add CA Certificate validation

Author: caleblloyd

src/MySqlConnector/MySqlClient/MySqlConnectionStringBuilder.cs

@@ -66,6 +66,12 @@ public string CertificatePassword
 			set => MySqlConnectionStringOption.CertificatePassword.SetValue(this, value);
 		}
 
+		public string CACertificateFile
+		{
+			get => MySqlConnectionStringOption.CACertificateFile.GetValue(this);
+			set => MySqlConnectionStringOption.CACertificateFile.SetValue(this, value);
+		}
+
 		// Connection Pooling Options
 		public bool Pooling
 		{
@@ -238,6 +244,7 @@ internal abstract class MySqlConnectionStringOption
 		public static readonly MySqlConnectionStringOption<MySqlSslMode> SslMode;
 		public static readonly MySqlConnectionStringOption<string> CertificateFile;
 		public static readonly MySqlConnectionStringOption<string> CertificatePassword;
+		public static readonly MySqlConnectionStringOption<string> CACertificateFile;
 
 		// Connection Pooling Options
 		public static readonly MySqlConnectionStringOption<bool> Pooling;
@@ -322,6 +329,10 @@ static MySqlConnectionStringOption()
 				keys: new[] { "CertificatePassword", "Certificate Password" },
 				defaultValue: null));
 
+			AddOption(CACertificateFile = new MySqlConnectionStringOption<string>(
+				keys: new[] { "CACertificateFile", "CA Certificate File" },
+				defaultValue: null));
+
 			// Connection Pooling Options
 			AddOption(Pooling = new MySqlConnectionStringOption<bool>(
 				keys: new[] { "Pooling" },

src/MySqlConnector/Serialization/ConnectionSettings.cs

@@ -33,6 +33,7 @@ public ConnectionSettings(MySqlConnectionStringBuilder csb)
 			SslMode = csb.SslMode;
 			CertificateFile = csb.CertificateFile;
 			CertificatePassword = csb.CertificatePassword;
+			CACertificateFile = csb.CACertificateFile;
 
 			// Connection Pooling Options
 			Pooling = csb.Pooling;
@@ -73,6 +74,7 @@ public ConnectionSettings(MySqlConnectionStringBuilder csb)
 		public MySqlSslMode SslMode { get; }
 		public string CertificateFile { get; }
 		public string CertificatePassword { get; }
+		public string CACertificateFile { get; }
 
 		// Connection Pooling Options
 		public bool Pooling { get; }

src/MySqlConnector/Serialization/MySqlSession.cs

@@ -537,36 +537,66 @@ private async Task InitSslAsync(ProtocolCapabilities serverCapabilities, Connect
 				catch (CryptographicException ex)
 				{
 					if (!File.Exists(cs.CertificateFile))
-						throw new MySqlException("Cannot find SSL Certificate File", ex);
-					throw new MySqlException("Either the SSL Certificate Password is incorrect or the SSL Certificate File is invalid", ex);
+						throw new MySqlException("Cannot find Certificate File", ex);
+					throw new MySqlException("Either the Certificate Password is incorrect or the Certificate File is invalid", ex);
 				}
 			}
 
-			Func<object, string, X509CertificateCollection, X509Certificate, string[], X509Certificate> localCertificateCb =
-				(lcbSender, lcbTargetHost, lcbLocalCertificates, lcbRemoteCertificate, lcbAcceptableIssuers) => lcbLocalCertificates[0];
+			X509Chain caCertificateChain = null;
+			if (cs.CACertificateFile != null)
+			{
+				try
+				{
+					var caCertificate = new X509Certificate2(cs.CACertificateFile);
+					caCertificateChain = new X509Chain
+					{
+						ChainPolicy =
+						{
+							RevocationMode = X509RevocationMode.NoCheck,
+							VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority
+						}
+					};
+					caCertificateChain.ChainPolicy.ExtraStore.Add(caCertificate);
+				}
+				catch (CryptographicException ex)
+				{
+					if (!File.Exists(cs.CACertificateFile))
+						throw new MySqlException("Cannot find CA Certificate File", ex);
+					throw new MySqlException("The CA Certificate File is invalid", ex);
+				}
+			}
+
+			X509Certificate LocalCertificateCb(object lcbSender, string lcbTargetHost, X509CertificateCollection lcbLocalCertificates, X509Certificate lcbRemoteCertificate, string[] lcbAcceptableIssuers) => lcbLocalCertificates[0];
+
+			bool RemoteCertificateCb(object rcbSender, X509Certificate rcbCertificate, X509Chain rcbChain, SslPolicyErrors rcbPolicyErrors)
+			{
+				if (cs.SslMode == MySqlSslMode.Preferred || cs.SslMode == MySqlSslMode.Required)
+					return true;
 
-			Func<object, X509Certificate, X509Chain, SslPolicyErrors, bool> remoteCertificateCb =
-				(rcbSender, rcbCertificate, rcbChain, rcbPolicyErrors) =>
+				if ((rcbPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && caCertificateChain != null)
 				{
-					switch (rcbPolicyErrors)
+					if (caCertificateChain.Build((X509Certificate2) rcbCertificate))
 					{
-						case SslPolicyErrors.None:
-							return true;
-						case SslPolicyErrors.RemoteCertificateNameMismatch:
-							return cs.SslMode != MySqlSslMode.VerifyFull;
-						default:
-							return cs.SslMode == MySqlSslMode.Preferred || cs.SslMode == MySqlSslMode.Required;
+						var chainStatus = caCertificateChain.ChainStatus[0].Status & ~X509ChainStatusFlags.UntrustedRoot;
+						if (chainStatus == X509ChainStatusFlags.NoError)
+							rcbPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
 					}
-				};
+				}
+
+				if (cs.SslMode == MySqlSslMode.VerifyCA)
+					rcbPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
+
+				return rcbPolicyErrors == SslPolicyErrors.None;
+			}
 
 			SslStream sslStream;
 			if (clientCertificates == null)
 				sslStream = new SslStream(m_networkStream, false,
-					new RemoteCertificateValidationCallback(remoteCertificateCb));
+					new RemoteCertificateValidationCallback((Func<object, X509Certificate, X509Chain, SslPolicyErrors, bool>) RemoteCertificateCb));
 			else
 				sslStream = new SslStream(m_networkStream, false,
-					new RemoteCertificateValidationCallback(remoteCertificateCb),
-					new LocalCertificateSelectionCallback(localCertificateCb));
+					new RemoteCertificateValidationCallback((Func<object, X509Certificate, X509Chain, SslPolicyErrors, bool>) RemoteCertificateCb),
+					new LocalCertificateSelectionCallback((Func<object, string, X509CertificateCollection, X509Certificate, string[], X509Certificate>) LocalCertificateCb));
 
 			// SslProtocols.Tls1.2 throws an exception in Windows, see https://github.com/mysql-net/MySqlConnector/pull/101
 			var sslProtocols = SslProtocols.Tls | SslProtocols.Tls11;