GODRIVER-364 Support PKCS8 encrypted client private keys

[benjirewis]

GODRIVER-364

Adds support for decrypting PKCS8 encrypted PEM keys. Private keys encrypted with PKCS8 should begin with -----BEGIN ENCRYPTED PRIVATE KEY---- according to documentation, so the new parsing in clientoptions#addClientCertFromBytes assumes this.

Adds two new test certificates used in the TestClient/x509 test. One is a PKCS8 encrypted PEM key, and one is unencrypted.

[benjirewis]

This parsing code is from the TOOLS-2013 PR. This was also brought up there, but youmark/pkcs8 can only handle the PKCS 5 v2.0 scheme. I don't much about the various PKCS schemes, but it might be worth documenting somewhere how to create this scheme. I used:

openssl pkcs8 -v2 des3 -topk8 -inform PEM -outform PEM -in client.pem -out client-pkcs8-encrypted.pem

Furthermore, did we need support for a specific scheme?

[kevinAlbs]

Good point, the command used to generate seems worth leaving a comment in GODRIVER-364 for future reference (anytime I need to generate certs, I need to google around...).

Given the conversation in TOOLS-2013 and related tickets, I think v2.0 is only requirement. It seems v1.5 was superseded (judging from RFC-8018 and and an article describing the v2.0 key derivation function.

cc @markbenvenuto in case you'd like to weigh in. I do not think we need to support more than PKCS 5 v2.0.

[benjirewis]

I can leave the two commands (one for encrypted and one for unencrypted) in the original ticket. And good to know 2.0 supersedes other versions; thanks for doing that research.

[markbenvenuto]

Yes, we only need to support PKCS#5 v2.0. We don't need to support the older version since it uses a weaker key derivation function.

[benjirewis]

I wasn't sure on our process for adding dependencies... I ran go get github.com/youmark/pkcs8, and go mod vendor after using the new package.

[divjotarora]

Code changes LGTM. There's a merge conflict with mongo/integration/client_test.go, so you may have to rebase locally and force-push to this branch.

[divjotarora]

nit: For empty declarations, I generally prefer using the zero value: var keyFilePassword string

[benjirewis]

Nice! Good to learn common Go patterns :)

[iwysiu]

lgtm with a test nit

[iwysiu]

Each certificate type can be run as its own subtest for debugging

[benjirewis]

Done!

[kevinAlbs]

LGTM!

[kevinAlbs]

Good point, the command used to generate seems worth leaving a comment in GODRIVER-364 for future reference (anytime I need to generate certs, I need to google around...).

Given the conversation in TOOLS-2013 and related tickets, I think v2.0 is only requirement. It seems v1.5 was superseded (judging from RFC-8018 and and an article describing the v2.0 key derivation function.

cc @markbenvenuto in case you'd like to weigh in. I do not think we need to support more than PKCS 5 v2.0.

[kevinAlbs]

Nice, good idea making this into a table test!