Add client SSL authentication using key-file for Postgres, MySQL and MariaDB (#1850)

* use native-tls API * Add client cert and key to MySQL connector * Add client ssl tests for PostgreSQL * Add client ssl tests for MariaDB and MySQL * Adapt GA tests * Fix RUSTFLAGS to run all tests * Remove containers to free the DB port before running SSL auth tests * Fix CI bad naming * Use docker-compose down to remove also the network * Fix main rebase * Stop trying to stop service using docker-compose, simply use docker cmd * Fix RUSTFLAGS for Postgres * Name the Docker images for MariaDB and MySQL so we can stop them using their name * Add the exception for mysql 5.7 not supporting compatible TLS version with RusTLS * Rebase fixes * Set correctly tls struct (fix merge) * Handle Elliptic Curve variant for private key * Fix tests suite * Fix features in CI * Add tests for Postgres 15 + rebase * Python tests: fix exception for MySQL 5.7 + remove unneeded for loops * CI: run SSL tests only when building with TLS support --------- Co-authored-by: Barry Simons <linuxuser586@gmail.com>
2026-03-19 08:39:44 +00:00 · 2023-02-18 01:03:24 +01:00
parent 1fd05716af
commit c4130d45e3
23 changed files with 641 additions and 43 deletions
--- a/sqlx-postgres/src/connection/tls.rs
+++ b/sqlx-postgres/src/connection/tls.rs
@@ -58,6 +58,8 @@ async fn maybe_upgrade<S: Socket>(
        accept_invalid_hostnames,
        hostname: &options.host,
        root_cert_path: options.ssl_root_cert.as_ref(),
+        client_cert_path: options.ssl_client_cert.as_ref(),
+        client_key_path: options.ssl_client_key.as_ref(),
    };

    tls::handshake(socket, config, SocketIntoBox).await
--- a/sqlx-postgres/src/options/mod.rs
+++ b/sqlx-postgres/src/options/mod.rs
@@ -87,6 +87,8 @@ pub struct PgConnectOptions {
    pub(crate) database: Option<String>,
    pub(crate) ssl_mode: PgSslMode,
    pub(crate) ssl_root_cert: Option<CertificateInput>,
+    pub(crate) ssl_client_cert: Option<CertificateInput>,
+    pub(crate) ssl_client_key: Option<CertificateInput>,
    pub(crate) statement_cache_capacity: usize,
    pub(crate) application_name: Option<String>,
    pub(crate) log_settings: LogSettings,
@@ -112,6 +114,8 @@ impl PgConnectOptions {
    ///  * `PGPASSWORD`
    ///  * `PGDATABASE`
    ///  * `PGSSLROOTCERT`
+    ///  * `PGSSLCERT`
+    ///  * `PGSSLKEY`
    ///  * `PGSSLMODE`
    ///  * `PGAPPNAME`
    ///
@@ -145,6 +149,8 @@ impl PgConnectOptions {
            password: var("PGPASSWORD").ok(),
            database,
            ssl_root_cert: var("PGSSLROOTCERT").ok().map(CertificateInput::from),
+            ssl_client_cert: var("PGSSLCERT").ok().map(CertificateInput::from),
+            ssl_client_key: var("PGSSLKEY").ok().map(CertificateInput::from),
            ssl_mode: var("PGSSLMODE")
                .ok()
                .and_then(|v| v.parse().ok())
@@ -314,6 +320,38 @@ impl PgConnectOptions {
        self
    }

+    /// Sets the name of a file containing SSL client certificate.
+    ///
+    /// # Example
+    ///
+    /// ```rust
+    /// # use sqlx_core::postgres::{PgSslMode, PgConnectOptions};
+    /// let options = PgConnectOptions::new()
+    ///     // Providing a CA certificate with less than VerifyCa is pointless
+    ///     .ssl_mode(PgSslMode::VerifyCa)
+    ///     .ssl_client_cert("./client.crt");
+    /// ```
+    pub fn ssl_client_cert(mut self, cert: impl AsRef<Path>) -> Self {
+        self.ssl_client_cert = Some(CertificateInput::File(cert.as_ref().to_path_buf()));
+        self
+    }
+
+    /// Sets the name of a file containing SSL client key.
+    ///
+    /// # Example
+    ///
+    /// ```rust
+    /// # use sqlx_core::postgres::{PgSslMode, PgConnectOptions};
+    /// let options = PgConnectOptions::new()
+    ///     // Providing a CA certificate with less than VerifyCa is pointless
+    ///     .ssl_mode(PgSslMode::VerifyCa)
+    ///     .ssl_client_key("./client.key");
+    /// ```
+    pub fn ssl_client_key(mut self, key: impl AsRef<Path>) -> Self {
+        self.ssl_client_key = Some(CertificateInput::File(key.as_ref().to_path_buf()));
+        self
+    }
+
    /// Sets PEM encoded trusted SSL Certificate Authorities (CA).
    ///
    /// # Example
--- a/sqlx-postgres/src/options/parse.rs
+++ b/sqlx-postgres/src/options/parse.rs
@@ -53,6 +53,10 @@ impl PgConnectOptions {
                    options = options.ssl_root_cert(&*value);
                }

+                "sslcert" | "ssl-cert" => options = options.ssl_client_cert(&*value),
+
+                "sslkey" | "ssl-key" => options = options.ssl_client_key(&*value),
+
                "statement-cache-capacity" => {
                    options =
                        options.statement_cache_capacity(value.parse().map_err(Error::config)?);