Work around ephemeral PEM bug on Windows. Fixes #1278

bgrainger · bgrainger · commit 3638c1199463 · 2023-01-09T09:41:46.000-08:00
diff --git a/src/MySqlConnector/Core/ServerSession.cs b/src/MySqlConnector/Core/ServerSession.cs
@@ -1585,6 +1585,14 @@ X509CertificateCollection LoadCertificate(string sslKeyFile, string sslCertifica
 			throw new NotSupportedException("SslCert and SslKey connection string options are not supported in netstandard2.0.");
 #elif NET5_0_OR_GREATER
 			m_clientCertificate = X509Certificate2.CreateFromPemFile(sslCertificateFile, sslKeyFile);
+			if (Utility.IsWindows())
+			{
+				// Schannel has a bug where ephemeral keys can't be loaded: https://github.com/dotnet/runtime/issues/23749#issuecomment-485947319
+				// The workaround is to export the key (which may make it "Perphemeral"): https://github.com/dotnet/runtime/issues/23749#issuecomment-739895373
+				var oldCertificate = m_clientCertificate;
+				m_clientCertificate = new X509Certificate2(m_clientCertificate.Export(X509ContentType.Pkcs12));
+				oldCertificate.Dispose();
+			}
 			return new() { m_clientCertificate };
 #else
 			m_logArguments[1] = sslKeyFile;
@@ -1616,7 +1624,6 @@ X509CertificateCollection LoadCertificate(string sslKeyFile, string sslCertifica
 				RSA rsa;
 				try
 				{
-#pragma warning disable CA1416
 					// SslStream on Windows needs a KeyContainerName to be set
 					var csp = new CspParameters
 					{
@@ -1626,7 +1633,6 @@ X509CertificateCollection LoadCertificate(string sslKeyFile, string sslCertifica
 					{
 						PersistKeyInCsp = true,
 					};
-#pragma warning restore
 				}
 				catch (PlatformNotSupportedException)
 				{

Original file line number	Diff line number	Diff line change
`@@ -1585,6 +1585,14 @@ X509CertificateCollection LoadCertificate(string sslKeyFile, string sslCertifica`
`1585`	`1585`	`throw new NotSupportedException("SslCert and SslKey connection string options are not supported in netstandard2.0.");`
`1586`	`1586`	`#elif NET5_0_OR_GREATER`
`1587`	`1587`	`m_clientCertificate = X509Certificate2.CreateFromPemFile(sslCertificateFile, sslKeyFile);`
	`1588`	`+ if (Utility.IsWindows())`
	`1589`	`+ {`
	`1590`	`+ // Schannel has a bug where ephemeral keys can't be loaded: https://github.com/dotnet/runtime/issues/23749#issuecomment-485947319`
	`1591`	`+ // The workaround is to export the key (which may make it "Perphemeral"): https://github.com/dotnet/runtime/issues/23749#issuecomment-739895373`
	`1592`	`+ var oldCertificate = m_clientCertificate;`
	`1593`	`+ m_clientCertificate = new X509Certificate2(m_clientCertificate.Export(X509ContentType.Pkcs12));`
	`1594`	`+ oldCertificate.Dispose();`
	`1595`	`+ }`
`1588`	`1596`	`return new() { m_clientCertificate };`
`1589`	`1597`	`#else`
`1590`	`1598`	`m_logArguments[1] = sslKeyFile;`
`@@ -1616,7 +1624,6 @@ X509CertificateCollection LoadCertificate(string sslKeyFile, string sslCertifica`
`1616`	`1624`	`RSA rsa;`
`1617`	`1625`	`try`
`1618`	`1626`	`{`
`1619`		`-#pragma warning disable CA1416`
`1620`	`1627`	`// SslStream on Windows needs a KeyContainerName to be set`
`1621`	`1628`	`var csp = new CspParameters`
`1622`	`1629`	`{`
`@@ -1626,7 +1633,6 @@ X509CertificateCollection LoadCertificate(string sslKeyFile, string sslCertifica`
`1626`	`1633`	`{`
`1627`	`1634`	`PersistKeyInCsp = true,`
`1628`	`1635`	`};`
`1629`		`-#pragma warning restore`
`1630`	`1636`	`}`
`1631`	`1637`	`catch (PlatformNotSupportedException)`
`1632`	`1638`	`{`