Re: Issue with SSL and password protected keys in DER/PK8 format

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Derek Zasiewski <dzasiews(at)opentext(dot)com>
Cc: "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org>
Subject: Re: Issue with SSL and password protected keys in DER/PK8 format
Date: 2022-06-20 21:21:34
Message-ID: CABUevEwby32_vCfV0s6ap5DTRNwhDpgf9pXOB=a9Cr+zgcx3TA@mail.gmail.com
Lists: pgsql-bugs

On Mon, Jun 20, 2022 at 10:00 AM Derek Zasiewski <dzasiews(at)opentext(dot)com>
wrote:

> Hello,
>
> We leverage PostgreSQL (currently version 13.7) in our product and use two
> different means of communication:
>
> 1. JDBC driver directly from our Java code – majority of our
> interactions is using this mechanism
> 2. Our process calls psql and pg_dump binaries for some selective
> features such as making backups, etc (in which case it is my understanding
> that psql and pg_dump use libpq library to make connections).
>
> When PostgreSQL runs over SSL, specifically two-way SSL, and has been
> configured to expect client certificates for handshakes – if the private
> key is password protected, communication using #2 method (from above) fails
> when the key is in DER format. I use following line to convert PEM key to
> DER:
>
> openssl pkcs8 -topk8 -inform PEM -outform DER -in test.pem -out test.pem.pk8
>
> That line will produce DER encoded private key that is still password
> protected. That key can be successfully used when using JDBC type
> connection, but using directly through psql or pg_dump binaries – we get an
> error message:
>
> psql: error: could not load private key file "test.pem.pk8": no start line
>
> Please note that if PK8 key is not password protected – everything works.
> Essentially if the key is in PEM format – we can use it via JDBC (#1) and
> directly through binaries (#2) regardless of whether it is password
> protected or not. But for DER format if the key is password protected then
> JDBC will work but directly calling psql or pg_dump (or pg_restore) will
> fail.
>
In general I don't think the PKCS8 format is the same as DER and therefore
not supported? Thus, your command produces a "pkcs8 format key in DER
encoding", but libpq supports "PEM format key in DER encoding". What if you
just convert it

What if you just run:
openssl rsa -inform pem -outform der -in test.key -out test.der

And use that key?

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
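The "no start line" error in the report above is what OpenSSL's PEM reader returns when it cannot find a `-----BEGIN ...-----` line in the file; libpq loads `sslkey` through that PEM reader (`PEM_read_PrivateKey`), so a raw DER file fails before any passphrase is even requested, whether or not it is encrypted. The following script is an added example, not code from the thread or from PostgreSQL: it sniffs a key file and reports which of the encodings discussed here it is in (PEM with its label, or one of the three common DER structures), so an operator can tell in advance whether a PEM-only consumer can read it. The sample inputs are constructed DER skeletons and a PEM stub, not real keys; the helper names (`classify_key`, `_read_tlv`, `_der`) are this example's own.

```python
"""Classify a private-key file by its outer encoding (added example, hypothetical code).

PEM files start with a "-----BEGIN <LABEL>-----" line. DER files start with a
SEQUENCE (0x30) whose first child tells the structure apart:
  SEQUENCE { SEQUENCE algId, OCTET STRING }           -> PKCS#8 EncryptedPrivateKeyInfo
  SEQUENCE { INTEGER 0, SEQUENCE algId, OCTET STRING } -> PKCS#8 PrivateKeyInfo
  SEQUENCE { INTEGER 0, INTEGER n, INTEGER e, ... }    -> PKCS#1 RSAPrivateKey
"""
import re

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length header at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def classify_key(data: bytes) -> str:
    """Return 'PEM:<label>', 'DER:<structure>' or 'unknown' for the given file bytes."""
    m = PEM_BEGIN.search(data)
    if m:                                   # a PEM reader (and thus libpq) can proceed
        return "PEM:" + m.group(1).decode()
    if not data or data[0] != 0x30:         # DER private keys are always an outer SEQUENCE
        return "unknown"
    try:
        _, start, end = _read_tlv(data, 0)
        if end != len(data):                # truncated or trailing garbage
            return "unknown"
        tag1, _, end1 = _read_tlv(data, start)
        if tag1 == 0x30:                    # AlgorithmIdentifier first: encrypted PKCS#8
            return "DER:EncryptedPrivateKeyInfo"
        if tag1 == 0x02:                    # version INTEGER first
            tag2, _, _ = _read_tlv(data, end1)
            if tag2 == 0x30:
                return "DER:PrivateKeyInfo"  # unencrypted PKCS#8
            if tag2 == 0x02:
                return "DER:RSAPrivateKey"   # traditional PKCS#1 (openssl rsa -outform der)
    except IndexError:
        pass
    return "unknown"


def pem_reader_would_accept(data: bytes) -> bool:
    """True only for the encoding a PEM-only loader such as libpq's sslkey path can read."""
    return classify_key(data).startswith("PEM:")


# --- constructed sample inputs (skeletons with the right tag structure, not real keys) ---
def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder used only to build the samples below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


OID_PBES2 = b"\x2a\x86\x48\x86\xf7\x0d\x01\x05\x0d"          # 1.2.840.113549.1.5.13
OID_RSA_ENCRYPTION = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"  # 1.2.840.113549.1.1.1

# What "openssl pkcs8 -topk8 -outform DER" with a passphrase produces (structure only).
ENCRYPTED_PKCS8_DER = _der(0x30,
    _der(0x30, _der(0x06, OID_PBES2) + _der(0x30, b""))
    + _der(0x04, bytes(200)))                                 # 200-byte placeholder ciphertext
# Unencrypted PKCS#8 (version 0, rsaEncryption, placeholder key octets).
PKCS8_DER = _der(0x30,
    _der(0x02, b"\x00")
    + _der(0x30, _der(0x06, OID_RSA_ENCRYPTION) + _der(0x05, b""))
    + _der(0x04, bytes(16)))
# Traditional PKCS#1 RSAPrivateKey (version 0 followed by integers).
PKCS1_DER = _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x01\x00\x01") + _der(0x02, b"\x0b"))
# PEM stub with a constructed body; only the armor lines matter to the classifier.
ENCRYPTED_PKCS8_PEM = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                       b"MIIBvTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI\n"
                       b"-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, blob in [("encrypted PKCS#8 DER", ENCRYPTED_PKCS8_DER), ("PKCS#8 DER", PKCS8_DER),
                       ("PKCS#1 DER", PKCS1_DER), ("encrypted PKCS#8 PEM", ENCRYPTED_PKCS8_PEM)]:
        print(f"{name:22s} -> {classify_key(blob):32s} PEM reader ok: {pem_reader_would_accept(blob)}")
```

Run against a real file with `classify_key(open(path, "rb").read())`; anything reported as `DER:...` will produce exactly the "no start line" failure from psql, and the fix is to keep the key PEM-armored (an encrypted PEM PKCS#8 key is still password protected and is accepted by libpq's passphrase prompt).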
