Open owen-transcarent opened 2 years ago
Hey @owen-transcarent, sorry for the late reply :(
When I have a user that doesn't match, it gives me the correct error about the wrong cert.
This path comes directly from the CEK Table (it's stored in the DB): https://github.com/swisscom/go-mssqldb/blob/a4486a15644a4d590f0f6d1322e17c7e7bd7890e/token.go#L856-L861
You can eventually skip this part, but this means that the underlying certificate / private key is invalid, see: https://github.com/swisscom/mssql-always-encrypted/blob/master/pkg/alwaysencrypted.go#L24-L29
Sadly I'm not propagating the error from this method (sorry!) and thus you can't see why the verification fails.
> I checked the PFX file and was able to read it with openssl, extract the key and certs. And since I know https://github.com/swisscom/mssql-always-encrypted/issues/1 is not an issue, it seems to be something with the algo.
It seems that this is due to Golang (?) supporting only the "old" pfx format, see https://github.com/hashicorp/terraform-provider-azurerm/issues/16228 and: https://discuss.hashicorp.com/t/azure-service-principal-client-certificate-error/32037/2
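The `pkcs12: unknown digest algorithm` error above comes from the PFX integrity MAC, not from the key or the Always Encrypted algorithm: `golang.org/x/crypto/pkcs12` only verifies a SHA-1 MAC, while OpenSSL 3 writes a SHA-256 MAC by default. The following added example (not code from this project or from go-mssqldb) reads only the outer PKCS#12 structure, so it can tell a legacy-compatible PFX from a modern one without the password; `SamplePFX` builds constructed placeholder files for both cases.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Outer PKCS#12 layout (RFC 7292, section 4); only MacData, which names the MAC digest, is decoded.
type pfxPdu struct {
	Version  int
	AuthSafe asn1.RawValue // ContentInfo holding the (encrypted) bags; left opaque here
	MacData  macData       `asn1:"optional"`
}
type macData struct {
	Mac        digestInfo
	MacSalt    []byte
	Iterations int `asn1:"optional,default:1"`
}
type digestInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	Digest    []byte
}
var oidSHA1 = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}               // the only MAC digest golang.org/x/crypto/pkcs12 accepts
var oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1} // OpenSSL 3 default; yields "unknown digest algorithm"
// MacDigest: MAC digest name and whether a SHA-1-only decoder (golang.org/x/crypto/pkcs12) can verify the file; no password needed.
func MacDigest(der []byte) (string, bool, error) {
	var pfx pfxPdu
	if rest, err := asn1.Unmarshal(der, &pfx); err != nil || len(rest) != 0 {
		return "", false, fmt.Errorf("not a well-formed PFX: %v (%d trailing bytes)", err, len(rest))
	}
	alg := pfx.MacData.Mac.Algorithm.Algorithm
	switch {
	case len(alg) == 0:
		return "", false, fmt.Errorf("PFX carries no MacData")
	case alg.Equal(oidSHA1):
		return "sha1", true, nil
	case alg.Equal(oidSHA256):
		return "sha256", false, nil
	}
	return alg.String(), false, nil
}
// SamplePFX: constructed PFX shell with the given MAC digest; the empty id-data authSafe and zeroed digest are placeholders, not key material.
func SamplePFX(mac asn1.ObjectIdentifier) []byte {
	idData, _ := asn1.Marshal(asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1})
	pfx := pfxPdu{Version: 3, AuthSafe: asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true, Bytes: idData}}
	pfx.MacData = macData{Mac: digestInfo{pkix.AlgorithmIdentifier{Algorithm: mac}, make([]byte, 32)}, MacSalt: []byte("saltsalt"), Iterations: 2048}
	der, _ := asn1.Marshal(pfx) // constructed input: cannot fail
	return der
}
```

A file that reports `sha256` here needs either a PKCS#12 library with SHA-256 MAC support or a re-export of the PFX in legacy mode, as the linked HashiCorp threads describe.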
Hi @denysvitali
I followed your PR from the go-mssqldb project https://github.com/denisenkom/go-mssqldb/pull/637
It looks great! I'm not sure why Microsoft hasn't supported it in their fork, but I think Always Encrypted is a great security feature.
I've been trying to get the PR and this external mssql-always-encrypted lib to work in my repos. I am wondering if you came across an error with
pkcs12: unknown digest algorithm
when trying to use the PFX certs. Here's what I have checked so far.
I checked the PFX file and was able to read it with openssl, extract the key and certs. And since I know #1 is not an issue, it seems to be something with the algo.
Googling around I found that that OID maps to a SHA-256 message digest. Does the PFX file have to be created from the SQL Server in a specific format?
The current algo to encrypt on our end is the standard:
AEAD_AES_256_CBC_HMAC_SHA_256
This looks similar to what is supported by the mssql-always-encrypted library: https://github.com/swisscom/mssql-always-encrypted/tree/master/pkg/algorithms
Any help you can provide would be greatly appreciated.
Thanks so much for your contributions.