Add MySQL TLS support (#3593)

Adds TLS support for MySQL connections in the Trillian server/signer. Key changes include: - Added new flags: + mysql_tls_ca: Path to the CA certificate file for the MySQL TLS connection. + mysql_server_name: Name of the MySQL server to be used as the Server Name in the TLS configuration. - Added a new function registerTLSConfig() to handle the registration of the custom TLS configuration. If no TLS configuration is provided, the connection defaults to non-TLS, ensuring backward compatibility. Issue: #3592
google · Aug 16, 2024 · 0bd653f · 0bd653f
1 parent 1a9af73
commit 0bd653f
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 ## HEAD
 
+* Add TLS support for MySQL: https://github.com/google/trillian/pull/3593
+  * `--mysql_tls_ca`: users can provide a CA certificate, that is used to establish a secure communication with MySQL server. 
+  * `--mysql_server_name`: users can provide the name of the MySQL server to be used as the Server Name in the TLS configuration.
+
 ## Notable Changes
 
 * Updated go version 1.20 -> 1.21

diff --git a/storage/mysql/provider.go b/storage/mysql/provider.go
@@ -15,22 +15,28 @@
 package mysql
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"database/sql"
+	"errors"
 	"flag"
+	"os"
 	"sync"
 
 	"github.com/google/trillian/monitoring"
 	"github.com/google/trillian/storage"
 	"k8s.io/klog/v2"
 
 	// Load MySQL driver
-	_ "github.com/go-sql-driver/mysql"
+	"github.com/go-sql-driver/mysql"
 )
 
 var (
-	mySQLURI = flag.String("mysql_uri", "test:zaphod@tcp(127.0.0.1:3306)/test", "Connection URI for MySQL database")
-	maxConns = flag.Int("mysql_max_conns", 0, "Maximum connections to the database")
-	maxIdle  = flag.Int("mysql_max_idle_conns", -1, "Maximum idle database connections in the connection pool")
+	mySQLURI        = flag.String("mysql_uri", "test:zaphod@tcp(127.0.0.1:3306)/test", "Connection URI for MySQL database")
+	maxConns        = flag.Int("mysql_max_conns", 0, "Maximum connections to the database")
+	maxIdle         = flag.Int("mysql_max_idle_conns", -1, "Maximum idle database connections in the connection pool")
+	mySQLTLSCA      = flag.String("mysql_tls_ca", "", "Path to the CA certificate file for MySQL TLS connection ")
+	mySQLServerName = flag.String("mysql_server_name", "", "Name of the MySQL server to be used as the Server Name in the TLS configuration")
 
 	mysqlMu              sync.Mutex
 	mysqlErr             error
@@ -81,7 +87,14 @@ func getMySQLDatabaseLocked() (*sql.DB, error) {
 	if mysqlDB != nil || mysqlErr != nil {
 		return mysqlDB, mysqlErr
 	}
-	db, err := OpenDB(*mySQLURI)
+	dsn := *mySQLURI
+	if *mySQLTLSCA != "" {
+		if err := registerMySQLTLSConfig(); err != nil {
+			return nil, err
+		}
+		dsn += "?tls=custom"
+	}
+	db, err := OpenDB(dsn)
 	if err != nil {
 		mysqlErr = err
 		return nil, err
@@ -107,3 +120,26 @@ func (s *mysqlProvider) AdminStorage() storage.AdminStorage {
 func (s *mysqlProvider) Close() error {
 	return s.db.Close()
 }
+
+// registerMySQLTLSConfig registers a custom TLS config for MySQL using a provided CA certificate and optional server name.
+// Returns an error if the CA certificate can't be read or added to the root cert pool, or when the registration of the TLS config fails.
+func registerMySQLTLSConfig() error {
+	if *mySQLTLSCA == "" {
+		return nil
+	}
+	rootCertPool := x509.NewCertPool()
+	pem, err := os.ReadFile(*mySQLTLSCA)
+	if err != nil {
+		return err
+	}
+	if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
+		return errors.New("failed to append PEM")
+	}
+	tlsConfig := &tls.Config{
+		RootCAs: rootCertPool,
+	}
+	if *mySQLServerName != "" {
+		tlsConfig.ServerName = *mySQLServerName
+	}
+	return mysql.RegisterTLSConfig("custom", tlsConfig)
+}