[GODRIVER-364] Support PKCS8 encrypted client private keys Created: 13/Apr/18  Updated: 26/Oct/21  Resolved: 01/Feb/21

Status: Closed
Project: Go Driver
Component/s: Options & Configuration
Affects Version/s: None
Fix Version/s: 1.5.0

Type: Improvement Priority: Major - P3
Reporter: David Golden Assignee: Benji Rewis (Inactive)
Resolution: Done Votes: 4
Labels: FY21Q4, neweng
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by GODRIVER-1830 Support PKCS 8 encrypted private keys Closed
Related
related to GODRIVER-287 SSL client certificate should support... Closed
is related to TOOLS-2013 Support PKCS8 encrypted client privat... Closed
Case:

Description

Go's support for encrypted private keys only handles decryption of the outer PEM layer; it does not support decryption of the PEM-decoded PKCS8 data. See Go issue #8860.

That ticket references a third-party library, https://github.com/youmark/pkcs8, which does PKCS8 decryption, but only for a single encryption algorithm; it might be a useful starting point for full support.



Comments
Comment by Kevin Albertson [ 11/Feb/21 ]

Cherry-picked onto release/1.5 with https://github.com/mongodb/mongo-go-driver/commit/74b156e6d52ba5975d61c1b24584428ffd8adb48

Comment by Githook User [ 01/Feb/21 ]

Author:

{'name': 'Benjamin Rewis', 'email': '32186188+benjirewis@users.noreply.github.com', 'username': 'benjirewis'}

Message: GODRIVER-364 Support PKCS8 encrypted client private keys (#565)
Branch: master
https://github.com/mongodb/mongo-go-driver/commit/15a10511b52f5f50147d572d66c3eec3adfe1ade

Comment by Benji Rewis (Inactive) [ 01/Feb/21 ]

Generating PKCS8 encrypted client private keys with PKCS 5 v2.0 (the schema the Go driver will now support) is rather specific. For future reference:

If using openssl to create "client-pkcs8-encrypted.pem" from "client.pem":

openssl pkcs8 -v2 des3 -topk8 -inform PEM -outform PEM -in client.pem -out client-pkcs8-encrypted.pem
Comment by Benji Rewis (Inactive) [ 21/Jan/21 ]

https://github.com/mongodb/mongo-go-driver/pull/565

Comment by Jay Pearson [ 21/Jan/20 ]

The generally accepted workaround to change the PEM file to RSA format does not work in a FIPS environment. This resulted in a customer I was working with using unencrypted PEM key files in their FIPS environment. Red Hat is developing their own library to address the issue:

https://developers.redhat.com/blog/2019/06/24/go-and-fips-140-2-on-red-hat-enterprise-linux/

See HELP-2044 and HELP-13060

Comment by Craig Wilson [ 18/Jan/19 ]

Also see here for examples using that library: https://github.com/10gen/mongohouse/tree/master/internal/util/tlsutil

Comment by David Golden [ 18/Jan/19 ]

Some interim improvements might include:

  • Looking for the "BEGIN ENCRYPTED PRIVATE KEY" header and issuing a specific "Encrypted PKCS8 format not supported" error instead of a generic "failed to parse private key"
  • Documenting the limitation in SSLOpt with any recommended workarounds (such as converting encrypted PKCS8 format to encrypted PKCS1 format)

Generated at Thu Feb 08 08:34:03 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.