[GODRIVER-364] Support PKCS8 encrypted client private keys
Created: 13/Apr/18 | Updated: 26/Oct/21 | Resolved: 01/Feb/21

| Status: | Closed |
| Project: | Go Driver |
| Component/s: | Options & Configuration |
| Affects Version/s: | None |
| Fix Version/s: | 1.5.0 |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | David Golden |
| Assignee: | Benji Rewis (Inactive) |
| Resolution: | Done |
| Votes: | 4 |
| Labels: | FY21Q4, neweng |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Case: | (copied to CRM) |
| Description |

Go's support for encrypted private keys only handles decryption of the outer PEM layer; it does not support decryption of the PEM-decoded PKCS8 data. See Go issue #8860. That ticket references a 3rd-party library, https://github.com/youmark/pkcs8, which does PKCS8 decryption (but only for a single encryption algorithm) and might be a useful starting point for full support.
| Comments |
| Comment by Kevin Albertson [ 11/Feb/21 ] |

Cherry-picked onto release/1.5 with https://github.com/mongodb/mongo-go-driver/commit/74b156e6d52ba5975d61c1b24584428ffd8adb48
| Comment by Githook User [ 01/Feb/21 ] |

Author: {'name': 'Benjamin Rewis', 'email': '32186188+benjirewis@users.noreply.github.com', 'username': 'benjirewis'}
Message:
| Comment by Benji Rewis (Inactive) [ 01/Feb/21 ] |

Generating PKCS8 encrypted client private keys with PKCS 5 v2.0 (the schema the Go driver will now support) is rather specific. For future reference, if using openssl to create "client-pkcs8-encrypted.pem" from "client.pem":

    openssl pkcs8 -v2 des3 -topk8 -inform PEM -outform PEM -in client.pem -out client-pkcs8-encrypted.pem
| Comment by Benji Rewis (Inactive) [ 21/Jan/21 ] |
| Comment by Jay Pearson [ 21/Jan/20 ] |

The generally accepted workaround to change the PEM file to RSA format does not work in a FIPS environment. This resulted in a customer I was working with using unencrypted PEM key files in their FIPS environment. Red Hat is developing their own library to address the issue: https://developers.redhat.com/blog/2019/06/24/go-and-fips-140-2-on-red-hat-enterprise-linux/ See HELP-2044 and HELP-13060
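The two openssl procedures discussed in the comments above (the PKCS 5 v2.0 key from the 01/Feb/21 comment and the "convert to RSA format" workaround from the 21/Jan/20 comment), worked through as an added example that is not part of the ticket or of the Go driver. It assumes the openssl CLI is installed; the file names "client.pem" and "client-pkcs8-encrypted.pem" follow the comment, while the PASS variable and the function names are this example's own. It shows how to tell the two encrypted PEM forms apart: the PKCS#8 form ("ENCRYPTED PRIVATE KEY") carries PBES2, PBKDF2, PRF and cipher identifiers inside the DER, which is exactly what a Go loader had to parse itself, whereas the legacy form announces its cipher in a DEK-Info header and is the only one x509.DecryptPEMBlock understands.

```shell
#!/bin/sh
# Added example, not from the ticket or the Go driver. Needs the openssl CLI.
# PASS holds the demo passphrase. "pass:" on a command line is visible in the
# process list; real deployments should use -passout file:/path instead.
set -eu
PASS="${PASS:-correct horse battery staple}"

# gen_plain_key writes an unencrypted PKCS #8 key ("client.pem" in the comment).
gen_plain_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# to_pkcs8_encrypted is the command from the 01/Feb/21 comment with the cipher
# as a parameter (des3 there; aes-256-cbc is what a plain -topk8 picks on
# current OpenSSL). The result is an EncryptedPrivateKeyInfo: PBES2 over
# PBKDF2, with salt, iteration count, PRF and cipher all inside the DER.
to_pkcs8_encrypted() {
  openssl pkcs8 -topk8 -v2 "$3" -inform PEM -outform PEM -in "$1" -out "$2" -passout "pass:$PASS"
}

# to_legacy_encrypted is the workaround from the 21/Jan/20 comment: traditional
# "RSA PRIVATE KEY" PEM whose encryption is announced in a DEK-Info header, with
# the key derived from the passphrase by MD5 (EVP_BytesToKey). That is the only
# form x509.DecryptPEMBlock understands, and the MD5 step is what fails under FIPS.
# OpenSSL 3 needs -traditional to emit it; OpenSSL 1.x does so by default.
to_legacy_encrypted() {
  openssl rsa -in "$1" -out "$2" -aes256 -traditional -passout "pass:$PASS" 2>/dev/null ||
    openssl rsa -in "$1" -out "$2" -aes256 -passout "pass:$PASS" 2>/dev/null
}

# pem_kind prints pkcs8, legacy or plain: the check a loader needs before it
# decides whether the standard library can decrypt the file at all.
pem_kind() {
  if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then echo pkcs8
  elif grep -q '^DEK-Info:' "$1"; then echo legacy
  else echo plain
  fi
}

# pbes2_oids lists the algorithm identifiers (by name) recorded inside a PKCS #8
# encrypted key, e.g. "PBES2 PBKDF2 hmacWithSHA256 des-ede3-cbc". Note the PRF:
# OpenSSL 1.0.x used hmacWithSHA1 and left the field out (it is the RFC 8018
# default), so a decryptor has to handle both an absent and a present PRF.
pbes2_oids() {
  openssl asn1parse -in "$1" | grep -o 'OBJECT *:[^ ]*' | sed 's/^OBJECT *://' | tr '\n' ' '
}

# decrypt_pkcs8 removes the PBES2 layer with openssl, the step Go itself lacked.
decrypt_pkcs8() {
  openssl pkcs8 -in "$1" -out "$2" -passin "pass:$PASS"
}

# pubkey_of prints the public key so two private-key files can be compared
# regardless of their encoding.
pubkey_of() {
  openssl pkey -in "$1" -pubout 2>/dev/null
}
```

Source the file and run `gen_plain_key client.pem`, `to_pkcs8_encrypted client.pem client-pkcs8-encrypted.pem des3`, `to_legacy_encrypted client.pem client-legacy.pem`, then `pem_kind` and `pbes2_oids` on each output; `decrypt_pkcs8` followed by `pubkey_of` on the original and the decrypted file confirms the round trip.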
| Comment by Craig Wilson [ 18/Jan/19 ] |

Also see here for examples using that library: https://github.com/10gen/mongohouse/tree/master/internal/util/tlsutil
| Comment by David Golden [ 18/Jan/19 ] |

Some interim improvements might include: