-
Notifications
You must be signed in to change notification settings - Fork 426
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix issue-2530 encrypted private keys is not working issue #2532
base: main
Are you sure you want to change the base?
Conversation
@lilgreenbird FYI |
thanks the team will take a look |
Thanks @lilgreenbird @Jeffery-Wasty can we expect this fix in 12.8.1 version or it will be available with new version of driver? |
@muskaan62 please see above you will need to agree to CLA before the PR can be considered and tests run on it |
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder; | ||
import org.bouncycastle.operator.InputDecryptorProvider; | ||
import org.bouncycastle.operator.OperatorCreationException; | ||
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo; | ||
import org.bouncycastle.pkcs.PKCSException; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You'll need to fix the issue without using Bouncy Castle. Try to use java.security instead. We want to limit Bouncy Castle use to Java 8 and drop it when Java 8 support ends.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@David-Engel Thanks..The existing code is already using bouncy castle for private keys, i've just added one more if condition for encrypted keys.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand that. But the existing code is only used within the context of the Always Encrypted with secure enclaves feature with Java 8 only, (https://github.com/microsoft/mssql-jdbc/blob/main/README.md#dependencies)
We can't extend the use of Bouncy Castle for other contexts/features without approval from our security team, as they didn't like the use of an external encryption library at all. We only got approval because it would be dropped when support for Java 8 ends.
If you have to limit the fix to Java 11+ only, I'm fine with that. We just need to update the docs appropriately.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @David-Engel I tried to use java security but looks with java 11 we do not have security providers to decrypt the keys and has to fall back on bouncy castle only...Yes, i want to limit this fix to java 11 only. please do lemme know if anything else needs to be done be from my end.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To clarify, I meant: If you have to limit this fix to Java 11+ only without using Bouncy Castle, I'm fine with that. I was assuming Bouncy Castle was only required for Java 8.
We can't extend our usage of Bouncy Castle to Java 11.
Can you fix it for Java 17+ without Bouncy Castle?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@David-Engel , thanks for your help here. Just wanted a clarification. We are presently using jdk11 to build our applications. And we are actively using the following bouncycastle APIs in our application:
<dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcpg-jdk18on</artifactId> <version>1.78.1</version> </dependency> <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcprov-ext-jdk18on</artifactId> <version>1.78.1</version> </dependency> <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcpkix-jdk18on</artifactId> <version>1.78.1</version> </dependency>
In the PR that is raised by @muskaan62 to address the issue being encountered while using mssql-jdbc driver, are you asking us to use bouncycastle if its jdk11 or below but don't do it for any jdk version from/beyond jdk17?
Also, can you clarify what is meant by jdk11+ and jdk17+?
thanks again.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @David-Engel
If i Understood correctly, then you are saying to fix this issue for java 17+ and the issue will still exist for java 8 and java 11??
We are using Java 11 in our applications and require a fix that works specifically for this version. I attempted to address the issue using the Java Security API, but encountered errors related to the provider. Upon investigation, it appears these errors stem from a known bug in JDK 11 (JDK-8231581) that remains unresolved.
we need a solution for Java 11. Most suggestions I found online recommend using Bouncy Castle. If you have any references or approaches to resolve this for Java 11, I would be glad to explore them. Thank you for your help!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Bouncy Castle has security issues it is not recommended to be used and is not approved by Microsoft. We are looking into a solution that does not require Bouncy Castle.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@lilgreenbird , thanks for the reply.
Can you pls help me more details around the security issues being present in the bouncy castle library? That will help me to see if I also need to have BC in my app or not. The more details around it would be appreciated.
@microsoft-github-policy-service agree company="Gaian Solutions" |
@lilgreenbird Done, lemme know anything else to be done from my end. |
I'm also encountering the same issue regarding to the encrypted private key when using |
client certificate without password (the test you provide for this scenario) [working]
client certificate with password [working]
client certificate with private key [working]
client certificate with private key and key password (i.e means encrypted key) [bug]
The above 3 ways are working fine but fourth is not ..
The logic for decrypt the private key is restricted to pvk though providing pvk key also its not working types and RSA private keys when decrypting also failing so added a fix for this. related to https://github.com/microsoft/mssql-jdbc/issues/2530