pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1 #1
Comments
|
Hey @owen-transcarent, sorry for the late reply :(
This path comes directly from the CEK Table (it's stored in the DB): You can eventually skip this part, but this means that the underlying certificate / private key is invalid, see: Sadly I'm not propagating the error from this method (sorry!) and thus you can't see why the verification fails.
It seems that this is due to Golang (?) supporting only the "old" pfx format, see hashicorp/terraform-provider-azurerm#16228 and: |
Hi @denysvitali
I followed your PR from the go-mssqldb project
denisenkom/go-mssqldb#637
It looks great! I'm not sure why Microsoft hasn't supported it in their fork, but I think Always Encrypted is a great security feature.
I've been trying to get the PR and this external mssql-always-encrypted lib to work in my repos. I am wondering if you came across an error with
pkcs12: unknown digest algorithmwhen trying to use the PFX certs.Here's what I have checked so far.
I checked the PFX file and able to read it with openssl, extract the key and certs. And since I know pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1 #1 is not an issue, it seems to be with what the algo.
Googling around I found that that OID maps to a SHA-256 Message Digest. Does the PFX file have to be created from the SQL Server in a specific format?
The current algo to encrypt on our end is the standard:
AEAD_AES_256_CBC_HMAC_SHA_256This looks similar to what is supported by the msqql-always-encrypted library. https://github.com/swisscom/mssql-always-encrypted/tree/master/pkg/algorithms
Any help you can provide would be greatly appreciated.
Thanks so much for your contributions.
The text was updated successfully, but these errors were encountered: