New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GODRIVER-364 Support PKCS8 encrypted client private keys #565
Conversation
return "", err | ||
} | ||
} else if strings.Contains(currentBlock.Type, "ENCRYPTED") { | ||
// The pkcs8 package only handles the PKCS #5 v2.0 scheme. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This parsing code is from the TOOLS-2013 PR. This was also brought up there, but youmark/pkcs8
can only handle the PKCS 5 v2.0 scheme. I don't much about the various PKCS schemes, but it might be worth documenting somewhere how to create this scheme. I used:
openssl pkcs8 -v2 des3 -topk8 -inform PEM -outform PEM -in client.pem -out client-pkcs8-encrypted.pem
Furthermore, did we need support for a specific scheme?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, the command used to generate seems worth leaving a comment in GODRIVER-364 for future reference (anytime I need to generate certs, I need to google around...).
Given the conversation in TOOLS-2013 and related tickets, I think v2.0 is only requirement. It seems v1.5 was superseded (judging from RFC-8018 and and an article describing the v2.0 key derivation function.
cc @markbenvenuto in case you'd like to weigh in. I do not think we need to support more than PKCS 5 v2.0.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can leave the two commands (one for encrypted and one for unencrypted) in the original ticket. And good to know 2.0 supersedes other versions; thanks for doing that research.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, we only need to support PKCS#5 v2.0. We don't need to support the older version since it uses a weaker key derivation function.
vendor/modules.txt
Outdated
@@ -97,9 +97,12 @@ github.com/tidwall/pretty | |||
github.com/xdg/scram | |||
# github.com/xdg/stringprep v0.0.0-20180714160509-73f8eece6fdc | |||
github.com/xdg/stringprep | |||
# golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5 | |||
# github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wasn't sure on our process for adding dependencies... I ran go get github.com/youmark/pkcs8
, and go mod vendor
after using the new package.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code changes LGTM. There's a merge conflict with mongo/integration/client_test.go
, so you may have to rebase locally and force-push to this branch.
mongo/integration/client_test.go
Outdated
DB string | ||
certificates := [3]string{"client.pem", "client-pkcs8-encrypted.pem", "client-pkcs8-unencrypted.pem"} | ||
for _, certificate := range certificates { | ||
keyFilePassword := "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: For empty declarations, I generally prefer using the zero value: var keyFilePassword string
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice! Good to learn common Go patterns :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm with a test nit
mongo/integration/client_test.go
Outdated
User string | ||
DB string | ||
certificates := [3]string{"client.pem", "client-pkcs8-encrypted.pem", "client-pkcs8-unencrypted.pem"} | ||
for _, certificate := range certificates { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Each certificate type can be run as its own subtest for debugging
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
return "", err | ||
} | ||
} else if strings.Contains(currentBlock.Type, "ENCRYPTED") { | ||
// The pkcs8 package only handles the PKCS #5 v2.0 scheme. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, the command used to generate seems worth leaving a comment in GODRIVER-364 for future reference (anytime I need to generate certs, I need to google around...).
Given the conversation in TOOLS-2013 and related tickets, I think v2.0 is only requirement. It seems v1.5 was superseded (judging from RFC-8018 and and an article describing the v2.0 key derivation function.
cc @markbenvenuto in case you'd like to weigh in. I do not think we need to support more than PKCS 5 v2.0.
{"roles", bson.A{ | ||
bson.D{{"role", "readWrite"}, {"db", "test"}}, | ||
}}, | ||
testCases := []struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice, good idea making this into a table test!
Co-authored-by: Kevin Albertson <kevin.albertson@10gen.com>
GODRIVER-364
Adds support for decrypting PKCS8 encrypted PEM keys. Private keys encrypted with PKCS8 should begin with
-----BEGIN ENCRYPTED PRIVATE KEY----
according to documentation, so the new parsing inclientoptions#addClientCertFromBytes
assumes this.Adds two new test certificates used in the
TestClient/x509
test. One is a PKCS8 encrypted PEM key, and one is unencrypted.