fix: add custom server certificates

Author: KirillKurdyukov

examples/src/YC/Program.cs

@@ -11,8 +11,6 @@ await Parser.Default.ParseArguments<CmdOptions>(args).WithParsedAsync(async cmd
     var saProvider = new ServiceAccountProvider(saFilePath: cmd.SaFilePath, loggerFactory: loggerFactory);
     await saProvider.Initialize();
 
-    var cert = YcCerts.GetDefaultServerCertificate();
-
     var builder = new YdbConnectionStringBuilder
     {
         UseTls = true,
@@ -21,11 +19,12 @@ await Parser.Default.ParseArguments<CmdOptions>(args).WithParsedAsync(async cmd
         Database = cmd.Database,
         CredentialsProvider = saProvider,
         LoggerFactory = loggerFactory,
-        CustomCertificate = cert
+        ServerCertificates = YcCerts.GetYcServerCertificates()
     };
 
     await using var ydbConnection = new YdbConnection(builder);
     await ydbConnection.OpenAsync();
 
-    Console.WriteLine(await new YdbCommand(ydbConnection) { CommandText = "SELECT 'Hello YDB!'u" }.ExecuteScalarAsync());
+    Console.WriteLine(await new YdbCommand(ydbConnection) { CommandText = "SELECT 'Hello Dedicated YDB!'u" }
+        .ExecuteScalarAsync());
 });

examples/src/YC/YC.csproj

@@ -13,9 +13,9 @@
         <PackageReference Include="Microsoft.Extensions.Logging.Console" Version="5.0.0" />
         <PackageReference Include="Microsoft.Extensions.Logging" Version="5.0.0" />
         <PackageReference Include="Ydb.Protos" Version="1.1.1" />
+        <PackageReference Include="Ydb.Sdk.Yc.Auth" Version="0.1.0" />
     </ItemGroup>
     <ItemGroup>
         <ProjectReference Include="..\..\..\src\Ydb.Sdk\src\Ydb.Sdk.csproj" />
-        <ProjectReference Include="..\..\..\..\ydb-dotnet-yc\src\Ydb.Sdk.Yc.Auth\src\Ydb.Sdk.Yc.Auth.csproj" />
     </ItemGroup>
 </Project>

src/Ydb.Sdk/src/Ado/YdbConnectionStringBuilder.cs

@@ -137,22 +137,11 @@ public string? RootCertificate
 
     private string? _rootCertificate;
 
-    public ILoggerFactory? LoggerFactory { get; set; }
+    public ILoggerFactory? LoggerFactory { get; init; }
 
-    public ICredentialsProvider? CredentialsProvider { get; set; }
+    public ICredentialsProvider? CredentialsProvider { get; init; }
 
-    public X509Certificate? CustomCertificate
-    {
-        get => _customCertificate;
-        set
-        {
-            RootCertificate = null;
-
-            _customCertificate = value;
-        }
-    }
-
-    private X509Certificate? _customCertificate;
+    public X509Certificate2Collection? ServerCertificates { get; init; }
 
     private void SaveValue(string propertyName, object? value)
     {
@@ -196,14 +185,14 @@ internal Task<Driver> BuildDriver()
     {
         var credentialsProvider = CredentialsProvider ??
                                   (User != null ? new StaticCredentialsProvider(User, Password) : null);
-        var cert = CustomCertificate ??
-                   (RootCertificate != null ? X509Certificate.CreateFromCertFile(RootCertificate) : null);
+        var cert = RootCertificate != null ? X509Certificate.CreateFromCertFile(RootCertificate) : null;
 
         return Driver.CreateInitialized(new DriverConfig(
             endpoint: Endpoint,
             database: Database,
             credentials: credentialsProvider,
-            customServerCertificate: cert
+            customServerCertificate: cert,
+            customServerCertificates: ServerCertificates
         ), LoggerFactory);
     }
 

src/Ydb.Sdk/src/DriverConfig.cs

@@ -8,21 +8,31 @@ public class DriverConfig
     public string Endpoint { get; }
     public string Database { get; }
     public ICredentialsProvider Credentials { get; }
-    public X509Certificate? CustomServerCertificate { get; }
-
+    
+    internal X509Certificate2Collection CustomServerCertificates { get; } = new();
     internal TimeSpan EndpointDiscoveryInterval = TimeSpan.FromMinutes(1);
     internal TimeSpan EndpointDiscoveryTimeout = TimeSpan.FromSeconds(10);
 
     public DriverConfig(
         string endpoint,
         string database,
         ICredentialsProvider? credentials = null,
-        X509Certificate? customServerCertificate = null)
+        X509Certificate? customServerCertificate = null,
+        X509Certificate2Collection? customServerCertificates = null)
     {
         Endpoint = FormatEndpoint(endpoint);
         Database = database;
         Credentials = credentials ?? new AnonymousProvider();
-        CustomServerCertificate = customServerCertificate;
+
+        if (customServerCertificate != null)
+        {
+            CustomServerCertificates.Add(new X509Certificate2(customServerCertificate));
+        }
+
+        if (customServerCertificates != null)
+        {
+            CustomServerCertificates.AddRange(customServerCertificates);
+        }
     }
 
     private static string FormatEndpoint(string endpoint)

src/Ydb.Sdk/src/Pool/ChannelPool.cs

@@ -5,7 +5,6 @@
 using Grpc.Core;
 using Grpc.Net.Client;
 using Microsoft.Extensions.Logging;
-using Org.BouncyCastle.Security;
 
 namespace Ydb.Sdk.Pool;
 
@@ -79,14 +78,14 @@ public interface IChannelFactory<out T> where T : ChannelBase, IDisposable
 internal class GrpcChannelFactory : IChannelFactory<GrpcChannel>
 {
     private readonly ILoggerFactory _loggerFactory;
-    private readonly X509Certificate? _x509Certificate;
     private readonly ILogger<GrpcChannelFactory> _logger;
+    private readonly X509Certificate2Collection _x509Certificate2Collection;
 
     internal GrpcChannelFactory(ILoggerFactory loggerFactory, DriverConfig config)
     {
         _loggerFactory = loggerFactory;
-        _x509Certificate = config.CustomServerCertificate;
         _logger = loggerFactory.CreateLogger<GrpcChannelFactory>();
+        _x509Certificate2Collection = config.CustomServerCertificates;
     }
 
     public GrpcChannel CreateChannel(string endpoint)
@@ -98,47 +97,48 @@ public GrpcChannel CreateChannel(string endpoint)
             LoggerFactory = _loggerFactory
         };
 
-        if (_x509Certificate == null)
+        var httpHandler = new SocketsHttpHandler();
+
+        // https://github.com/grpc/grpc-dotnet/issues/2312#issuecomment-1790661801
+        httpHandler.Properties["__GrpcLoadBalancingDisabled"] = true;
+
+        channelOptions.HttpHandler = httpHandler;
+        channelOptions.DisposeHttpClient = true;
+
+        if (_x509Certificate2Collection.Count == 0)
         {
             return GrpcChannel.ForAddress(endpoint, channelOptions);
         }
 
-        var httpHandler = new SocketsHttpHandler();
-
-        var customCertificate = DotNetUtilities.FromX509Certificate(_x509Certificate);
-
-        httpHandler.SslOptions.RemoteCertificateValidationCallback =
-            (_, certificate, _, sslPolicyErrors) =>
+        httpHandler.SslOptions.RemoteCertificateValidationCallback +=
+            (_, certificate, chain, sslPolicyErrors) =>
             {
                 if (sslPolicyErrors == SslPolicyErrors.None)
                 {
                     return true;
                 }
 
-                if (certificate is null)
+                if (certificate is null || chain is null)
                 {
                     return false;
                 }
 
                 try
                 {
-                    var cert = DotNetUtilities.FromX509Certificate(certificate);
-                    cert.Verify(customCertificate.GetPublicKey());
+                    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
+                    chain.ChainPolicy.ExtraStore.AddRange(_x509Certificate2Collection);
+
+                    return chain.Build(new X509Certificate2(certificate)) && chain.ChainElements.Any(chainElement =>
+                        _x509Certificate2Collection.Any(trustedCert =>
+                            chainElement.Certificate.Thumbprint == trustedCert.Thumbprint));
                 }
                 catch (Exception e)
                 {
                     _logger.LogError(e, "Failed to verify remote certificate!");
 
                     return false;
                 }
-
-                return true;
             };
-        // https://github.com/grpc/grpc-dotnet/issues/2312#issuecomment-1790661801
-        httpHandler.Properties["__GrpcLoadBalancingDisabled"] = true;
-
-        channelOptions.HttpHandler = httpHandler;
-        channelOptions.DisposeHttpClient = true;
 
         return GrpcChannel.ForAddress(endpoint, channelOptions);
     }

src/Ydb.Sdk/src/Transport/AuthGrpcChannelDriver.cs

@@ -17,7 +17,7 @@ ILoggerFactory loggerFactory
         new DriverConfig(
             endpoint: driverConfig.Endpoint,
             database: driverConfig.Database,
-            customServerCertificate: driverConfig.CustomServerCertificate
+            customServerCertificates: driverConfig.CustomServerCertificates
         ), loggerFactory, loggerFactory.CreateLogger<AuthGrpcChannelDriver>())
     {
         _channel = grpcChannelFactory.CreateChannel(Config.Endpoint);