SNOW-899319: Encrypted Private Key connection not working

[Dionakra]

1. What version of JDBC driver are you using?
3.14.0

2. What operating system and processor architecture are you using?
MacOs Ventura 13.4.1, Intel

3. What version of Java are you using?
Java 17

4. What did you do?
I tried to connect to Snowflake using a Spring Boot application with Encripted Key-Pair authentication. When trying to do it, it throws the following error:
Private key provided is invalid or not supported: [REDACTED]: PBE parameter parsing error: expecting the object identifier for AES cipher

net.snowflake.client.jdbc.SnowflakeSQLLoggedException: Private key provided is invalid or not supported: [REDACTED]: PBE parameter parsing error: expecting the object identifier for AES cipher
	at net.snowflake.client.jdbc.DefaultSFConnectionHandler.initialize(DefaultSFConnectionHandler.java:117) ~[snowflake-jdbc-3.14.0.jar:3.14.0]
	at net.snowflake.client.jdbc.DefaultSFConnectionHandler.initializeConnection(DefaultSFConnectionHandler.java:85) ~[snowflake-jdbc-3.14.0.jar:3.14.0]
	at net.snowflake.client.jdbc.SnowflakeConnectionV1.initConnectionWithImpl(SnowflakeConnectionV1.java:116) ~[snowflake-jdbc-3.14.0.jar:3.14.0]
	at net.snowflake.client.jdbc.SnowflakeConnectionV1.<init>(SnowflakeConnectionV1.java:96) ~[snowflake-jdbc-3.14.0.jar:3.14.0]
	at net.snowflake.client.jdbc.SnowflakeDriver.connect(SnowflakeDriver.java:187) ~[snowflake-jdbc-3.14.0.jar:3.14.0]

I generated the Key-Pair as per the docs and added the public key to the user, but it doesn't work. If I repeat the steps, but with an unencrypted Key-Pair, it works.

My OpenSSL version info is the following:

OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
built on: Tue Aug  1 13:36:55 2023 UTC
platform: darwin64-x86_64-cc

5. What did you expect to see?
A connection to Snowflake, as it occurs when using Unencripted Key-Pair authentication.

[sfc-gh-spanaite]

Hi @Dionakra , can you test the generated key/pair with SnowSQL to confirm the keys are actually good?

[sfc-gh-spanaite]

@Dionakra Have you had a chance to test?

[sfc-gh-spanaite]

Hi @Dionakra , I am able to reproduce this on Ubuntu 22.04.
The only workaround I have so far is to use OpenJDK 19 rather than 17 and generate the rsa key using AES rather than 3-DES since OpenJDK lacks support for 3-DES in EncryptedPrivateKeyInfos.

This works with OpenJDK 19 and OpenSSL 3.x generated rsa:

openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 aes128 -inform PEM -out rsa_key.p8
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

[Dionakra]

Hi @sfc-gh-spanaite ,

I came to the same conclusion as I saw that the Snowflake Kafka Connector worked for us as intended, but the docs for generating the Key-Pair are a bit different that the general one.

The JDBC docs link to this document, but the Kafka Connect docs don't link to that document, they re-write it because, I guess, the team responsible for the Kafka Connect already knew that the JDBC docs weren't working for them.

And if you take a look at the Snowflake Kafka Connect source code, you will be able to see that they perform some custom encryption stuff to get it working in older Java versions, as the connector works fine in a Kafka Connect cluster with Java 11 for example.

So I guess this should be put in some docs? We migrated to Java 21 as it just hit LTS and it solved our issue, but this should be disclosed in Snowflake's docs.

[sfc-gh-spanaite]

Thanks, @Dionakra for this good feedback. Let me circle it back internally.

[radhe-kishan]

I was trying to use key-pair as described in section private-key-file-name-and-password-as-connection-properties.
But it gives me net.snowflake.client.jdbc.SnowflakeSQLLoggedException: Missing password. error.
Driver Version 3.14.4
I am setting

{
private_key_file=/Users/radhe.soni/work/CDP-Platform/key-pair/RSONI_without.p8,
 private_key_file_pwd=yes,
 application=DBeaver_DBeaver,
 authenticator=snowflake, user=RSONI
}

• Using Snowflake Driver Instance →

• Connection Props →

• It basically breaks in Sanity check

• I think it should not look for password when private_key_file property is set.

[sfc-gh-wfateem]

PR #1671 addresses the original issue reported:

net.snowflake.client.jdbc.SnowflakeSQLLoggedException: Private key provided is invalid or not supported: [REDACTED]: PBE parameter parsing error: expecting the object identifier for AES cipher

@radhe-kishan can I ask you to open a separate issue, please? What you're describing is a different problem and I'll need to look into that a bit more to see what's going on because I haven't personally run into that issue when I was working on that PR I mentioned. I was running tests using keypair authentication and I don't believe I was providing a user password, but it's not something I looked at too closely.

Closing this since the original issue is going to be addressed in the next JDBC release.