Add SslCert and SslKey connection string options. Fixes #641

Author: bgrainger

docs/content/connection-options.md

@@ -93,17 +93,27 @@ These are the options that need to be used in order to configure a connection to
   <tr>
     <td>Certificate File, CertificateFile</td>
     <td></td>
-    <td>Specifies the path to a certificate file in PKCS #12 (.pfx) format containing a bundled Certificate and Private Key used for Mutual Authentication.  To create a PKCS #12 bundle from a PEM encoded Certificate and Key, use <code>openssl pkcs12 -in cert.pem -inkey key.pem -export -out bundle.pfx</code></td>
+    <td>Specifies the path to a certificate file in PKCS #12 (.pfx) format containing a bundled Certificate and Private Key used for Mutual Authentication.  To create a PKCS #12 bundle from a PEM encoded Certificate and Key, use <code>openssl pkcs12 -in cert.pem -inkey key.pem -export -out bundle.pfx</code>. This option should not be specified if <code>SslCert</code> and <code>SslKey</code> are used.</td>
   </tr>
   <tr>
     <td>Certificate Password, CertificatePassword</td>
     <td></td>
     <td>Specifies the password for the certificate specified using the <code>CertificateFile</code> option. Not required if the certificate file is not password protected.</td>
   </tr>
+  <tr>
+    <td>SslCert, Ssl-Cert</td>
+    <td></td>
+    <td>Specifies the path to the client’s SSL certificate file in PEM format. <code>SslKey</code> must also be specified, and <code>CertificateFile</code> should not be.</td>
+  </tr>
+  <tr>
+    <td>SslKey, Ssl-Key</td>
+    <td></td>
+    <td>Specifies the path to the client’s SSL private key in PEM format. <code>SslCert</code> must also be specified, and <code>CertificateFile</code> should not be.</td>
+  </tr>
   <tr>
     <td>CA Certificate File, CACertificateFile, SslCa, Ssl-Ca</td>
     <td></td>
-    <td>This option specifies the path to a CA certificate file in a PEM Encoded (.pem) format. This should be used in with <code>SslMode=VerifyCA</code> or <code>SslMode=VerifyFull</code> to enable verification of a CA certificate that is not trusted by the Operating System’s certificate store.</td>
+    <td>This option specifies the path to a CA certificate file in a PEM Encoded (.pem) format. This should be used with <code>SslMode=VerifyCA</code> or <code>SslMode=VerifyFull</code> to enable verification of a CA certificate that is not trusted by the Operating System’s certificate store.</td>
   </tr>
   <tr>
     <td>Certificate Store Location, CertificateStoreLocation</td>

docs/content/tutorials/migrating-from-connector-net.md

@@ -165,3 +165,4 @@ The following bugs in Connector/NET are fixed by switching to MySqlConnector. (~
 * [#94075](https://bugs.mysql.com/bug.php?id=94075): `MySqlCommand.Cancel` throws exception
 * [#94760](https://bugs.mysql.com/bug.php?id=94760): `MySqlConnection.OpenAsync(CancellationToken)` doesn’t respect cancellation token
 * [#95348](https://bugs.mysql.com/bug.php?id=95348): Inefficient query when executing stored procedures
+* [#95436](https://bugs.mysql.com/bug.php?id=95436): Client doesn't authenticate with PEM certificate

src/MySqlConnector/Core/ConnectionSettings.cs

@@ -46,6 +46,8 @@ public ConnectionSettings(MySqlConnectionStringBuilder csb)
 			SslMode = csb.SslMode;
 			CertificateFile = csb.CertificateFile;
 			CertificatePassword = csb.CertificatePassword;
+			SslCertificateFile = csb.SslCert;
+			SslKeyFile = csb.SslKey;
 			CACertificateFile = csb.SslCa;
 			CertificateStoreLocation = csb.CertificateStoreLocation;
 			CertificateThumbprint = csb.CertificateThumbprint;
@@ -129,6 +131,8 @@ private static MySqlGuidFormat GetEffectiveGuidFormat(MySqlGuidFormat guidFormat
 		public string CertificateFile { get; }
 		public string CertificatePassword { get; }
 		public string CACertificateFile { get; }
+		public string SslCertificateFile { get; }
+		public string SslKeyFile { get; }
 		public MySqlCertificateStoreLocation CertificateStoreLocation { get; }
 		public string CertificateThumbprint { get; }
 

src/MySqlConnector/Core/ServerSession.cs

@@ -545,10 +545,10 @@ private async Task<PayloadData> SendEncryptedPasswordAsync(
 			CancellationToken cancellationToken)
 		{
 			// load the RSA public key
-			RSA rsa;
+			RSAParameters rsaParameters;
 			try
 			{
-				rsa = Utility.DecodeX509PublicKey(rsaPublicKey);
+				rsaParameters = Utility.GetRsaParameters(rsaPublicKey);
 			}
 			catch (Exception ex)
 			{
@@ -560,8 +560,10 @@ private async Task<PayloadData> SendEncryptedPasswordAsync(
 			var passwordBytes = Encoding.UTF8.GetBytes(cs.Password);
 			Array.Resize(ref passwordBytes, passwordBytes.Length + 1);
 
-			using (rsa)
+			using (var rsa = RSA.Create())
 			{
+				rsa.ImportParameters(rsaParameters);
+
 				// XOR the password bytes with the challenge
 				AuthPluginData = Utility.TrimZeroByte(switchRequest.Data);
 				for (var i = 0; i < passwordBytes.Length; i++)
@@ -957,7 +959,81 @@ private async Task InitSslAsync(ProtocolCapabilities serverCapabilities, Connect
 				}
 			}
 
-			if (cs.CertificateFile != null)
+			if (cs.SslCertificateFile is object && cs.SslKeyFile is object)
+			{
+#if !NETSTANDARD1_3 && !NETSTANDARD2_0
+				m_logArguments[1] = cs.SslKeyFile;
+				Log.Debug("Session{0} loading client key from KeyFile '{1}'", m_logArguments);
+				string keyPem;
+				try
+				{
+					keyPem = File.ReadAllText(cs.SslKeyFile);
+				}
+				catch (Exception ex)
+				{
+					Log.Error(ex, "Session{0} couldn't load client key from KeyFile '{1}'", m_logArguments);
+					throw new MySqlException("Could not load client key file: " + cs.SslKeyFile, ex);
+				}
+
+				RSAParameters rsaParameters;
+				try
+				{
+					rsaParameters = Utility.GetRsaParameters(keyPem);
+				}
+				catch (FormatException ex)
+				{
+					Log.Error(ex, "Session{0} couldn't load client key from KeyFile '{1}'", m_logArguments);
+					throw new MySqlException("Could not load the client key from " + cs.SslKeyFile, ex);
+				}
+
+				try
+				{
+					RSA rsa;
+					try
+					{
+						// SslStream on Windows needs a KeyContainerName to be set
+						var csp = new CspParameters
+						{
+							KeyContainerName = new Guid().ToString(),
+						};
+						rsa = new RSACryptoServiceProvider(csp)
+						{
+							PersistKeyInCsp = true,
+						};
+					}
+					catch (PlatformNotSupportedException)
+					{
+						rsa = RSA.Create();
+					}
+					rsa.ImportParameters(rsaParameters);
+
+#if !NETCOREAPP2_1
+					var certificate = new X509Certificate2(cs.SslCertificateFile, "", X509KeyStorageFlags.MachineKeySet)
+					{
+						PrivateKey = rsa,
+					};
+#else
+					X509Certificate2 certificate;
+					using (var publicCertificate = new X509Certificate2(cs.SslCertificateFile))
+						certificate = publicCertificate.CopyWithPrivateKey(rsa);
+#endif
+
+					m_clientCertificate = certificate;
+					clientCertificates = new X509CertificateCollection { certificate };
+				}
+
+				catch (CryptographicException ex)
+				{
+					Log.Error(ex, "Session{0} couldn't load client key from KeyFile '{1}'", m_logArguments);
+					if (!File.Exists(cs.SslCertificateFile))
+						throw new MySqlException("Cannot find client certificate file: " + cs.SslCertificateFile, ex);
+					throw new MySqlException("Could not load the client key from " + cs.SslKeyFile, ex);
+				}
+#else
+				throw new NotSupportedException("SslCert and SslKey connection string options are not supported in netstandard1.3 or netstandard2.0.");
+#endif
+			}
+			else if (cs.CertificateFile != null)
 			{
 				try
 				{

src/MySqlConnector/MySql.Data.MySqlClient/MySqlConnectionStringBuilder.cs

@@ -85,6 +85,18 @@ public string CertificatePassword
 			set => MySqlConnectionStringOption.CertificatePassword.SetValue(this, value);
 		}
 
+		public string SslCert
+		{
+			get => MySqlConnectionStringOption.SslCert.GetValue(this);
+			set => MySqlConnectionStringOption.SslCert.SetValue(this, value);
+		}
+
+		public string SslKey
+		{
+			get => MySqlConnectionStringOption.SslKey.GetValue(this);
+			set => MySqlConnectionStringOption.SslKey.SetValue(this, value);
+		}
+
 		[Obsolete("Use SslCa instead.")]
 		public string CACertificateFile
 		{
@@ -360,6 +372,8 @@ internal abstract class MySqlConnectionStringOption
 		public static readonly MySqlConnectionStringOption<MySqlCertificateStoreLocation> CertificateStoreLocation;
 		public static readonly MySqlConnectionStringOption<string> CertificateThumbprint;
 		public static readonly MySqlConnectionStringOption<string> SslCa;
+		public static readonly MySqlConnectionStringOption<string> SslCert;
+		public static readonly MySqlConnectionStringOption<string> SslKey;
 
 		// Connection Pooling Options
 		public static readonly MySqlConnectionStringOption<bool> Pooling;
@@ -472,6 +486,14 @@ static MySqlConnectionStringOption()
 				keys: new[] { "CACertificateFile", "CA Certificate File", "SslCa", "Ssl-Ca" },
 				defaultValue: null));
 
+			AddOption(SslCert = new MySqlConnectionStringOption<string>(
+				keys: new[] { "SslCert", "Ssl-Cert" },
+				defaultValue: null));
+
+			AddOption(SslKey = new MySqlConnectionStringOption<string>(
+				keys: new[] { "SslKey", "Ssl-Key" },
+				defaultValue: null));
+
 			AddOption(CertificateStoreLocation = new MySqlConnectionStringOption<MySqlCertificateStoreLocation>(
 				keys: new[] { "CertificateStoreLocation", "Certificate Store Location" },
 				defaultValue: MySqlCertificateStoreLocation.None));

src/MySqlConnector/Utilities/Utility.cs

@@ -67,21 +67,33 @@ public static unsafe void Convert(this Encoder encoder, ReadOnlySpan<char> chars
 #endif
 
 		/// <summary>
-		/// Loads a RSA public key from a PEM string.
+		/// Loads a RSA key from a PEM string.
 		/// </summary>
-		/// <param name="publicKey">The public key, in PEM format.</param>
-		/// <returns>An RSA public key, or <c>null</c> on failure.</returns>
-		public static RSA DecodeX509PublicKey(string publicKey)
+		/// <param name="key">The key, in PEM format.</param>
+		/// <returns>An RSA key.</returns>
+		public static RSAParameters GetRsaParameters(string key)
 		{
-			var x509Key = System.Convert.FromBase64String(publicKey.Replace("-----BEGIN PUBLIC KEY-----", "").Replace("-----END PUBLIC KEY-----", ""));
-			var parameters = GetKeyParameters(x509Key, false);
-			var rsa = RSA.Create();
-			rsa.ImportParameters(parameters);
-			return rsa;
+			bool isPrivate;
+			if (key.StartsWith("-----BEGIN RSA PRIVATE KEY-----", StringComparison.Ordinal))
+			{
+				key = key.Replace("-----BEGIN RSA PRIVATE KEY-----", "").Replace("-----END RSA PRIVATE KEY-----", "");
+				isPrivate = true;
+			}
+			else if (key.StartsWith("-----BEGIN PUBLIC KEY-----", StringComparison.Ordinal))
+			{
+				key = key.Replace("-----BEGIN PUBLIC KEY-----", "").Replace("-----END PUBLIC KEY-----", "");
+				isPrivate = false;
+			}
+			else
+			{
+				throw new FormatException("Unrecognized PEM header: " + key.Substring(0, Math.Min(key.Length, 80)));
+			}
+
+			return GetRsaParameters(System.Convert.FromBase64String(key), isPrivate);
 		}
 
 		// Derived from: https://stackoverflow.com/a/32243171/, https://stackoverflow.com/a/26978561/, http://luca.ntop.org/Teaching/Appunti/asn1.html
-		internal static RSAParameters GetKeyParameters(ReadOnlySpan<byte> data, bool isPrivate)
+		private static RSAParameters GetRsaParameters(ReadOnlySpan<byte> data, bool isPrivate)
 		{
 			// read header (30 81 xx, or 30 82 xx xx)
 			if (data[0] != 0x30)

tests/MySqlConnector.Tests/MySqlConnectionStringBuilderTests.cs

@@ -59,6 +59,8 @@ public void Defaults()
 			Assert.Null(csb.ServerSPN);
 #endif
 			Assert.Null(csb.SslCa);
+			Assert.Null(csb.SslCert);
+			Assert.Null(csb.SslKey);
 			Assert.Equal(MySqlSslMode.Preferred, csb.SslMode);
 			Assert.True(csb.TreatTinyAsBoolean);
 			Assert.False(csb.UseCompression);
@@ -120,6 +122,8 @@ public void ParseConnectionString()
 					"pwd=Pass1234;" +
 					"Treat Tiny As Boolean=false;" +
 					"ssl-ca=ca.pem;" +
+					"ssl-cert=client-cert.pem;" +
+					"ssl-key=client-key.pem;" +
 					"ssl mode=verifyca;" +
 					"Uid=username;" +
 					"useaffectedrows=true"
@@ -172,6 +176,8 @@ public void ParseConnectionString()
 			Assert.Equal("db-server", csb.Server);
 			Assert.False(csb.TreatTinyAsBoolean);
 			Assert.Equal("ca.pem", csb.SslCa);
+			Assert.Equal("client-cert.pem", csb.SslCert);
+			Assert.Equal("client-key.pem", csb.SslKey);
 			Assert.Equal(MySqlSslMode.VerifyCA, csb.SslMode);
 			Assert.True(csb.UseAffectedRows);
 			Assert.True(csb.UseCompression);

tests/MySqlConnector.Tests/UtilityTests.cs

@@ -60,8 +60,7 @@ public void ParseTimeSpanFails(string input)
 		[Fact]
 		public void DecodePublicKey()
 		{
-			var publicKey = Convert.FromBase64String(c_publicKey.Replace("-----BEGIN PUBLIC KEY-----", "").Replace("-----END PUBLIC KEY-----", ""));
-			var parameters = Utility.GetKeyParameters(publicKey, isPrivate: false);
+			var parameters = Utility.GetRsaParameters(c_publicKey);
 			Console.WriteLine(BitConverter.ToString(parameters.Modulus));
 			Assert.Equal(s_modulus, parameters.Modulus);
 			Assert.Equal(s_exponent, parameters.Exponent);
@@ -70,8 +69,7 @@ public void DecodePublicKey()
 		[Fact]
 		public void DecodePrivateKey()
 		{
-			var privateKey = Convert.FromBase64String(c_privateKey.Replace("-----BEGIN RSA PRIVATE KEY-----", "").Replace("-----END RSA PRIVATE KEY-----", ""));
-			var parameters = Utility.GetKeyParameters(privateKey, isPrivate: true);
+			var parameters = Utility.GetRsaParameters(c_privateKey);
 			Console.WriteLine(BitConverter.ToString(parameters.Modulus));
 			Assert.Equal(s_modulus, parameters.Modulus);
 			Assert.Equal(s_exponent, parameters.Exponent);

tests/SideBySide/SslTests.cs

@@ -56,7 +56,33 @@ public async Task ConnectSslClientCertificate(string certFile, string certFilePa
 				csb.SslMode = MySqlSslMode.VerifyCA;
 				csb.SslCa = Path.Combine(AppConfig.CertsPath, caCertFile);
 			}
-			using (var connection = new MySqlConnection(csb.ConnectionString))
+			await DoTestSsl(csb.ConnectionString);
+		}
+
+#if !NETCOREAPP1_1_2 && !NETCOREAPP2_0
+		[SkippableTheory(ConfigSettings.RequiresSsl | ConfigSettings.KnownClientCertificate)]
+		[InlineData("ssl-client-cert.pem", "ssl-client-key.pem", null)]
+#if !BASELINE
+		[InlineData("ssl-client-cert.pem", "ssl-client-key.pem", "ssl-ca-cert.pem")] // https://bugs.mysql.com/bug.php?id=95436
+#endif
+		public async Task ConnectSslClientCertificatePem(string certFile, string keyFile, string caCertFile)
+		{
+			var csb = AppConfig.CreateConnectionStringBuilder();
+			csb.CertificateFile = null;
+			csb.SslCert = Path.Combine(AppConfig.CertsPath, certFile);
+			csb.SslKey = Path.Combine(AppConfig.CertsPath, keyFile);
+			if (caCertFile != null)
+			{
+				csb.SslMode = MySqlSslMode.VerifyCA;
+				csb.SslCa = Path.Combine(AppConfig.CertsPath, caCertFile);
+			}
+			await DoTestSsl(csb.ConnectionString);
+		}
+#endif
+
+		private async Task DoTestSsl(string connectionString)
+		{
+			using (var connection = new MySqlConnection(connectionString))
 			{
 				using (var cmd = connection.CreateCommand())
 				{
@@ -68,7 +94,7 @@ public async Task ConnectSslClientCertificate(string certFile, string certFilePa
 					Assert.True(connection.SslIsMutuallyAuthenticated);
 #endif
 					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
-					var sslVersion = (string)await cmd.ExecuteScalarAsync();
+					var sslVersion = (string) await cmd.ExecuteScalarAsync();
 					Assert.False(string.IsNullOrWhiteSpace(sslVersion));
 				}
 			}

tests/SideBySide/TestUtilities.cs

@@ -85,8 +85,11 @@ public static string GetSkipReason(ServerFeatures serverFeatures, ConfigSettings
 				return "Requires SslMode=Required or lower in connection string";
 			}
 
-			if (configSettings.HasFlag(ConfigSettings.KnownClientCertificate) && !(csb.CertificateFile?.EndsWith("ssl-client.pfx", StringComparison.OrdinalIgnoreCase) ?? false))
-				return "Requires CertificateFile=client.pfx in connection string";
+			if (configSettings.HasFlag(ConfigSettings.KnownClientCertificate))
+			{
+				if (!((csb.CertificateFile?.EndsWith("ssl-client.pfx", StringComparison.OrdinalIgnoreCase) ?? false) || (csb.SslKey?.EndsWith("ssl-client-key.pem", StringComparison.OrdinalIgnoreCase) ?? false)))
+					return "Requires CertificateFile=client.pfx in connection string";
+			}
 
 			if (configSettings.HasFlag(ConfigSettings.PasswordlessUser) && string.IsNullOrWhiteSpace(AppConfig.PasswordlessUser))
 				return "Requires PasswordlessUser in config.json";