microsoft · peterbae · Mar 27, 2020 · Feb 5, 2020 · Feb 8, 2020 · Feb 10, 2020
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -10,7 +10,7 @@ jobs:
     matrix:
       SQL-2019:
         Target_SQL: 'HGS-2k19-01'
-        Ex_Groups: 'xSQLv15'
+        Ex_Groups: 'xSQLv15, clientCertAuth'
       SQL-2012:
         Target_SQL: 'SQL-2K12-SP3-1'
         Ex_Groups: 'xSQLv12'

diff --git a/pom.xml b/pom.xml
@@ -51,9 +51,10 @@
 			xAzureSQLMI - - - - For tests not compatible with Azure SQL Managed Instance 
 			NTLM  - - - - - - - For tests using NTLM Authentication mode (excluded by default) 
 			reqExternalSetup  - For tests requiring external setup (excluded by default)
+			clientCertAuth  - - For tests requiring client certificate authentication setup (excluded by default)
 			- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 			Default testing enabled with SQL Server 2019 (SQLv15) -->
-		<excludedGroups>xSQLv15, NTLM, reqExternalSetup</excludedGroups>
+		<excludedGroups>xSQLv15, NTLM, reqExternalSetup, clientCertAuth</excludedGroups>
 
 		<!-- Use -preview for preview release, leave empty for official release.-->
 		<releaseExt></releaseExt>
@@ -66,6 +67,8 @@
 		<osgi.comp.version>5.0.0</osgi.comp.version>
 		<antlr.runtime.version>4.7.2</antlr.runtime.version>
 		<google.gson.version>2.8.6</google.gson.version>
+		<bouncycastle.bcprov.version>1.64</bouncycastle.bcprov.version>
+		<bouncycastle.bcpkix.version>1.64</bouncycastle.bcpkix.version>
 
 		<!-- JUnit Test Dependencies -->
 		<junit.platform.version>[1.3.2, 1.5.2]</junit.platform.version>
@@ -119,7 +122,15 @@
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
 			<artifactId>bcprov-jdk15on</artifactId>
-			<version>1.64</version>
+			<version>${bouncycastle.bcprov.version}</version>
+			<optional>true</optional>
+		</dependency>
+
+		<!-- dependencies for Client Certificate Authentication -->
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcpkix-jdk15on</artifactId>
+			<version>${bouncycastle.bcpkix.version}</version>
 			<optional>true</optional>
 		</dependency>
 

diff --git a/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java b/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java
@@ -62,6 +62,7 @@
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.TrustManager;
@@ -364,6 +365,7 @@ static final String getTokenName(int tdsTokenType) {
     static final byte ENCRYPT_ON = 0x01;
     static final byte ENCRYPT_NOT_SUP = 0x02;
     static final byte ENCRYPT_REQ = 0x03;
+    static final byte ENCRYPT_CLIENT_CERT = (byte) 0x80;
     static final byte ENCRYPT_INVALID = (byte) 0xFF;
 
     static final String getEncryptionLevel(int level) {
@@ -1597,9 +1599,16 @@ enum SSLHandhsakeState {
      *        Server Host Name for SSL Handshake
      * @param port
      *        Server Port for SSL Handshake
+     * @param clientCertificate
+     *        Client certificate path
+     * @param clientKey
+     *        Private key file path
+     * @param clientKeyPassword
+     *        Private key file's password
      * @throws SQLServerException
      */
-    void enableSSL(String host, int port) throws SQLServerException {
+    void enableSSL(String host, int port, String clientCertificate, String clientKey,
+            String clientKeyPassword) throws SQLServerException {
         // If enabling SSL fails, which it can for a number of reasons, the following items
         // are used in logging information to the TDS channel logger to help diagnose the problem.
         Provider tmfProvider = null; // TrustManagerFactory provider
@@ -1774,13 +1783,16 @@ else if (con.getTrustManagerClass() != null) {
             if (logger.isLoggable(Level.FINEST))
                 logger.finest(toString() + " Getting TLS or better SSL context");
 
+            KeyManager[] km = (null != clientCertificate && clientCertificate.length() > 0) ? SQLServerCertificateUtils
+                    .getKeyManagerFromFile(clientCertificate, clientKey, clientKeyPassword) : null;
+
             sslContext = SSLContext.getInstance(sslProtocol);
             sslContextProvider = sslContext.getProvider();
 
             if (logger.isLoggable(Level.FINEST))
                 logger.finest(toString() + " Initializing SSL context");
 
-            sslContext.init(null, tm, null);
+            sslContext.init(km, tm, null);
 
             // Got the SSL context. Now create an SSL socket over our own proxy socket
             // which we can toggle between TDS-encapsulated and raw communications.
@@ -6202,7 +6214,8 @@ void writeRPCReaderUnicode(String sName, Reader re, long reLength, boolean bOut,
 
     void sendEnclavePackage(String sql, ArrayList<byte[]> enclaveCEKs) throws SQLServerException {
         if (null != con && con.isAEv2()) {
-            if (null != sql && !sql.isEmpty() && null != enclaveCEKs && 0 < enclaveCEKs.size() && con.enclaveEstablished()) {
+            if (null != sql && !sql.isEmpty() && null != enclaveCEKs && 0 < enclaveCEKs.size()
+                    && con.enclaveEstablished()) {
                 byte[] b = con.generateEnclavePackage(sql, enclaveCEKs);
                 if (null != b && 0 != b.length) {
                     this.writeShort((short) b.length);

diff --git a/src/main/java/com/microsoft/sqlserver/jdbc/ISQLServerDataSource.java b/src/main/java/com/microsoft/sqlserver/jdbc/ISQLServerDataSource.java
@@ -903,5 +903,43 @@ public interface ISQLServerDataSource extends javax.sql.CommonDataSource {
      *        Enclave attestation protocol.
      */
     void setEnclaveAttestationProtocol(String protocol);
+
+    /**
+     * Returns client certificate path for client certificate authentication.
+     * 
+     * @return Client certificate path.
+     */
+    String getClientCertificate();
+
+    /**
+     * Sets client certificate path for client certificate authentication.
+     * 
+     * @param certPath
+     *        Client certificate path.
+     */
+    void setClientCertificate(String certPath);
+
+    /**
+     * Returns Private key file path for client certificate authentication.
+     * 
+     * @return Private key file path.
+     */
+    String getClientKey();
+
+    /**
+     * Sets Private key file path for client certificate authentication.
+     * 
+     * @param keyPath
+     *        Private key file path.
+     */
+    void setClientKey(String keyPath);
+
+    /**
+     * Sets the password to be used for Private key provided by the user for client certificate authentication.
+     * 
+     * @param password
+     *        Private key password.
+     */
+    void setClientKeyPassword(String password);
 
 }
diff --git a/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerBouncyCastleLoader.java b/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerBouncyCastleLoader.java
@@ -1,9 +1,15 @@
+/*
+ * Microsoft JDBC Driver for SQL Server Copyright(c) Microsoft Corporation All rights reserved. This program is made
+ * available under the terms of the MIT License. See the LICENSE file in the project root for more information.
+ */
+
 package com.microsoft.sqlserver.jdbc;
 
 import java.security.Security;
 
 /*
  * Class that is meant to statically load the BouncyCastle Provider for JDK 8. Hides the call so JDK 11/13 don't have to include the dependency.
+ * Also loads BouncyCastle provider for PKCS1 private key parsing.
  */
 class SQLServerBouncyCastleLoader {
     static void loadBouncyCastle() {