Skip to content

Add CurveAllowedClients: server-side CURVE client public key whitelist#1156

Draft
drewnoakes with Copilot wants to merge 5 commits into
masterfrom
copilot/add-client-public-key-logging
Draft

Add CurveAllowedClients: server-side CURVE client public key whitelist#1156
drewnoakes with Copilot wants to merge 5 commits into
masterfrom
copilot/add-client-public-key-logging

Conversation

Copilot AI commented May 1, 2026

Copy link
Copy Markdown
Contributor

CURVE server sockets had no built-in way to restrict which clients could connect based on their long-term public key, making it impossible to implement a client whitelist without an external ZAP handler.

Changes

  • OptionsHashSet<byte[]> CurveAllowedClients (backed by ByteArrayEqualityComparer)
  • SocketBase — Internal CurveAllowedClients property that exposes m_options.CurveAllowedClients directly, without routing through the ZMQ socket option infrastructure
  • CurveServerMechanism.ProcessInitiate() — After vouch verification, rejects the connection if CurveAllowedClients is non-empty and the client's long-term public key is absent. Uses Span<byte> to stay zero-allocation when no whitelist is configured; allocates byte[] only for the HashSet lookup when needed
  • SocketOptions / ThreadSafeSocketOptions — Exposes HashSet<byte[]> CurveAllowedClients property, backed by the SocketBase internal property

Usage

var serverCert = new NetMQCertificate();
using var server = new DealerSocket();
server.Options.CurveServer = true;
server.Options.CurveCertificate = serverCert;

// Permit only known clients — leave empty to allow all (existing behaviour)
var trustedClient = new NetMQCertificate();
server.Options.CurveAllowedClients.Add(trustedClient.PublicKey);

server.BindRandomPort("tcp://127.0.0.1");

Clients whose long-term public key is not in the set are rejected during the CURVE handshake before any application messages are exchanged.

Copilot AI and others added 3 commits May 1, 2026 23:07
…ey whitelist

Agent-Logs-Url: https://github.com/zeromq/netmq/sessions/f166bdbe-9fb4-4148-ad85-7eb065157838

Co-authored-by: drewnoakes <350947+drewnoakes@users.noreply.github.com>
… ToArray() allocation

Agent-Logs-Url: https://github.com/zeromq/netmq/sessions/f166bdbe-9fb4-4148-ad85-7eb065157838

Co-authored-by: drewnoakes <350947+drewnoakes@users.noreply.github.com>
…non-empty

Agent-Logs-Url: https://github.com/zeromq/netmq/sessions/f166bdbe-9fb4-4148-ad85-7eb065157838

Co-authored-by: drewnoakes <350947+drewnoakes@users.noreply.github.com>
Copilot AI changed the title [WIP] Add logging for client public keys presented to server Add CurveAllowedClients: server-side CURVE client public key whitelist May 1, 2026
Copilot AI requested a review from drewnoakes May 1, 2026 23:13
Comment thread src/NetMQ/Core/ZmqSocketOption.cs Outdated
Comment on lines +365 to +369
/// <summary>
/// The set of allowed client public keys for a CURVE server socket.
/// When non-empty, only clients whose long-term public key is present in this set will be allowed to connect.
/// </summary>
CurveAllowedClients = 61

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot I don't think we can just add this here. These are standardised across ZeroMQ libraries.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. CurveAllowedClients has been removed from ZmqSocketOption entirely. It is now a NetMQ-specific internal property on SocketBase (backed directly by m_options.CurveAllowedClients), and SocketOptions/ThreadSafeSocketOptions expose it by accessing that property directly without routing through the ZMQ option infrastructure. (commit 2f44dd2)

…SocketBase

Agent-Logs-Url: https://github.com/zeromq/netmq/sessions/4c5608bd-8fa2-4db2-af6d-711ce7c90b0e

Co-authored-by: drewnoakes <350947+drewnoakes@users.noreply.github.com>
Copilot AI requested a review from drewnoakes May 2, 2026 13:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Question: is there a way to view the client public key presented to server?

2 participants