy)
{
break;
}
}
chainValid = chainValid && trustedBy;
}

return chainValid || (tlsProperties.AllowSelfSigned && IsSelfSigned(cert2));
Copy link
Contributor

@CurtHagenlocher CurtHagenlocher Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider modifying the check around line 178 to return early for a self-signed certificate even if TrustedCertificatePath is not null. There's no reason to go to the trouble of loading the additional certificates if we already know we have a self-signed cert. Then the check here becomes superfluous and can be removed.

}
}
Expand Down
Loading