Issue with SSL and password protected keys in DER/PK8 format
Hello,
We leverage PostgreSQL (currently version 13.7) in our product and use two different means of communication:
1. JDBC driver directly from our Java code - majority of our interactions is using this mechanism
2. Our process calls psql and pg_dump binaries for some selective features such as making backups, etc (in which case it is my understanding that psql and pg_dump use libpq library to make connections).
When PostgreSQL runs over SSL, specifically two-way SSL, and has been configured to expect client certificates for handshakes - if the private key is password protected, communication using #2 method (from above) fails when the key is in DER format. I use following line to convert PEM key to DER:
openssl pkcs8 -topk8 -inform PEM -outform DER -in test.pem -out test.pem.pk8
That line will produce DER encoded private key that is still password protected. That key can be successfully used when using JDBC type connection, but using directly through psql or pg_dump binaries - we get an error message:
psql: error: could not load private key file "test.pem.pk8": no start line
Please note that if PK8 key is not password protected - everything works. Essentially if the key is in PEM format - we can use it via JDBC (#1) and directly through binaries (#2) regardless of whether it is password protected or not. But for DER format if the key is password protected then JDBC will work but directly calling psql or pg_dump (or pg_restore) will fail.
Cheers,
Derek
Derek Zasiewski | InfoArchive
Senior Principal | Security Advocate
Toronto, Canada
mobile: 416-526-6400
[cid:image001.gif@01D8823D.A4890A10]
Attachments:
On Mon, Jun 20, 2022 at 10:00 AM Derek Zasiewski <dzasiews@opentext.com>
wrote:
Hello,
We leverage PostgreSQL (currently version 13.7) in our product and use two
different means of communication:1. JDBC driver directly from our Java code – majority of our
interactions is using this mechanism
2. Our process calls *psql* and pg_*dump* binaries for some selective
features such as making backups, etc (in which case it is my understanding
that psql and pg_dump use libpq library to make connections).When PostgreSQL runs over SSL, specifically two-way SSL, and has been
configured to expect client certificates for handshakes – if the private
key is password protected, communication using #2 method (from above) fails
when the key is in DER format. I use following line to convert PEM key to
DER:openssl pkcs8 -topk8 -inform PEM -outform DER -in test.pem -out
test.pem.pk8That line will produce DER encoded private key that is still password
protected. That key can be successfully used when using JDBC type
connection, but using directly through psql or pg_dump binaries – we get an
error message:psql: error: could not load private key file "test.pem.pk8": no start line
Please note that if PK8 key is not password protected – everything works.
Essentially if the key is in PEM format – we can use it via JDBC (#1) and
directly through binaries (#2) regardless of whether it is password
protected or not. But for DER format if the key is password protected then
JDBC will work but directly calling psql or pg_dump (or pg_restore) will
fail.
In general I don't think the PKCS8 format is the same as DER and therefor
not supported? Thus, your command produces a "pkcs8 format key in DER
encoding", but libpq supports "PEM format key in DER encoding". What if you
just convert it
What if you just run:
openssl rsa -inform pem -outform der -in test.key -out test.der
And use that key?
--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>