Update certificate validation to use custom trust store for .NET 5.0 and greater

tg123 · tg123 · commit 65d84f0b455d · 2025-08-26T14:35:40.000-07:00
diff --git a/src/KubernetesClient/Kubernetes.ConfigInit.cs b/src/KubernetesClient/Kubernetes.ConfigInit.cs
@@ -213,11 +213,13 @@ public static bool CertificateValidationCallBack(
             {
                 chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
 
-                // Added our trusted certificates to the chain
-                //
-                chain.ChainPolicy.ExtraStore.AddRange(caCerts);
-
-                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
+#if NET5_0_OR_GREATER
+                // Use custom trust store only, ignore system root CA
+                chain.ChainPolicy.CustomTrustStore.AddRange(caCerts);
+                chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+#else
+                throw new NotSupportedException("Custom trust store is not supported on this platform.");
+#endif
                 var isValid = chain.Build((X509Certificate2)certificate);
 
                 var isTrusted = false;
diff --git a/tests/KubernetesClient.Tests/CertificateValidationTests.cs b/tests/KubernetesClient.Tests/CertificateValidationTests.cs
@@ -1,3 +1,5 @@
+using System;
+using System.Security.Cryptography;
 using System.Net.Security;
 using System.Security.Cryptography.X509Certificates;
 using Xunit;
@@ -6,6 +8,61 @@ namespace k8s.Tests
 {
     public class CertificateValidationTests
     {
+        [Fact]
+        public void ShouldRejectCertFromDifferentCA()
+        {
+            // Load our "trusted" Kubernetes CA
+            var trustedCaCert = CertUtils.LoadPemFileCert("assets/ca.crt");
+
+            // Generate a completely different CA and server cert in memory
+            var differentCA = CreateSelfSignedCA("CN=Different CA");
+            var untrustedServerCert = CreateServerCert(differentCA, "CN=fake-server.com");
+
+            var chain = new X509Chain();
+
+            // Pre-populate the chain like SSL validation would do
+            // This will likely succeed because we allow unknown CAs in the validation
+            chain.Build(untrustedServerCert);
+
+            var errors = SslPolicyErrors.RemoteCertificateChainErrors;
+
+            var result = Kubernetes.CertificateValidationCallBack(this, trustedCaCert, untrustedServerCert, chain, errors);
+
+            // This SHOULD be false because the server cert wasn't signed by our trusted CA
+            // But the current K8s validation logic might incorrectly return true
+            Assert.False(result, "Should reject certificates not signed by trusted CA");
+
+            // Cleanup
+            differentCA.Dispose();
+            untrustedServerCert.Dispose();
+        }
+
+        // Helper methods to create test certificates
+        private static X509Certificate2 CreateSelfSignedCA(string subject)
+        {
+            using (var rsa = RSA.Create(2048))
+            {
+                var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+                req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
+                req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
+
+                return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(365));
+            }
+        }
+
+        private static X509Certificate2 CreateServerCert(X509Certificate2 issuerCA, string subject)
+        {
+            using (var rsa = RSA.Create(2048))
+            {
+                var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+                req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
+                req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
+                req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, true));
+
+                return req.Create(issuerCA, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(90), new byte[] { 1, 2, 3, 4 });
+            }
+        }
+
         [Fact]
         public void ValidCert()
         {
