Merge pull request #437 from caleblloyd/f_mutual_auth

Check for Private Key in CertificateFile.

Author: bgrainger

.ci/server/certs/non-ca-client.pfx

@@ -77,7 +77,7 @@ These are the options that need to be used in order to configure a connection to
   <tr>
     <td>Certificate File, CertificateFile</td>
     <td></td>
-    <td>Specifies the path to a certificate file in a PEM Encoded (.pem) or PKCS #12 (.pfx) format.</td>
+    <td>Specifies the path to a certificate file in PKCS #12 (.pfx) format containing a bundled Certificate and Private Key used for Mutual Authentication.  To create a PKCS #12 bundle from a PEM encoded Certificate and Key, use <code>openssl pkcs12 -in cert.pem -inkey key.pem -export -out bundle.pfx</code></td>
   </tr>
   <tr>
     <td>Certificate Password, CertificatePassword	</td>

.ci/server/certs/ssl-client-pw-test.pfx

@@ -772,6 +772,13 @@ private async Task InitSslAsync(ProtocolCapabilities serverCapabilities, Connect
 				try
 				{
 					var certificate = new X509Certificate2(cs.CertificateFile, cs.CertificatePassword);
+					if (!certificate.HasPrivateKey)
+					{
+						m_logArguments[1] = cs.CertificateFile;
+						Log.Error("{0} no private key included with certificate '{1}'", m_logArguments);
+						throw new MySqlException("CertificateFile does not contain a private key. "+
+						                         "CertificateFile should be in PKCS #12 (.pfx) format and contain both a Certificate and Private Key");
+					}
 #if !NET45
 					m_clientCertificate = certificate;
 #endif
@@ -872,6 +879,7 @@ bool ValidateRemoteCertificate(object rcbSender, X509Certificate rcbCertificate,
 				var sslByteHandler = new StreamByteHandler(sslStream);
 				m_payloadHandler.ByteHandler = sslByteHandler;
 				m_isSecureConnection = true;
+				m_sslStream = sslStream;
 			}
 			catch (Exception ex)
 			{
@@ -1057,6 +1065,14 @@ private void VerifyState(State state1, State state2, State state3)
 			}
 		}
 
+		internal bool SslIsEncrypted => m_sslStream != null && m_sslStream.IsEncrypted;
+
+		internal bool SslIsSigned => m_sslStream != null && m_sslStream.IsSigned;
+
+		internal bool SslIsAuthenticated => m_sslStream != null && m_sslStream.IsAuthenticated;
+
+		internal bool SslIsMutuallyAuthenticated => m_sslStream != null && m_sslStream.IsMutuallyAuthenticated;
+
 		private byte[] CreateConnectionAttributes()
 		{
 			Log.Debug("{0} creating connection attributes", m_logArguments);
@@ -1143,6 +1159,7 @@ private enum State
 		TcpClient m_tcpClient;
 		Socket m_socket;
 		NetworkStream m_networkStream;
+		SslStream m_sslStream;
 #if !NET45
 		IDisposable m_clientCertificate;
 		IDisposable m_serverCertificate;

.ci/server/certs/ssl-client.pfx

@@ -405,6 +405,14 @@ private async Task<ServerSession> CreateSessionAsync(IOBehavior ioBehavior, Canc
 			}
 		}
 
+		internal bool SslIsEncrypted => m_session.SslIsEncrypted;
+
+		internal bool SslIsSigned => m_session.SslIsSigned;
+
+		internal bool SslIsAuthenticated => m_session.SslIsAuthenticated;
+
+		internal bool SslIsMutuallyAuthenticated => m_session.SslIsMutuallyAuthenticated;
+
 		internal void SetState(ConnectionState newState)
 		{
 			if (m_connectionState != newState)

docs/content/connection-options.md

@@ -16,39 +16,33 @@ public SslTests(DatabaseFixture database)
 		public async Task ConnectSslPreferred()
 		{
 			var csb = AppConfig.CreateConnectionStringBuilder();
-			string requiredSslVersion;
-			using (var connection = new MySqlConnection(csb.ConnectionString))
-			{
-				using (var cmd = connection.CreateCommand())
-				{
-					await connection.OpenAsync();
-					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
-					requiredSslVersion = (string)await cmd.ExecuteScalarAsync();
-				}
-			}
-			Assert.False(string.IsNullOrWhiteSpace(requiredSslVersion));
-
 			csb.SslMode = MySqlSslMode.Preferred;
+			csb.CertificateFile = null;
+			csb.CertificatePassword = null;
 			using (var connection = new MySqlConnection(csb.ConnectionString))
 			{
 				using (var cmd = connection.CreateCommand())
 				{
 					await connection.OpenAsync();
+#if !BASELINE
+					Assert.True(connection.SslIsEncrypted);
+					Assert.True(connection.SslIsSigned);
+					Assert.True(connection.SslIsAuthenticated);
+					Assert.False(connection.SslIsMutuallyAuthenticated);
+#endif
 					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
-					var preferredSslVersion = (string)await cmd.ExecuteScalarAsync();
-					Assert.Equal(requiredSslVersion, preferredSslVersion);
+					var sslVersion = (string)await cmd.ExecuteScalarAsync();
+					Assert.False(string.IsNullOrWhiteSpace(sslVersion));
 				}
 			}
 		}
 
 		[SkippableTheory(ConfigSettings.RequiresSsl | ConfigSettings.KnownClientCertificate)]
 		[InlineData("ssl-client.pfx", null, null)]
 		[InlineData("ssl-client-pw-test.pfx", "test", null)]
-		[InlineData("ssl-client-cert.pem", null, null)]
 #if !BASELINE
 		[InlineData("ssl-client.pfx", null, "ssl-ca-cert.pem")]
 		[InlineData("ssl-client-pw-test.pfx", "test", "ssl-ca-cert.pem")]
-		[InlineData("ssl-client-cert.pem", null, "ssl-ca-cert.pem")]
 #endif
 		public async Task ConnectSslClientCertificate(string certFile, string certFilePassword, string caCertFile)
 		{
@@ -67,13 +61,31 @@ public async Task ConnectSslClientCertificate(string certFile, string certFilePa
 				using (var cmd = connection.CreateCommand())
 				{
 					await connection.OpenAsync();
+#if !BASELINE
+					Assert.True(connection.SslIsEncrypted);
+					Assert.True(connection.SslIsSigned);
+					Assert.True(connection.SslIsAuthenticated);
+					Assert.True(connection.SslIsMutuallyAuthenticated);
+#endif
 					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
 					var sslVersion = (string)await cmd.ExecuteScalarAsync();
 					Assert.False(string.IsNullOrWhiteSpace(sslVersion));
 				}
 			}
 		}
 
+		[SkippableFact(ConfigSettings.RequiresSsl, Baseline = "MySql.Data does not check for a private key")]
+		public async Task ConnectSslClientCertificateNoPrivateKey()
+		{
+			var csb = AppConfig.CreateConnectionStringBuilder();
+			csb.CertificateFile = Path.Combine(AppConfig.CertsPath, "ssl-client-cert.pem");
+			csb.SslMode = MySqlSslMode.Required;
+			using (var connection = new MySqlConnection(csb.ConnectionString))
+			{
+				await Assert.ThrowsAsync<MySqlException>(async () => await connection.OpenAsync());
+			}
+		}
+
 		[SkippableFact(ServerFeatures.KnownCertificateAuthority, ConfigSettings.RequiresSsl)]
 		public async Task ConnectSslBadClientCertificate()
 		{
@@ -95,7 +107,7 @@ public async Task ConnectSslBadClientCertificate()
 		public async Task ConnectSslBadCaCertificate()
 		{
 			var csb = AppConfig.CreateConnectionStringBuilder();
-			csb.CertificateFile = Path.Combine(AppConfig.CertsPath, "ssl-client-cert.pem");
+			csb.CertificateFile = Path.Combine(AppConfig.CertsPath, "ssl-client.pfx");
 			csb.SslMode = MySqlSslMode.VerifyCA;
 #if !BASELINE
 			csb.CACertificateFile = Path.Combine(AppConfig.CertsPath, "non-ca-client-cert.pem");