You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

337 lines
14 KiB

// Copyright (c) 2019, 2020 Oracle and/or its affiliates.
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License, version 2.0, as
// published by the Free Software Foundation.
//
// This program is also distributed with certain software (including
// but not limited to OpenSSL) that is licensed under separate terms,
// as designated in a particular file or component or in included license
// documentation. The authors of MySQL hereby grant you an
// additional permission to link the program and your derivative works
// with the separately licensed software that they have included with
// MySQL.
//
// Without limiting anything contained in the foregoing, this file,
// which is part of MySQL Connector/NET, is also subject to the
// Universal FOSS Exception, version 1.0, a copy of which can be found at
// http://oss.oracle.com/licenses/universal-foss-exception.
//
// This program is distributed in the hope that it will be useful, but
// WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
// See the GNU General Public License, version 2.0, for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.Security.Certificates;
using Org.BouncyCastle.Security;
using System;
using MySql.Data.MySqlClient;
using System.Net.Security;
using System.IO;
using Sog.Properties;
namespace MySql.Data.common
{
/// <summary>
/// Provides functionality to read SSL PEM certificates and to perform multiple validations via Bouncy Castle.
/// </summary>
internal static class SslPemCertificateValidator
{
public static void ValidateCertificate(
System.Security.Cryptography.X509Certificates.X509Certificate certificate,
MySqlBaseConnectionStringBuilder settings)
{
if (settings.SslMode >= MySqlSslMode.VerifyCA)
{
VerifyEmptyOrWhitespaceSslConnectionOption(settings.SslCa, nameof(settings.SslCa));
#pragma warning disable CS0612 // 类型或成员已过时
var sslCA = ReadSslCertificate(settings.SslCa);
#pragma warning restore CS0612 // 类型或成员已过时
VerifyIssuer(sslCA, certificate);
VerifyDates(sslCA);
VerifyCAStatus(sslCA, true);
#if NET452
VerifySignature(sslCA, DotNetUtilities.FromX509Certificate(certificate));
#else
#pragma warning disable CS0612 // 类型或成员已过时
VerifySignature(sslCA, new X509CertificateParser().ReadCertificate(certificate.GetRawCertData()));
#pragma warning restore CS0612 // 类型或成员已过时
#endif
}
if (settings.SslMode == MySqlSslMode.VerifyFull)
{
VerifyEmptyOrWhitespaceSslConnectionOption(settings.SslCert, nameof(settings.SslCert));
#pragma warning disable CS0612 // 类型或成员已过时
var sslCert = ReadSslCertificate(settings.SslCert);
#pragma warning restore CS0612 // 类型或成员已过时
VerifyDates(sslCert);
VerifyCAStatus(sslCert, false);
VerifyEmptyOrWhitespaceSslConnectionOption(settings.SslKey, nameof(settings.SslKey));
#pragma warning disable CS0612 // 类型或成员已过时
var sslKey = ReadKey(settings.SslKey);
#pragma warning restore CS0612 // 类型或成员已过时
#pragma warning disable CS0612 // 类型或成员已过时
VerifyKeyCorrespondsToCertificateKey(sslCert, sslKey);
#pragma warning restore CS0612 // 类型或成员已过时
}
}
/// <summary>
/// Raises an exception if the specified connection option is null, empty or whitespace.
/// </summary>
/// <param name="connectionOption">The connection option to verify.</param>
/// <param name="connectionOptionName">The name of the connection option.</param>
private static void VerifyEmptyOrWhitespaceSslConnectionOption(string connectionOption, string connectionOptionName)
{
if (string.IsNullOrWhiteSpace(connectionOption))
{
throw new MySqlException(
Resources.SslConnectionError,
new FileNotFoundException(string.Format(Resources.FilePathNotSet, connectionOptionName)));
}
}
#region Certificate Readers
/// <summary>
/// Reads the specified file as a byte array.
/// </summary>
/// <param name="filePath">The path of the file to read.</param>
/// <returns>A byte array representing the read file.</returns>
private static byte[] GetBuffer(string filePath)
{
byte[] buffer;
if (filePath == null)
{
throw new ArgumentNullException(nameof(filePath));
}
try
{
FileStream stream = File.Open(filePath, FileMode.Open, FileAccess.Read, FileShare.ReadWrite);
buffer = new byte[stream.Length];
int offset = stream.Read(buffer, 0, buffer.Length);
while (true)
{
if (offset >= stream.Length)
{
stream.Close();
break;
}
offset += stream.Read(buffer, offset, buffer.Length - offset);
}
}
catch (Exception)
{
throw new MySqlException(Resources.SslConnectionError, new FileNotFoundException(Resources.FileNotFound, filePath));
}
return buffer;
}
/// <summary>
/// Reads the SSL certificate file.
/// </summary>
/// <param name="filePath">The path to the certificate file.</param>
/// <returns>A <see cref="Org.BouncyCastle.X509.X509Certificate"/> instance representing the SSL certificate file.</returns>
[Obsolete]
private static Org.BouncyCastle.X509.X509Certificate ReadSslCertificate(string filePath)
{
byte[] buffer = GetBuffer(filePath);
var PR = new PemReader(new StreamReader(new MemoryStream(buffer)));
try
{
var certificate = (Org.BouncyCastle.X509.X509Certificate)PR.ReadObject();
if (certificate == null)
{
throw new InvalidCastException();
}
return certificate;
}
catch (InvalidCastException)
{
throw new MySqlException(Resources.SslConnectionError, new Exception(Resources.FileIsNotACertificate));
}
}
/// <summary>
/// Reads the SSL certificate key file.
/// </summary>
/// <param name="filePath">The path to the certificate key file.</param>
/// <returns>A <see cref="AsymmetricCipherKeyPair"/> instance representing the SSL certificate key file.</returns>
[Obsolete]
private static AsymmetricCipherKeyPair ReadKey(string filePath)
{
byte[] buffer = GetBuffer(filePath);
var PR = new PemReader(new StreamReader(new MemoryStream(buffer)));
try
{
var key = (AsymmetricCipherKeyPair)PR.ReadObject();
if (key == null)
{
throw new InvalidCastException();
}
return key;
}
catch (InvalidCastException)
{
throw new MySqlException(Resources.SslConnectionError, new Exception(Resources.FileIsNotAKey));
}
}
#endregion
#region Certificate Veryfiers
/// <summary>
/// Verifies that the certificate has not yet expired.
/// </summary>
/// <param name="certificate">The certificate to verify.</param>
private static void VerifyDates(Org.BouncyCastle.X509.X509Certificate certificate)
{
try
{
certificate.CheckValidity();
}
catch (CertificateExpiredException exception)
{
throw new MySqlException(Resources.SslConnectionError, exception);
}
catch (CertificateNotYetValidException exception)
{
throw new MySqlException(Resources.SslConnectionError, exception);
}
}
/// <summary>
/// Verifies a certificate CA status.
/// </summary>
/// <param name="certificate">The certificate to validate.</param>
/// <param name="expectedCAStatus">A flag indicating the expected CA status.</param>
private static void VerifyCAStatus(Org.BouncyCastle.X509.X509Certificate certificate, bool expectedCAStatus)
{
bool? isCA = IsCA(certificate, out var certificatePathLength);
if (isCA == true && !expectedCAStatus)
{
throw new MySqlException(Resources.SslConnectionError, new Exception(Resources.InvalidSslCertificate));
}
else if (expectedCAStatus && certificate.Version == 3 && (isCA == false || isCA == null))
{
throw new MySqlException(Resources.SslConnectionError, new Exception(Resources.SslCertificateIsNotCA));
}
}
/// <summary>
/// Verifies that the certificate was signed using the private key that corresponds to the specified public key
/// </summary>
/// <param name="certificate">The client side certificate containing the public key.</param>
/// <param name="serverCertificate">The server certificate.</param>
[Obsolete]
private static void VerifySignature(Org.BouncyCastle.X509.X509Certificate certificate, Org.BouncyCastle.X509.X509Certificate serverCertificate)
{
VerifySignature(serverCertificate, certificate.GetPublicKey());
}
private static void VerifySignatureUsingKey(Org.BouncyCastle.X509.X509Certificate certificate, AsymmetricCipherKeyPair key)
{
VerifySignature(certificate, key.Public);
}
private static void VerifySignature(Org.BouncyCastle.X509.X509Certificate certificate, AsymmetricKeyParameter key)
{
try
{
certificate.Verify(key);
}
catch (InvalidKeyException exception)
{
throw new Exception(Resources.InvalidCertificateKey, exception);
}
catch (SignatureException exception)
{
throw new Exception(Resources.InvalidSslCertificateSignature, exception);
}
catch (CertificateException exception)
{
throw new Exception(Resources.EncodingError, exception);
}
catch (Exception exception)
{
throw new Exception(Resources.InvalidSslCertificateSignatureGeneral, exception);
}
}
/// <summary>
/// Verifies that no SSL policy errors regarding the identitfy of the host were raised.
/// </summary>
/// <param name="sslPolicyErrors">A <see cref="SslPolicyErrors"/> instance set with the raised SSL errors.</param>
private static void VerifyIdentity(SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateNameMismatch)
{
throw new MySqlException(Resources.SslConnectionError, new Exception(Resources.SslCertificateHostNameMismatch));
}
}
/// <summary>
/// Verifies that the issuer matches the CA by comparing the CA certificate issuer and the server certificate issuer.
/// </summary>
/// <param name="CACertificate">The CA certificate.</param>
/// <param name="serverCertificate">The server certificate.</param>
private static void VerifyIssuer(Org.BouncyCastle.X509.X509Certificate CACertificate, System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate)
{
var certificate = new System.Security.Cryptography.X509Certificates.X509Certificate(CACertificate.GetEncoded());
if (certificate.Issuer != serverCertificate.Issuer)
{
throw new MySqlException(Resources.SslConnectionError, new Exception(Resources.SslCertificateCAMismatch));
}
}
[Obsolete]
private static void VerifyKeyCorrespondsToCertificateKey(Org.BouncyCastle.X509.X509Certificate certificate, AsymmetricCipherKeyPair key)
{
var certificateKey = certificate.GetPublicKey().ToString();
if (!string.IsNullOrEmpty(certificateKey) && certificateKey != key.Public.ToString())
{
throw new InvalidKeyException();
}
}
/// Validates that the certificate provided is a CA certificate.
/// </summary>
/// <param name="certificate">The certificate to validate.</param>
/// <param name="certificationPathLength">The allowed certification path length.</param>
/// <returns><c>null</c> if the certificate info does not allow to determine the CA status;
/// otherwise, a boolean value indicating the CA status.</null></returns>
private static bool? IsCA(Org.BouncyCastle.X509.X509Certificate certificate, out int certificationPathLength)
{
// If certificate version equal to 3 then the isCA property can be retrieved.
if (certificate.Version == 3)
{
// A value of -1 indicates certificate is not a CA.
// A value of Integer.MAX_VALUE indicates there is no limit on the allowed length of the certification path.
certificationPathLength = certificate.GetBasicConstraints();
return certificationPathLength != -1;
}
certificationPathLength = -1;
return null;
}
#endregion
}
}