
Cert Authentication .Net Framework 4.6 Not Working with WebRequestHandler #197

Closed
amoberoi opened this issue Jun 23, 2021 · 4 comments

@amoberoi

Describe the bug
Not able to pass a client certificate with WebRequestHandler.

VaultSharp Version
The version of the VaultSharp package being used: 1.6.2.5

Vault Version
The version of the Vault server being used: Vault v0.11.1

Does this work with Vault CLI?
Yes

Sample Code Snippet

  1. Install NuGet package System.Net.Http.WinHttpHandler

  2. Replace var handler = new WebRequestHandler(); with var handler = new WinHttpHandler();, since WinHttpHandler works fine and is able to pass the client cert to Vault and read the kv secret from Vault.

  3. Make the other fixes in the Polymath.cs file needed for the WinHttpHandler implementation.

  4. Sample cert code (runs inside an async method; GetCertificate and ParseSecretPath are the reporter's own helpers, not shown)

    // Placeholders; the real values are redacted in the report.
    string vaultUrl = "xxxx";
    string certificateThumbprint = "xxxxx";
    string secretPath = "xxxxxx";

    // Load the client cert and configure cert auth.
    var clientcertificate = GetCertificate(certificateThumbprint);
    IAuthMethodInfo authMethod = new CertAuthMethodInfo(clientcertificate);
    var vaultClientSettings = new VaultClientSettings(vaultUrl, authMethod);
    IVaultClient _vaultClient = new VaultClient(vaultClientSettings);

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

    // Parse mount point and path
    var parsedPath = ParseSecretPath(secretPath);
    string mountPoint = parsedPath.Item1, _path = parsedPath.Item2;

    // Read the KV v2 secret; this is the call that fails with WebRequestHandler.
    var kvSecret = await _vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(_path, mountPoint: mountPoint);

Exception Details/Stack Trace/Error Message
The error when using WebRequestHandler is "client certificate must be supplied".

Any additional info
Helpful info

@rajanadar
Owner

rajanadar commented Jun 23, 2021

thanks @amoberoi

I'll make the proper fix and release a new version in the coming days (less than 7).

The HttpHandler and proxy possibilities are so diverse in .NET with 4.5, 4.6, .NET Standard, etc., that I have a couple of delegates that allow 100% customization (including renewal) of the handler and even of the HttpClient if needed.

So, you can get unblocked as follows:

    var vaultClientSettings = new VaultClientSettings(vaultUrl, authMethod);

    // change the original handler to the one you need.
    vaultClientSettings.PostProcessHttpClientHandlerAction = (HttpClientHandler originalHttpClientHandler) =>
    {
        originalHttpClientHandler = new WinHttpHandler();
        originalHttpClientHandler.ClientCertificates.Add(clientcertificate);
    };

    IVaultClient _vaultClient = new VaultClient(vaultClientSettings);

The above snippet ensures you can still use the official nuget package for VaultSharp and proceed.

I'll make the changes in the coming days. Let me know if any issues.

@rajanadar rajanadar self-assigned this Jun 23, 2021
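An added example (not code from the issue thread or from the VaultSharp project) of the second delegate the maintainer mentions, the one that replaces the whole HttpClient rather than the handler, so that WinHttpHandler can be used on .NET Framework 4.6 without casting it to HttpClientHandler. It also covers steps 1 and 2 of the reporter's workaround (install System.Net.Http.WinHttpHandler, use WinHttpHandler instead of WebRequestHandler) without patching Polymath.cs. Assumptions: VaultSharp 1.6.x exposes VaultClientSettings.MyHttpClientProviderFunc as a Func<HttpClientHandler, HttpClient>; the System.Net.Http.WinHttpHandler NuGet package is installed; the client cert lives in the CurrentUser\My store. The class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using VaultSharp;
using VaultSharp.V1.AuthMethods;
using VaultSharp.V1.AuthMethods.Cert;

// Added example; not code from the issue or from VaultSharp itself.
// Assumes VaultSharp 1.6.x on .NET Framework 4.6+, the NuGet package
// System.Net.Http.WinHttpHandler, and that VaultClientSettings exposes
// MyHttpClientProviderFunc (Func<HttpClientHandler, HttpClient>).
public static class WinHttpVaultClientFactory
{
    // Looks the client certificate up by thumbprint in CurrentUser\My.
    // validOnly: true filters out expired or untrusted certs before they
    // ever reach Vault, which turns a vague TLS failure into a clear error.
    public static X509Certificate2 GetCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: true);
            if (matches.Count != 1)
                throw new InvalidOperationException(
                    $"Expected exactly one valid certificate with thumbprint {thumbprint}, found {matches.Count}.");

            var cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Client certificate has no private key; TLS client authentication cannot succeed.");
            return cert;
        }
    }

    public static IVaultClient Create(string vaultUrl, X509Certificate2 clientCertificate)
    {
        IAuthMethodInfo authMethod = new CertAuthMethodInfo(clientCertificate);
        var settings = new VaultClientSettings(vaultUrl, authMethod);

        // Hand VaultSharp a complete HttpClient instead of mutating the
        // HttpClientHandler parameter: WinHttpHandler derives from
        // HttpMessageHandler, not HttpClientHandler, so assigning it to the
        // parameter does not compile (and reassigning a by-value parameter
        // would be a no-op even if it did).
        settings.MyHttpClientProviderFunc = (HttpClientHandler defaultHandler) =>
        {
            var winHttp = new WinHttpHandler
            {
                // Pin TLS 1.2; no TLS 1.0/1.1 fallback. ServicePointManager
                // settings do not apply to WinHttpHandler, so set it here.
                SslProtocols = SslProtocols.Tls12,
                // Present the cert we chose, not whatever WinHTTP would pick.
                ClientCertificateOption = ClientCertificateOption.Manual,
                // ServerCertificateValidationCallback is left unset on purpose so
                // Vault's server certificate is still verified against the
                // Windows trust store.
            };
            winHttp.ClientCertificates.Add(clientCertificate);
            return new HttpClient(winHttp, disposeHandler: true);
        };

        return new VaultClient(settings);
    }

    // The same KV v2 read the reporter performs, returning only the key/value
    // data so callers never have to touch the wrapper types.
    public static async Task<IDictionary<string, object>> ReadKv2Async(
        IVaultClient client, string mountPoint, string path)
    {
        var secret = await client.V1.Secrets.KeyValue.V2.ReadSecretAsync(path, mountPoint: mountPoint);
        return secret.Data.Data;
    }
}
```

Usage: `var client = WinHttpVaultClientFactory.Create(vaultUrl, WinHttpVaultClientFactory.GetCertificate(thumbprint));` followed by `await WinHttpVaultClientFactory.ReadKv2Async(client, "secret", "app/config");`. WinHttpHandler is Windows-only, so this workaround does not carry over to Linux or macOS builds; there the default handler already sends client certificates.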
@amoberoi
Author

Thanks rajanadar, but assignment of WinHttpHandler to HttpClientHandler is not working since casting is not allowed: "Cannot implicitly convert type 'System.Net.Http.WinHttpHandler' to 'System.Net.Http.HttpClientHandler'". So I made the temporary fixes in Polymath.cs and added a #NET46 block to instantiate WinHttpHandler for cert-based authentication. Once you share the updated package we will switch to that. Thanks.

@rajanadar
Owner

rajanadar commented Jun 27, 2021

Got it. @amoberoi

Cool. I incorporated your suggestion. Also, I took the opportunity to make VaultSharp .NET 4.6.x, 4.7.x, 4.8 and .NET 5 compatible.
New package is already published: https://www.nuget.org/packages/VaultSharp/1.6.5

Please let me know if any issues.

@amoberoi
Author

Thanks. It works now.
