[GODRIVER-2263] Not loading all certs in a PEM file Created: 05/Jan/22  Updated: 28/Oct/23  Resolved: 24/Jan/22

Status: Closed
Project: Go Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 1.8.3

Type: Bug Priority: Unknown
Reporter: Derrick Wippler Assignee: Kevin Albertson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Related
related to GODRIVER-2650 Fix incorrect X509 certificate being ... Closed
related to DRIVERS-2038 Test tlsCertificateKeyFile .pem file ... Backlog
Cloud Backport: Needed

Description

Summary

When using tlsCertificateKeyFile or sslClientCertificateKeyFile options, ClientOptions.ApplyURI() only loads the final cert in the provided PEM file. This is undesired when a PEM contains multiple certs to be considered during a TLS handshake.

How to Reproduce

Create a PEM file with multiple certs and use either tlsCertificateKeyFile or sslClientCertificateKeyFile options to load the PEM file. Only the final cert will be loaded into the tls config cert list.

Additional Background

The code change that resolves this bug can be found here https://github.com/mailgun/mongo-go-driver/pull/1/commits/71f1654d022eaa0234345143edd0ee157ecb2077 If this bug is approved, I will submit a PR against the main repo.



Comments
Comment by Githook User [ 24/Jan/22 ]

Author:

{'name': 'Derrick J. Wippler', 'email': 'thrawn01@gmail.com', 'username': 'thrawn01'}

Message: GODRIVER-2263 Load all certs in a PEM (#834)
Branch: release/1.8
https://github.com/mongodb/mongo-go-driver/commit/67dcab6e1490381e94b1e87c6442afeeafb76186

Comment by Githook User [ 24/Jan/22 ]

Author:

{'name': 'Derrick J. Wippler', 'email': 'thrawn01@gmail.com', 'username': 'thrawn01'}

Message: GODRIVER-2263 Load all certs in a PEM (#834)
Branch: master
https://github.com/mongodb/mongo-go-driver/commit/ae48c67470353306985af3466d20d1241d972296

Comment by Derrick Wippler [ 10/Jan/22 ]

PR Created here https://github.com/mongodb/mongo-go-driver/pull/834

Comment by Kevin Albertson [ 07/Jan/22 ]

Thank you for the report thrawn01@gmail.com! I was able to reproduce the "private key does not match public key" with testing certificates and private keys here. Applying the linked commit resolved the error.

To compare with another driver, the C driver uses SSL_CTX_use_certificate_chain_file:

SSL_CTX_use_certificate_chain_file() loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.

If you are able to submit a PR, it would be much appreciated!

Comment by Shawn Poulson [ 05/Jan/22 ]

In the scenario where a client certificate is necessary to connect to Mongo, the pem may contain: a private key, a client cert, and one or more intermediate CA certs.

Golang's TLS expects pems to contain the leaf (client) certificate first, then the intermediate certificates.

This logic conflicts with Mongo's ClientOptions.ApplyURI() parsing only the last certificate in the pem. Then, mongo.NewClient() fails validating options with "private key does not match public key" because it paired the pem private key with an intermediate CA cert instead of the client cert.

This fix is necessary to resolve this conflict.
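An in-memory reproduction of the failure described in the comments above, added here as an illustration; it is not code from the driver, from the linked PR, or from any commenter. It builds a throwaway root/intermediate/client PKI with the Go standard library, writes the PEM in the layout Shawn describes (private key, client certificate, intermediate CA), and then pairs the key with the certificates two ways: keeping only the last CERTIFICATE block, which stands in for the pre-1.8.3 behaviour, and keeping every block in file order, which is what the fix does. The function names (must, issue, buildClientPEM, loadClientCert), the allCerts switch and the fixture certificates are assumptions of this example, not driver API; the mismatch error text comes from crypto/tls.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// must panics on error; acceptable here because the PKI is a throwaway fixture.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a certificate for key's public half with signer; parent == nil means self-signed.
func issue(serial int64, cn string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

// buildClientPEM writes the tlsCertificateKeyFile layout from the comment: private key,
// client (leaf) cert, intermediate CA cert. leafFirst=false swaps the two certificates.
func buildClientPEM(leafFirst bool) []byte {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	interKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root := issue(1, "Example Root CA", true, rootKey, nil, rootKey)
	inter := issue(2, "Example Intermediate CA", true, interKey, root, rootKey)
	leaf := issue(3, "mongo-client", false, leafKey, inter, interKey)
	var buf bytes.Buffer
	keyDER := must(x509.MarshalPKCS8PrivateKey(leafKey))
	pem.Encode(&buf, &pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	chain := []*x509.Certificate{leaf, inter}
	if !leafFirst {
		chain = []*x509.Certificate{inter, leaf}
	}
	for _, c := range chain {
		pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
	}
	return buf.Bytes()
}

// loadClientCert pairs the key in data with its certificates. allCerts=false keeps only the
// last CERTIFICATE block (the reported behaviour); allCerts=true keeps every block in file
// order (the fix). tls.X509KeyPair treats the first certificate as the leaf and checks the key.
func loadClientCert(data []byte, allCerts bool) (tls.Certificate, error) {
	var keyPEM []byte
	var certPEMs [][]byte
	for {
		var block *pem.Block
		block, data = pem.Decode(data)
		if block == nil {
			break
		}
		switch {
		case block.Type == "CERTIFICATE":
			certPEMs = append(certPEMs, pem.EncodeToMemory(block))
		case strings.HasSuffix(block.Type, "PRIVATE KEY"):
			keyPEM = pem.EncodeToMemory(block)
		}
	}
	if keyPEM == nil || len(certPEMs) == 0 {
		return tls.Certificate{}, fmt.Errorf("PEM needs a private key and at least one certificate")
	}
	if !allCerts {
		return tls.X509KeyPair(certPEMs[len(certPEMs)-1], keyPEM)
	}
	return tls.X509KeyPair(bytes.Join(certPEMs, nil), keyPEM)
}

func main() {
	good := buildClientPEM(true)
	_, err := loadClientCert(good, false)
	fmt.Println("last cert only:", err) // tls: private key does not match public key
	c, err := loadClientCert(good, true)
	fmt.Println("all certs:", len(c.Certificate), err) // 2 <nil>
	_, err = loadClientCert(buildClientPEM(false), true)
	fmt.Println("intermediate first:", err) // tls: private key does not match public key
}
```

Two things worth noticing when running it: the last-cert-only loader pairs the leaf key with the intermediate CA certificate and gets exactly the "private key does not match public key" error from the report, and loading every block is not enough on its own, because a file with the intermediate before the leaf fails the same way. The file has to be ordered leaf first, as the OpenSSL documentation quoted above also requires.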

Generated at Thu Feb 08 08:38:11 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.