
cockroach connect join gets confused by CA key file format #64942

Open
knz opened this issue May 10, 2021 · 0 comments · May be fixed by #64943
Labels
A-authentication Pertains to authn subsystems A-security C-bug Code not up to spec/doc, specs & docs deemed correct. Solution expected to change code/behavior. T-server-and-security DB Server & Security

knz commented May 10, 2021

I was trying to do QA for #63492 and ran into the following error:

```
ERROR: failed to initialize host certs after writing CAs to disk:
  failed to load or create InterNode certificates:
  failed to create Service Cert and Key:
  failed to parse valid Private Key from PEM blob:
  x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)
```

This is because this particular ca.key on the existing node is indeed stored as a PKCS#8 package, not PKCS#1. I found out in Go's own tls package that the CA key is customarily loaded like this:

```go
package tls

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/rsa"
	"crypto/x509"
	"errors"
)

// parsePrivateKey (from Go's crypto/tls) tries each DER encoding in turn:
// PKCS#1, then PKCS#8 (restricted to known key types), then SEC 1 EC.
func parsePrivateKey(der []byte) (crypto.PrivateKey, error) {
	if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
		return key, nil
	}
	if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
		switch key := key.(type) {
		case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey:
			return key, nil
		default:
			return nil, errors.New("tls: found unknown private key type in PKCS#8 wrapping")
		}
	}
	if key, err := x509.ParseECPrivateKey(der); err == nil {
		return key, nil
	}

	return nil, errors.New("tls: failed to parse private key")
}
```

Which is why we hadn't noticed this problem before.

Jira issue: CRDB-7356
Epic: CRDB-6663
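As an added illustration (not code from this issue or from CockroachDB), the program below loads a PEM private key with the same fallback order as crypto/tls, reports which encoding matched, and writes one constructed RSA key in both PKCS#1 and PKCS#8 PEM so the mismatch behind the error above can be reproduced offline. The `loadPrivateKeyPEM` name and the generated key are assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// loadPrivateKeyPEM decodes one PEM block and tries the DER encodings a CA key
// may use (PKCS#1, PKCS#8, SEC 1 EC) in turn, in the order crypto/tls uses.
// The second return value names the encoding that matched.
func loadPrivateKeyPEM(pemBytes []byte) (crypto.PrivateKey, string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, "", errors.New("no PEM block found")
	}
	if key, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
		return key, "PKCS#1", nil
	}
	if key, err := x509.ParsePKCS8PrivateKey(block.Bytes); err == nil {
		switch key := key.(type) {
		case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey:
			return key, "PKCS#8", nil
		}
		return nil, "", errors.New("unknown private key type in PKCS#8 wrapping")
	}
	if key, err := x509.ParseECPrivateKey(block.Bytes); err == nil {
		return key, "SEC1", nil
	}
	return nil, "", errors.New("failed to parse private key")
}

func main() {
	// Constructed key: the same RSA key written in both PEM encodings.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	pkcs1 := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	pkcs8Der, _ := x509.MarshalPKCS8PrivateKey(key)
	pkcs8 := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8Der})
	for _, p := range [][]byte{pkcs1, pkcs8} {
		_, format, err := loadPrivateKeyPEM(p)
		fmt.Println(format, err)
	}
}
```

Feeding the PKCS#8 blob to `x509.ParsePKCS1PrivateKey` alone reproduces the "use ParsePKCS8PrivateKey instead" error from the report, while the fallback loader accepts both encodings of the same key.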

@knz knz added C-bug Code not up to spec/doc, specs & docs deemed correct. Solution expected to change code/behavior. A-security labels May 10, 2021
@jlinder jlinder added the T-server-and-security DB Server & Security label Jun 16, 2021
@knz knz added the A-authentication Pertains to authn subsystems label Jul 29, 2021