Add support for reading certificates from the Certificate Store (#537)

Fixes #536.

Signed-off-by: Jan Hajek <[email protected]>

Author: hajekj

docs/content/connection-options.md

@@ -105,6 +105,16 @@ These are the options that need to be used in order to configure a connection to
     <td></td>
     <td>This option specifies the path to a CA certificate file in a PEM Encoded (.pem) format. This should be used in with <code>SslMode=VerifyCA</code> or <code>SslMode=VerifyFull</code> to enable verification of a CA certificate that is not trusted by the Operating System's certificate store.</td>
   </tr>
+  <tr>
+    <td>Certificate Store Location, CertificateStoreLocation</td>
+    <td>None</td>
+    <td>Specifies whether the connection should be encrypted with a certificate from the Certificate Store on the machine, you can specify either <code>CurrentUser</code> or <code>LocalMachine</code> as valid locations, defaults to None which results in the certificate store not being used.</td>
+  </tr>
+  <tr>
+    <td>Certificate Thumbprint, CertificateThumbprint</td>
+    <td></td>
+    <td>Specifies which specific certificate should be used from the Certificate Store specified in the setting above. If none is specified and Certificate Store is chosen, all certificates from the store will be used to attempt to make the connection.</td>
+  </tr>
 </table>
 
 Connection Pooling Options

src/MySqlConnector/Core/ConnectionSettings.cs

@@ -47,6 +47,8 @@ public ConnectionSettings(MySqlConnectionStringBuilder csb)
 			CertificateFile = csb.CertificateFile;
 			CertificatePassword = csb.CertificatePassword;
 			CACertificateFile = csb.CACertificateFile;
+			CertificateStoreLocation = csb.CertificateStoreLocation;
+			CertificateThumbprint = csb.CertificateThumbprint;
 
 			// Connection Pooling Options
 			Pooling = csb.Pooling;
@@ -124,6 +126,8 @@ private static MySqlGuidFormat GetEffectiveGuidFormat(MySqlGuidFormat guidFormat
 		public string CertificateFile { get; }
 		public string CertificatePassword { get; }
 		public string CACertificateFile { get; }
+		public MySqlCertificateStoreLocation CertificateStoreLocation { get; }
+		public string CertificateThumbprint { get; }
 
 		// Connection Pooling Options
 		public bool Pooling { get; }

src/MySqlConnector/Core/ServerSession.cs

@@ -876,6 +876,47 @@ private async Task InitSslAsync(ProtocolCapabilities serverCapabilities, Connect
 		{
 			Log.Info("Session{0} initializing TLS connection", m_logArguments);
 			X509CertificateCollection clientCertificates = null;
+
+			if (cs.CertificateStoreLocation != MySqlCertificateStoreLocation.None)
+			{
+				try
+				{
+					var storeLocation = (cs.CertificateStoreLocation == MySqlCertificateStoreLocation.CurrentUser) ? StoreLocation.CurrentUser : StoreLocation.LocalMachine;
+					var store = new X509Store(StoreName.My, storeLocation);
+					store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
+
+					if (cs.CertificateThumbprint == null)
+					{
+						if (store.Certificates.Count == 0)
+						{
+							Log.Error("Session{0} no certificates were found in the certificate store", m_logArguments);
+							throw new MySqlException("No certificates were found in the certifcate store");
+						}
+
+						clientCertificates = new X509CertificateCollection(store.Certificates);
+					}
+					else
+					{
+						var requireValid = (cs.SslMode == MySqlSslMode.VerifyCA || cs.SslMode == MySqlSslMode.VerifyFull) ? true : false;
+						var foundCertificates = store.Certificates.Find(X509FindType.FindByThumbprint, cs.CertificateThumbprint, requireValid);
+						if (foundCertificates.Count == 0)
+						{
+							m_logArguments[1] = cs.CertificateThumbprint;
+							Log.Error("Session{0} certificate with specified thumbprint not found in store '{1}'", m_logArguments);
+							throw new MySqlException("Certificate with Thumbprint " + cs.CertificateThumbprint + " not found");
+						}
+
+						clientCertificates = new X509CertificateCollection(foundCertificates);
+					}
+				}
+				catch (CryptographicException ex)
+				{
+					m_logArguments[1] = cs.CertificateStoreLocation;
+					Log.Error(ex, "Session{0} couldn't load certificate from CertificateStoreLocation '{1}'", m_logArguments);
+					throw new MySqlException("Certificate couldn't be loaded from the CertificateStoreLocation", ex);
+				}
+			}
+
 			if (cs.CertificateFile != null)
 			{
 				try

src/MySqlConnector/MySql.Data.MySqlClient/MySqlCertificateStoreLocation.cs

@@ -0,0 +1,24 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace MySql.Data.MySqlClient
+{
+	public enum MySqlCertificateStoreLocation
+	{
+		/// <summary>
+		/// Do not use certificate store
+		/// </summary>
+		None,
+		/// <summary>
+		/// Use certificate store for the current user
+		/// </summary>
+		CurrentUser,
+		/// <summary>
+		/// User certificate store for the machine
+		/// </summary>
+		LocalMachine
+	}
+}

src/MySqlConnector/MySql.Data.MySqlClient/MySqlConnectionStringBuilder.cs

@@ -91,6 +91,18 @@ public string CACertificateFile
 			set => MySqlConnectionStringOption.CACertificateFile.SetValue(this, value);
 		}
 
+		public MySqlCertificateStoreLocation CertificateStoreLocation
+		{
+			get => MySqlConnectionStringOption.CertificateStoreLocation.GetValue(this);
+			set => MySqlConnectionStringOption.CertificateStoreLocation.SetValue(this, value);
+		}
+
+		public string CertificateThumbprint
+		{
+			get => MySqlConnectionStringOption.CertificateThumbprint.GetValue(this);
+			set => MySqlConnectionStringOption.CertificateThumbprint.SetValue(this, value);
+		}
+
 		// Connection Pooling Options
 		public bool Pooling
 		{
@@ -320,6 +332,8 @@ internal abstract class MySqlConnectionStringOption
 		public static readonly MySqlConnectionStringOption<MySqlSslMode> SslMode;
 		public static readonly MySqlConnectionStringOption<string> CertificateFile;
 		public static readonly MySqlConnectionStringOption<string> CertificatePassword;
+		public static readonly MySqlConnectionStringOption<MySqlCertificateStoreLocation> CertificateStoreLocation;
+		public static readonly MySqlConnectionStringOption<string> CertificateThumbprint;
 		public static readonly MySqlConnectionStringOption<string> CACertificateFile;
 
 		// Connection Pooling Options
@@ -430,6 +444,14 @@ static MySqlConnectionStringOption()
 				keys: new[] { "CACertificateFile", "CA Certificate File" },
 				defaultValue: null));
 
+			AddOption(CertificateStoreLocation = new MySqlConnectionStringOption<MySqlCertificateStoreLocation>(
+				keys: new[] { "CertificateStoreLocation", "Certificate Store Location" },
+				defaultValue: MySqlCertificateStoreLocation.None));
+
+			AddOption(CertificateThumbprint = new MySqlConnectionStringOption<string>(
+				keys: new[] { "CertificateThumbprint", "Certificate Thumbprint", "Certificate Thumb Print" },
+				defaultValue: null));
+
 			// Connection Pooling Options
 			AddOption(Pooling = new MySqlConnectionStringOption<bool>(
 				keys: new[] { "Pooling" },
@@ -582,7 +604,7 @@ private static T ChangeType(object objectValue)
 					return (T) (object) false;
 			}
 
-			if ((typeof(T) == typeof(MySqlLoadBalance) || typeof(T) == typeof(MySqlSslMode) || typeof(T) == typeof(MySqlDateTimeKind) || typeof(T) == typeof(MySqlGuidFormat) || typeof(T) == typeof(MySqlConnectionProtocol)) && objectValue is string enumString)
+			if ((typeof(T) == typeof(MySqlLoadBalance) || typeof(T) == typeof(MySqlSslMode) || typeof(T) == typeof(MySqlDateTimeKind) || typeof(T) == typeof(MySqlGuidFormat) || typeof(T) == typeof(MySqlConnectionProtocol) || typeof(T) == typeof(MySqlCertificateStoreLocation)) && objectValue is string enumString)
 			{
 				try
 				{

tests/MySqlConnector.Tests/MySqlConnectionStringBuilderTests.cs

@@ -16,6 +16,8 @@ public void Defaults()
 			Assert.True(csb.AutoEnlist);
 			Assert.Null(csb.CertificateFile);
 			Assert.Null(csb.CertificatePassword);
+			Assert.Equal(MySqlCertificateStoreLocation.None, csb.CertificateStoreLocation);
+			Assert.Null(csb.CertificateThumbprint);
 			Assert.Equal("", csb.CharacterSet);
 			Assert.Equal(0u, csb.ConnectionLifeTime);
 			Assert.Equal(MySqlConnectionProtocol.Sockets, csb.ConnectionProtocol);
@@ -85,6 +87,8 @@ public void ParseConnectionString()
 					"auto enlist=False;" +
 					"certificate file=file.pfx;" +
 					"certificate password=Pass1234;" +
+					"certificate store location=CurrentUser;" +
+					"certificate thumb print=thumbprint123;" +
 					"Character Set=latin1;" +
 					"Compress=true;" +
 					"connect timeout=30;" +
@@ -128,6 +132,8 @@ public void ParseConnectionString()
 			Assert.False(csb.AutoEnlist);
 			Assert.Equal("file.pfx", csb.CertificateFile);
 			Assert.Equal("Pass1234", csb.CertificatePassword);
+			Assert.Equal(MySqlCertificateStoreLocation.CurrentUser, csb.CertificateStoreLocation);
+			Assert.Equal("thumbprint123", csb.CertificateThumbprint);
 			Assert.Equal("latin1", csb.CharacterSet);
 			Assert.Equal(15u, csb.ConnectionLifeTime);
 			Assert.Equal(MySqlConnectionProtocol.NamedPipe, csb.ConnectionProtocol);

tests/SideBySide/SslTests.cs

@@ -1,5 +1,6 @@
 using System.IO;
 using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 using MySql.Data.MySqlClient;
 using Xunit;
@@ -75,6 +76,42 @@ public async Task ConnectSslClientCertificate(string certFile, string certFilePa
 			}
 		}
 
+		[SkippableTheory(ConfigSettings.RequiresSsl | ConfigSettings.KnownClientCertificate)]
+		[InlineData("ssl-client.pfx", MySqlCertificateStoreLocation.CurrentUser, null)]
+		public async Task ConnectSslClientCertificateFromCertificateStore(string certFile, MySqlCertificateStoreLocation storeLocation, string thumbprint)
+		{
+			// Create a mock of certificate store
+			X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
+			store.Open(OpenFlags.ReadWrite);
+			var certificate = new X509Certificate2(Path.Combine(AppConfig.CertsPath, certFile));
+			store.Add(certificate);
+
+			var csb = AppConfig.CreateConnectionStringBuilder();
+			
+			csb.CertificateStoreLocation = storeLocation;
+			csb.CertificateThumbprint = thumbprint;
+
+			using (var connection = new MySqlConnection(csb.ConnectionString))
+			{
+				using (var cmd = connection.CreateCommand())
+				{
+					await connection.OpenAsync();
+#if !BASELINE
+					Assert.True(connection.SslIsEncrypted);
+					Assert.True(connection.SslIsSigned);
+					Assert.True(connection.SslIsAuthenticated);
+					Assert.True(connection.SslIsMutuallyAuthenticated);
+#endif
+					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
+					var sslVersion = (string) await cmd.ExecuteScalarAsync();
+					Assert.False(string.IsNullOrWhiteSpace(sslVersion));
+				}
+			}
+
+			// Remove the certificate from store
+			store.Remove(certificate);
+		}
+
 		[SkippableFact(ConfigSettings.RequiresSsl, Baseline = "MySql.Data does not check for a private key")]
 		public async Task ConnectSslClientCertificateNoPrivateKey()
 		{