-
Notifications
You must be signed in to change notification settings - Fork 170
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SNOW-1272895: Key Pair Authentication with Encrypted Key Not Working #1683
Comments
Hello @KevinMellott91 , Thanks for raising the issue, will look into it. Regards, |
This issue is applicable to 3.15.0 too. |
I haven't gotten this working before (never tried in the past), but I was not able to get the 3.13.30 driver to work either. |
For context, I was trying driver 3.13.30 first because that is the version used within my Flyway version. When the Flyway connection could not be made, I dug deeper into the driver itself to find this issue. |
Hello @KevinMellott91 , This is a commonly known issue with Java not supporting most modern encrypted key types As a workaround you can try the below command if it doesnt work, please generate and export it from the older OpenSSL version, its still a secure private key of the legacy format. Regards, |
Hi @sfc-gh-sghosh thanks for the workaround information. Unfortunately, I won't be able to use this due to security team requirements. However, I was wondering if #1671 is a fix for this issue? If I'm understanding the update correctly, it appears it would add a configuration that would allow Bouncy Castle to handle the decryption aspects. |
Hi @KevinMellott91, Yes, that's the objective of PR #1671. Would it be possible for you to build that PR and test the fix? |
@sfc-gh-wfateem I just tested with a local version of the driver (built from that PR branch), and all worked as expected! That PR will fix this issue. |
PR #1671 has been merged and we'll add documentation concerning the new JVM argument. |
@sfc-gh-wfateem it doesn't seem like this has been documented yet? Just hit up against the same issue. Would be nice for this to be called out in the official documentation (perhaps near where it discusses generating keys in this way?) |
@Strainy thanks for letting us know. We added documentation about this here: |
What version of JDBC driver are you using?
3.15.0
What operating system and processor architecture are you using?
Macbook M1 Max, Sonoma 14.4.1
What version of Java are you using?
openjdk version "1.8.0_402"
OpenJDK Runtime Environment (Temurin)(build 1.8.0_402-b06)
OpenJDK 64-Bit Server VM (Temurin)(build 25.402-b06, mixed mode)
What did you do?
I'm unable to create a connection using the JDBC driver when using Key Pair authentication with an encrypted key. This works fine when using an unencrypted key, but that is not sufficient for our security needs.
To generate the key, I used the default instructions found at https://docs.snowflake.com/en/user-guide/key-pair-auth and am using openssl v3.1.1. I am also running the basic test program provided at https://docs.snowflake.com/en/developer-guide/jdbc/jdbc-using#java-sample-program.
openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8 openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
I was able to connect to the Snowflake account using these credentials with SnowSQL. The script for that is below for reference.
However, when I attempt to do so with the JDBC driver in a test program, I receive the error below.
I expected the JDBC driver to connect without issue.
Here are the full logs...
The text was updated successfully, but these errors were encountered: