Bug #71271 | MySQL fails to load PKCS#8 private key with YaSSL | | |
---|---|---|---|
Submitted: | 2 Jan 2014 11:51 | Modified: | 9 Jul 2019 17:15 |
Reporter: | Daniël van Eeden (OCA) | Email Updates: | |
Status: | Won't fix | Impact on me: | |
Category: | MySQL Server: Security: Privileges | Severity: | S3 (Non-critical) |
Version: | 5.5.30, 5.6.15, 5.7.20, 8.0.3 | OS: | Any |
Assigned to: | | CPU Architecture: | Any |
Tags: | pkcs, private key, SSL, tls | | |
[2 Jan 2014 11:51]
Daniël van Eeden
[2 Jan 2014 17:35]
Daniël van Eeden
To convert from PKCS#8 to PKCS#1:

```sh
openssl rsa -in server-key-pkcs8.pem -out server-key-pkcs1.pem
```

To convert from PKCS#1 to PKCS#8:

```sh
openssl pkcs8 -topk8 -nocrypt -in server-key-pkcs1.pem -out server-key-pkcs8.pem
```

And YaSSL claims to support PKCS#8:

-----------------------
4.3.7.2 PKCS #8

PKCS #8 is designed as the Private-Key Information Syntax Standard, which is used to store private key information - including a private key for some public-key algorithm and set of attributes. The PKCS #8 standard has two versions which describe the syntax to store both encrypted private keys and non-encrypted keys. CyaSSL supports both non-encrypted and encrypted PKCS #8. Supported formats include PKCS #5 version 1 - version 2, and PKCS#12. Types of encryption available include DES, 3DES, RC4, and AES.

PKCS#8: http://tools.ietf.org/html/rfc5208
-----------------------

Source: http://www.yassl.com/yaSSL/Docs-cyassl-manual-4-features.html
[27 Jan 2014 20:20]
Sveta Smirnova
Thank you for the report. I cannot repeat the described behavior with current development versions of both the 5.5 and 5.6 branches, so closing as "Can't repeat". Please upgrade.
[28 Jan 2014 20:17]
Daniël van Eeden
5.6.14 Enterprise: Works
5.6.15 Community: Does not work.

```
dveeden@daniel-thinkpad:~/sandboxes$ egrep '^ssl' {msb_5_6_14-enterprise,msb_5_6_15}/my.sandbox.cnf
msb_5_6_14-enterprise/my.sandbox.cnf:ssl-ca = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/CAcert.pem
msb_5_6_14-enterprise/my.sandbox.cnf:ssl-cert = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/server-cert.pem
msb_5_6_14-enterprise/my.sandbox.cnf:ssl-key = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/server-key-pkcs8.pem
msb_5_6_15/my.sandbox.cnf:ssl-ca = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/CAcert.pem
msb_5_6_15/my.sandbox.cnf:ssl-cert = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/server-cert.pem
msb_5_6_15/my.sandbox.cnf:ssl-key = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/server-key-pkcs8.pem

dveeden@daniel-thinkpad:~/sandboxes$ grep "BEGIN" {msb_5_6_14-enterprise,msb_5_6_15}/ssl/server-key*.pem
msb_5_6_14-enterprise/ssl/server-key.pem:-----BEGIN RSA PRIVATE KEY-----
msb_5_6_14-enterprise/ssl/server-key-pkcs8.pem:-----BEGIN PRIVATE KEY-----
msb_5_6_15/ssl/server-key.pem:-----BEGIN RSA PRIVATE KEY-----
msb_5_6_15/ssl/server-key-pkcs8.pem:-----BEGIN PRIVATE KEY-----
```

Messages from 5.6.15:

```
SSL error: Unable to get private key from '/home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/server-key-pkcs8.pem'
2014-01-28 20:59:48 14084 [Warning] Failed to setup SSL
2014-01-28 20:59:48 14084 [Warning] SSL error: Unable to get private key
```
[28 Jan 2014 20:19]
Daniël van Eeden
Example SSL certs
Attachment: ssl.tar.bz2 (application/x-bzip, text), 4.20 KiB.
[28 Jan 2014 21:32]
Daniël van Eeden
5.6.15 compiled with "-DWITH_SSL=system": Works.

So:

- 5.5.30 C YaSSL: Doesn't work
- 5.6.14 E OpenSSL 1.0.1d (static): works
- 5.6.15 C YaSSL: Doesn't work
- 5.6.15 C OpenSSL 1.0.1c (dynamic): works
[28 Jan 2014 22:14]
Daniël van Eeden
Trace info (5.6.15 with YaSSL):

```
T@1 : >new_VioSSLFd
T@1 : | enter: key_file: '/home/dveeden/sandboxes/msb_5_6_15/ssl/server-key-pkcs8.pem' cert_file: '/home/dveeden/sandboxes/msb_5_6_15/ssl/server-cert.pem' ca_file: '/home/dveeden/sandboxes/msb_5_6_15/ssl/CAcert.pem' ca_path: 'NULL' cipher: 'NULL' crl_file: 'NULL' crl_path: 'NULL'
T@1 : | >my_malloc
T@1 : | | my: size: 8 my_flags: 0
T@1 : | | exit: ptr: 0x2d49d50
T@1 : | <my_malloc 66
T@1 : | >vio_set_cert_stuff
T@1 : | | enter: ctx: 0x2d48ba0 cert_file: /home/dveeden/sandboxes/msb_5_6_15/ssl/server-cert.pem key_file: /home/dveeden/sandboxes/msb_5_6_15/ssl/server-key-pkcs8.pem
T@1 : | | error: Unable to get private key from file '/home/dveeden/sandboxes/msb_5_6_15/ssl/server-key-pkcs8.pem'
T@1 : | <vio_set_cert_stuff 129
T@1 : | error: vio_set_cert_stuff failed
T@1 : | >report_errors
T@1 : | <report_errors 72
T@1 : | >my_free
T@1 : | | my: ptr: 0x2d49d50
T@1 : | <my_free 141
T@1 : <new_VioSSLFd 281
T@1 : info: ssl_acceptor_fd: 0x0
T@1 : >sql_print_warning
T@1 : | >vprint_msg_to_log
T@1 : | | >print_buffer_to_file
T@1 : | | | enter: buffer: Failed to setup SSL
T@1 : | | <print_buffer_to_file 2298
T@1 : | <vprint_msg_to_log 2330
T@1 : <sql_print_warning 2357
T@1 : >sql_print_warning
T@1 : | >vprint_msg_to_log
T@1 : | | >print_buffer_to_file
T@1 : | | | enter: buffer: SSL error: Unable to get private key
T@1 : | | <print_buffer_to_file 2298
T@1 : | <vprint_msg_to_log 2330
T@1 : <sql_print_warning 2357
```
[29 Jan 2014 9:30]
Daniël van Eeden
The 'regular' private key file:

```
$ openssl asn1parse -in server-key.pem
    0:d=0  hl=4 l=1188 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=4 l= 257 prim: INTEGER           :[...]
  268:d=1  hl=2 l=   3 prim: INTEGER           :010001
  273:d=1  hl=4 l= 256 prim: INTEGER           :[...]
  533:d=1  hl=3 l= 129 prim: INTEGER           :D8B0E6B14E1A8BC605777F42BD1BCB0B1B6AECD1B95D8C8C76E8E7F26CF32E07A19CA59CB637762B9CB4BF9477AF963B1D8AC3E70E0D95C0B87DF57170B4416C8D25F91DEA82B6CEA2D05C3729851848CBF91B9D2B0FE1728366495D6302189C6239224D6A05E64B3486E6368A7FDB09E5B8A7901198C7733D822526A4A9DC85
  665:d=1  hl=3 l= 129 prim: INTEGER           :C5EC941C5D3C393A3ADE85617BB4FC3255A06662EC87154CB2A17B09622B79B06143D51026FDBA951196957459E60D05A919AEDBF238EBF1627D789773146E93CEE36FFA181752AA965CAD4262536CDA1E4628A0BA3A8DC1BFABA05AB800FB93515C3429EDD9183272A874D9A0D8C62F8DCC5BAA7218737BEBDC258402AD64B5
  797:d=1  hl=3 l= 129 prim: INTEGER           :883ADF2E053E67357D665D19A62E7CFE64A45A7297A91A9D8C7C6CA65A9CA009A82F05677A9F6FA987819318520E8FD266864117581C6E5395298B4F605DD2EBDDE94BAEE52A7CA77870AA28FBEF730F013D8180D3FBCDEEE271421A760E714E8FE9FF88CFE919999A525D1559097CB9C234CF13A21C7CF8146967D5DD9BF4C9
  929:d=1  hl=3 l= 128 prim: INTEGER           :6794047AC78C31C2B87625453BD11E3E55334901B2188B5C050B9EF0ED302551D9C4FEE6A2111CA8D07886A44A3BAB4AF010E1C27703B4EE3105CAAB2F6D5CE4FB5B69096FBC1CE5EB247B0387A3730EBED32685DE8FB009D9FDBE405B9520131B7BEE4C970D8AAD33F5D698E1A5302A48C1CEA2E76CC65AEEB6D9E738E37715
 1060:d=1  hl=3 l= 129 prim: INTEGER           :A767D0477775CC97DF8BECF37CC96B6FC9C1572C0EAD103D3C2E5A440BA1EC1F7ADF9E301EE7DC14555FD9009DCBE02906BF6BA03F7FF6E94063A88D0BDEBE54AE6B00CBC6CD608A68E949FEC4DCC32ADFA3299E35DDB32EEC24A828352AF9D6DFADC4BA4049415B2B92F8FED87DE14A8AE47922FB32814293C3186361B7E1C5
```
[29 Jan 2014 9:30]
Daniël van Eeden
The PKCS#8 file:

```
$ openssl asn1parse -in server-key-pkcs8.pem
    0:d=0  hl=4 l=1214 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=2 l=  13 cons: SEQUENCE
    9:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   20:d=2  hl=2 l=   0 prim: NULL
   22:d=1  hl=4 l=1192 prim: [...]
```

The 'regular' key within the PKCS#8 file:

```
$ openssl asn1parse -in server-key-pkcs8.pem -strparse 22
    0:d=0  hl=4 l=1188 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=4 l= 257 prim: INTEGER           :[...]
  268:d=1  hl=2 l=   3 prim: INTEGER           :010001
  273:d=1  hl=4 l= 256 prim: INTEGER           :09B6C6B7872FB634499A6DE699EB3853BB25684AC43DA2509123961534B9AE01D9A2D2B8AD0C083939B834CF92AC7EB6FB210947A3EBF8D222E15D26AD764C1F966CCA55718712E516261BBAF97440721654C0D3454B4CB6A9E80B49EE682C71F5C5203BE84B8482FEE3D474E641A07192EDE0E2380381A26BC4B891256D0A5F88F9719DCF30F37BAB56C512A7A13DDC1AC583B9C57D345B16C1DADC4A9CB713E9A34300D67F7D487CF0348D5D92E673A771F74EB761BB0FF6E9B7F0E4E35BC8FFBDE827C7B07A5743D1A64AA2CEABCE07F342F06B388493B2EA93D4C3E855B7C00003ABC80D1ACC74E5F40C69A7D723C799D4066213CEAC62074A67A4A6AF81
  533:d=1  hl=3 l= 129 prim: INTEGER           :D8B0E6B14E1A8BC605777F42BD1BCB0B1B6AECD1B95D8C8C76E8E7F26CF32E07A19CA59CB637762B9CB4BF9477AF963B1D8AC3E70E0D95C0B87DF57170B4416C8D25F91DEA82B6CEA2D05C3729851848CBF91B9D2B0FE1728366495D6302189C6239224D6A05E64B3486E6368A7FDB09E5B8A7901198C7733D822526A4A9DC85
  665:d=1  hl=3 l= 129 prim: INTEGER           :C5EC941C5D3C393A3ADE85617BB4FC3255A06662EC87154CB2A17B09622B79B06143D51026FDBA951196957459E60D05A919AEDBF238EBF1627D789773146E93CEE36FFA181752AA965CAD4262536CDA1E4628A0BA3A8DC1BFABA05AB800FB93515C3429EDD9183272A874D9A0D8C62F8DCC5BAA7218737BEBDC258402AD64B5
  797:d=1  hl=3 l= 129 prim: INTEGER           :883ADF2E053E67357D665D19A62E7CFE64A45A7297A91A9D8C7C6CA65A9CA009A82F05677A9F6FA987819318520E8FD266864117581C6E5395298B4F605DD2EBDDE94BAEE52A7CA77870AA28FBEF730F013D8180D3FBCDEEE271421A760E714E8FE9FF88CFE919999A525D1559097CB9C234CF13A21C7CF8146967D5DD9BF4C9
  929:d=1  hl=3 l= 128 prim: INTEGER           :6794047AC78C31C2B87625453BD11E3E55334901B2188B5C050B9EF0ED302551D9C4FEE6A2111CA8D07886A44A3BAB4AF010E1C27703B4EE3105CAAB2F6D5CE4FB5B69096FBC1CE5EB247B0387A3730EBED32685DE8FB009D9FDBE405B9520131B7BEE4C970D8AAD33F5D698E1A5302A48C1CEA2E76CC65AEEB6D9E738E37715
 1060:d=1  hl=3 l= 129 prim: INTEGER           :A767D0477775CC97DF8BECF37CC96B6FC9C1572C0EAD103D3C2E5A440BA1EC1F7ADF9E301EE7DC14555FD9009DCBE02906BF6BA03F7FF6E94063A88D0BDEBE54AE6B00CBC6CD608A68E949FEC4DCC32ADFA3299E35DDB32EEC24A828352AF9D6DFADC4BA4049415B2B92F8FED87DE14A8AE47922FB32814293C3186361B7E1C5
```
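As an added example (not code from the bug report, MySQL or yaSSL), the two openssl conversions posted earlier and the layout the asn1parse listings show (PrivateKeyInfo = version, rsaEncryption AlgorithmIdentifier, OCTET STRING holding the RSAPrivateKey) done in Python with a minimal DER walker, keyed on the PEM armor label that yaSSL's loader checks. All function names are assumptions; the toy key at the end is constructed so the block runs stand-alone and is not a real key.

```python
# Added example (not MySQL or yaSSL code): tell PKCS#1 from PKCS#8 by the PEM label and
# convert either way with a minimal DER walker, mirroring the two openssl commands.
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1 rsaEncryption
PKCS1, PKCS8 = "RSA PRIVATE KEY", "PRIVATE KEY"  # armor labels: RSAPrivateKey vs PrivateKeyInfo

def pem_decode(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))
def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
def der_tlv(buf, pos=0):
    """Parse one definite-length DER TLV at `pos`; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits = number of length bytes
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length
def der_encode(tag, value):
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n]) + value if n < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb + value
def pkcs8_to_pkcs1(der):
    """PrivateKeyInfo -> RSAPrivateKey: the OCTET STRING that asn1parse -strparse 22 showed."""
    tag, body, _ = der_tlv(der)                  # SEQUENCE { version, algorithm, privateKey }
    _, version, pos = der_tlv(body)
    _, alg, pos = der_tlv(body, pos)
    inner_tag, inner, _ = der_tlv(body, pos)
    if tag != 0x30 or version != b"\x00" or inner_tag != 0x04:
        raise ValueError("not a version-0 PrivateKeyInfo")
    if der_tlv(alg)[:2] != (0x06, RSA_OID):      # OID inside AlgorithmIdentifier
        raise ValueError("algorithm is not rsaEncryption; PKCS#1 holds RSA keys only")
    return inner
def pkcs1_to_pkcs8(der):
    alg = der_encode(0x30, der_encode(0x06, RSA_OID) + b"\x05\x00")   # rsaEncryption, NULL
    return der_encode(0x30, b"\x02\x01\x00" + alg + der_encode(0x04, der))
def convert(pem):
    """PKCS#8 PEM -> PKCS#1 PEM (the form yaSSL's loader accepts), or the reverse."""
    label, der = pem_decode(pem)
    if label not in (PKCS1, PKCS8):
        raise ValueError(f"unsupported PEM label {label!r}")
    return pem_encode(PKCS1, pkcs8_to_pkcs1(der)) if label == PKCS8 else pem_encode(PKCS8, pkcs1_to_pkcs8(der))
TOY_PKCS1 = der_encode(0x30, b"".join(der_encode(0x02, v) for v in (   # constructed toy key:
    b"\x00", b"\x00\xc3\x07", b"\x01\x00\x01", b"\x3b", b"\x0b", b"\x0d", b"\x01", b"\x01", b"\x05")))  # right shape, not a real key
```

Feeding a PEM whose AlgorithmIdentifier is not rsaEncryption (an EC key, for instance) raises instead of silently producing a bogus "RSA PRIVATE KEY" file.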
[29 Jan 2014 12:05]
Sveta Smirnova
I was able to repeat it with Community binaries mysql-5.6.15-linux-glibc2.5-x86_64.tar.gz Set to "Verified".
[2 Feb 2014 14:38]
Viktor Štujber
If I'm right, the reason for this is quite silly:

```c
// convert PEM file to DER x509 type
x509* PemToDer(FILE* file, CertType type, EncryptedInfo* info)
{
    ...
    strncpy(header, "-----BEGIN RSA PRIVATE KEY-----", sizeof(header));
    strncpy(footer, "-----END RSA PRIVATE KEY-----", sizeof(header));
    ...
}
```

This will not match DSA nor EC keys. Although all it does is strip the armoring, base64-decode the contents and feed it to x509 code - so there is no specific dependency on RSA here. The code should be made more flexible...
[4 Feb 2014 13:26]
Daniël van Eeden
Simple test:

```
$ cat mysql-test/t/ssl_key_pkcs8.test
$ cat mysql-test/t/ssl_key_pkcs8-master.opt
--loose-ssl-key=$MYSQL_TEST_DIR/std_data/server-key-pkcs8.pem
$ cat mysql-test/std_data/server-key-pkcs8.pem
-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAzeSHUZ1yEaDR+vOS
ixMc6/fimi9yqNZlSNFprxvATBPlYGBRQemrprwTuwxeMnzZbJ7NBSSEeNuAkS7Y
iCvC7QIDAQABAkEAm7CEVsXc3NGkFsSaeongY9rVQkxAwsUkX7Ti2qP8fElwAhWE
4mEaaa1g3DXKPP9mw+d8kIzPh4U612O8a1+l4QIhAOYUWDZYu9ij7ab3D1XvPhki
SDuLFiQj85tRRy19mQ85AiEA5Raeu+MWsBdsi9hP9hHnT7dkMsRznVfE2AmdapZi
XVUCIQCdM4VaDKK8ULUOAXw+8Ony7lOAK3YDV3UYyB3j3Q75MQIgL9YyXT+FPE4X
33fS8qo4Z//+j09QaRmrxAT19wziC2UCIASI5wWmcuO1aPnuOuG7DbXi5ycHmuSW
RBB74C1wBE2S
-----END PRIVATE KEY-----
```

The server-key-pkcs8.pem file was generated with:

```sh
openssl pkcs8 -topk8 -nocrypt -in server-key.pem -out server-key-pkcs8.pem
```
[10 Oct 2014 9:40]
Dave Kelly
See #59227. Your info re: PKCS#1 vs. #8 explains the difference between the two formats, but apparently the bug remains.
[2 Jan 2016 12:07]
Sascha Curth
This bug still exists in 5.5.46-0ubuntu0.14.04.2-log. Converting to pkcs1 works.

```sh
openssl rsa -in privkey.pem -out privkey1-pkcs1.pem
```
[14 Apr 2016 13:02]
Tom Sommer
How is this not fixed for 2+ years? Come on.
[29 Dec 2017 20:50]
Daniël van Eeden
Related: Bug #88865 Add in ECC SSL Support
[15 Jan 2019 15:53]
Daniël van Eeden
I consider this fixed. MySQL 5.7 works if linked against OpenSSL (not the default for Community Edition). MySQL 8.0.4 is linked against OpenSSL by default. YaSSL has been replaced with WolfSSL in 8.0.
[9 Jul 2019 17:15]
Paul DuBois
Posted by developer: This is a yaSSL issue. yaSSL support is removed as of MySQL 5.6.46/5.7.28, so this bug is being closed with no action taken.
[19 Sep 2019 11:37]
MySQL Verification Team
Bug #96945 marked as duplicate of this one
[20 Sep 2019 2:38]
Samson Lin
I am using 5.7.27. The issue still exists. I submitted a bug report and found that it is a duplicate of this issue. What is the production version release date for 5.7.28? The latest version available from the Oracle MySQL download site is 5.7.27.
[20 Sep 2019 3:53]
Samson Lin
I guess the release date of 5.7.28 should be at the end of Oct. :) Hope so.