swisscom / mssql-always-encrypted

A utils library to work with MSSQL Always Encrypted features
MIT License

pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1 #1

Open owen-transcarent opened 2 years ago

owen-transcarent commented 2 years ago

Hi @denysvitali

I followed your PR from the go-mssqldb project https://github.com/denisenkom/go-mssqldb/pull/637

It looks great! I'm not sure why Microsoft hasn't supported it in their fork, but I think Always Encrypted is a great security feature.

I've been trying to get the PR and this external mssql-always-encrypted lib to work in my repos. I am wondering if you came across an error with pkcs12: unknown digest algorithm when trying to use the PFX certs.

Here's what I have checked so far.

  1. I can read the PFX keystore w/ password. When I have a user that doesn't match it gives me the correct error about wrong cert.
     `error while scanning | invalid certificate being used to decrypt: currentuser/my/05c365ad6afaf88c598d85a5f137951e04c0906b requested but db5da876586e9949c0ac5fa5e772e24adbaac0e9 provided`
  2. When I use the correct user and the key is in the PFX file, it gives me this error:
     `error while running query | pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1`
  3. I checked the PFX file and am able to read it with openssl, extract the key and certs. And since I know #1 is not an issue, it seems to be with the algo.
  4. Googling around I found that that OID maps to a SHA-256 Message Digest. Does the PFX file have to be created from the SQL Server in a specific format?

The current algo to encrypt on our end is the standard: AEAD_AES_256_CBC_HMAC_SHA_256

This looks similar to what is supported by the mssql-always-encrypted library. https://github.com/swisscom/mssql-always-encrypted/tree/master/pkg/algorithms

Any help you can provide would be greatly appreciated.

Thanks so much for your contributions.

denysvitali commented 2 years ago

Hey @owen-transcarent, sorry for the late reply :(

> When I have a user that doesn't match it gives me the correct error about wrong cert.

This path comes directly from the CEK Table (it's stored in the DB): https://github.com/swisscom/go-mssqldb/blob/a4486a15644a4d590f0f6d1322e17c7e7bd7890e/token.go#L856-L861

You can eventually skip this part, but this means that the underlying certificate / private key is invalid, see: https://github.com/swisscom/mssql-always-encrypted/blob/master/pkg/alwaysencrypted.go#L24-L29

Sadly I'm not propagating the error from this method (sorry!) and thus you can't see why the verification fails.

> I checked the PFX file and am able to read it with openssl, extract the key and certs. And since I know #1 is not an issue, it seems to be with the algo.

It seems that this is due to Golang (?) supporting only the "old" pfx format, see https://github.com/hashicorp/terraform-provider-azurerm/issues/16228 and: https://discuss.hashicorp.com/t/azure-service-principal-client-certificate-error/32037/2
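
As an added example (not code from this repository or from either commenter): a small Go check that reads the unencrypted MacData of a DER-encoded PFX and reports which digest OID its integrity MAC uses, so a keystore in the newer SHA-256 format can be identified without its password. It assumes the OID in the reported error is the MAC digest; `MacDigest`, `constructedPFX` and the sample input are constructed for illustration.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

type pfxPdu struct { // outer PFX, RFC 7292 section 4; AuthSafe is kept opaque
	Version  int
	AuthSafe asn1.RawValue
	MacData  macData `asn1:"optional"`
}
type macData struct {
	Mac        digestInfo
	MacSalt    []byte
	Iterations int `asn1:"optional,default:1"`
}
type digestInfo struct { Algorithm pkix.AlgorithmIdentifier; Digest []byte }

var oidSHA1 = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}
var oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1} // OID in the reported error

// MacDigest returns the integrity-MAC digest OID of a DER-encoded PFX and whether it is SHA-1.
func MacDigest(der []byte) (string, bool, error) {
	var pfx pfxPdu
	if _, err := asn1.Unmarshal(der, &pfx); err != nil {
		return "", false, fmt.Errorf("not a DER-encoded PFX: %w", err)
	}
	alg := pfx.MacData.Mac.Algorithm.Algorithm
	if len(alg) == 0 {
		return "", false, fmt.Errorf("PFX carries no MacData")
	}
	return alg.String(), alg.Equal(oidSHA1), nil
}

// constructedPFX builds a minimal PFX shell (empty AuthSafe, all-zero MAC) as sample input.
func constructedPFX(digest asn1.ObjectIdentifier) []byte {
	mac := digestInfo{pkix.AlgorithmIdentifier{Algorithm: digest, Parameters: asn1.NullRawValue}, make([]byte, 32)}
	der, err := asn1.Marshal(pfxPdu{3, asn1.RawValue{FullBytes: []byte{0x30, 0}}, macData{mac, make([]byte, 8), 2048}})
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	fmt.Println(MacDigest(constructedPFX(oidSHA1)))
	fmt.Println(MacDigest(constructedPFX(oidSHA256)))
}
```

For a real keystore, pass the file's bytes (for example from `os.ReadFile`) to `MacDigest`; BER-encoded files with indefinite lengths need converting to DER first.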