SSL Client Authentication with certificate using c#

Question

I need to create a c# application that has to send API request to a server using SSL. I need to create the Client authentication. I already have the server CA certificate, the client certificate (cer), the client private key (pem) and passphrase. I can't find an example on how to create the client connection. Can someone suggest me where to start with a small code well explained? In my hand I have the client certificate (PEM), the Client Provate Key and the Passphrase for the Client Key. I have no idea where to start to write the code to send a request to the server

Answer 1

Some time ago I've created this POC for client authentication with certificate in .Net Core. It uses idunno.Authentication package that is now build-in in .Net Core. My POC probably is bit outdated now, but it can be a good starting point for you.

First create an extension method to add certificate to HttpClientHandler:

public static class HttpClientHandlerExtensions
{
    public static HttpClientHandler AddClientCertificate(this HttpClientHandler handler, X509Certificate2 certificate)
    {
        handler.ClientCertificateOptions = ClientCertificateOption.Manual;
        handler.ClientCertificates.Add(certificate);

        return handler;
    }
}

Then another extension method to add certificate to IHttpClientBuilder

    public static IHttpClientBuilder AddClientCertificate(this IHttpClientBuilder httpClientBuilder, X509Certificate2 certificate)
    {
        httpClientBuilder.ConfigureHttpMessageHandlerBuilder(builder =>
        {
            if (builder.PrimaryHandler is HttpClientHandler handler)
            {
                handler.AddClientCertificate(certificate);
            }
            else
            {
                throw new InvalidOperationException($"Only {typeof(HttpClientHandler).FullName} handler type is supported. Actual type: {builder.PrimaryHandler.GetType().FullName}");
            }
        });

        return httpClientBuilder;
    }

Then load the certificate and register HttpClient in HttpClientFactory

        var cert = CertificateFinder.FindBySubject("your-subject");
        services
            .AddHttpClient("ClientWithCertificate", client => { client.BaseAddress = new Uri(ServerUrl); })
            .AddClientCertificate(cert);

Now when you will use client created by factory it will automatically send your certificate with the request;

public async Task SendRequest()
{
    var client = _httpClientFactory.CreateClient("ClientWithCertificate");
    ....
}

Answer 2

There are A LOT of options here, so I am not 100% sure which way to go based on the succinctness of the question. I created a basic aspnet.core WebApi project which has the "weather forecast" controller as a test. There is a lot of error checking not shown here, and there are a lot of assumptions about how keys and certificates are or are not being stored, or even what OS this is intended for (not that the OS matters as much, but the key stores are different).

Also note that certificates created with OpenSsl do not contain the private key in the certificate for the web server. You'd have to combine the certificate and private key into a Pkcs12/PFX format for that.

For example (for the web server, not necessarily the client, but you could use the PFX anywhere really...).

openssl pkcs12 -export -out so-selfsigned-ca-root-x509.pfx -inkey so-root-ca-rsa-private-key.pem -in so-selfsigned-ca-root-x509.pem

Consider this Main method in a console app. The only non-BCL package I added to this (for the private PEM key) was Portable.BouncyCastle. If you are using .NET Core 5.0 (released just a few days ago) there are PEM options there. Assuming you are not there yet, this sample is using NetCoreApp 3.1.

The appSettings.json example file:
{
  "HttpClientRsaArtifacts": {
    "ClientCertificateFilename": "so-x509-client-cert.pem",
    "ClientPrivateKeyFilename": "so-client-private-key.pem"
  }
}


private static async Task Main(string[] args)
{
    IConfiguration config = new ConfigurationBuilder().AddJsonFile("appSettings.json").Build();

    const string mainAppSettingsKey = "HttpClientRsaArtifacts";
    var clientCertificateFileName = config[$"{mainAppSettingsKey}:ClientCertificateFilename"];
    var clientPrivKeyFileName = config[$"{mainAppSettingsKey}:ClientPrivateKeyFilename"];

    var clientCertificate = new X509Certificate2(clientCertificateFileName);
    var httpClientHandler = new HttpClientHandler();
    httpClientHandler.ClientCertificates.Add(clientCertificate);
    httpClientHandler.ClientCertificateOptions = ClientCertificateOption.Manual;
    httpClientHandler.ServerCertificateCustomValidationCallback = ByPassCertErrorsForTestPurposesDoNotDoThisInTheWild;
    httpClientHandler.CheckCertificateRevocationList = false;

    var httpClient = new HttpClient(httpClientHandler);
    httpClient.BaseAddress = new Uri("https://localhost:5001/");

    var httpRequestMessage = new HttpRequestMessage(
        HttpMethod.Get,
        "weatherforecast");

    // This is "the connection" (and API call)
    using var response = await httpClient.SendAsync(
        httpRequestMessage,
        HttpCompletionOption.ResponseHeadersRead);

    var stream = await response.Content.ReadAsStreamAsync();
    var jsonDocument = await JsonDocument.ParseAsync(stream);

    var options = new JsonSerializerOptions
    {
        WriteIndented = true,
    };

    Console.WriteLine(
        JsonSerializer.Serialize(
            jsonDocument,
            options));
}


private static bool ByPassCertErrorsForTestPurposesDoNotDoThisInTheWild(
    HttpRequestMessage httpRequestMsg,
    X509Certificate2 certificate,
    X509Chain x509Chain,
    SslPolicyErrors policyErrors)
{
    var certificateIsTestCert = certificate.Subject.Equals("O=Internet Widgits Pty Ltd, S=Silicon Valley, C=US");

    return certificateIsTestCert && x509Chain.ChainElements.Count == 1 &&
           x509Chain.ChainStatus[0].Status == X509ChainStatusFlags.UntrustedRoot;
}

If you want to load a private key from a PEM file, you can use Bouncy Castle to easily do that. For example, to import a private key from a PEM file and then use it to create an RSA instance for signing data or a hash, you can get the RSA instance like this:

private static RSA LoadClientPrivateKeyFromPemFile(string clientPrivateKeyFileName)
{
    if (!File.Exists(clientPrivateKeyFileName))
    {
        throw new FileNotFoundException(
            "The client private key PEM file could not be found",
            clientPrivateKeyFileName);
    }

    var clientPrivateKeyPemText = File.ReadAllText(clientPrivateKeyFileName);
    using var reader = new StringReader(clientPrivateKeyPemText);

    var pemReader = new PemReader(reader);
    var keyParam = pemReader.ReadObject();

    // GET THE PRIVATE KEY PARAMETERS
    RsaPrivateCrtKeyParameters privateKeyParams = null;

    // This is the case if the PEM file has is a "traditional" RSA PKCS#1 content
    // The private key file with begin and end with -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
    if (keyParam is AsymmetricCipherKeyPair asymmetricCipherKeyPair)
    {
        privateKeyParams = (RsaPrivateCrtKeyParameters)asymmetricCipherKeyPair.Private;
    }

    // This is to check if it is a Pkcs#8 PRIVATE KEY ONLY or a public key (-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----)
    if (keyParam is AsymmetricKeyParameter asymmetricKeyParameter)
    {
        privateKeyParams = (RsaPrivateCrtKeyParameters)asymmetricKeyParameter;
    }

    var rsaPrivateKeyParameters = DotNetUtilities.ToRSAParameters(privateKeyParams);

    // CREATE A NEW RSA INSTANCE WITH THE PRIVATE KEY PARAMETERS (THIS IS THE PRIVATE KEY)
    return RSA.Create(rsaPrivateKeyParameters);
}

Lastly, if you want to sign data with the private key (obtained using the sample above from a PEM file), you can use the standard encryption and signing methods on the System.Security.Cryptography.RSA class. E.g.

var signedData = rsaInstanceWithPrivateKey.SignData(
    data,
    HashAlgorithmName.SHA256,
    RSASignaturePadding.Pkcs1);

...and then add that to an HttpRequestMessage as ByteArrayContent before invoking SendAsync with the HttpRequestMessage.

var byteArrayContent = new ByteArrayContent(signedData);

var httpRequestMessage = new HttpRequestMessage(
    HttpMethod.Post,
    "/myapiuri");

httpRequestMessage.Content = byteArrayContent;

You had mentioned that you used the same private key to create everything, so if that is the case on the webserver side you'd be able to verify the signature and and decrypt what you sent from the client in this example.

Again, there are a lot of options and nuances here.

With the Bouncy Castle PEM reader you can inject an IPasswordFinder implementation with the password.

For example:

/// <summary>
/// Required when using the Bouncy Castle PEM reader for PEM artifacts with passwords.
/// </summary>
class BcPemPasswordFinder : IPasswordFinder
{
    private readonly string m_password;

    public BcPemPasswordFinder(string password)
    {
        m_password = password;
    }

    /// <summary>
    /// Required by the IPasswordFinder interface
    /// </summary>
    /// <returns>System.Char[].</returns>
    public char[] GetPassword()
    {
        return m_password.ToCharArray();
    }
}

Here is a modified version of the LoadClientPrivateKeyFromPemFile I originally posted (the password is hard-coded for brevity in this example) where you can inject the IPasswordFinder into the instance.

private static RSA LoadClientPrivateKeyFromPemFile(string clientPrivateKeyFileName)
{
    if (!File.Exists(clientPrivateKeyFileName))
    {
        throw new FileNotFoundException(
            "The client private key PEM file could not be found",
            clientPrivateKeyFileName);
    }

    var clientPrivateKeyPemText = File.ReadAllText(clientPrivateKeyFileName);
    using var reader = new StringReader(clientPrivateKeyPemText);

    // Instantiate password finder here
    var passwordFinder = new BcPemPasswordFinder("P@ssword");

    // Pass the IPasswordFinder instance into the PEM PemReader...
    var pemReader = new PemReader(reader, passwordFinder);
    var keyParam = pemReader.ReadObject();

    // GET THE PRIVATE KEY PARAMETERS
    RsaPrivateCrtKeyParameters privateKeyParams = null;

    // This is the case if the PEM file has is a "traditional" RSA PKCS#1 content
    // The private key file with begin and end with -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
    if (keyParam is AsymmetricCipherKeyPair asymmetricCipherKeyPair)
    {
        privateKeyParams = (RsaPrivateCrtKeyParameters)asymmetricCipherKeyPair.Private;
    }

    // This is to check if it is a Pkcs#8 PRIVATE KEY ONLY or a public key (-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----)
    if (keyParam is AsymmetricKeyParameter asymmetricKeyParameter)
    {
        privateKeyParams = (RsaPrivateCrtKeyParameters)asymmetricKeyParameter;
    }

    var rsaPrivateKeyParameters = DotNetUtilities.ToRSAParameters(privateKeyParams);

    // CREATE A NEW RSA INSTANCE WITH THE PRIVATE KEY PARAMETERS (THIS IS THE PRIVATE KEY)
    return RSA.Create(rsaPrivateKeyParameters);
}