MDEV-39857: Add multi-certificate SSL support via --ssl-cert-add/--ssl-key-add

include/violite.h

@@ -182,7 +182,8 @@ struct st_VioSSLFd
 		       const char *cipher, enum enum_ssl_init_error *error,
                        const char *crl_file, const char *crl_path);
 struct st_VioSSLFd
-*new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
+*new_VioSSLAcceptorFd(const char **key_files, const char **cert_files,
+		      uint cert_count,
 		      const char *ca_file,const char *ca_path,
 		      const char *cipher, enum enum_ssl_init_error *error,
 		      const char *crl_file, const char *crl_path,

mysql-test/lib/generate-ssl-certs.sh

@@ -68,6 +68,18 @@ cp -v client-cert.crl crldir/`openssl x509 -in client-cert.pem -noout -issuer_ha
 
 rm -rf demoCA
 
+# ECDSA server certificate signed by test CA
+openssl ecparam -genkey -name prime256v1 -out server-ecdsa-key.pem
+openssl req -new -key server-ecdsa-key.pem -out server-ecdsa.csr -subj '/CN=localhost' -batch
+openssl x509 -req -in server-ecdsa.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out server-ecdsa-cert.pem -days 7300
+rm -f server-ecdsa.csr
+
+# EdDSA (Ed25519) server certificate signed by test CA
+openssl genpkey -algorithm Ed25519 -out server-eddsa-key.pem
+openssl req -new -key server-eddsa-key.pem -out server-eddsa.csr -subj '/CN=localhost' -batch
+openssl x509 -req -in server-eddsa.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out server-eddsa-cert.pem -days 7300
+rm -f server-eddsa.csr cacert.srl
+
 # --- Certificate Chain ---
 # These tests are inspired from the following commit from MySQL Server
 # https://github.com/mysql/mysql-server/commit/969afef933f1872c5f38ea93047ef05c4509c335

mysql-test/main/ssl.result

@@ -4,6 +4,7 @@ variable_name
 Ssl_cipher
 Ssl_cipher_list
 Ssl_default_timeout
+Ssl_server_cert_type
 Ssl_server_not_after
 Ssl_server_not_before
 Ssl_verify_depth
@@ -12,6 +13,7 @@ Ssl_version
 Ssl_cipher
 Ssl_cipher_list
 Ssl_default_timeout
+Ssl_server_cert_type
 Ssl_server_not_after
 Ssl_server_not_before
 Ssl_verify_depth

mysql-test/main/ssl_multi_cert-master.opt

@@ -0,0 +1,5 @@
+--ssl-cert-add=$MYSQL_TEST_DIR/std_data/server-ecdsa-cert.pem
+--ssl-key-add=$MYSQL_TEST_DIR/std_data/server-ecdsa-key.pem
+--ssl-cert-add=$MYSQL_TEST_DIR/std_data/server-eddsa-cert.pem
+--ssl-key-add=$MYSQL_TEST_DIR/std_data/server-eddsa-key.pem
+--tls-version=TLSv1.2

mysql-test/main/ssl_multi_cert.result

@@ -0,0 +1,39 @@
+#
+# Verify Ssl_server_cert_types global status shows all three types
+#
+SHOW GLOBAL STATUS LIKE 'Ssl_server_cert_types';
+Variable_name	Value
+Ssl_server_cert_types	RSA, ECDSA, EdDSA
+#
+# Test 1: Connect with RSA cipher - should get RSA cert
+#
+connect  rsa_con,localhost,root,,,,,SSL-CIPHER=ECDHE-RSA-AES128-GCM-SHA256;
+SHOW STATUS LIKE 'Ssl_cipher';
+Variable_name	Value
+Ssl_cipher	ECDHE-RSA-AES128-GCM-SHA256
+SHOW STATUS LIKE 'Ssl_server_cert_type';
+Variable_name	Value
+Ssl_server_cert_type	RSA
+disconnect rsa_con;
+#
+# Test 2: Connect with ECDSA cipher - should get ECDSA cert
+#
+connection default;
+connect  ecdsa_con,localhost,root,,,,,SSL-CIPHER=ECDHE-ECDSA-AES128-GCM-SHA256;
+SHOW STATUS LIKE 'Ssl_cipher';
+Variable_name	Value
+Ssl_cipher	ECDHE-ECDSA-AES128-GCM-SHA256
+SHOW STATUS LIKE 'Ssl_server_cert_type';
+Variable_name	Value
+Ssl_server_cert_type	ECDSA
+disconnect ecdsa_con;
+#
+# Test 3: Connect with default ciphers - should succeed
+#
+connection default;
+connect  default_con,localhost,root,,,,,SSL;
+SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
+have_ssl
+1
+disconnect default_con;
+connection default;

mysql-test/main/ssl_multi_cert.test

@@ -0,0 +1,46 @@
+#
+# Test RSA + ECDSA + EdDSA certificate support via --ssl-cert-add / --ssl-key-add
+# Server started with 3 cert types via ssl_multi_cert-master.opt
+#
+--source include/have_ssl_communication.inc
+
+# Skip on WolfSSL which does not support multiple certs
+if (`select @@version_ssl_library like 'wolfSSL%'`) {
+  skip WolfSSL;
+}
+
+# Ed25519 requires OpenSSL 1.1.1+
+if (`select @@version_ssl_library like 'OpenSSL 1.0%' or @@version_ssl_library like 'OpenSSL 1.1.0%'`) {
+  skip OpenSSL too old for Ed25519;
+}
+
+--echo #
+--echo # Verify Ssl_server_cert_types global status shows all three types
+--echo #
+SHOW GLOBAL STATUS LIKE 'Ssl_server_cert_types';
+
+--echo #
+--echo # Test 1: Connect with RSA cipher - should get RSA cert
+--echo #
+connect (rsa_con,localhost,root,,,,,SSL-CIPHER=ECDHE-RSA-AES128-GCM-SHA256);
+SHOW STATUS LIKE 'Ssl_cipher';
+SHOW STATUS LIKE 'Ssl_server_cert_type';
+disconnect rsa_con;
+
+--echo #
+--echo # Test 2: Connect with ECDSA cipher - should get ECDSA cert
+--echo #
+connection default;
+connect (ecdsa_con,localhost,root,,,,,SSL-CIPHER=ECDHE-ECDSA-AES128-GCM-SHA256);
+SHOW STATUS LIKE 'Ssl_cipher';
+SHOW STATUS LIKE 'Ssl_server_cert_type';
+disconnect ecdsa_con;
+
+--echo #
+--echo # Test 3: Connect with default ciphers - should succeed
+--echo #
+connection default;
+connect (default_con,localhost,root,,,,,SSL);
+SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
+disconnect default_con;
+connection default;

mysql-test/main/ssl_multi_cert_errors.result

@@ -0,0 +1,94 @@
+#
+# Test 1: --ssl-cert-add with invalid file
+#
+FOUND 1 /\[ERROR\] SSL error: Unable to get certificate/ in ssl_multi_cert_errors.err
+#
+# Test 2: --ssl-key-add with invalid file
+#
+FOUND 1 /\[ERROR\] SSL error: Unable to get private key/ in ssl_multi_cert_errors.err
+#
+# Test 3: --ssl-cert-add without --ssl-key-add (count mismatch)
+#
+FOUND 1 /Mismatched --ssl-cert-add/--ssl-key-add/ in ssl_multi_cert_errors.err
+#
+# Test 4: --ssl-key-add without --ssl-cert-add (count mismatch)
+#
+FOUND 1 /Mismatched --ssl-cert-add/--ssl-key-add/ in ssl_multi_cert_errors.err
+#
+# Test 5: same cert type added twice (OpenSSL replaces, last wins)
+#
+# restart: --ssl-cert-add=MYSQL_TEST_DIR/std_data/server-cert.pem --ssl-key-add=MYSQL_TEST_DIR/std_data/server-key.pem
+SELECT 1;
+1
+1
+# Kill the server
+#
+# Test 6: one valid cert-add + one invalid cert-add (invalid /etc/hosts)
+#
+FOUND 1 /\[ERROR\] SSL error: Unable to get certificate/ in ssl_multi_cert_errors.err
+#
+# Test 7: add second pair (RSA + ECDSA), verify Ssl_server_cert_types
+#
+# restart: --ssl-cert-add=MYSQL_TEST_DIR/std_data/server-ecdsa-cert.pem --ssl-key-add=MYSQL_TEST_DIR/std_data/server-ecdsa-key.pem
+Ssl_server_cert_types contains RSA and ECDSA: OK
+#
+# Test 8: FLUSH SSL reloads alt certs correctly
+#
+FLUSH SSL;
+After FLUSH SSL, Ssl_server_cert_types still contains RSA and ECDSA: OK
+#
+# Test 9: --ssl-cert override + --ssl-cert-add (no interference)
+#
+# Kill the server
+# restart: --ssl-cert=MYSQL_TEST_DIR/std_data/server-cert.pem --ssl-key=MYSQL_TEST_DIR/std_data/server-key.pem --ssl-cert-add=MYSQL_TEST_DIR/std_data/server-ecdsa-cert.pem --ssl-key-add=MYSQL_TEST_DIR/std_data/server-ecdsa-key.pem
+--ssl-cert override + --ssl-cert-add: OK
+# Kill the server
+#
+# Test 10: --ssl-cert-add then --ssl-cert resets alt certs
+# (like --plugin-load resets --plugin-load-add)
+#
+# restart: --ssl-cert-add=MYSQL_TEST_DIR/std_data/server-ecdsa-cert.pem --ssl-key-add=MYSQL_TEST_DIR/std_data/server-ecdsa-key.pem --ssl-cert=MYSQL_TEST_DIR/std_data/server-cert.pem --ssl-key=MYSQL_TEST_DIR/std_data/server-key.pem
+--ssl-cert-add then --ssl-cert resets alt certs: OK
+# Kill the server
+#
+# Test 11: --ssl-cert-add alongside my.cnf default (appends to existing)
+#
+# restart: --ssl-cert-add=MYSQL_TEST_DIR/std_data/server-ecdsa-cert.pem --ssl-key-add=MYSQL_TEST_DIR/std_data/server-ecdsa-key.pem
+--ssl-cert-add alongside my.cnf default: OK
+# Kill the server
+#
+# Test 12: --ssl-cert-add as sole cert (--ssl-cert= clears, first add becomes primary)
+#
+# restart: --ssl-cert= --ssl-key= --ssl-cert-add=MYSQL_TEST_DIR/std_data/server-ecdsa-cert.pem --ssl-key-add=MYSQL_TEST_DIR/std_data/server-ecdsa-key.pem
+--ssl-cert-add as sole cert (first add becomes primary): OK
+# Kill the server
+#
+# Test 13: cert-adds before key-adds (order independent)
+# --ssl-cert-add --ssl-cert-add --ssl-key-add --ssl-key-add
+#
+# restart: --ssl-cert-add=MYSQL_TEST_DIR/std_data/server-ecdsa-cert.pem --ssl-cert-add=MYSQL_TEST_DIR/std_data/server-new-cert.pem --ssl-key-add=MYSQL_TEST_DIR/std_data/server-ecdsa-key.pem --ssl-key-add=MYSQL_TEST_DIR/std_data/server-new-key.pem
+cert-adds before key-adds (order independent): OK
+# Kill the server
+#
+# Test 14: key-adds before cert-adds (order independent)
+# --ssl-key-add --ssl-key-add --ssl-cert-add --ssl-cert-add
+#
+# restart: --ssl-key-add=MYSQL_TEST_DIR/std_data/server-ecdsa-key.pem --ssl-key-add=MYSQL_TEST_DIR/std_data/server-new-key.pem --ssl-cert-add=MYSQL_TEST_DIR/std_data/server-ecdsa-cert.pem --ssl-cert-add=MYSQL_TEST_DIR/std_data/server-new-cert.pem
+key-adds before cert-adds (order independent): OK
+# Kill the server
+#
+# Test 15: --ssl-key override resets alt keys independently
+#
+# restart: --ssl-key-add=MYSQL_TEST_DIR/std_data/server-ecdsa-key.pem --ssl-cert-add=MYSQL_TEST_DIR/std_data/server-ecdsa-cert.pem --ssl-key=MYSQL_TEST_DIR/std_data/server-key.pem --ssl-cert=MYSQL_TEST_DIR/std_data/server-cert.pem
+--ssl-key override resets alt keys: OK
+# Kill the server
+#
+# Test 16: --ssl-key-add as sole key (--ssl-key= clears, first add becomes primary)
+#
+# restart: --ssl-cert= --ssl-key= --ssl-key-add=MYSQL_TEST_DIR/std_data/server-ecdsa-key.pem --ssl-cert-add=MYSQL_TEST_DIR/std_data/server-ecdsa-cert.pem
+--ssl-key-add as sole key (first add becomes primary): OK
+# Kill the server
+#
+# Cleanup
+#
+# restart