Merge pull request #280 from caleblloyd/f_ssl_ca

Add CA Certificate validation. Fixes #278

Author: bgrainger

.ci/server/certs/ssl-client-pw-test.pfx

@@ -12,3 +12,5 @@
 *.ttf binary
 *.woff binary
 *.woff2 binary
+*.pfx binary
+

.gitattributes

@@ -78,13 +78,18 @@ These are the options that need to be used in order to configure a connection to
   <tr>
     <td>Certificate File, CertificateFile</td>
     <td></td>
-    <td>This option specifies the path to a certificate file in PKCS #12 format (.pfx). </td>
+    <td>This option specifies the path to a certificate file in a PEM Encoded (.pem) or PKCS #12 (.pfx) format. </td>
   </tr>
   <tr>
     <td>Certificate Password, CertificatePassword	</td>
     <td></td>
     <td>Specifies a password that is used in conjunction with a certificate specified using the option CertificateFile.  Not required if the certificate file is not password protected.</td>
   </tr>
+  <tr>
+    <td>CA Certificate File, CACertificateFile</td>
+    <td></td>
+    <td>This option specifies the path to a CA certificate file in a PEM Encoded (.pem) format.  This should be used in with <code>SslMode=VerifyCA</code> or <code>SslMode=VerifyFull</code> to enable verification of a CA certificate that is not trusted by the Operating System's certificate store.</td>
+  </tr>
 </table>
 
 Connection Pooling Options

docs/content/connection-options.md

@@ -66,6 +66,12 @@ public string CertificatePassword
 			set => MySqlConnectionStringOption.CertificatePassword.SetValue(this, value);
 		}
 
+		public string CACertificateFile
+		{
+			get => MySqlConnectionStringOption.CACertificateFile.GetValue(this);
+			set => MySqlConnectionStringOption.CACertificateFile.SetValue(this, value);
+		}
+
 		// Connection Pooling Options
 		public bool Pooling
 		{
@@ -238,6 +244,7 @@ internal abstract class MySqlConnectionStringOption
 		public static readonly MySqlConnectionStringOption<MySqlSslMode> SslMode;
 		public static readonly MySqlConnectionStringOption<string> CertificateFile;
 		public static readonly MySqlConnectionStringOption<string> CertificatePassword;
+		public static readonly MySqlConnectionStringOption<string> CACertificateFile;
 
 		// Connection Pooling Options
 		public static readonly MySqlConnectionStringOption<bool> Pooling;
@@ -322,6 +329,10 @@ static MySqlConnectionStringOption()
 				keys: new[] { "CertificatePassword", "Certificate Password" },
 				defaultValue: null));
 
+			AddOption(CACertificateFile = new MySqlConnectionStringOption<string>(
+				keys: new[] { "CACertificateFile", "CA Certificate File" },
+				defaultValue: null));
+
 			// Connection Pooling Options
 			AddOption(Pooling = new MySqlConnectionStringOption<bool>(
 				keys: new[] { "Pooling" },

src/MySqlConnector/MySqlClient/MySqlConnectionStringBuilder.cs

@@ -33,6 +33,7 @@ public ConnectionSettings(MySqlConnectionStringBuilder csb)
 			SslMode = csb.SslMode;
 			CertificateFile = csb.CertificateFile;
 			CertificatePassword = csb.CertificatePassword;
+			CACertificateFile = csb.CACertificateFile;
 
 			// Connection Pooling Options
 			Pooling = csb.Pooling;
@@ -73,6 +74,7 @@ public ConnectionSettings(MySqlConnectionStringBuilder csb)
 		public MySqlSslMode SslMode { get; }
 		public string CertificateFile { get; }
 		public string CertificatePassword { get; }
+		public string CACertificateFile { get; }
 
 		// Connection Pooling Options
 		public bool Pooling { get; }

src/MySqlConnector/Serialization/ConnectionSettings.cs

@@ -537,36 +537,66 @@ private async Task InitSslAsync(ProtocolCapabilities serverCapabilities, Connect
 				catch (CryptographicException ex)
 				{
 					if (!File.Exists(cs.CertificateFile))
-						throw new MySqlException("Cannot find SSL Certificate File", ex);
-					throw new MySqlException("Either the SSL Certificate Password is incorrect or the SSL Certificate File is invalid", ex);
+						throw new MySqlException("Cannot find Certificate File", ex);
+					throw new MySqlException("Either the Certificate Password is incorrect or the Certificate File is invalid", ex);
 				}
 			}
 
-			Func<object, string, X509CertificateCollection, X509Certificate, string[], X509Certificate> localCertificateCb =
-				(lcbSender, lcbTargetHost, lcbLocalCertificates, lcbRemoteCertificate, lcbAcceptableIssuers) => lcbLocalCertificates[0];
+			X509Chain caCertificateChain = null;
+			if (cs.CACertificateFile != null)
+			{
+				try
+				{
+					var caCertificate = new X509Certificate2(cs.CACertificateFile);
+					caCertificateChain = new X509Chain
+					{
+						ChainPolicy =
+						{
+							RevocationMode = X509RevocationMode.NoCheck,
+							VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority
+						}
+					};
+					caCertificateChain.ChainPolicy.ExtraStore.Add(caCertificate);
+				}
+				catch (CryptographicException ex)
+				{
+					if (!File.Exists(cs.CACertificateFile))
+						throw new MySqlException("Cannot find CA Certificate File", ex);
+					throw new MySqlException("The CA Certificate File is invalid", ex);
+				}
+			}
+
+			X509Certificate LocalCertificateCb(object lcbSender, string lcbTargetHost, X509CertificateCollection lcbLocalCertificates, X509Certificate lcbRemoteCertificate, string[] lcbAcceptableIssuers) => lcbLocalCertificates[0];
+
+			bool RemoteCertificateCb(object rcbSender, X509Certificate rcbCertificate, X509Chain rcbChain, SslPolicyErrors rcbPolicyErrors)
+			{
+				if (cs.SslMode == MySqlSslMode.Preferred || cs.SslMode == MySqlSslMode.Required)
+					return true;
 
-			Func<object, X509Certificate, X509Chain, SslPolicyErrors, bool> remoteCertificateCb =
-				(rcbSender, rcbCertificate, rcbChain, rcbPolicyErrors) =>
+				if ((rcbPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && caCertificateChain != null)
 				{
-					switch (rcbPolicyErrors)
+					if (caCertificateChain.Build((X509Certificate2) rcbCertificate))
 					{
-						case SslPolicyErrors.None:
-							return true;
-						case SslPolicyErrors.RemoteCertificateNameMismatch:
-							return cs.SslMode != MySqlSslMode.VerifyFull;
-						default:
-							return cs.SslMode == MySqlSslMode.Preferred || cs.SslMode == MySqlSslMode.Required;
+						var chainStatus = caCertificateChain.ChainStatus[0].Status & ~X509ChainStatusFlags.UntrustedRoot;
+						if (chainStatus == X509ChainStatusFlags.NoError)
+							rcbPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
 					}
-				};
+				}
+
+				if (cs.SslMode == MySqlSslMode.VerifyCA)
+					rcbPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
+
+				return rcbPolicyErrors == SslPolicyErrors.None;
+			}
 
 			SslStream sslStream;
 			if (clientCertificates == null)
 				sslStream = new SslStream(m_networkStream, false,
-					new RemoteCertificateValidationCallback(remoteCertificateCb));
+					new RemoteCertificateValidationCallback((Func<object, X509Certificate, X509Chain, SslPolicyErrors, bool>) RemoteCertificateCb));
 			else
 				sslStream = new SslStream(m_networkStream, false,
-					new RemoteCertificateValidationCallback(remoteCertificateCb),
-					new LocalCertificateSelectionCallback(localCertificateCb));
+					new RemoteCertificateValidationCallback((Func<object, X509Certificate, X509Chain, SslPolicyErrors, bool>) RemoteCertificateCb),
+					new LocalCertificateSelectionCallback((Func<object, string, X509CertificateCollection, X509Certificate, string[], X509Certificate>) LocalCertificateCb));
 
 			// SslProtocols.Tls1.2 throws an exception in Windows, see https://github.com/mysql-net/MySqlConnector/pull/101
 			var sslProtocols = SslProtocols.Tls | SslProtocols.Tls11;

src/MySqlConnector/Serialization/MySqlSession.cs

@@ -28,6 +28,7 @@ public void Defaults()
 			Assert.Equal(false, csb.BufferResultSets);
 			Assert.Equal(180u, csb.ConnectionIdleTimeout);
 			Assert.Equal(false, csb.ForceSynchronous);
+			Assert.Equal(null, csb.CACertificateFile);
 #endif
 			Assert.Equal(0u, csb.Keepalive);
 			Assert.Equal(100u, csb.MaximumPoolSize);
@@ -70,6 +71,7 @@ public void ParseConnectionString()
 					"connectionidletimeout=30;" +
 					"bufferresultsets=true;" +
 					"forcesynchronous=true;" +
+				    "ca certificate file=ca.pem;" +
 #endif
 					"Keep Alive=90;" +
 					"minpoolsize=5;" +
@@ -98,6 +100,7 @@ public void ParseConnectionString()
 			Assert.Equal(true, csb.BufferResultSets);
 			Assert.Equal(30u, csb.ConnectionIdleTimeout);
 			Assert.Equal(true, csb.ForceSynchronous);
+			Assert.Equal("ca.pem", csb.CACertificateFile);
 #endif
 			Assert.Equal(90u, csb.Keepalive);
 			Assert.Equal(15u, csb.MaximumPoolSize);

tests/MySqlConnector.Tests/MySqlConnectionStringBuilderTests.cs

@@ -107,4 +107,14 @@ public SslRequiredConnectionFactAttribute()
 				Skip = "SSL not explicitly required";
 		}
 	}
+
+	public class SslRequiredConnectionTheoryAttribute : TheoryAttribute
+	{
+		public SslRequiredConnectionTheoryAttribute()
+		{
+			var csb = AppConfig.CreateConnectionStringBuilder();
+			if(csb.SslMode == MySqlSslMode.None || csb.SslMode == MySqlSslMode.Preferred)
+				Skip = "SSL not explicitly required";
+		}
+	}
 }

tests/SideBySide/Attributes.cs

@@ -115,70 +115,6 @@ public async Task ConnectKeepAlive()
 			}
 		}
 
-		[SslRequiredConnectionFact]
-		public async Task ConnectSslPreferred()
-		{
-			var csb = AppConfig.CreateConnectionStringBuilder();
-			string requiredSslVersion;
-			using (var connection = new MySqlConnection(csb.ConnectionString))
-			{
-				using (var cmd = connection.CreateCommand())
-				{
-					await connection.OpenAsync();
-					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
-					requiredSslVersion = (string)await cmd.ExecuteScalarAsync();
-				}
-			}
-			Assert.False(string.IsNullOrWhiteSpace(requiredSslVersion));
-
-			csb.SslMode = MySqlSslMode.Preferred;
-			using (var connection = new MySqlConnection(csb.ConnectionString))
-			{
-				using (var cmd = connection.CreateCommand())
-				{
-					await connection.OpenAsync();
-					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
-					var preferredSslVersion = (string)await cmd.ExecuteScalarAsync();
-					Assert.Equal(requiredSslVersion, preferredSslVersion);
-				}
-			}
-		}
-
-		[SslRequiredConnectionFact]
-		public async Task ConnectSslClientCertificate()
-		{
-			var csb = AppConfig.CreateConnectionStringBuilder();
-			csb.CertificateFile = Path.Combine(AppConfig.CertsPath, "ssl-client.pfx");
-			csb.CertificatePassword = "";
-			using (var connection = new MySqlConnection(csb.ConnectionString))
-			{
-				using (var cmd = connection.CreateCommand())
-				{
-					await connection.OpenAsync();
-					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
-					var sslVersion = (string)await cmd.ExecuteScalarAsync();
-					Assert.False(string.IsNullOrWhiteSpace(sslVersion));
-				}
-			}
-		}
-
-		[SslRequiredConnectionFact]
-		public async Task ConnectSslBadClientCertificate()
-		{
-			var csb = AppConfig.CreateConnectionStringBuilder();
-			csb.CertificateFile = Path.Combine(AppConfig.CertsPath, "non-ca-client.pfx");
-			csb.CertificatePassword = "";
-			using (var connection = new MySqlConnection(csb.ConnectionString))
-			{
-#if BASELINE
-				var exType = typeof(IOException);
-#else
-				var exType = typeof(MySqlException);
-#endif
-				await Assert.ThrowsAsync(exType, async () => await connection.OpenAsync());
-			}
-		}
-
 		[Fact]
 		public async Task ConnectionDatabase()
 		{

tests/SideBySide/ConnectAsync.cs

@@ -0,0 +1,118 @@
+using System;
+using System.Data;
+using System.IO;
+using System.Threading.Tasks;
+using MySql.Data.MySqlClient;
+using Xunit;
+
+namespace SideBySide
+{
+	public class SslTests : IClassFixture<DatabaseFixture>
+	{
+		public SslTests(DatabaseFixture database)
+		{
+			m_database = database;
+		}
+
+		[SslRequiredConnectionFact]
+		public async Task ConnectSslPreferred()
+		{
+			var csb = AppConfig.CreateConnectionStringBuilder();
+			string requiredSslVersion;
+			using (var connection = new MySqlConnection(csb.ConnectionString))
+			{
+				using (var cmd = connection.CreateCommand())
+				{
+					await connection.OpenAsync();
+					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
+					requiredSslVersion = (string)await cmd.ExecuteScalarAsync();
+				}
+			}
+			Assert.False(string.IsNullOrWhiteSpace(requiredSslVersion));
+
+			csb.SslMode = MySqlSslMode.Preferred;
+			using (var connection = new MySqlConnection(csb.ConnectionString))
+			{
+				using (var cmd = connection.CreateCommand())
+				{
+					await connection.OpenAsync();
+					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
+					var preferredSslVersion = (string)await cmd.ExecuteScalarAsync();
+					Assert.Equal(requiredSslVersion, preferredSslVersion);
+				}
+			}
+		}
+
+		[SslRequiredConnectionTheory]
+		[InlineData("ssl-client.pfx", null, null)]
+		[InlineData("ssl-client-pw-test.pfx", "test", null)]
+		[InlineData("ssl-client-cert.pem", null, null)]
+#if !BASELINE
+		[InlineData("ssl-client.pfx", null, "ssl-ca-cert.pem")]
+		[InlineData("ssl-client-pw-test.pfx", "test", "ssl-ca-cert.pem")]
+		[InlineData("ssl-client-cert.pem", null, "ssl-ca-cert.pem")]
+#endif
+		public async Task ConnectSslClientCertificate(string certFile, string certFilePassword, string caCertFile)
+		{
+			var csb = AppConfig.CreateConnectionStringBuilder();
+			csb.CertificateFile = Path.Combine(AppConfig.CertsPath, certFile);
+			csb.CertificatePassword = certFilePassword;
+			if (caCertFile != null)
+			{
+				csb.SslMode = MySqlSslMode.VerifyCA;
+#if !BASELINE
+				csb.CACertificateFile = Path.Combine(AppConfig.CertsPath, caCertFile);
+#endif
+			}
+			using (var connection = new MySqlConnection(csb.ConnectionString))
+			{
+				using (var cmd = connection.CreateCommand())
+				{
+					await connection.OpenAsync();
+					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
+					var sslVersion = (string)await cmd.ExecuteScalarAsync();
+					Assert.False(string.IsNullOrWhiteSpace(sslVersion));
+				}
+			}
+		}
+
+		[SslRequiredConnectionFact]
+		public async Task ConnectSslBadClientCertificate()
+		{
+			var csb = AppConfig.CreateConnectionStringBuilder();
+			csb.CertificateFile = Path.Combine(AppConfig.CertsPath, "non-ca-client.pfx");
+			csb.CertificatePassword = "";
+			using (var connection = new MySqlConnection(csb.ConnectionString))
+			{
+#if BASELINE
+				var exType = typeof(IOException);
+#else
+				var exType = typeof(MySqlException);
+#endif
+				await Assert.ThrowsAsync(exType, async () => await connection.OpenAsync());
+			}
+		}
+
+#if BASELINE
+		[Fact(Skip = "MySql.Data does not support CACertificateFile")]
+#else
+		[SslRequiredConnectionFact]
+#endif
+		public async Task ConnectSslBadCaCertificate()
+		{
+			var csb = AppConfig.CreateConnectionStringBuilder();
+			csb.CertificateFile = Path.Combine(AppConfig.CertsPath, "ssl-client-cert.pem");
+			csb.SslMode = MySqlSslMode.VerifyCA;
+#if !BASELINE
+			csb.CACertificateFile = Path.Combine(AppConfig.CertsPath, "non-ca-client-cert.pem");
+#endif
+			using (var connection = new MySqlConnection(csb.ConnectionString))
+			{
+				await Assert.ThrowsAsync(typeof(MySqlException), async () => await connection.OpenAsync());
+			}
+		}
+
+		readonly DatabaseFixture m_database;
+	}
+
+}