Fixing the validation of the SSL CA Certificate (#2346)

* Fixing the validation of the SSL CA Certificate

* Update CachedSchemaRegistryClient.cs

* Update RestService.cs

---------

Co-authored-by: Daniel Bojczuk <[email protected]>

Author: rayokota

src/Confluent.SchemaRegistry/CachedSchemaRegistryClient.cs

@@ -351,8 +351,14 @@ public CachedSchemaRegistryClient(IEnumerable<KeyValuePair<string, string>> conf
                     $"Configured value for {SchemaRegistryConfig.PropertyNames.EnableSslCertificateVerification} must be a bool.");
             }
 
-            this.restService = new RestService(schemaRegistryUris, timeoutMs, authenticationHeaderValueProvider,
-                SetSslConfig(config), sslVerify);
+            var sslCaLocation = config.FirstOrDefault(prop => prop.Key.ToLower() == SchemaRegistryConfig.PropertyNames.SslCaLocation).Value;
+            if (string.IsNullOrEmpty(sslCaLocation))
+            {
+                this.restService = new RestService(schemaRegistryUris, timeoutMs, authenticationHeaderValueProvider, SetSslConfig(config), sslVerify);
+            } else
+            {
+                this.restService = new RestService(schemaRegistryUris, timeoutMs, authenticationHeaderValueProvider, SetSslConfig(config), sslVerify, new X509Certificate2(sslCaLocation));
+            }
         }
 
         /// <summary>
@@ -408,14 +414,6 @@ private List<X509Certificate2> SetSslConfig(IEnumerable<KeyValuePair<string, str
                 certificates.Add(new X509Certificate2(certificateLocation, certificatePassword));
             }
 
-            var caLocation =
-                config.FirstOrDefault(prop => prop.Key.ToLower() == SchemaRegistryConfig.PropertyNames.SslCaLocation)
-                    .Value ?? "";
-            if (!String.IsNullOrEmpty(caLocation))
-            {
-                certificates.Add(new X509Certificate2(caLocation));
-            }
-
             return certificates;
         }
 

src/Confluent.SchemaRegistry/Rest/RestService.cs

@@ -22,7 +22,10 @@
 using System.Net;
 using System.Net.Http;
 using System.Threading.Tasks;
+using X509Certificate2 = System.Security.Cryptography.X509Certificates.X509Certificate2;
+
 using System.Security.Cryptography.X509Certificates;
+using System.Net.Security;
 
 namespace Confluent.SchemaRegistry
 {
@@ -55,7 +58,7 @@ public class RestService : IRestService
         /// </summary>
         public RestService(string schemaRegistryUrl, int timeoutMs,
             IAuthenticationHeaderValueProvider authenticationHeaderValueProvider, List<X509Certificate2> certificates,
-            bool enableSslCertificateVerification)
+            bool enableSslCertificateVerification, X509Certificate2 sslCaCertificate = null)
         {
             this.authenticationHeaderValueProvider = authenticationHeaderValueProvider;
 
@@ -67,7 +70,7 @@ public RestService(string schemaRegistryUrl, int timeoutMs,
                     HttpClient client;
                     if (certificates.Count > 0)
                     {
-                        client = new HttpClient(CreateHandler(certificates, enableSslCertificateVerification))
+                        client = new HttpClient(CreateHandler(certificates, enableSslCertificateVerification, sslCaCertificate))
                         {
                             BaseAddress = new Uri(uri, UriKind.Absolute), Timeout = TimeSpan.FromMilliseconds(timeoutMs)
                         };
@@ -92,19 +95,54 @@ private static string SanitizeUri(string uri)
         }
 
         private static HttpClientHandler CreateHandler(List<X509Certificate2> certificates,
-            bool enableSslCertificateVerification)
+            bool enableSslCertificateVerification, X509Certificate2 sslCaCertificate)
         {
             var handler = new HttpClientHandler();
             handler.ClientCertificateOptions = ClientCertificateOption.Manual;
 
+            certificates.ForEach(c => handler.ClientCertificates.Add(c));
+
             if (!enableSslCertificateVerification)
             {
-                handler.ServerCertificateCustomValidationCallback =
-                    (httpRequestMessage, cert, certChain, policyErrors) => { return true; };
-            }
+                handler.ServerCertificateCustomValidationCallback = (_, __, ___, ____) => { return true; };
+            } 
+            else  if (sslCaCertificate != null)
+            {
+                handler.ServerCertificateCustomValidationCallback = (_, __, chain, policyErrors) => { 
+                    
+                    if (policyErrors == SslPolicyErrors.None)
+                    {
+                        return true;
+                    }
+
+                    
+                    //The second element of the chain should be the issuer of the certificate
+                    if (chain.ChainElements.Count < 2)
+                    {
+                        return false;
+                    }                 
+                    var connectionCertHash = chain.ChainElements[1].Certificate.GetCertHash();
+
+
+                    var expectedCertHash = sslCaCertificate.GetCertHash();
 
-            certificates.ForEach(c => handler.ClientCertificates.Add(c));
-            return handler;
+                    if (connectionCertHash.Length != expectedCertHash.Length)
+                    {
+                        return false;
+                    }
+
+                    for (int i = 0; i < connectionCertHash.Length; i++)
+                    {
+                        if (connectionCertHash[i] != expectedCertHash[i])
+                        {
+                            return false;
+                        }
+                    }
+                    return true; 
+                };
+            }
+        
+            return handler;
         }
 
         private RegisteredSchema SanitizeRegisteredSchema(RegisteredSchema schema)