Description:
Hi,

I am not sure but it seems there is a bug in handling the certificate thumbprint option and the lookup function in the certificate store. No matter what thumbprint is passed the certificate cannot be found in the store which is probably caused by a character encoding problem.

The character length of the Settings.CertificateThumbprint is 46 char[], while it is supposed to be 40 characters.

I have tested this in the 6.8, 6.9 en 8.0 library version (source code from github).

Source code: NativeDriver.cs method GetClientCertificates()

How to repeat:
1. Connect to mysql server using the certificatethumbprintoption
2. Get exception telling the certificate with thumbprint is not found although it exists in the certificate store.

example connection string:

using (MySqlConnection connection = new MySqlConnection("Host=x.y.z;database=dbname;user=username;Password=hidden;CertificateStoreLocation=CurrentUser;SSLMode=Required;CertificateThumbprint=‎‎‎‎‎‎40characterthumbprint"))

I have checked multiple times i am not copying any hidden UTF 8 characters in the thumbprint.

Suggested fix:
I am not a .NET developer and i don't know the cause so i only have a quick and dirty fix:

Settings.CertificateThumbprint = Regex.Replace(Settings.CertificateThumbprint, @"[^\da-zA-z]", string.Empty).ToUpper();

That way all unknown characters are removed and we end up with a 40 character long thumbprint. The certificate matching the thumbprnt can now be found in the store.

Hello Jaco Stienstra,

Thank you for the bug report.
Could you please provide repeatable test case (exact steps/sample project, connection string, algorithm etc. - please make it as private if you prefer) to confirm this issue at our end?

Thanks,
Chiranjeevi.

I have used the following code to test if the certificate was indeed in the store using roughly the same code the MySQL Data library uses and a connection test to a MySQL server.

            var thumbprint = "E53C060C0C8A1B4011A9BDF19223B92245DC06D4";
            
            X509CertificateCollection certs = new X509CertificateCollection();
            StoreLocation location = StoreLocation.CurrentUser;
            X509Store store = new X509Store(StoreName.My, location);

            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // Test to find certificate with given thumbprint
            certs.AddRange(store.Certificates.Find(X509FindType.FindByThumbprint,
                      thumbprint, true));

            if (certs.Count == 0) {
                MessageBox.Show("no cert found", "oh noes");
            } else {
                MessageBox.Show(certs[0].Subject, "cert");
            }

            using (MySqlConnection connection = new MySqlConnection("Host=1.2.3.4;database=test;user=test;Password=test;CertificateStoreLocation=CurrentUser;SSLMode=Required;CertificateThumbprint=‎‎‎‎‎‎"+thumbprint))
            {
                connection.Open();

                MessageBox.Show("Server version: "+ connection.ServerVersion, "Connection Info");
            }

Since i was unable to connect i modified the method GetClientCertificates(): 
https://github.com/mysql/mysql-connector-net/blob/a12b00dade83c79730ad3d1fe63fa7dffedc1c4c...

I added a string length check on line 368 by throwing an exception:
https://github.com/mysql/mysql-connector-net/blob/a12b00dade83c79730ad3d1fe63fa7dffedc1c4c...

throw new MySqlException("Certificate TP Length:"+ Settings.CertificateThumbprint.Length);

I will attach a pfx containing a certificate with above thumbprint.

certificate

Attachment: devolutions.pfx (application/x-pkcs12, text), 3.26 KiB.

Additional info:
To test this you only need a running mysql server, a valid user or password is not needed to test the certificate functionality.

Hello Jaco Stienstra,

Thank you for the bug report.
Verified based on internal discussion with dev's.

Thanks,
Chiranjeevi.