(sdk-dotnet): fix ca cert server validation in dotnet client (#1056)

Create validation method to trust CA server certificate in dotnet client

.gitignore

@@ -32,6 +32,7 @@ lhctl/lhctl
 # Others
 local-dev/certs/
 build/
+.config
 
 # Python
 __pycache__

sdk-dotnet/Examples/BasicExample/BasicExample.csproj

@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
   </PropertyGroup>

sdk-dotnet/LittleHorse.Sdk.Tests/LHInputVariablesTest.cs

@@ -1,6 +1,5 @@
 using System;
 using System.Collections.Generic;
-using System.IO;
 using Xunit;
 
 namespace LittleHorse.Sdk.Tests.Internal
@@ -169,7 +168,7 @@ public void LHConfigVariables_WithSomeLHOptionsCommentedInFile_ShouldReturnSetOp
             Assert.Equal(int.Parse(keyValueLHConfigs["LHC_API_PORT"]), inputVariables.LHC_API_PORT);
             Assert.Equal(DefaultLHConfigVariables.LHC_API_PROTOCOL, inputVariables.LHC_API_PROTOCOL);
             Assert.Null(inputVariables.LHC_CA_CERT);
-            Assert.Equal(string.Empty, inputVariables.LHW_TASK_WORKER_VERSION);
+            Assert.Equal(DefaultLHConfigVariables.LHW_TASK_WORKER_VERSION, inputVariables.LHW_TASK_WORKER_VERSION);
         }
 
         [Fact]

sdk-dotnet/LittleHorse.Sdk/LHConfig.cs

@@ -5,6 +5,9 @@
 using LittleHorse.Sdk.Internal;
 using LittleHorse.Sdk.Utils;
 using Microsoft.Extensions.Logging;
+using System.Net.Http;
+using System.Security.Cryptography.X509Certificates;
+using System.Net.Security;
 using static LittleHorse.Common.Proto.LittleHorse;
 
 namespace LittleHorse.Sdk {
@@ -136,11 +139,7 @@ private GrpcChannel CreateChannel(string host, int port)
         {
             var httpHandler = new HttpClientHandler();
             var address = $"{BootstrapProtocol}://{host}:{port}";
-
-            if (_inputVariables.LHC_CA_CERT != null)
-            {
-                httpHandler = CertificatesHandler.GetHttpHandlerFrom(_inputVariables.LHC_CA_CERT);
-            }
+            httpHandler.ServerCertificateCustomValidationCallback = ServerCertificateCustomValidation;
 
             if (_inputVariables.LHC_CLIENT_CERT != null && _inputVariables.LHC_CLIENT_KEY != null)
             {
@@ -150,7 +149,7 @@ private GrpcChannel CreateChannel(string host, int port)
 
                 httpHandler.ClientCertificates.Add(cert);
             }
-            
+
             if (IsOAuth)
             {
                 return CreateGrpcChannelWithOauthCredentials(address, httpHandler);
@@ -162,6 +161,21 @@ private GrpcChannel CreateChannel(string host, int port)
             });
         }
 
+        private bool ServerCertificateCustomValidation(HttpRequestMessage requestMessage, X509Certificate2? certificate, X509Chain? certChain, SslPolicyErrors sslErrors)
+        {
+            var pathCaCert = _inputVariables.LHC_CA_CERT;
+            if (pathCaCert != null)
+            {
+                var caCert = new X509Certificate2(File.ReadAllBytes(pathCaCert));
+
+                certChain!.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+                certChain.ChainPolicy.CustomTrustStore.Add(caCert);
+            }
+
+            var certChainBuilder = certificate != null && certChain != null && certChain.Build(certificate);
+            return certChainBuilder;
+        }
+
         private GrpcChannel CreateGrpcChannelWithOauthCredentials(string address, HttpClientHandler httpHandler)
         {
             InitializeOAuth();

sdk-dotnet/LittleHorse.Sdk/Utils/CertificatesHandler.cs

@@ -1,39 +1,16 @@
+using System.Net.Security;
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
+using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
+using LittleHorse.Sdk.Internal;
+using Microsoft.Extensions.Logging;
 
 [assembly: InternalsVisibleTo("LittleHorse.Sdk.Tests")]
 
 namespace LittleHorse.Sdk.Utils { 
     internal class CertificatesHandler
     {
-        internal static HttpClientHandler GetHttpHandlerFrom(string pathCaCert)
-        {
-            try
-            {
-                var caCert = new X509Certificate2(File.ReadAllBytes(pathCaCert));
-                var handler = new HttpClientHandler();
-
-                handler.ServerCertificateCustomValidationCallback =
-                    (httpRequestMessage, cert, certChain, sslPolicyErrors) =>
-                    {
-                        return certChain!.ChainElements.Any(element =>
-                            element.Certificate.Thumbprint == caCert.Thumbprint);
-                    };
-
-                return handler;
-            }
-            catch (System.Security.Cryptography.CryptographicException)
-            {
-                throw new Exception($"Certificate file {pathCaCert} has corrupted data.");
-            }
-            catch (Exception ex)
-            {
-                throw new FileNotFoundException($"Certificate file {pathCaCert} does not exist.", 
-                    ex.Message);
-            }
-        }
-
         internal static X509Certificate2 GetX509CertificateFrom(string pathPrivateCert, string pathRequestedCert)
         {
             string certificatePem = File.ReadAllText(pathRequestedCert);