add mTLS support #60

Open: HTHou wants to merge 1 commit into main from codex/add-mtls-support

HTHou commented Jun 26, 2026

Contributor

Summary

  • Add mTLS configuration to the C# client with ClientCertificatePath, ClientCertificatePassword, and RootCertificatePath options.
  • Wire TLS certificate loading and custom CA validation into SessionPool, including ADO.NET connection string support.
  • Document the JDK 17/keytool artifact mapping for C# users, including direct use of client.keystore and ca.crt.
  • Add configuration tests for the new builder and connection string options.

Impact

Users can now configure one-way TLS with a private CA and mTLS client certificates through both the fluent builders and ADO.NET connection strings. The documented Java/keytool workflow now maps directly to the C# parameters.

Validation

  • git diff --check
  • dotnet build tests/Apache.IoTDB.Tests/Apache.IoTDB.Tests.csproj -f net5.0 --no-restore -v:minimal -clp:ErrorsOnly

HTHou changed the title from "[codex] add mTLS support" to "add mTLS support" Jun 26, 2026
HTHou marked this pull request as ready for review June 29, 2026 09:34
HTHou requested a review from Copilot June 30, 2026 10:48

Copilot AI left a comment

Contributor

Pull request overview

This PR adds TLS/mTLS configuration to the IoTDB C# client, exposing client certificate + custom root CA options through both the fluent SessionPool/TableSessionPool builders and ADO.NET connection strings, and documenting how to map Java/keytool outputs to the .NET certificate model.

Changes:

  • Extend SessionPool and both builders to accept ClientCertificatePath, ClientCertificatePassword, and RootCertificatePath, and wire these into TLS transport creation and validation.
  • Add ADO.NET connection string keywords (UseSsl, ClientCertificatePath, ClientCertificatePassword, RootCertificatePath) and update session creation to use the builder pipeline.
  • Add documentation (EN/ZH) and configuration-focused tests for the new options.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 9 comments.

| File | Description |
| --- | --- |
| tests/Apache.IoTDB.Tests/MtlsConfigurationTests.cs | Adds tests asserting the new builder and connection-string configuration surfaces accept mTLS/TLS options. |
| tests/Apache.IoTDB.Tests/Apache.IoTDB.Tests.csproj | References Apache.IoTDB.Data to enable testing the ADO.NET connection string builder. |
| src/Apache.IoTDB/TableSessionPool.Builder.cs | Adds client/root certificate configuration to the table session pool builder and forwards into SessionPool. |
| src/Apache.IoTDB/SessionPool.cs | Implements certificate loading, custom root CA validation callback, and client cert selection for TLS sockets. |
| src/Apache.IoTDB/SessionPool.Builder.cs | Adds client/root certificate configuration to the main session pool builder and forwards into SessionPool. |
| src/Apache.IoTDB.Data/IoTDBConnectionStringBuilder.cs | Adds new connection string keywords/properties for TLS/mTLS, and fixes TimeOut setter serialization. |
| src/Apache.IoTDB.Data/DataReaderExtensions.cs | Routes ADO.NET session creation through SessionPool.Builder() so TLS/mTLS options are applied. |
| README.md | Documents TLS/mTLS usage and keytool artifact mapping; provides builder + connection string examples. |
| README_ZH.md | Chinese version of the TLS/mTLS documentation and examples. |

Comment on lines +618 to +620
using var customChain = new X509Chain();
customChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
customChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
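Review bot: `AllowUnknownCertificateAuthority` at +620 lets `Build` succeed for a chain that ends in any root, so these three lines on their own do not pin trust to the configured CA. The callback needs an explicit comparison of the built chain's root element against the certificates loaded from RootCertificatePath (raw bytes or thumbprint) before it returns true; on target frameworks that have it, `ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust` with `CustomTrustStore` states that intent directly. `RevocationMode.NoCheck` at +619 is a workable default for a private CA without CRL or OCSP endpoints, but it should be stated in the README or made configurable.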
Comment on lines +548 to +550
return clientCertificatePassword == null
? new X509Certificate2(clientCertificatePath)
: new X509Certificate2(clientCertificatePath, clientCertificatePassword);
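Review bot: neither branch at +548 to +550 checks that the loaded certificate carries a private key. A certificate-only file will load here without error and the failure will surface later in the TLS handshake, far from the misconfiguration. Check `HasPrivateKey` right after loading and throw a configuration exception that names the path but never the password; the README maps this option to client.keystore, so it is also worth stating which file formats are accepted.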
Comment on lines +467 to +470
var clientCertificate = LoadClientCertificate(clientCertificatePath, clientCertificatePassword);
var rootCertificates = LoadRootCertificates(rootCertificatePath);
var remoteCertificateValidationCallback = CreateRemoteCertificateValidationCallback(rootCertificates);
var localCertificateSelectionCallback = CreateLocalCertificateSelectionCallback(clientCertificate);
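Review bot: all four calls at +467 to +470 run unconditionally in the visible lines, so the root-only case (one-way TLS with a private CA, which the description says is supported) depends on `LoadClientCertificate` returning null for a null path and on the selection callback tolerating a null certificate. Please confirm both and add a test that sets only RootCertificatePath. If this code runs per connection, load the certificates once at pool construction so an unreadable path fails early, and dispose the `X509Certificate2` instances when the pool is closed.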
Comment on lines +105 to +109
public Builder SetClientCertificatePath(string clientCertificatePath)
{
_certificatePath = certificatePath;
_clientCertificatePath = clientCertificatePath;
return this;
}
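Review bot: `_certificatePath = certificatePath;` refers to `certificatePath`, which is not a parameter of `SetClientCertificatePath(string clientCertificatePath)`. If that line is the removed side of a rename whose diff marker was lost in this rendering, nothing needs to change; if it is present in the new file, it either fails to compile or binds to a field and self-assigns, and should be dropped.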
Comment on lines +108 to +112
public Builder SetClientCertificatePath(string clientCertificatePath)
{
_certificatePath = certificatePath;
_clientCertificatePath = clientCertificatePath;
return this;
}
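Review bot: the setter stores `clientCertificatePath` without validation, and this second builder repeats the first one line for line, including the `_certificatePath = certificatePath;` line. Reject empty or whitespace-only paths here so a bad value fails at build time rather than at connect time, and consider routing both builders through one shared options object so the TLS settings cannot drift apart.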
Comment thread README.md

```csharp
var sessionPool = new SessionPool.Builder()
.SetHost("127.0.0.1")
Comment thread README.md
The ADO.NET connection string supports the same options:

```text
DataSource=127.0.0.1;Port=6667;UseSsl=True;RootCertificatePath=tls-certs/ca.crt;ClientCertificatePath=tls-certs/client.keystore;ClientCertificatePassword=IoTDB
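Review bot: the example puts `ClientCertificatePassword=IoTDB` inline in the connection string, and connection strings routinely end up in config files, logs and exception messages. Add a sentence telling users to supply the password from a secret store or environment variable, and confirm the connection string builder does not echo this keyword when the string is logged or returned to the caller. The relative `tls-certs/...` paths resolve against the process working directory, which is also worth stating next to the example.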
Comment thread README_ZH.md

```csharp
var sessionPool = new SessionPool.Builder()
.SetHost("127.0.0.1")
Comment thread README_ZH.md
ADO.NET 连接字符串也支持相同配置:

```text
DataSource=127.0.0.1;Port=6667;UseSsl=True;RootCertificatePath=tls-certs/ca.crt;ClientCertificatePath=tls-certs/client.keystore;ClientCertificatePassword=IoTDB