change to cert collection

dotnet · Oct 16, 2023 · 0b5dff5 · 0b5dff5
1 parent 8b22637
commit 0b5dff5
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 37 deletions.
diff --git a/Samples/Client/Client_Connection_Samples.cs b/Samples/Client/Client_Connection_Samples.cs
@@ -7,6 +7,7 @@
 // ReSharper disable InconsistentNaming
 
 using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
 using MQTTnet.Client;
 using MQTTnet.Extensions.WebSocket4Net;
 using MQTTnet.Formatter;
@@ -439,19 +440,51 @@ public static void Reconnect_Using_Timer()
     public static async Task ConnectTls_WithCaFile()
     {
         var mqttFactory = new MqttFactory();
+
+        X509Certificate2Collection caChain = new X509Certificate2Collection();
+        caChain.ImportFromPem(mosquitto_org); // from https://test.mosquitto.org/ssl/mosquitto.org.crt
+
         using (var mqttClient = mqttFactory.CreateMqttClient())
         {
             var mqttClientOptions = new MqttClientOptionsBuilder()
                 .WithTcpServer("test.mosquitto.org", 8883)
                 .WithTlsOptions(new MqttClientTlsOptionsBuilder()
-                    .WithCertificationAuthoritiesFile("mosquitto.org.crt") // from https://test.mosquitto.org/ssl/mosquitto.org.crt
+                    .WithTrustChain(caChain) 
                     .WithRevocationMode(System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck) // no check, since this CA does not include CRL/OCSP endpoints
                     .Build())
                 .Build();
 
             var connAck = await mqttClient.ConnectAsync(mqttClientOptions);
             Console.WriteLine("Connected to test.moquitto.org:8883 with CaFile mosquitto.org.crt: " + connAck.ResultCode);
         }
+
+
     }
+    const string mosquitto_org = @"
+-----BEGIN CERTIFICATE-----
+MIIEAzCCAuugAwIBAgIUBY1hlCGvdj4NhBXkZ/uLUZNILAwwDQYJKoZIhvcNAQEL
+BQAwgZAxCzAJBgNVBAYTAkdCMRcwFQYDVQQIDA5Vbml0ZWQgS2luZ2RvbTEOMAwG
+A1UEBwwFRGVyYnkxEjAQBgNVBAoMCU1vc3F1aXR0bzELMAkGA1UECwwCQ0ExFjAU
+BgNVBAMMDW1vc3F1aXR0by5vcmcxHzAdBgkqhkiG9w0BCQEWEHJvZ2VyQGF0Y2hv
+by5vcmcwHhcNMjAwNjA5MTEwNjM5WhcNMzAwNjA3MTEwNjM5WjCBkDELMAkGA1UE
+BhMCR0IxFzAVBgNVBAgMDlVuaXRlZCBLaW5nZG9tMQ4wDAYDVQQHDAVEZXJieTES
+MBAGA1UECgwJTW9zcXVpdHRvMQswCQYDVQQLDAJDQTEWMBQGA1UEAwwNbW9zcXVp
+dHRvLm9yZzEfMB0GCSqGSIb3DQEJARYQcm9nZXJAYXRjaG9vLm9yZzCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAME0HKmIzfTOwkKLT3THHe+ObdizamPg
+UZmD64Tf3zJdNeYGYn4CEXbyP6fy3tWc8S2boW6dzrH8SdFf9uo320GJA9B7U1FW
+Te3xda/Lm3JFfaHjkWw7jBwcauQZjpGINHapHRlpiCZsquAthOgxW9SgDgYlGzEA
+s06pkEFiMw+qDfLo/sxFKB6vQlFekMeCymjLCbNwPJyqyhFmPWwio/PDMruBTzPH
+3cioBnrJWKXc3OjXdLGFJOfj7pP0j/dr2LH72eSvv3PQQFl90CZPFhrCUcRHSSxo
+E6yjGOdnz7f6PveLIB574kQORwt8ePn0yidrTC1ictikED3nHYhMUOUCAwEAAaNT
+MFEwHQYDVR0OBBYEFPVV6xBUFPiGKDyo5V3+Hbh4N9YSMB8GA1UdIwQYMBaAFPVV
+6xBUFPiGKDyo5V3+Hbh4N9YSMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggEBAGa9kS21N70ThM6/Hj9D7mbVxKLBjVWe2TPsGfbl3rEDfZ+OKRZ2j6AC
+6r7jb4TZO3dzF2p6dgbrlU71Y/4K0TdzIjRj3cQ3KSm41JvUQ0hZ/c04iGDg/xWf
++pp58nfPAYwuerruPNWmlStWAXf0UTqRtg4hQDWBuUFDJTuWuuBvEXudz74eh/wK
+sMwfu1HFvjy5Z0iMDU8PUDepjVolOCue9ashlS4EB5IECdSR2TItnAIiIwimx839
+LdUdRudafMu5T5Xma182OC0/u/xRlEm+tvKGGmfFcN0piqVl8OrSPBgIlb+1IKJE
+m/XriWr/Cq4h/JfB7NTsezVslgkBaoU=
+-----END CERTIFICATE-----
+";
 
 }
diff --git a/Samples/MQTTnet.Samples.csproj b/Samples/MQTTnet.Samples.csproj
@@ -21,10 +21,4 @@
         <ProjectReference Include="..\Source\MQTTnet\MQTTnet.csproj" />
     </ItemGroup>
 
-    <ItemGroup>
-      <None Update="mosquitto.org.crt">
-        <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-      </None>
-    </ItemGroup>
-
 </Project>
diff --git a/Samples/mosquitto.org.crt b/Samples/mosquitto.org.crt
diff --git a/Source/MQTTnet/Client/Options/MqttClientTlsOptions.cs b/Source/MQTTnet/Client/Options/MqttClientTlsOptions.cs
@@ -56,7 +56,7 @@ public sealed class MqttClientTlsOptions
 #endif
 
 #if NET7_0_OR_GREATER
-        public string CertificationAuthoritiesFile { get; set; }
+        public X509Certificate2Collection TrustChain { get; set; }
 #endif
     }
 }
diff --git a/Source/MQTTnet/Client/Options/MqttClientTlsOptionsBuilder.cs b/Source/MQTTnet/Client/Options/MqttClientTlsOptionsBuilder.cs
@@ -134,11 +134,12 @@ public MqttClientTlsOptionsBuilder WithCipherSuitesPolicy(EncryptionPolicy encry
 #endif
 
 #if NET7_0_OR_GREATER
-        public MqttClientTlsOptionsBuilder WithCertificationAuthoritiesFile(string pemFile)
+        public MqttClientTlsOptionsBuilder WithTrustChain(X509Certificate2Collection chain)
         {
-            _tlsOptions.CertificationAuthoritiesFile = pemFile;
+            _tlsOptions.TrustChain = chain;
             return this;
         }
+
 #endif
     }
 }
diff --git a/Source/MQTTnet/Implementations/MqttTcpChannel.cs b/Source/MQTTnet/Implementations/MqttTcpChannel.cs
@@ -124,10 +124,9 @@ public async Task ConnectAsync(CancellationToken cancellationToken)
                             AllowRenegotiation = _tcpOptions.TlsOptions.AllowRenegotiation
                         };
 #if NET7_0_OR_GREATER
-                        if (!string.IsNullOrEmpty(_tcpOptions.TlsOptions.CertificationAuthoritiesFile))
+                        if (_tcpOptions.TlsOptions.TrustChain?.Count > 0)
                         {
-                            X509Certificate2Collection caCerts = new X509Certificate2Collection();
-                            caCerts.ImportFromPemFile(_tcpOptions.TlsOptions.CertificationAuthoritiesFile);
+                            X509Certificate2Collection caCerts = _tcpOptions.TlsOptions.TrustChain;
                             sslOptions.CertificateChainPolicy = new X509ChainPolicy();
                             sslOptions.CertificateChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                             sslOptions.CertificateChainPolicy.RevocationMode = _tcpOptions.TlsOptions.RevocationMode;