CA5403: Do not hard-code certificate
| Property | Value |
|---|---|
| Rule ID | CA5403 |
| Title | Do not hard-code certificate |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 9 | No |
The data or rawData parameter of a X509Certificate or X509Certificate2 constructor is hard-coded by one of the following:
- Byte array.
- Char array.
- System.Convert.FromBase64String(String).
- All the overloads of System.Text.Encoding.GetBytes.
A hard-coded certificate's private key is easily discovered. Even with compiled binaries, it is easy for malicious users to extract a hard-coded certificate's private key. Once the private key is compromised, an attacker can impersonate that certificate, and any resources or operations protected by that certificate will be available to the attacker.
- Consider redesigning your application to use a secure key management system, such as Azure Key Vault.
- Keep credentials and certificates in a secure location separate from your source code.
It's safe to suppress a warning from this rule if the hard-coded data doesn't contain the certificate's private key. For example, the data is from a .cer file. Hard-coding public certificate information may still create a challenge for rotating certificates as they expire or get revoked.
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5403
// The code that's violating the rule is on this line.
#pragma warning restore CA5403
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5403.severity = none
For more information, see How to suppress code analysis warnings.
using System.IO;
using System.Security.Cryptography.X509Certificates;
class ExampleClass
{
public void ExampleMethod(string path)
{
byte[] bytes = new byte[] {1, 2, 3};
File.WriteAllBytes(path, bytes);
new X509Certificate2(path);
}
}
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;
class ExampleClass
{
public void ExampleMethod(byte[] bytes, string path)
{
char[] chars = new char[] { '1', '2', '3' };
Encoding.ASCII.GetBytes(chars, 0, 3, bytes, 0);
File.WriteAllBytes(path, bytes);
new X509Certificate2(path);
}
}
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
class ExampleClass
{
public void ExampleMethod(string path)
{
byte[] bytes = Convert.FromBase64String("AAAAAaazaoensuth");
File.WriteAllBytes(path, bytes);
new X509Certificate2(path);
}
}
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;
class ExampleClass
{
public void ExampleMethod(string path)
{
byte[] bytes = Encoding.ASCII.GetBytes("AAAAAaazaoensuth");
File.WriteAllBytes(path, bytes);
new X509Certificate2(path);
}
}
using System.IO;
using System.Security.Cryptography.X509Certificates;
class ExampleClass
{
public void ExampleMethod(string path)
{
new X509Certificate2("Certificate.cer");
}
}
.NET feedback
.NET is an open source project. Select a link to provide feedback: