[CDRIVER-4269] Unable to load PKCS#8 private key with SChannel Created: 26/Jan/22  Updated: 10/Feb/23

Status: Backlog
Project: C Driver
Component/s: None
Affects Version/s: 1.20.1
Fix Version/s: None

Type: Bug Priority: Unknown
Reporter: Kevin Albertson Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Epic Link: CDRIVER-4575

Description

Summary

Private keys can be in PKCS#1 or PKCS#8 format. Secure Channel on Windows is unable to load PKCS#8-encoded private keys.

How to Reproduce

Start a server and require client certificates. Use test .pem files from the https://github.com/mongodb-labs/drivers-evergreen-tools repo:

./bin/mongod \
    --setParameter enableTestCommands=1 \
    --tlsCertificateKeyFile=C:/cygwin/home/Administrator/code/drivers-evergreen-tools/.evergreen/x509gen/server.pem \
    --tlsCAFile=C:/cygwin/home/Administrator/code/drivers-evergreen-tools/.evergreen/x509gen/ca.pem \
    --tlsMode=requireTLS \
    --port=27018 \
    --dbpath ./data

Use the repro environment here:

Use the run.sh script to test connecting with a PKCS#1 key (succeeds) and a PKCS#8 private key (fails):

export CA_FILE="C:/cygwin/home/Administrator/code/drivers-evergreen-tools/.evergreen/x509gen/ca.pem"
export CLIENT_FILE="C:/cygwin/home/Administrator/code/drivers-evergreen-tools/.evergreen/x509gen/client-pkcs8-unencrypted.pem"
export MONGODB_URI="mongodb://localhost:27018/?tls=true&tlsCAFile=$CA_FILE&tlsCertificateKeyFile=$CLIENT_FILE"
./cmake-build/Debug/crepro.out

This produces the following output on Windows:

2022/01/25 23:59:03.0700: [ 9916]:    ERROR: stream-secure-channel: Failed to parse private key. ASN1 bad tag value met. (0x8009310B)
2022/01/25 23:59:03.0930: [ 9916]:    ERROR: stream-secure-channel: Failed to parse private key. ASN1 bad tag value met. (0x8009310B)
2022/01/25 23:59:03.0954: [ 9916]:    ERROR:       mongoc: mongoc_collection_count_documents error: No suitable servers found (`serverSelectionTryOnce` set): [Failed to receive length header from server. calling hello on 'localhost:27018']

Additional Background

See SERVER-35541 for an example of this implementation in the MongoDB Server.

See https://stackoverflow.com/a/48960291/774658 for additional background on PKCS#1 and PKCS#8 format.

Workaround

As a workaround, users can convert PKCS#8 to PKCS#1 for an RSA key:

openssl rsa -in private_key_pkcs8.pem -out private_key_pkcs1.pem
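A check of the sort a practitioner would run on a client .pem before handing it to a Secure Channel build of the driver, added here as an example (it is not libmongoc code): it classifies a private key as PKCS#1 RSAPrivateKey or PKCS#8 PrivateKeyInfo from the DER structure rather than the PEM label, since both begin with an INTEGER version and differ only in what follows it (an INTEGER modulus versus an AlgorithmIdentifier SEQUENCE), which is exactly the tag a PKCS#1-only decoder does not expect. The DER helpers and the toy RSA parameters are constructed for illustration and are not a usable key.

```python
import base64
import re
# Minimal DER encoding helpers (written for this example, not driver code).
def der_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):  # unsigned INTEGER; a leading 0x00 is added when the high bit is set
    return der_tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def _read_header(der, i):  # -> (tag, body_start, body_end) of the TLV at offset i
    tag, ln, i = der[i], der[i + 1], i + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, i = int.from_bytes(der[i:i + n], "big"), i + n
    return tag, i, i + ln

def classify_private_key(pem):
    """Return 'pkcs1', 'pkcs8' or 'unknown' based on DER structure, not the PEM label."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        return "unknown"
    der = base64.b64decode("".join(m.group(2).split()))
    tag, body, _ = _read_header(der, 0)            # outer SEQUENCE
    if tag != 0x30:
        return "unknown"
    tag, _, version_end = _read_header(der, body)  # both formats start with INTEGER version
    if tag != 0x02:
        return "unknown"
    # RSAPrivateKey continues with INTEGER modulus; PrivateKeyInfo with AlgorithmIdentifier SEQUENCE
    return {0x02: "pkcs1", 0x30: "pkcs8"}.get(der[version_end], "unknown")

# Toy RSA parameters, constructed for illustration only (n=61*53, e=17, d=2753).
RSA_PRIVATE_KEY = der_seq(der_int(0), der_int(3233), der_int(17), der_int(2753),
                          der_int(61), der_int(53), der_int(53), der_int(49), der_int(38))
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
PRIVATE_KEY_INFO = der_seq(der_int(0), der_seq(RSA_ENCRYPTION_OID, b"\x05\x00"),
                           der_tlv(0x04, RSA_PRIVATE_KEY))
PKCS1_PEM = to_pem("RSA PRIVATE KEY", RSA_PRIVATE_KEY)
PKCS8_PEM = to_pem("PRIVATE KEY", PRIVATE_KEY_INFO)
```

Running the check on a real file only needs `classify_private_key(open(path).read())`; a result of `pkcs8` means the `openssl rsa` conversion above is required before the key will load under Secure Channel.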

Generated at Wed Feb 07 21:20:27 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.