CA5403: Do not hard-code certificate

Property Value
Rule ID CA5403
Title Do not hard-code certificate
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 8 No

Cause

The data or rawData parameter of a X509Certificate or X509Certificate2 constructor is hard-coded by one of the following:

Rule description

A hard-coded certificate's private key is easily discovered. Even with compiled binaries, it is easy for malicious users to extract a hard-coded certificate's private key. Once the private key is compromised, an attacker can impersonate that certificate, and any resources or operations protected by that certificate will be available to the attacker.

How to fix violations

  • Consider redesigning your application to use a secure key management system, such as Azure Key Vault.
  • Keep credentials and certificates in a secure location separate from your source code.

When to suppress warnings

It's safe to suppress a warning from this rule if the hard-coded data doesn't contain the certificate's private key. For example, the data is from a .cer file. Hard-coding public certificate information may still create a challenge for rotating certificates as they expire or get revoked.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5403
// The code that's violating the rule is on this line.
#pragma warning restore CA5403

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5403.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

Hard-coded by byte array

using System.IO;
using System.Security.Cryptography.X509Certificates;

class ExampleClass
{
    public void ExampleMethod(string path)
    {
        byte[] bytes = new byte[] {1, 2, 3};
        File.WriteAllBytes(path, bytes);
        new X509Certificate2(path);
    }
}

Hard-coded by char array

using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;

class ExampleClass
{
    public void ExampleMethod(byte[] bytes, string path)
    {
        char[] chars = new char[] { '1', '2', '3' };
        Encoding.ASCII.GetBytes(chars, 0, 3, bytes, 0);
        File.WriteAllBytes(path, bytes);
        new X509Certificate2(path);
    }
}

Hard-coded by FromBase64String

using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

class ExampleClass
{
    public void ExampleMethod(string path)
    {
        byte[] bytes = Convert.FromBase64String("AAAAAaazaoensuth");
        File.WriteAllBytes(path, bytes);
        new X509Certificate2(path);
    }
}

Hard-coded by GetBytes

using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;

class ExampleClass
{
    public void ExampleMethod(string path)
    {
        byte[] bytes = Encoding.ASCII.GetBytes("AAAAAaazaoensuth");
        File.WriteAllBytes(path, bytes);
        new X509Certificate2(path);
    }
}

Solution

using System.IO;
using System.Security.Cryptography.X509Certificates;

class ExampleClass
{
    public void ExampleMethod(string path)
    {
        new X509Certificate2("Certificate.cer");
    }
}