CA5403: Do not hard-code certificate
| Property | Value |
|---|---|
| Rule ID | CA5403 |
| Title | Do not hard-code certificate |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 8 | No |
Cause
The data or rawData parameter of a X509Certificate or X509Certificate2 constructor is hard-coded by one of the following:
- Byte array.
- Char array.
- System.Convert.FromBase64String(String).
- All the overloads of System.Text.Encoding.GetBytes.
Rule description
A hard-coded certificate's private key is easily discovered. Even with compiled binaries, it is easy for malicious users to extract a hard-coded certificate's private key. Once the private key is compromised, an attacker can impersonate that certificate, and any resources or operations protected by that certificate will be available to the attacker.
How to fix violations
- Consider redesigning your application to use a secure key management system, such as Azure Key Vault.
- Keep credentials and certificates in a secure location separate from your source code.
When to suppress warnings
It's safe to suppress a warning from this rule if the hard-coded data doesn't contain the certificate's private key. For example, the data is from a .cer file. Hard-coding public certificate information may still create a challenge for rotating certificates as they expire or get revoked.
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5403
// The code that's violating the rule is on this line.
#pragma warning restore CA5403
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5403.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples
Hard-coded by byte array
using System.IO;
using System.Security.Cryptography.X509Certificates;
class ExampleClass
{
public void ExampleMethod(string path)
{
byte[] bytes = new byte[] {1, 2, 3};
File.WriteAllBytes(path, bytes);
new X509Certificate2(path);
}
}
Hard-coded by char array
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;
class ExampleClass
{
public void ExampleMethod(byte[] bytes, string path)
{
char[] chars = new char[] { '1', '2', '3' };
Encoding.ASCII.GetBytes(chars, 0, 3, bytes, 0);
File.WriteAllBytes(path, bytes);
new X509Certificate2(path);
}
}
Hard-coded by FromBase64String
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
class ExampleClass
{
public void ExampleMethod(string path)
{
byte[] bytes = Convert.FromBase64String("AAAAAaazaoensuth");
File.WriteAllBytes(path, bytes);
new X509Certificate2(path);
}
}
Hard-coded by GetBytes
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;
class ExampleClass
{
public void ExampleMethod(string path)
{
byte[] bytes = Encoding.ASCII.GetBytes("AAAAAaazaoensuth");
File.WriteAllBytes(path, bytes);
new X509Certificate2(path);
}
}
Solution
using System.IO;
using System.Security.Cryptography.X509Certificates;
class ExampleClass
{
public void ExampleMethod(string path)
{
new X509Certificate2("Certificate.cer");
}
}
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for