Add ProvideClientCertificatesCallback.

Signed-off-by: Bradley Grainger <bgrainger@gmail.com>

Author: bgrainger

docs/content/api/MySqlConnector/MySqlConnection/ProvideClientCertificatesCallback.md

@@ -107,7 +107,10 @@ These are the options that need to be used in order to configure a connection to
   <tr id="CertificateFile">
     <td>Certificate File, CertificateFile</td>
     <td></td>
-    <td>The path to a certificate file in PKCS #12 (.pfx) format containing a bundled Certificate and Private Key used for mutual authentication. To create a PKCS #12 bundle from a PEM encoded Certificate and Key, use <code>openssl pkcs12 -in cert.pem -inkey key.pem -export -out bundle.pfx</code>. This option should not be specified if <code>SslCert</code> and <code>SslKey</code> are used.</td>
+    <td>
+      <p>The path to a certificate file in PKCS #12 (.pfx) format containing a bundled Certificate and Private Key used for mutual authentication. To create a PKCS #12 bundle from a PEM encoded Certificate and Key, use <code>openssl pkcs12 -in cert.pem -inkey key.pem -export -out bundle.pfx</code>. This option should not be specified if <code>SslCert</code> and <code>SslKey</code> are used.</p>
+      <p>If the certificate can't be loaded from a file path, leave this value empty and set <a href="/api/mysqlconnector/mysqlconnection/provideclientcertificatescallback/"><code>MySqlConnection.ProvideClientCertificatesCallback</code></a> before calling <a href="/api/mysqlconnector/mysqlconnection/open/"><code>MySqlConnection.Open</code></a>. The property should be set to an async delegate that will populate a <code>X509CertificateCollection</code> with the client certificate(s) needed to connect.</p>
+    </td>
   </tr>
   <tr id="CertificatePassword">
     <td>Certificate Password, CertificatePassword</td>

docs/content/api/MySqlConnector/MySqlConnectionType.md

@@ -218,9 +218,9 @@ public async Task PrepareAsync(IMySqlCommand command, IOBehavior ioBehavior, Can
 			{
 				payload = await ReceiveReplyAsync(ioBehavior, cancellationToken).ConfigureAwait(false);
 			}
-			catch (MySqlException exception)
+			catch (MySqlException ex)
 			{
-				ThrowIfStatementContainsDelimiter(exception, command);
+				ThrowIfStatementContainsDelimiter(ex, command);
 				throw;
 			}
 
@@ -482,7 +482,7 @@ public async Task DisposeAsync(IOBehavior ioBehavior, CancellationToken cancella
 
 					try
 					{
-						await InitSslAsync(initialHandshake.ProtocolCapabilities, cs, sslProtocols, ioBehavior, cancellationToken).ConfigureAwait(false);
+						await InitSslAsync(initialHandshake.ProtocolCapabilities, cs, connection, sslProtocols, ioBehavior, cancellationToken).ConfigureAwait(false);
 						shouldRetrySsl = false;
 					}
 					catch (ArgumentException ex) when (ex.ParamName == "sslProtocolType" && sslProtocols == SslProtocols.None)
@@ -1185,7 +1185,7 @@ private async Task<bool> OpenNamedPipeAsync(ConnectionSettings cs, int startTick
 		return false;
 	}
 
-	private async Task InitSslAsync(ProtocolCapabilities serverCapabilities, ConnectionSettings cs, SslProtocols sslProtocols, IOBehavior ioBehavior, CancellationToken cancellationToken)
+	private async Task InitSslAsync(ProtocolCapabilities serverCapabilities, ConnectionSettings cs, MySqlConnection connection, SslProtocols sslProtocols, IOBehavior ioBehavior, CancellationToken cancellationToken)
 	{
 		Log.Trace("Session{0} initializing TLS connection", m_logArguments);
 		X509CertificateCollection? clientCertificates = null;
@@ -1264,6 +1264,21 @@ private async Task InitSslAsync(ProtocolCapabilities serverCapabilities, Connect
 			}
 		}
 
+		if (clientCertificates is null && connection.ProvideClientCertificatesCallback is { } clientCertificatesProvider)
+		{
+			clientCertificates = new();
+			try
+			{
+				await clientCertificatesProvider(clientCertificates).ConfigureAwait(false);
+			}
+			catch (Exception ex)
+			{
+				m_logArguments[1] = ex.Message;
+				Log.Error(ex, "Session{0} failed to obtain client certificates via ProvideClientCertificatesCallback: {1}", m_logArguments);
+				throw new MySqlException("Failed to obtain client certificates via ProvideClientCertificatesCallback", ex);
+			}
+		}
+
 		X509Chain? caCertificateChain = null;
 		if (cs.CACertificateFile.Length != 0)
 		{
@@ -1767,11 +1782,11 @@ private string GetPassword(ConnectionSettings cs, MySqlConnection connection)
 				Log.Trace("Session{0} obtaining password via ProvidePasswordCallback", m_logArguments);
 				return passwordProvider(new(HostName, cs.Port, cs.UserID, cs.Database));
 			}
-			catch (Exception e)
+			catch (Exception ex)
 			{
-				m_logArguments[1] = e.Message;
-				Log.Error("Session{0} failed to obtain password via ProvidePasswordCallback: {1}", m_logArguments);
-				throw new MySqlException(MySqlErrorCode.ProvidePasswordCallbackFailed, "Failed to obtain password via ProvidePasswordCallback", e);
+				m_logArguments[1] = ex.Message;
+				Log.Error(ex, "Session{0} failed to obtain password via ProvidePasswordCallback: {1}", m_logArguments);
+				throw new MySqlException(MySqlErrorCode.ProvidePasswordCallbackFailed, "Failed to obtain password via ProvidePasswordCallback", ex);
 			}
 		}
 

docs/content/connection-options.md

@@ -3,6 +3,7 @@
 using System.Diagnostics.CodeAnalysis;
 using System.Net.Sockets;
 using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
 using MySqlConnector.Core;
 using MySqlConnector.Logging;
 using MySqlConnector.Protocol.Payloads;
@@ -496,6 +497,16 @@ public override string ConnectionString
 	/// </summary>
 	public int ServerThread => Session.ConnectionId;
 
+	/// <summary>
+	/// Gets or sets the delegate used to provide client certificates for connecting to a server.
+	/// </summary>
+	/// <remarks>The provided <see cref="X509CertificateCollection"/> should be filled with the client certificate(s) needed to connect to the server.</remarks>
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+	public Func<X509CertificateCollection, ValueTask>? ProvideClientCertificatesCallback { get; set; }
+#else
+	public Func<X509CertificateCollection, Task>? ProvideClientCertificatesCallback { get; set; }
+#endif
+
 	/// <summary>
 	/// Gets or sets the delegate used to generate a password for new database connections.
 	/// </summary>
@@ -674,6 +685,7 @@ public async Task DisposeAsync()
 
 	public MySqlConnection Clone() => new(m_connectionString, m_hasBeenOpened)
 	{
+		ProvideClientCertificatesCallback = ProvideClientCertificatesCallback,
 		ProvidePasswordCallback = ProvidePasswordCallback,
 	};
 
@@ -697,6 +709,7 @@ public MySqlConnection CloneWith(string connectionString)
 			newBuilder.Password = currentBuilder.Password;
 		return new MySqlConnection(newBuilder.ConnectionString, m_hasBeenOpened && shouldCopyPassword && !currentBuilder.PersistSecurityInfo)
 		{
+			ProvideClientCertificatesCallback = ProvideClientCertificatesCallback,
 			ProvidePasswordCallback = ProvidePasswordCallback,
 		};
 	}

src/MySqlConnector/Core/ServerSession.cs

@@ -52,7 +52,36 @@ public async Task ConnectSslClientCertificate(string certFile, string certFilePa
 		await DoTestSsl(csb.ConnectionString);
 	}
 
+#if !BASELINE
 	[SkippableTheory(ConfigSettings.RequiresSsl | ConfigSettings.KnownClientCertificate)]
+	[InlineData("ssl-client.pfx", null)]
+	[InlineData("ssl-client-pw-test.pfx", "test")]
+	public async Task ConnectSslClientCertificateCallback(string certificateFile, string certificateFilePassword)
+	{
+		var csb = AppConfig.CreateConnectionStringBuilder();
+		var certificateFilePath = Path.Combine(AppConfig.CertsPath, certificateFile);
+
+		using var connection = new MySqlConnection(csb.ConnectionString);
+#if NETFRAMEWORK
+		connection.ProvideClientCertificatesCallback = x =>
+		{
+			x.Add(new X509Certificate2(certificateFilePath, certificateFilePassword));
+			return MySqlConnector.Utilities.Utility.CompletedTask;
+		};
+#else
+		connection.ProvideClientCertificatesCallback = async x =>
+		{
+			var certificateBytes = await File.ReadAllBytesAsync(certificateFilePath);
+			x.Add(new X509Certificate2(certificateBytes, certificateFilePassword));
+		};
+#endif
+
+		await connection.OpenAsync();
+		Assert.True(connection.SslIsEncrypted);
+	}
+#endif
+
+			[SkippableTheory(ConfigSettings.RequiresSsl | ConfigSettings.KnownClientCertificate)]
 	[InlineData("ssl-client-cert.pem", "ssl-client-key.pem", null)]
 	[InlineData("ssl-client-cert.pem", "ssl-client-key-null.pem", null)]
 #if !BASELINE