Allow specifying multiple root certificates in NpgsqlDataSourceBuilder (#6057)

vonzshik · web-flow · commit c3cf9f94b09c · 2025-11-06T11:09:06.000+03:00
Closes #6056
diff --git a/src/Npgsql/Internal/NpgsqlConnector.cs b/src/Npgsql/Internal/NpgsqlConnector.cs
@@ -1127,19 +1127,19 @@ internal async Task NegotiateEncryption(SslMode sslMode, NpgsqlTimeout timeout,
             var checkCertificateRevocation = Settings.CheckCertificateRevocation;
 
             RemoteCertificateValidationCallback? certificateValidationCallback;
-            X509Certificate2? caCert;
+            X509Certificate2Collection? caCerts;
             string? certRootPath = null;
 
             if (sslMode is SslMode.Prefer or SslMode.Require)
             {
                 certificateValidationCallback = SslTrustServerValidation;
                 checkCertificateRevocation = false;
             }
-            else if ((caCert = DataSource.TransportSecurityHandler.RootCertificateCallback?.Invoke()) is not null ||
+            else if (((caCerts = DataSource.TransportSecurityHandler.RootCertificatesCallback?.Invoke()) is not null && caCerts.Count > 0) ||
                      (certRootPath = Settings.RootCertificate ??
                                      PostgresEnvironment.SslCertRoot ?? PostgresEnvironment.SslCertRootDefault) is not null)
             {
-                certificateValidationCallback = SslRootValidation(sslMode == SslMode.VerifyFull, certRootPath, caCert);
+                certificateValidationCallback = SslRootValidation(sslMode == SslMode.VerifyFull, certRootPath, caCerts);
             }
             else if (sslMode == SslMode.VerifyCA)
             {
@@ -1195,7 +1195,7 @@ internal async Task NegotiateEncryption(SslMode sslMode, NpgsqlTimeout timeout,
                     if (Settings.RootCertificate is not null)
                         throw new ArgumentException(NpgsqlStrings.CannotUseSslRootCertificateWithCustomValidationCallback);
 
-                    if (DataSource.TransportSecurityHandler.RootCertificateCallback is not null)
+                    if (DataSource.TransportSecurityHandler.RootCertificatesCallback is not null)
                         throw new ArgumentException(NpgsqlStrings.CannotUseValidationRootCertificateCallbackWithCustomValidationCallback);
                 }
             }
@@ -1984,7 +1984,7 @@ internal void ClearTransaction(Exception? disposeReason = null)
         (sender, certificate, chain, sslPolicyErrors)
             => true;
 
-    static RemoteCertificateValidationCallback SslRootValidation(bool verifyFull, string? certRootPath, X509Certificate2? caCertificate)
+    static RemoteCertificateValidationCallback SslRootValidation(bool verifyFull, string? certRootPath, X509Certificate2Collection? caCertificates)
         => (_, certificate, chain, sslPolicyErrors) =>
         {
             if (certificate is null || chain is null)
@@ -2001,12 +2001,12 @@ static RemoteCertificateValidationCallback SslRootValidation(bool verifyFull, st
 
             if (certRootPath is null)
             {
-                Debug.Assert(caCertificate is not null);
-                certs.Add(caCertificate);
+                Debug.Assert(caCertificates is { Count: > 0 });
+                certs.AddRange(caCertificates);
             }
             else
             {
-                Debug.Assert(caCertificate is null);
+                Debug.Assert(caCertificates is null or { Count: > 0 });
                 if (Path.GetExtension(certRootPath).ToUpperInvariant() != ".PFX")
                     certs.ImportFromPemFile(certRootPath);
 
diff --git a/src/Npgsql/Internal/TransportSecurityHandler.cs b/src/Npgsql/Internal/TransportSecurityHandler.cs
@@ -11,7 +11,7 @@ class TransportSecurityHandler
 {
     public virtual bool SupportEncryption => false;
 
-    public virtual Func<X509Certificate2?>? RootCertificateCallback
+    public virtual Func<X509Certificate2Collection?>? RootCertificatesCallback
     {
         get => throw new NotSupportedException(string.Format(NpgsqlStrings.TransportSecurityDisabled, nameof(NpgsqlSlimDataSourceBuilder.EnableTransportSecurity)));
         set => throw new NotSupportedException(string.Format(NpgsqlStrings.TransportSecurityDisabled, nameof(NpgsqlSlimDataSourceBuilder.EnableTransportSecurity)));
@@ -29,7 +29,7 @@ sealed class RealTransportSecurityHandler : TransportSecurityHandler
 {
     public override bool SupportEncryption => true;
 
-    public override Func<X509Certificate2?>? RootCertificateCallback { get; set; }
+    public override Func<X509Certificate2Collection?>? RootCertificatesCallback { get; set; }
 
     public override Task NegotiateEncryption(bool async, NpgsqlConnector connector, SslMode sslMode, NpgsqlTimeout timeout, CancellationToken cancellationToken)
         => connector.NegotiateEncryption(sslMode, timeout, async, cancellationToken);
diff --git a/src/Npgsql/NpgsqlDataSourceBuilder.cs b/src/Npgsql/NpgsqlDataSourceBuilder.cs
@@ -41,7 +41,7 @@ public INpgsqlNameTranslator DefaultNameTranslator
     }
 
     /// <summary>
-    /// A connection string builder that can be used to configured the connection string on the builder.
+    /// A connection string builder that can be used to configure the connection string on the builder.
     /// </summary>
     public NpgsqlConnectionStringBuilder ConnectionStringBuilder => _internalBuilder.ConnectionStringBuilder;
 
@@ -297,6 +297,17 @@ public NpgsqlDataSourceBuilder UseRootCertificate(X509Certificate2? rootCertific
         return this;
     }
 
+    /// <summary>
+    /// Sets the <see cref="X509Certificate2Collection" /> that will be used validate SSL certificate, received from the server.
+    /// </summary>
+    /// <param name="rootCertificates">The CA certificates.</param>
+    /// <returns>The same builder instance so that multiple calls can be chained.</returns>
+    public NpgsqlDataSourceBuilder UseRootCertificates(X509Certificate2Collection? rootCertificates)
+    {
+        _internalBuilder.UseRootCertificates(rootCertificates);
+        return this;
+    }
+
     /// <summary>
     /// Specifies a callback that will be used to validate SSL certificate, received from the server.
     /// </summary>
@@ -313,6 +324,23 @@ public NpgsqlDataSourceBuilder UseRootCertificateCallback(Func<X509Certificate2>
         return this;
     }
 
+    /// <summary>
+    /// Specifies a callback that will be used to validate SSL certificate, received from the server.
+    /// </summary>
+    /// <param name="rootCertificateCallback">The callback to get CA certificates.</param>
+    /// <returns>The same builder instance so that multiple calls can be chained.</returns>
+    /// <remarks>
+    /// This overload, which accepts a callback, is suitable for scenarios where the certificate rotates
+    /// and might change during the lifetime of the application.
+    /// When that's not the case, use the overload which directly accepts the certificate.
+    /// </remarks>
+    /// <returns>The same builder instance so that multiple calls can be chained.</returns>
+    public NpgsqlDataSourceBuilder UseRootCertificatesCallback(Func<X509Certificate2Collection>? rootCertificateCallback)
+    {
+        _internalBuilder.UseRootCertificatesCallback(rootCertificateCallback);
+        return this;
+    }
+
     /// <summary>
     /// Configures a periodic password provider, which is automatically called by the data source at some regular interval. This is the
     /// recommended way to fetch a rotating access token.
diff --git a/src/Npgsql/NpgsqlSlimDataSourceBuilder.cs b/src/Npgsql/NpgsqlSlimDataSourceBuilder.cs
@@ -60,7 +60,7 @@ public sealed class NpgsqlSlimDataSourceBuilder : INpgsqlTypeMapper
     internal Action<NpgsqlSlimDataSourceBuilder> ConfigureDefaultFactories { get; set; }
 
     /// <summary>
-    /// A connection string builder that can be used to configured the connection string on the builder.
+    /// A connection string builder that can be used to configure the connection string on the builder.
     /// </summary>
     public NpgsqlConnectionStringBuilder ConnectionStringBuilder { get; }
 
@@ -252,9 +252,19 @@ public NpgsqlSlimDataSourceBuilder UseClientCertificatesCallback(Action<X509Cert
     /// <returns>The same builder instance so that multiple calls can be chained.</returns>
     public NpgsqlSlimDataSourceBuilder UseRootCertificate(X509Certificate2? rootCertificate)
         => rootCertificate is null
-            ? UseRootCertificateCallback(null)
+            ? UseRootCertificatesCallback((Func<X509Certificate2Collection>?)null)
             : UseRootCertificateCallback(() => rootCertificate);
 
+    /// <summary>
+    /// Sets the <see cref="X509Certificate2Collection" /> that will be used validate SSL certificate, received from the server.
+    /// </summary>
+    /// <param name="rootCertificates">The CA certificates.</param>
+    /// <returns>The same builder instance so that multiple calls can be chained.</returns>
+    public NpgsqlSlimDataSourceBuilder UseRootCertificates(X509Certificate2Collection? rootCertificates)
+        => rootCertificates is null
+            ? UseRootCertificatesCallback((Func<X509Certificate2Collection>?)null)
+            : UseRootCertificatesCallback(() => rootCertificates);
+
     /// <summary>
     /// Specifies a callback that will be used to validate SSL certificate, received from the server.
     /// </summary>
@@ -268,7 +278,27 @@ public NpgsqlSlimDataSourceBuilder UseRootCertificate(X509Certificate2? rootCert
     /// <returns>The same builder instance so that multiple calls can be chained.</returns>
     public NpgsqlSlimDataSourceBuilder UseRootCertificateCallback(Func<X509Certificate2>? rootCertificateCallback)
     {
-        _transportSecurityHandler.RootCertificateCallback = rootCertificateCallback;
+        _transportSecurityHandler.RootCertificatesCallback = () => rootCertificateCallback is not null
+            ? new X509Certificate2Collection(rootCertificateCallback())
+            : null;
+
+        return this;
+    }
+
+    /// <summary>
+    /// Specifies a callback that will be used to validate SSL certificate, received from the server.
+    /// </summary>
+    /// <param name="rootCertificateCallback">The callback to get CA certificates.</param>
+    /// <returns>The same builder instance so that multiple calls can be chained.</returns>
+    /// <remarks>
+    /// This overload, which accepts a callback, is suitable for scenarios where the certificate rotates
+    /// and might change during the lifetime of the application.
+    /// When that's not the case, use the overload which directly accepts the certificate.
+    /// </remarks>
+    /// <returns>The same builder instance so that multiple calls can be chained.</returns>
+    public NpgsqlSlimDataSourceBuilder UseRootCertificatesCallback(Func<X509Certificate2Collection>? rootCertificateCallback)
+    {
+        _transportSecurityHandler.RootCertificatesCallback = rootCertificateCallback;
 
         return this;
     }
diff --git a/src/Npgsql/PublicAPI.Unshipped.txt b/src/Npgsql/PublicAPI.Unshipped.txt
@@ -22,6 +22,8 @@ Npgsql.NpgsqlDataSourceBuilder.MapEnum(System.Type! clrType, string? pgName = nu
 Npgsql.NpgsqlDataSourceBuilder.MapEnum<TEnum>(string? pgName = null, Npgsql.INpgsqlNameTranslator? nameTranslator = null) -> Npgsql.NpgsqlDataSourceBuilder!
 Npgsql.NpgsqlDataSourceBuilder.ConfigureTracing(System.Action<Npgsql.NpgsqlTracingOptionsBuilder!>! configureAction) -> Npgsql.NpgsqlDataSourceBuilder!
 Npgsql.NpgsqlDataSourceBuilder.UseNegotiateOptionsCallback(System.Action<System.Net.Security.NegotiateAuthenticationClientOptions!>? negotiateOptionsCallback) -> Npgsql.NpgsqlDataSourceBuilder!
+Npgsql.NpgsqlDataSourceBuilder.UseRootCertificates(System.Security.Cryptography.X509Certificates.X509Certificate2Collection? rootCertificates) -> Npgsql.NpgsqlDataSourceBuilder!
+Npgsql.NpgsqlDataSourceBuilder.UseRootCertificatesCallback(System.Func<System.Security.Cryptography.X509Certificates.X509Certificate2Collection!>? rootCertificateCallback) -> Npgsql.NpgsqlDataSourceBuilder!
 Npgsql.NpgsqlDataSourceBuilder.UseSslClientAuthenticationOptionsCallback(System.Action<System.Net.Security.SslClientAuthenticationOptions!>? sslClientAuthenticationOptionsCallback) -> Npgsql.NpgsqlDataSourceBuilder!
 Npgsql.NpgsqlMetricsOptions
 Npgsql.NpgsqlMetricsOptions.NpgsqlMetricsOptions() -> void
@@ -36,6 +38,8 @@ Npgsql.NpgsqlSlimDataSourceBuilder.MapComposite<T>(string? pgName = null, Npgsql
 Npgsql.NpgsqlSlimDataSourceBuilder.MapEnum(System.Type! clrType, string? pgName = null, Npgsql.INpgsqlNameTranslator? nameTranslator = null) -> Npgsql.NpgsqlSlimDataSourceBuilder!
 Npgsql.NpgsqlSlimDataSourceBuilder.MapEnum<TEnum>(string? pgName = null, Npgsql.INpgsqlNameTranslator? nameTranslator = null) -> Npgsql.NpgsqlSlimDataSourceBuilder!
 Npgsql.NpgsqlSlimDataSourceBuilder.UseNegotiateOptionsCallback(System.Action<System.Net.Security.NegotiateAuthenticationClientOptions!>? negotiateOptionsCallback) -> Npgsql.NpgsqlSlimDataSourceBuilder!
+Npgsql.NpgsqlSlimDataSourceBuilder.UseRootCertificates(System.Security.Cryptography.X509Certificates.X509Certificate2Collection? rootCertificates) -> Npgsql.NpgsqlSlimDataSourceBuilder!
+Npgsql.NpgsqlSlimDataSourceBuilder.UseRootCertificatesCallback(System.Func<System.Security.Cryptography.X509Certificates.X509Certificate2Collection!>? rootCertificateCallback) -> Npgsql.NpgsqlSlimDataSourceBuilder!
 Npgsql.NpgsqlSlimDataSourceBuilder.UseSslClientAuthenticationOptionsCallback(System.Action<System.Net.Security.SslClientAuthenticationOptions!>? sslClientAuthenticationOptionsCallback) -> Npgsql.NpgsqlSlimDataSourceBuilder!
 *REMOVED*Npgsql.NpgsqlTracingOptions
 *REMOVED*Npgsql.NpgsqlTracingOptions.NpgsqlTracingOptions() -> void
diff --git a/test/Npgsql.Tests/SecurityTests.cs b/test/Npgsql.Tests/SecurityTests.cs
@@ -2,6 +2,8 @@
 using System.IO;
 using System.Runtime.InteropServices;
 using System.Security.Authentication;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
 using Npgsql.Properties;
@@ -563,6 +565,45 @@ public async Task Connect_with_verify_check_host([Values(SslMode.VerifyCA, SslMo
         }
     }
 
+    [Test]
+    [Platform(Exclude = "MacOsX", Reason = "Mac requires explicit opt-in to receive CA certificate in TLS handshake")]
+    public async Task Connect_with_verify_and_multiple_ca_cert([Values(SslMode.VerifyCA, SslMode.VerifyFull)] SslMode sslMode, [Values] bool realCaFirst)
+    {
+        if (!IsOnBuildServer)
+            Assert.Ignore("Only executed in CI");
+
+        var certificates = new X509Certificate2Collection();
+
+#if NET9_0_OR_GREATER
+        using var realCaCert = X509CertificateLoader.LoadCertificateFromFile("ca.crt");
+#else
+        using var realCaCert = new X509Certificate2("ca.crt");
+#endif
+
+        using var ecdsa = ECDsa.Create();
+        var req = new CertificateRequest("cn=localhost", ecdsa, HashAlgorithmName.SHA256);
+        using var unrelatedCaCert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
+
+        if (realCaFirst)
+        {
+            certificates.Add(realCaCert);
+            certificates.Add(unrelatedCaCert);
+        }
+        else
+        {
+            certificates.Add(unrelatedCaCert);
+            certificates.Add(realCaCert);
+        }
+
+        var dataSourceBuilder = CreateDataSourceBuilder();
+        dataSourceBuilder.ConnectionStringBuilder.SslMode = sslMode;
+        dataSourceBuilder.UseRootCertificates(certificates);
+
+        await using var dataSource = dataSourceBuilder.Build();
+
+        await using var _ = await dataSource.OpenConnectionAsync();
+    }
+
     [Test]
     [NonParallelizable] // Sets environment variable
     public async Task Direct_ssl_via_env_requires_correct_sslmode()

Original file line number	Diff line number	Diff line change
`@@ -1127,19 +1127,19 @@ internal async Task NegotiateEncryption(SslMode sslMode, NpgsqlTimeout timeout,`
`1127`	`1127`	`var checkCertificateRevocation = Settings.CheckCertificateRevocation;`
`1128`	`1128`
`1129`	`1129`	`RemoteCertificateValidationCallback? certificateValidationCallback;`
`1130`		`- X509Certificate2? caCert;`
	`1130`	`+ X509Certificate2Collection? caCerts;`
`1131`	`1131`	`string? certRootPath = null;`
`1132`	`1132`
`1133`	`1133`	`if (sslMode is SslMode.Prefer or SslMode.Require)`
`1134`	`1134`	`{`
`1135`	`1135`	`certificateValidationCallback = SslTrustServerValidation;`
`1136`	`1136`	`checkCertificateRevocation = false;`
`1137`	`1137`	`}`
`1138`		`- else if ((caCert = DataSource.TransportSecurityHandler.RootCertificateCallback?.Invoke()) is not null \|\|`
	`1138`	`+ else if (((caCerts = DataSource.TransportSecurityHandler.RootCertificatesCallback?.Invoke()) is not null && caCerts.Count > 0) \|\|`
`1139`	`1139`	`(certRootPath = Settings.RootCertificate ??`
`1140`	`1140`	`PostgresEnvironment.SslCertRoot ?? PostgresEnvironment.SslCertRootDefault) is not null)`
`1141`	`1141`	`{`
`1142`		`- certificateValidationCallback = SslRootValidation(sslMode == SslMode.VerifyFull, certRootPath, caCert);`
	`1142`	`+ certificateValidationCallback = SslRootValidation(sslMode == SslMode.VerifyFull, certRootPath, caCerts);`
`1143`	`1143`	`}`
`1144`	`1144`	`else if (sslMode == SslMode.VerifyCA)`
`1145`	`1145`	`{`
`@@ -1195,7 +1195,7 @@ internal async Task NegotiateEncryption(SslMode sslMode, NpgsqlTimeout timeout,`
`1195`	`1195`	`if (Settings.RootCertificate is not null)`
`1196`	`1196`	`throw new ArgumentException(NpgsqlStrings.CannotUseSslRootCertificateWithCustomValidationCallback);`
`1197`	`1197`
`1198`		`- if (DataSource.TransportSecurityHandler.RootCertificateCallback is not null)`
	`1198`	`+ if (DataSource.TransportSecurityHandler.RootCertificatesCallback is not null)`
`1199`	`1199`	`throw new ArgumentException(NpgsqlStrings.CannotUseValidationRootCertificateCallbackWithCustomValidationCallback);`
`1200`	`1200`	`}`
`1201`	`1201`	`}`
`@@ -1984,7 +1984,7 @@ internal void ClearTransaction(Exception? disposeReason = null)`
`1984`	`1984`	`(sender, certificate, chain, sslPolicyErrors)`
`1985`	`1985`	`=> true;`
`1986`	`1986`
`1987`		`- static RemoteCertificateValidationCallback SslRootValidation(bool verifyFull, string? certRootPath, X509Certificate2? caCertificate)`
	`1987`	`+ static RemoteCertificateValidationCallback SslRootValidation(bool verifyFull, string? certRootPath, X509Certificate2Collection? caCertificates)`
`1988`	`1988`	`=> (_, certificate, chain, sslPolicyErrors) =>`
`1989`	`1989`	`{`
`1990`	`1990`	`if (certificate is null \|\| chain is null)`
`@@ -2001,12 +2001,12 @@ static RemoteCertificateValidationCallback SslRootValidation(bool verifyFull, st`
`2001`	`2001`
`2002`	`2002`	`if (certRootPath is null)`
`2003`	`2003`	`{`
`2004`		`- Debug.Assert(caCertificate is not null);`
`2005`		`- certs.Add(caCertificate);`
	`2004`	`+ Debug.Assert(caCertificates is { Count: > 0 });`
	`2005`	`+ certs.AddRange(caCertificates);`
`2006`	`2006`	`}`
`2007`	`2007`	`else`
`2008`	`2008`	`{`
`2009`		`- Debug.Assert(caCertificate is null);`
	`2009`	`+ Debug.Assert(caCertificates is null or { Count: > 0 });`
`2010`	`2010`	`if (Path.GetExtension(certRootPath).ToUpperInvariant() != ".PFX")`
`2011`	`2011`	`certs.ImportFromPemFile(certRootPath);`
`2012`	`2012`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ class TransportSecurityHandler`
`11`	`11`	`{`
`12`	`12`	`public virtual bool SupportEncryption => false;`
`13`	`13`
`14`		`- public virtual Func<X509Certificate2?>? RootCertificateCallback`
	`14`	`+ public virtual Func<X509Certificate2Collection?>? RootCertificatesCallback`
`15`	`15`	`{`
`16`	`16`	`get => throw new NotSupportedException(string.Format(NpgsqlStrings.TransportSecurityDisabled, nameof(NpgsqlSlimDataSourceBuilder.EnableTransportSecurity)));`
`17`	`17`	`set => throw new NotSupportedException(string.Format(NpgsqlStrings.TransportSecurityDisabled, nameof(NpgsqlSlimDataSourceBuilder.EnableTransportSecurity)));`
`@@ -29,7 +29,7 @@ sealed class RealTransportSecurityHandler : TransportSecurityHandler`
`29`	`29`	`{`
`30`	`30`	`public override bool SupportEncryption => true;`
`31`	`31`
`32`		`- public override Func<X509Certificate2?>? RootCertificateCallback { get; set; }`
	`32`	`+ public override Func<X509Certificate2Collection?>? RootCertificatesCallback { get; set; }`
`33`	`33`
`34`	`34`	`public override Task NegotiateEncryption(bool async, NpgsqlConnector connector, SslMode sslMode, NpgsqlTimeout timeout, CancellationToken cancellationToken)`
`35`	`35`	`=> connector.NegotiateEncryption(sslMode, timeout, async, cancellationToken);`