Issue with SSL and password protected keys in DER/PK8 format

From: Derek Zasiewski
Subject: Issue with SSL and password protected keys in DER/PK8 format
Msg-id: YT2PR01MB5903905630BDBFA6A338E1CFB8AF9@YT2PR01MB5903.CANPRD01.PROD.OUTLOOK.COM
Responses: Re: Issue with SSL and password protected keys in DER/PK8 format (Magnus Hagander <magnus@hagander.net>)
List: pgsql-bugs

Hello,


We leverage PostgreSQL (currently version 13.7) in our product and use two different means of communication:

  1. JDBC driver directly from our Java code – the majority of our interactions use this mechanism
  2. Our process calls the psql and pg_dump binaries for some selective features such as making backups, etc. (in which case it is my understanding that psql and pg_dump use the libpq library to make connections).

When PostgreSQL runs over SSL, specifically two-way SSL, and has been configured to expect client certificates for handshakes – if the private key is password protected, communication using method #2 (from above) fails when the key is in DER format. I use the following line to convert the PEM key to DER:


openssl pkcs8 -topk8 -inform PEM -outform DER -in test.pem -out test.pem.pk8


That line will produce a DER-encoded private key that is still password protected. That key can be successfully used with a JDBC connection, but when used directly through the psql or pg_dump binaries we get an error message:


psql: error: could not load private key file "test.pem.pk8": no start line


Please note that if the PK8 key is not password protected – everything works. Essentially, if the key is in PEM format – we can use it via JDBC (#1) and directly through the binaries (#2) regardless of whether it is password protected or not. But for DER format, if the key is password protected then JDBC will work but directly calling psql or pg_dump (or pg_restore) will fail.


Cheers,


Derek


Derek Zasiewski | InfoArchive

Senior Principal | Security Advocate

Toronto, Canada

mobile: 416-526-6400
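As an added example (not part of the original report and not libpq code), a Python preflight check that tells an operator which of the four combinations from this report a client key file is in: it reads the PEM label or, for DER, the outer PKCS#8 structure (EncryptedPrivateKeyInfo starts with an AlgorithmIdentifier SEQUENCE, PrivateKeyInfo with an INTEGER version). The sample blobs are constructed structural stand-ins rather than real keys, and the libpq_ok verdict simply encodes the behaviour observed in the report (PEM loads either way, DER only when unencrypted).

```python
import re
PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def _tlv(buf: bytes, pos: int):
    """Parse one DER tag/length at pos; return (tag, content_start, content_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), hdr + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, start, end

def classify_key(data: bytes) -> dict:
    """Container format, whether the key is password protected, and whether psql/pg_dump
    (libpq) loaded it in the report: PEM in both cases, DER only when unencrypted."""
    m = PEM_HEADER.match(data.lstrip())
    if m:
        label = m.group(1).decode()
        encrypted = label == "ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in data
        return {"format": "PEM", "encrypted": encrypted, "libpq_ok": True}
    # Not PEM: this is the input on which OpenSSL's PEM reader reports "no start line".
    tag, start, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("neither PEM nor a DER SEQUENCE")
    inner, _, _ = _tlv(data, start)
    if inner == 0x02:       # PrivateKeyInfo (or legacy RSAPrivateKey): INTEGER version first
        encrypted = False
    elif inner == 0x30:     # EncryptedPrivateKeyInfo: AlgorithmIdentifier SEQUENCE first
        encrypted = True
    else:
        raise ValueError("unrecognised DER key structure")
    return {"format": "DER", "encrypted": encrypted, "libpq_ok": not encrypted}

def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder (short and long length forms) used only to build the samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed structural samples, not real keys: OIDs are rsaEncryption and PBES2 (PKCS#5).
RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d010101"))
PBES2_OID = _der(0x06, bytes.fromhex("2a864886f70d01050d"))
PLAIN_PK8 = _der(0x30, _der(0x02, b"\x00") + _der(0x30, RSA_OID + _der(0x05, b"")) + _der(0x04, b"\x00" * 200))
ENC_PK8 = _der(0x30, _der(0x30, PBES2_OID + _der(0x30, b"")) + _der(0x04, b"\x00" * 200))
PEM_ENC = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIB\n-----END ENCRYPTED PRIVATE KEY-----\n"
```

Run it against the real test.pem and test.pem.pk8 files with `classify_key(open(path, "rb").read())`; a DER result with `encrypted: True` is the combination the report shows failing.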
