TLS: Using CA and Credentials files

[EtienneLaneville]

I am trying to set up a TLS Authentication using 4 files provided by the administrators of a NATS server:

1. Credentials file: contains a NATS USER JWT string and a USER NKEY SEED string.
2. TLS cert file: contains a CERTIFICATE string.
3. TLS key file: contains a RSA PRIVATE KEY string.
4. TLS ca file: contains a CERTIFICATE string.

The code samples in the README.md file mention converting the key and cert files into a pfx which I have done using OpenSSL. This doesn't include the ca and credentials files though:

Options opts = ConnectionFactory.GetDefaultOptions();

X509Certificate2 cert = new X509Certificate2("C:\\Temp\\test.pfx", "password");
opts.AddCertificate(cert);

I have an equivalent Python sample (using nats-py) that uses all 4 files. When creating the TLS context, it uses load_verify_locations to add the ca file to the context and uses the user_credentials parameter in the connect method to supply the remaining files:

tls_ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    tls_ctx.load_verify_locations(args.tlsca)
    tls_ctx.load_cert_chain(
        certfile=args.tlscert,
        keyfile=args.tlskey)

    print_info(f'Attempting to connect to: {args.server}')
    nc = NATS()
    await nc.connect(servers=args.server, tls=tls_ctx, user_credentials=args.creds)
    print_info(f'Successfully connected to: {args.server}')

To match what this Python script does, I am thinking I need to use:

opts.AddCertificate("C:\\Temp\\ca_file");
opts.SetUserCredentials(C:\\Temp\\user.creds");

Is this the correct corresponding code in C#? I there an equivalent to load_cert_chain to bypass the pfx (just trying to eliminate that in my troubleshooting)?

[scottf]

Can you have a look at the integration tests for examples: https://github.com/nats-io/nats.net/blob/master/src/Tests/IntegrationTests/TestTLS.cs

[EtienneLaneville]

Thanks and sorry for the delay in responding, the NATS server I am testing with has been offline for a while. It is back online now.

[EtienneLaneville]

I have 4 files to use for authentication but in CreateConnection, I only see two ways to use them and in each case, I am only using two:

1. Using the 2nd overload (Options opts): I use GetDefaultOptions and AddCertificate (as in my above example), I am only using the PFX file (made from key and cert files).
2. Using the 5th overload (string url, string jwt, string privateNKey)

I tried both approaches and get a TLS Authentication error:

The remote certificate was rejected by the provided RemoteCertificateValidationCallback.

I will continue digging through the TLS samples, I suspect I need to compare the server certificate with the ca_file using something like private bool verifyServerCert does in the samples.

[EtienneLaneville]

Got this to work and all 4 files are used:

1. key and cert files are used to create a pfx file using OpenSSL: openssl pkcs12 -export -out client.pfx -inkey client-key.pem -in client-cert.pem.
2. ca file is used in the RemoteCertificateValidationCallback (see private bool verifyServerCert in TestTLS.cs). It is used to create a new X509Certificate object that is compared to the certificate object passed to the callback function.
3. Credentials file is used with SetUserCredentials on Options object.

TestTlsSuccessWithCert in TestTLS.cs only needs the Credentials file added to the opts object using SetUserCredentials(filepath)