Copilot commented on code in PR #60:
URL:
https://github.com/apache/iotdb-client-csharp/pull/60#discussion_r3511243511
##########
src/Apache.IoTDB/SessionPool.Builder.cs:
##########
@@ -100,9 +102,21 @@ public Builder SetUseSsl(bool useSsl)
return this;
}
- public Builder SetCertificatePath(string certificatePath)
+ public Builder SetClientCertificatePath(string clientCertificatePath)
{
- _certificatePath = certificatePath;
+ _clientCertificatePath = clientCertificatePath;
+ return this;
+ }
Review Comment:
`SetCertificatePath` was removed/renamed to `SetClientCertificatePath`,
which is a breaking change for existing consumers. Consider keeping
`SetCertificatePath` as an `[Obsolete]` forwarding shim so older code keeps
compiling while guiding users to the new API.
##########
src/Apache.IoTDB/TableSessionPool.Builder.cs:
##########
@@ -103,9 +105,21 @@ public Builder SetUseSsl(bool useSsl)
return this;
}
- public Builder SetCertificatePath(string certificatePath)
+ public Builder SetClientCertificatePath(string clientCertificatePath)
{
- _certificatePath = certificatePath;
+ _clientCertificatePath = clientCertificatePath;
+ return this;
+ }
Review Comment:
`SetCertificatePath` was removed/renamed to `SetClientCertificatePath`,
which is a breaking change for existing consumers. Consider keeping
`SetCertificatePath` as an `[Obsolete]` forwarding shim so older code keeps
compiling while guiding users to the new API.
##########
README.md:
##########
@@ -63,6 +63,52 @@ Users can quickly get started by referring to the use cases
under the Apache-IoT
For those who wish to delve deeper into the client's usage and explore more
advanced features, the samples directory contains additional code samples.
+## TLS and mTLS
+
+Enable TLS by calling `SetUseSsl(true)`. The C# client uses the .NET
certificate model and does not read Java truststores directly. If your
certificates were generated with the JDK 17 Java/keytool workflow,
`client.keystore` is PKCS#12 by default and can be used directly as the client
certificate file; use `ca.crt` directly as the trusted root.
+
+| keytool artifact | C# client usage |
+| --- | --- |
+| `ca.crt` | Pass to `SetRootCertificatePath` / `RootCertificatePath` to trust
the server certificate |
+| `client.keystore` | Contains the client private key and certificate chain;
JDK 17 creates PKCS#12 by default, so pass it directly to
`SetClientCertificatePath` |
Review Comment:
The docs say `client.keystore` contains the client private key **and
certificate chain**, but the current implementation loads a single
`X509Certificate2` (leaf only). This wording may mislead users when their
PKCS#12 includes intermediates that need to be sent/trusted separately.
##########
README_ZH.md:
##########
@@ -61,6 +61,51 @@ dotnet add package Apache.IoTDB
对于希望深入了解客户端用法并探索更高级特性的用户,samples目录包含了额外的代码示例。
+## TLS 和 mTLS
+
+通过 `SetUseSsl(true)` 开启 TLS。C# 客户端使用 .NET 的证书模型,不直接读取 Java truststore;如果证书按
JDK 17 的 Java/keytool 文档生成,`client.keystore` 默认就是 PKCS#12,可以直接作为客户端证书文件使用,并直接使用
`ca.crt` 作为信任根。
+
+| keytool 产物 | C# 客户端用法 |
+| --- | --- |
+| `ca.crt` | 传给 `SetRootCertificatePath` / `RootCertificatePath`,用于信任服务端证书 |
+| `client.keystore` | 包含客户端私钥和证书链;JDK 17 默认是 PKCS#12,直接传给
`SetClientCertificatePath` |
Review Comment:
文档中提到 `client.keystore` 包含客户端私钥和**证书链**,但当前实现只加载单个
`X509Certificate2`(通常是叶子证书)。这里的表述可能会让用户误以为中间证书会自动随 mTLS 握手发送。
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]