add mTLS support #60
Open
HTHou wants to merge 1 commit into
Conversation
Contributor
Pull request overview
This PR adds TLS/mTLS configuration to the IoTDB C# client, exposing client certificate + custom root CA options through both the fluent SessionPool/TableSessionPool builders and ADO.NET connection strings, and documenting how to map Java/keytool outputs to the .NET certificate model.
Changes:
- Extend `SessionPool` and both builders to accept `ClientCertificatePath`, `ClientCertificatePassword`, and `RootCertificatePath`, and wire these into TLS transport creation and validation.
- Add ADO.NET connection string keywords (`UseSsl`, `ClientCertificatePath`, `ClientCertificatePassword`, `RootCertificatePath`) and update session creation to use the builder pipeline.
- Add documentation (EN/ZH) and configuration-focused tests for the new options.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| tests/Apache.IoTDB.Tests/MtlsConfigurationTests.cs | Adds tests asserting the new builder and connection-string configuration surfaces accept mTLS/TLS options. |
| tests/Apache.IoTDB.Tests/Apache.IoTDB.Tests.csproj | References Apache.IoTDB.Data to enable testing the ADO.NET connection string builder. |
| src/Apache.IoTDB/TableSessionPool.Builder.cs | Adds client/root certificate configuration to the table session pool builder and forwards into SessionPool. |
| src/Apache.IoTDB/SessionPool.cs | Implements certificate loading, custom root CA validation callback, and client cert selection for TLS sockets. |
| src/Apache.IoTDB/SessionPool.Builder.cs | Adds client/root certificate configuration to the main session pool builder and forwards into SessionPool. |
| src/Apache.IoTDB.Data/IoTDBConnectionStringBuilder.cs | Adds new connection string keywords/properties for TLS/mTLS, and fixes TimeOut setter serialization. |
| src/Apache.IoTDB.Data/DataReaderExtensions.cs | Routes ADO.NET session creation through SessionPool.Builder() so TLS/mTLS options are applied. |
| README.md | Documents TLS/mTLS usage and keytool artifact mapping; provides builder + connection string examples. |
| README_ZH.md | Chinese version of the TLS/mTLS documentation and examples. |
Comment on lines +618 to +620
| using var customChain = new X509Chain(); | ||
| customChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; | ||
| customChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; |
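Review bot: `AllowUnknownCertificateAuthority` makes `customChain.Build()` succeed for a leaf that chains to any self-signed root, not only the ones loaded from `rootCertificatePath`, so unless the code after these lines compares the chain's terminal element against the configured root certificates (by `RawData` or thumbprint) before returning true, a certificate minted under an attacker's own CA is accepted. On the net5.0 target this PR builds against, setting `customChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust` and adding the loaded roots to `customChain.ChainPolicy.CustomTrustStore` expresses the intent directly and removes the need for the flag. `RevocationMode = X509RevocationMode.NoCheck` also disables CRL/OCSP for the private CA unconditionally; that is a defensible default for an offline CA, but the README should state it.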
Comment on lines +548 to +550
| return clientCertificatePassword == null | ||
| ? new X509Certificate2(clientCertificatePath) | ||
| : new X509Certificate2(clientCertificatePath, clientCertificatePassword); |
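Review bot: `new X509Certificate2(clientCertificatePath, clientCertificatePassword)` understands DER/PEM certificates and PKCS#12 (PFX) files only, so the `client.keystore` the README points at has to be a PKCS#12 keystore (keytool `-deststoretype PKCS12`); a legacy JKS file fails with a `CryptographicException` that says nothing about the format, which deserves either a check or a sentence in the docs. The ternary is also redundant, since the `(fileName, password)` overload accepts a null password. Consider passing `X509KeyStorageFlags.EphemeralKeySet` (not supported on macOS) so that the private key is not persisted into the user profile key store on Windows each time a pool is created.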
Comment on lines +467 to +470
| var clientCertificate = LoadClientCertificate(clientCertificatePath, clientCertificatePassword); | ||
| var rootCertificates = LoadRootCertificates(rootCertificatePath); | ||
| var remoteCertificateValidationCallback = CreateRemoteCertificateValidationCallback(rootCertificates); | ||
| var localCertificateSelectionCallback = CreateLocalCertificateSelectionCallback(clientCertificate); |
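Review bot: `CreateRemoteCertificateValidationCallback(rootCertificates)` receives only the root set, so please confirm that the callback (a) falls back to the default policy result when `rootCertificatePath` is not configured instead of accepting any certificate, and (b) never overrides `SslPolicyErrors.RemoteCertificateNameMismatch`; a callback that only repairs chain errors would accept a certificate issued by the right CA for the wrong host. `clientCertificate` and `rootCertificates` are also disposable and are loaded on every call of this method; either cache them for the life of the pool or dispose them when the pool is disposed.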
Comment on lines +105 to +109
| public Builder SetClientCertificatePath(string clientCertificatePath) | ||
| { | ||
| _certificatePath = certificatePath; | ||
| _clientCertificatePath = clientCertificatePath; | ||
| return this; | ||
| } |
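Review bot: `_certificatePath = certificatePath;` on the first line of the body refers to `certificatePath`, which is not this method's parameter (`clientCertificatePath`); unless a field or local by that name exists the file does not compile, and if one does exist the line is a no-op copy-paste leftover from another setter. Either drop the line or, if the intent is to keep the older `_certificatePath` field in sync, assign `clientCertificatePath` and say in the builder docs that `SetClientCertificatePath` supersedes it.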
Comment on lines +108 to +112
| public Builder SetClientCertificatePath(string clientCertificatePath) | ||
| { | ||
| _certificatePath = certificatePath; | ||
| _clientCertificatePath = clientCertificatePath; | ||
| return this; | ||
| } |
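Review bot: Same problem as in SessionPool.Builder.cs: `_certificatePath = certificatePath;` references a name that is not the parameter `clientCertificatePath`, so this either fails to compile or silently does nothing. Fix both builders the same way so the table session pool and the main pool behave identically.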
| ```csharp | ||
| var sessionPool = new SessionPool.Builder() | ||
| .SetHost("127.0.0.1") |
| The ADO.NET connection string supports the same options: | ||
| ```text | ||
| DataSource=127.0.0.1;Port=6667;UseSsl=True;RootCertificatePath=tls-certs/ca.crt;ClientCertificatePath=tls-certs/client.keystore;ClientCertificatePassword=IoTDB |
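Review bot: The connection string example carries the PKCS#12 password in clear text (`ClientCertificatePassword=IoTDB`), so it will land in config files, logs and exception messages wherever the string is echoed; the README should say that a connection string with this keyword is now a secret and point callers who fetch the password from a secret store to the builder form instead. The relative paths `tls-certs/ca.crt` and `tls-certs/client.keystore` resolve against the process working directory, not the assembly location, which is worth one sentence or an absolute path in the example.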
| ```csharp | ||
| var sessionPool = new SessionPool.Builder() | ||
| .SetHost("127.0.0.1") |
| The ADO.NET connection string also supports the same configuration: | ||
| ```text | ||
| DataSource=127.0.0.1;Port=6667;UseSsl=True;RootCertificatePath=tls-certs/ca.crt;ClientCertificatePath=tls-certs/client.keystore;ClientCertificatePassword=IoTDB |
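Review bot: This mirrors the README.md example, so the same caveats apply: the clear-text `ClientCertificatePassword=IoTDB` makes the connection string a secret, and the `tls-certs/...` paths are relative to the working directory. Whatever wording is added to the English README should be added here too so the two stay in sync.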
Summary
- `ClientCertificatePath`, `ClientCertificatePassword`, and `RootCertificatePath` options.
- `SessionPool`, including ADO.NET connection string support.
- `client.keystore` and `ca.crt`.

Impact
Users can now configure one-way TLS with a private CA and mTLS client certificates through both the fluent builders and ADO.NET connection strings. The documented Java/keytool workflow now maps directly to the C# parameters.
Validation
```shell
git diff --check
dotnet build tests/Apache.IoTDB.Tests/Apache.IoTDB.Tests.csproj -f net5.0 --no-restore -v:minimal -clp:ErrorsOnly
```
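As an added example, not code from this PR or from the IoTDB client, the following shows a remote-certificate validation callback of the shape `CreateRemoteCertificateValidationCallback` would need, built on `X509ChainTrustMode.CustomRootTrust` rather than `AllowUnknownCertificateAuthority`, so that only the CAs read from the root certificate file are trusted and a hostname mismatch is never overridden. The class and helper names (`PrivateCaValidation`, `MakeCa`, `MakeLeaf`) are hypothetical, and the throwaway CA and server certificates are generated in-process so the example runs offline on the net5.0 target the PR's validation step uses.

```csharp
// Added example (not part of the PR): custom-root validation for a private CA.
// Assumes .NET 5 or later; names below are hypothetical.
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PrivateCaValidation
{
    // Returns the callback to hand to SslStream (or a TLS transport that exposes one).
    // 'roots' are the certificates read from the root CA file; the machine trust
    // store is not consulted at all.
    public static RemoteCertificateValidationCallback Create(X509Certificate2Collection roots)
    {
        return (sender, certificate, chain, errors) =>
        {
            if (certificate == null) return false;

            // A hostname mismatch is a different error class from "unknown CA" and must
            // never be overridden: a cert from the right CA for the wrong host is still wrong.
            if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;

            using var customChain = new X509Chain();
            customChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            customChain.ChainPolicy.CustomTrustStore.AddRange(roots);
            // Private CAs usually publish no CRL/OCSP; make that an explicit choice.
            customChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            customChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            // Reuse any intermediates the server sent during the handshake.
            if (chain != null)
                foreach (X509ChainElement element in chain.ChainElements)
                    customChain.ChainPolicy.ExtraStore.Add(element.Certificate);

            var leaf = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
            // Build() returns false unless the chain terminates in one of 'roots'.
            return customChain.Build(leaf);
        };
    }

    // Throwaway CA for the offline demo; in production the CA comes from the root CA file.
    public static X509Certificate2 MakeCa(string name)
    {
        var key = RSA.Create(2048); // kept alive: this key signs the leaves below
        var req = new CertificateRequest($"CN={name}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    // Throwaway server certificate issued by 'ca' for 'dnsName'.
    public static X509Certificate2 MakeLeaf(X509Certificate2 ca, string dnsName)
    {
        using var key = RSA.Create(2048);
        var req = new CertificateRequest($"CN={dnsName}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(dnsName);
        req.CertificateExtensions.Add(san.Build());
        var serial = new byte[8];
        RandomNumberGenerator.Fill(serial);
        return req.Create(ca, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(90), serial);
    }

    public static void Main()
    {
        var ca = MakeCa("IoTDB Test CA");
        var rogueCa = MakeCa("Rogue CA");
        var validate = Create(new X509Certificate2Collection { ca });

        var server = MakeLeaf(ca, "iotdb.internal");
        var rogue = MakeLeaf(rogueCa, "iotdb.internal");

        // SslStream reports RemoteCertificateChainErrors for any CA outside the machine store;
        // the callback decides whether the configured private CA makes that acceptable.
        Console.WriteLine("issued by configured CA, name matches: "
            + validate(null, server, null, SslPolicyErrors.RemoteCertificateChainErrors));
        Console.WriteLine("issued by configured CA, name mismatch: "
            + validate(null, server, null, SslPolicyErrors.RemoteCertificateChainErrors | SslPolicyErrors.RemoteCertificateNameMismatch));
        Console.WriteLine("issued by unknown CA, name matches: "
            + validate(null, rogue, null, SslPolicyErrors.RemoteCertificateChainErrors));
    }
}
```

Wire the returned delegate into the TLS transport at the point where the PR hands over its own callback, and keep the root collection alive for the life of the pool, since the chain is rebuilt on every handshake. The mTLS client certificate is independent of this path: it is supplied through the local-certificate selection callback and is validated by the server, not here.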