Class MtlsConfig

Namespace
Kuestenlogik.Bowire.Auth
Assembly
Kuestenlogik.Bowire.dll

Decoded mTLS client-cert configuration carried inline in the request metadata dict under MtlsMarkerKey. Shared between the REST plugin (HttpClientHandler) and the gRPC plugin (SocketsHttpHandler) so every TLS-capable transport speaks the same wire format and only one PEM parser exists in the codebase. Because the private key and passphrase travel inside the metadata dict, plugins must call StripMarker before forwarding the remaining entries as protocol headers.

public sealed record MtlsConfig : IEquatable<MtlsConfig>
Inheritance
object → MtlsConfig
Implements
IEquatable<MtlsConfig>

Constructors

MtlsConfig(string, string, string?, string?, bool)

Positional record constructor. CertificatePem and PrivateKeyPem are required; Passphrase and CaCertificatePem are optional and should be passed as null (not "") when absent, which is what TryParse produces.

public MtlsConfig(string CertificatePem, string PrivateKeyPem, string? Passphrase, string? CaCertificatePem, bool AllowSelfSigned)

Parameters

CertificatePem string
PEM-encoded client certificate presented to the server during the TLS handshake.
PrivateKeyPem string
PEM-encoded private key matching CertificatePem; encrypted when Passphrase is set.
Passphrase string?
Passphrase for an encrypted PrivateKeyPem; null when the key is unencrypted.
CaCertificatePem string?
Optional PEM CA certificate that BuildServerValidator pins the server chain to; null to leave validation to the system trust store.
AllowSelfSigned bool
When true, server certificate validation is disabled entirely (see BuildServerValidator).

Fields

MtlsMarkerKey

Magic metadata key the JS mtls auth helper uses to ship its PEM material to plugin invokers. Plugins strip the marker (StripMarker) before forwarding the rest of the metadata as protocol-level headers; if it were forwarded, the client's private key and passphrase would be sent to the remote server as a header.

public const string MtlsMarkerKey = "__bowireMtls__"

Field Value

string

Properties

AllowSelfSigned

When true, BuildServerValidator returns an accept-anything callback and the server certificate is not validated at all. Intended for development against a self-signed server; it also accepts any TLS-terminating man in the middle.

public bool AllowSelfSigned { get; init; }

Property Value

bool

CaCertificatePem

Optional PEM CA certificate. When set (and AllowSelfSigned is false), BuildServerValidator pins the server chain to this CA instead of the system trust store. Null when not supplied; TryParse collapses "" to null.

public string? CaCertificatePem { get; init; }

Property Value

string?

CertificatePem

PEM-encoded client certificate presented to the server. Decoded by TryLoadCertificates.

public string CertificatePem { get; init; }

Property Value

string

Passphrase

Passphrase for an encrypted PrivateKeyPem. Null (never "") when the key is unencrypted, so TryLoadCertificates only takes the encrypted-PEM path for a real passphrase.

public string? Passphrase { get; init; }

Property Value

string?

PrivateKeyPem

PEM-encoded private key for CertificatePem, optionally encrypted under Passphrase. This is secret material: it is present in the metadata dict until StripMarker removes the marker.

public string PrivateKeyPem { get; init; }

Property Value

string

Methods

BuildServerValidator(X509Certificate2?)

Build the server-cert validation callback that the REST and gRPC handlers install on their respective TLS layers; the object? sender parameter lets the same delegate serve HttpClientHandler.ServerCertificateCustomValidationCallback (by delegate contravariance) and, wrapped, SslClientAuthenticationOptions.RemoteCertificateValidationCallback. With AllowSelfSigned=true it returns an accept-anything callback: no chain, hostname or expiry check is performed, so any party able to terminate the TLS connection is accepted. Otherwise, when caCert is supplied, it returns a CA-pinning validator that forgives only the UntrustedRoot / PartialChain chain errors a private CA produces against the system trust store; hostname mismatches and every other chain error still fail. Returns null when neither override applies, in which case the system trust store handles validation.

public Func<object?, X509Certificate2?, X509Chain?, SslPolicyErrors, bool>? BuildServerValidator(X509Certificate2? caCert)

Parameters

caCert X509Certificate2?
CA certificate to pin the server chain to, normally the caCert that TryLoadCertificates returns from CaCertificatePem; null when no CA was supplied.

Returns

Func<object?, X509Certificate2?, X509Chain?, SslPolicyErrors, bool>?
The validation callback, or null when validation is left to the system trust store.
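The three cases above, as an added example that is not Bowire's own BuildServerValidator. PinnedValidator.Build (an assumed name) returns a delegate of the same shape; RootIs rebuilds the chain with caCert as a custom trust root so that "forgive UntrustedRoot / PartialChain" cannot degrade into "accept any self-signed certificate"; ForRest and ForGrpc (also assumed) show the one delegate landing on HttpClientHandler and SocketsHttpHandler. Skipping revocation checks is an assumption about the private CA, not something the page states.

```csharp
#nullable enable
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not Bowire's BuildServerValidator. PinnedValidator, Build,
// RootIs, ForRest and ForGrpc are names chosen for this illustration.
public static class PinnedValidator
{
    public static Func<object?, X509Certificate2?, X509Chain?, SslPolicyErrors, bool>?
        Build(bool allowSelfSigned, X509Certificate2? caCert)
    {
        // Case 1: accept anything. Nothing about the peer is checked, so this is
        // only acceptable against a local dev server you control.
        if (allowSelfSigned) return (_, _, _, _) => true;

        // Case 3: no override, the system trust store decides.
        if (caCert is null) return null;

        // Case 2: CA pinning. `chain`/`errors` are the platform's verdict against the
        // system trust store, which a private CA will normally fail.
        return (_, cert, chain, errors) =>
        {
            if (cert is null) return false;
            if (errors == SslPolicyErrors.None) return RootIs(cert, caCert); // trusted, but still pin

            // Hostname mismatch or a missing certificate is never forgiven.
            if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0) return false;

            // Of the chain errors, forgive only UntrustedRoot and PartialChain;
            // expiry, revocation and bad-signature statuses still fail.
            if (chain is not null)
            {
                foreach (var s in chain.ChainStatus)
                {
                    if (s.Status is not (X509ChainStatusFlags.UntrustedRoot or X509ChainStatusFlags.PartialChain))
                        return false;
                }
            }
            return RootIs(cert, caCert);
        };
    }

    // Rebuild the chain with caCert as the only trusted root and require that it
    // really terminates at caCert, so a different self-signed root is rejected.
    private static bool RootIs(X509Certificate2 leaf, X509Certificate2 caCert)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(caCert);
        // Assumption: the private CA publishes no CRL/OCSP, so revocation is skipped.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (!chain.Build(leaf)) return false;
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return root.RawData.AsSpan().SequenceEqual(caCert.RawData);
    }

    // REST transport: Func<object?, ...> converts to the HttpRequestMessage-typed
    // callback through delegate contravariance, no wrapper needed.
    public static HttpClientHandler ForRest(X509Certificate2 clientCert,
        Func<object?, X509Certificate2?, X509Chain?, SslPolicyErrors, bool>? validator)
    {
        var handler = new HttpClientHandler();
        handler.ClientCertificates.Add(clientCert);
        if (validator is not null) handler.ServerCertificateCustomValidationCallback = validator;
        return handler;
    }

    // gRPC transport: RemoteCertificateValidationCallback hands over an X509Certificate,
    // so wrap the delegate and widen the certificate to X509Certificate2.
    public static SocketsHttpHandler ForGrpc(X509Certificate2 clientCert,
        Func<object?, X509Certificate2?, X509Chain?, SslPolicyErrors, bool>? validator)
    {
        var handler = new SocketsHttpHandler();
        handler.SslOptions.ClientCertificates = new X509CertificateCollection { clientCert };
        if (validator is not null)
        {
            handler.SslOptions.RemoteCertificateValidationCallback =
                (sender, cert, chain, errors) => validator(sender,
                    cert switch { null => null, X509Certificate2 c2 => c2, _ => new X509Certificate2(cert) },
                    chain, errors);
        }
        return handler;
    }
}
```

The final RawData comparison is the part that makes this pinning rather than "trust any chain that merely looks incomplete": a validator that forgives UntrustedRoot without rebuilding the chain against the supplied CA would accept every self-signed server certificate.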

Deconstruct(out string, out string, out string?, out string?, out bool)

public void Deconstruct(out string CertificatePem, out string PrivateKeyPem, out string? Passphrase, out string? CaCertificatePem, out bool AllowSelfSigned)

Parameters

CertificatePem string
PrivateKeyPem string
Passphrase string?
CaCertificatePem string?
AllowSelfSigned bool

Equals(MtlsConfig?)

public bool Equals(MtlsConfig? other)

Parameters

other MtlsConfig

Returns

bool

Equals(object?)

public override bool Equals(object? obj)

Parameters

obj object

Returns

bool

GetHashCode()

public override int GetHashCode()

Returns

int

StripMarker(IReadOnlyDictionary<string, string>?)

Returns a copy of the metadata dict with the magic mTLS marker removed — plugins call this before forwarding metadata as protocol headers (gRPC Metadata, HTTP request headers, ...).

public static Dictionary<string, string>? StripMarker(IReadOnlyDictionary<string, string>? metadata)

Parameters

metadata IReadOnlyDictionary<string, string>?

Returns

Dictionary<string, string>?

ToString()

Record-synthesized unless overridden. A synthesized positional-record ToString prints every positional member, including PrivateKeyPem and Passphrase, so do not write this config to logs or error messages.

public override string ToString()

Returns

string

TryLoadCertificates(out X509Certificate2?, out X509Certificate2?, out string?)

Decode the PEM material into ready-to-use X509 resources. Returns false with error set if anything fails to parse (wrong passphrase, malformed PEM, key/certificate mismatch) so the caller can surface a clean message to the user. Caller owns disposal of the returned certificates (or wraps them in a dedicated handler-owner — see MtlsHandlerOwner).

public bool TryLoadCertificates(out X509Certificate2? clientCert, out X509Certificate2? caCert, out string? error)

Parameters

clientCert X509Certificate2?
Client certificate with its private key attached, ready to add to the transport's client-certificate collection; null on failure.
caCert X509Certificate2?
CA certificate decoded from CaCertificatePem, for BuildServerValidator; null when none was supplied or on failure.
error string?
Human-readable failure reason; null on success.

Returns

bool
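A PEM loader of the same shape as TryLoadCertificates, added here as an example and not Bowire's implementation. PemLoader.TryLoad and the self-check Main are assumed names; the certificate and keys are generated at run time, so no real material is embedded. It targets .NET 7 or later for the PEM export helpers used in Main.

```csharp
#nullable enable
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not Bowire's TryLoadCertificates. PemLoader and its members are
// names chosen for this illustration.
public static class PemLoader
{
    public static bool TryLoad(string certPem, string keyPem, string? passphrase, string? caPem,
        out X509Certificate2? clientCert, out X509Certificate2? caCert, out string? error)
    {
        clientCert = null; caCert = null; error = null;
        // "" means "no passphrase": only take the encrypted path for a real one.
        if (string.IsNullOrEmpty(passphrase)) passphrase = null;
        try
        {
            // An unencrypted key with a passphrase, or an encrypted key without one,
            // throws CryptographicException here and is reported through `error`.
            X509Certificate2 withKey = passphrase is null
                ? X509Certificate2.CreateFromPem(certPem, keyPem)
                : X509Certificate2.CreateFromEncryptedPem(certPem, keyPem, passphrase);

            // Windows SChannel cannot use the ephemeral key CreateFromPem attaches;
            // a PKCS#12 round-trip yields a key the TLS stack can present.
            // (.NET 9+ can use X509CertificateLoader.LoadPkcs12 instead of the ctor.)
            if (OperatingSystem.IsWindows())
            {
                using (withKey)
                    clientCert = new X509Certificate2(withKey.Export(X509ContentType.Pkcs12));
            }
            else
            {
                clientCert = withKey;
            }

            if (!string.IsNullOrEmpty(caPem))
                caCert = X509Certificate2.CreateFromPem(caPem);
            return true;
        }
        catch (Exception ex) when (ex is CryptographicException or ArgumentException)
        {
            clientCert?.Dispose(); caCert?.Dispose();
            clientCert = null; caCert = null;
            error = $"mTLS material could not be decoded: {ex.Message}";
            return false;
        }
    }

    // Self-check: mint a throwaway self-signed cert, export it as plain and encrypted
    // PEM, and load both back. Everything here is generated at run time, not real.
    public static void Main()
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=bowire-demo-client", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));

        string certPem = cert.ExportCertificatePem();
        string keyPem = rsa.ExportPkcs8PrivateKeyPem();
        string encPem = rsa.ExportEncryptedPkcs8PrivateKeyPem("demo-pass",
            new PbeParameters(PbeEncryptionAlgorithm.Aes256Cbc, HashAlgorithmName.SHA256, 100_000));

        Report("plain key, passphrase \"\"", TryLoad(certPem, keyPem, "", null, out var c1, out _, out var e1), c1, e1);
        Report("encrypted key + CA", TryLoad(certPem, encPem, "demo-pass", certPem, out var c2, out var ca2, out var e2), c2, e2);
        Report("wrong passphrase", TryLoad(certPem, encPem, "nope", null, out var c3, out _, out var e3), c3, e3);
        c1?.Dispose(); c2?.Dispose(); ca2?.Dispose(); c3?.Dispose();
    }

    private static void Report(string label, bool ok, X509Certificate2? c, string? err) =>
        Console.WriteLine($"{label}: ok={ok} hasKey={c?.HasPrivateKey} {err}");
}
```

The first two cases succeed with HasPrivateKey=true; the third fails and returns the decryption error as `error` instead of throwing. The PKCS#12 round-trip is the caveat most often missed: on Windows a certificate loaded straight from PEM reports HasPrivateKey=true but the handshake still sends no client certificate.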

TryParse(string)

Parse the JSON shape produced by the JS auth.js layer: { certificate, privateKey, passphrase?, caCertificate?, allowSelfSigned? }. Empty strings on optional fields collapse to null so the encrypted-PEM path is only taken when a real passphrase was supplied.

public static MtlsConfig? TryParse(string json)

Parameters

json string

Returns

MtlsConfig?

TryParseFromMetadata(IReadOnlyDictionary<string, string>?)

Look up and parse the marker entry in metadata. Returns null when the marker is absent or its JSON is malformed.

public static MtlsConfig? TryParseFromMetadata(IReadOnlyDictionary<string, string>? metadata)

Parameters

metadata IReadOnlyDictionary<string, string>?

Returns

MtlsConfig?
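The parse-from-metadata, empty-string-to-null and marker-stripping behaviour described for TryParse, TryParseFromMetadata and StripMarker, as one added example that is not Bowire's MtlsConfig. MtlsConfigDemo mirrors the documented record shape and reuses the documented marker string; the parsing code, the redacting ToString and the metadata in Main are constructed for this illustration.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Text.Json;

// Added example, not Bowire's MtlsConfig. Only the marker value comes from the page.
public sealed record MtlsConfigDemo(string CertificatePem, string PrivateKeyPem,
    string? Passphrase, string? CaCertificatePem, bool AllowSelfSigned)
{
    public const string MarkerKey = "__bowireMtls__";

    // Accepts { certificate, privateKey, passphrase?, caCertificate?, allowSelfSigned? }.
    // Malformed JSON, a non-object, or a missing/empty required field yields null.
    public static MtlsConfigDemo? TryParse(string json)
    {
        try
        {
            using var doc = JsonDocument.Parse(json);
            var root = doc.RootElement;
            if (root.ValueKind != JsonValueKind.Object) return null;
            string? cert = OptionalString(root, "certificate");
            string? key = OptionalString(root, "privateKey");
            if (cert is null || key is null) return null;
            bool allowSelfSigned = root.TryGetProperty("allowSelfSigned", out var flag)
                                   && flag.ValueKind == JsonValueKind.True;
            return new MtlsConfigDemo(cert, key,
                OptionalString(root, "passphrase"), OptionalString(root, "caCertificate"), allowSelfSigned);
        }
        catch (JsonException) { return null; }
    }

    // Missing, null, non-string and "" all collapse to null, so "passphrase": ""
    // never sends the loader down the encrypted-PEM path.
    private static string? OptionalString(JsonElement obj, string name) =>
        obj.TryGetProperty(name, out var v) && v.ValueKind == JsonValueKind.String
            && v.GetString() is { Length: > 0 } s ? s : null;

    public static MtlsConfigDemo? TryParseFromMetadata(IReadOnlyDictionary<string, string>? metadata) =>
        metadata is not null && metadata.TryGetValue(MarkerKey, out var json) ? TryParse(json) : null;

    // Copy without the marker; the caller's dictionary is left untouched.
    public static Dictionary<string, string>? StripMarker(IReadOnlyDictionary<string, string>? metadata)
    {
        if (metadata is null) return null;
        var copy = new Dictionary<string, string>(metadata.Count);
        foreach (var (key, value) in metadata)
        {
            if (key != MarkerKey) copy[key] = value;
        }
        return copy;
    }

    // A positional record's synthesized ToString would print PrivateKeyPem and
    // Passphrase; override it so an accidental log line cannot leak them.
    public override string ToString() =>
        $"{nameof(MtlsConfigDemo)} {{ AllowSelfSigned = {AllowSelfSigned}, " +
        $"HasPassphrase = {Passphrase is not null}, HasCa = {CaCertificatePem is not null} }}";

    public static void Main()
    {
        // Constructed metadata as a plugin would receive it: one ordinary header plus the marker.
        // The PEM bodies are placeholders, not real key material.
        var metadata = new Dictionary<string, string>
        {
            ["authorization"] = "Bearer demo-token",
            [MarkerKey] = """{"certificate":"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----","privateKey":"-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----","passphrase":"","caCertificate":"","allowSelfSigned":false}""",
        };

        MtlsConfigDemo? cfg = TryParseFromMetadata(metadata);
        Console.WriteLine(cfg);                            // redacted view, no PEM text
        Console.WriteLine(cfg?.Passphrase is null);        // True: "" collapsed to null
        Console.WriteLine(cfg?.CaCertificatePem is null);  // True

        var headers = StripMarker(metadata)!;
        Console.WriteLine(headers.ContainsKey(MarkerKey)); // False: the marker never reaches the wire
        Console.WriteLine(headers["authorization"]);       // Bearer demo-token
        Console.WriteLine(TryParse("{not json") is null);  // True: malformed JSON, no exception
    }
}
```

Two properties worth checking when wiring this into a transport: StripMarker returns a fresh dictionary, so the original metadata (and its private key) is still alive in the caller and should not be retained longer than the request needs it; and TryParse treats a missing required field as null rather than throwing, which is what lets a plugin fall back to plain TLS instead of failing the request with a stack trace.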

Operators

operator ==(MtlsConfig?, MtlsConfig?)

public static bool operator ==(MtlsConfig? left, MtlsConfig? right)

Parameters

left MtlsConfig?
right MtlsConfig?

Returns

bool

operator !=(MtlsConfig?, MtlsConfig?)

public static bool operator !=(MtlsConfig? left, MtlsConfig? right)

Parameters

left MtlsConfig?
right MtlsConfig?

Returns

bool