No credentials are available in the security package

[ingted]

Software versions
MySqlConnector version: latest git cloned repository
Server type (MySQL, MariaDB, Aurora, etc.) and version: GCS 5.7
.NET version: .NET 7

Describe the bug
Unable to open a connection due to auth issue. "No credentials are available in the security package"

Code sample

        let myBuilder = 
            new MySqlConnectionStringBuilder(@"Server=XXXXX;User ID=YYYY;Password=ZZZZZZ;Database=QQQQQ")

        myBuilder.SslCert <- @"G:\Downloads\data-team\client-cert.pem"
        myBuilder.SslKey <- @"G:\Downloads\data-team\client-key.pem"
        myBuilder.SslCa <- @"G:\Downloads\data-team\server-ca.pem"
        myBuilder.SslMode <- MySqlSslMode.VerifyFull
        
        let myConn = new MySqlConnection(myBuilder.ConnectionString)

        myConn.Open()

Exception

Exception thrown: 'System.Security.Authentication.AuthenticationException' in System.Private.CoreLib.dll

[ingted]

Workaround (according to dotnet/runtime#23749)

Modify this file src\MySqlConnector\Core\ServerSession.cs

			m_clientCertificate = X509Certificate2.CreateFromPemFile(sslCertificateFile, sslKeyFile);
                        //add the following line
			m_clientCertificate = new X509Certificate2(m_clientCertificate.Export(X509ContentType.Pkcs12)); //add this line

			return new() { m_clientCertificate };

[bgrainger]

The ConnectSslClientCertificatePem integration tests are passing on Linux; need to check if they're tested for the Windows build.

https://github.com/mysql-net/MySqlConnector/blob/master/tests/IntegrationTests/SslTests.cs#L76-L95

[bgrainger]

Thanks for the bug report; the workaround that you identified seems like the right approach. In the meantime, you can use ProvideClientCertificatesCallback as a workaround (example in C#):

var myBuilder =
    new MySqlConnectionStringBuilder(@"Server=XXXXX;User ID=YYYY;Password=ZZZZZZ;Database=QQQQQ");

myBuilder.SslCa = @"G:\Downloads\data-team\server-ca.pem";
myBuilder.SslMode = MySqlSslMode.VerifyFull;

// don't set these:
// myBuilder.SslKey = @"G:\Downloads\data-team\client-key.pem";
// myBuilder.SslCert = @"G:\Downloads\data-team\client-cert.pem";
        
using var myConn = new MySqlConnection(myBuilder.ConnectionString);

// do this instead:
myConn.ProvideClientCertificatesCallback = collection =>
{
    var certificate = X509Certificate2.CreateFromPemFile(@"G:\Downloads\data-team\client-cert.pem", @"G:\Downloads\data-team\client-key.pem");
    collection.Add(new X509Certificate2(certificate.Export(X509ContentType.Pkcs12)));
    return default;
};

myConn.Open();

[ingted]

Not sure why, but not work for me...

[ingted]

Seems like ProvideClientCertificatesCallback has never been invoked... (step-into never touches break point inside it)

[bgrainger]

In order for ProvideClientCertificatesCallback to be called, the CertificateFile, SslCert, or SslKey options must not be specified in the connection string. (The documentation could be clearer about this.) It's OK to set SslCa, but not any of the others.

[ingted]

After removing path from connection string, callback works. Thank you so much!!!

[bgrainger]

I thought of another workaround (that may be easier):

Use openssl to combine the two PEM files into one PFX file, then use the CertificateFile connection string option to reference that:

openssl pkcs12 -in client-cert.pem -inkey client-key.pem -export -out client.pfx

Connection string becomes: Server=XXXXX;User ID=YYYY;Password=ZZZZZZ;Database=QQQQQ;Certificate File=G:\Downloads\data-team\client.pfx

[ingted]

Should I close this issue?

[bgrainger]

No, I'll close it once the fix is shipped (likely in 2.2.6).

[bgrainger]

Fixed in 2.2.6.