Bug #88372 Certificate store not working due to wrong thumbprint character length
Submitted: 6 Nov 2017 8:57 Modified: 13 Feb 2018 6:14
Reporter: Jaco Stienstra Email Updates:
Status: Verified Impact on me:
None 
Category:Connector / NET Severity:S3 (Non-critical)
Version:>= 6.8 OS:Windows
Assigned to: CPU Architecture:Any
Tags: certificate thumbprint

[6 Nov 2017 8:57] Jaco Stienstra
Description:
Hi,

I am not sure but it seems there is a bug in handling the certificate thumbprint option and the lookup function in the certificate store. No matter what thumbprint is passed the certificate cannot be found in the store which is probably caused by a character encoding problem.

The character length of the Settings.CertificateThumbprint is 46 char[], while it is supposed to be 40 characters.

I have tested this in the 6.8, 6.9 en 8.0 library version (source code from github).

Source code: NativeDriver.cs method GetClientCertificates()

How to repeat:
1. Connect to mysql server using the certificatethumbprintoption
2. Get exception telling the certificate with thumbprint is not found although it exists in the certificate store.

example connection string:

using (MySqlConnection connection = new MySqlConnection("Host=x.y.z;database=dbname;user=username;Password=hidden;CertificateStoreLocation=CurrentUser;SSLMode=Required;CertificateThumbprint=‎‎‎‎‎‎40characterthumbprint"))

I have checked multiple times i am not copying any hidden UTF 8 characters in the thumbprint.

Suggested fix:
I am not a .NET developer and i don't know the cause so i only have a quick and dirty fix:

Settings.CertificateThumbprint = Regex.Replace(Settings.CertificateThumbprint, @"[^\da-zA-z]", string.Empty).ToUpper();

That way all unknown characters are removed and we end up with a 40 character long thumbprint. The certificate matching the thumbprnt can now be found in the store.
[1 Dec 2017 6:41] Chiranjeevi Battula
Hello Jaco Stienstra,

Thank you for the bug report.
Could you please provide repeatable test case (exact steps/sample project, connection string, algorithm etc. - please make it as private if you prefer) to confirm this issue at our end?

Thanks,
Chiranjeevi.
[1 Dec 2017 13:55] Jaco Stienstra
I have used the following code to test if the certificate was indeed in the store using roughly the same code the MySQL Data library uses and a connection test to a MySQL server.

            var thumbprint = "E53C060C0C8A1B4011A9BDF19223B92245DC06D4";
            
            X509CertificateCollection certs = new X509CertificateCollection();
            StoreLocation location = StoreLocation.CurrentUser;
            X509Store store = new X509Store(StoreName.My, location);

            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // Test to find certificate with given thumbprint
            certs.AddRange(store.Certificates.Find(X509FindType.FindByThumbprint,
                      thumbprint, true));

            if (certs.Count == 0) {
                MessageBox.Show("no cert found", "oh noes");
            } else {
                MessageBox.Show(certs[0].Subject, "cert");
            }

            using (MySqlConnection connection = new MySqlConnection("Host=1.2.3.4;database=test;user=test;Password=test;CertificateStoreLocation=CurrentUser;SSLMode=Required;CertificateThumbprint=‎‎‎‎‎‎"+thumbprint))
            {
                connection.Open();

                MessageBox.Show("Server version: "+ connection.ServerVersion, "Connection Info");
            }

Since i was unable to connect i modified the method GetClientCertificates(): 
https://github.com/mysql/mysql-connector-net/blob/a12b00dade83c79730ad3d1fe63fa7dffedc1c4c...

I added a string length check on line 368 by throwing an exception:
https://github.com/mysql/mysql-connector-net/blob/a12b00dade83c79730ad3d1fe63fa7dffedc1c4c...

throw new MySqlException("Certificate TP Length:"+ Settings.CertificateThumbprint.Length);

I will attach a pfx containing a certificate with above thumbprint.
[1 Dec 2017 13:55] Jaco Stienstra
certificate

Attachment: devolutions.pfx (application/x-pkcs12, text), 3.26 KiB.

[1 Dec 2017 14:23] Jaco Stienstra
Additional info:
To test this you only need a running mysql server, a valid user or password is not needed to test the certificate functionality.
[13 Feb 2018 6:14] Chiranjeevi Battula
Hello Jaco Stienstra,

Thank you for the bug report.
Verified based on internal discussion with dev's.

Thanks,
Chiranjeevi.