From b318e7f365d5e405d84a62ab5164add4fde4ee64 Mon Sep 17 00:00:00 2001 From: Neil Dorin Date: Mon, 11 May 2026 09:55:27 -0600 Subject: [PATCH] fix: validate certificate for private key presence in DebugWebsocketSink Co-authored-by: Copilot --- src/PepperDash.Core/Logging/DebugWebsocketSink.cs | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/PepperDash.Core/Logging/DebugWebsocketSink.cs b/src/PepperDash.Core/Logging/DebugWebsocketSink.cs index 99910ec9..eeba5772 100644 --- a/src/PepperDash.Core/Logging/DebugWebsocketSink.cs +++ b/src/PepperDash.Core/Logging/DebugWebsocketSink.cs @@ -262,7 +262,13 @@ namespace PepperDash.Core using (var ms = new MemoryStream()) { store.Save(ms, passwordChars, new SecureRandom()); - return new X509Certificate2(ms.ToArray(), certPassword); + var cert = new X509Certificate2(ms.ToArray(), certPassword); + + if (!cert.HasPrivateKey) + throw new InvalidOperationException( + string.Format("Certificate loaded from '{0}' does not contain a private key and cannot be used as a server certificate.", certPath)); + + return cert; } } }