Re: libpq sslpassword parameter and callback function
Andrew Dunstan <andrew.dunstan@2ndquadrant.com>
From: Andrew Dunstan <andrew.dunstan@2ndquadrant.com>
To: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2019-11-28T00:06:10Z
Lists: pgsql-hackers
Attachments
- 0001-libpq-sslpassword-der-support.patch (text/x-patch)
On 11/25/19 4:09 PM, Andrew Dunstan wrote: > On 10/31/19 7:27 PM, Andrew Dunstan wrote: >> On 10/31/19 6:34 PM, Andrew Dunstan wrote: >>> This time with attachment. >>> >>> >>> On 10/31/19 6:33 PM, Andrew Dunstan wrote: >>>> This patch provides for an sslpassword parameter for libpq, and a hook >>>> that a client can fill in for a callback function to set the password. >>>> >>>> >>>> This provides similar facilities to those already available in the JDBC >>>> driver. >>>> >>>> >>>> There is also a function to fetch the sslpassword from the connection >>>> parameters, in the same way that other settings can be fetched. >>>> >>>> >>>> This is mostly the excellent work of my colleague Craig Ringer, with a >>>> few embellishments from me. >>>> >>>> >>>> Here are his notes: >>>> >>>> >>>> Allow libpq to non-interactively decrypt client certificates that >>>> are stored >>>> encrypted by adding a new "sslpassword" connection option. >>>> >>>> The sslpassword option offers a middle ground between a cleartext >>>> key and >>>> setting up advanced key mangement via openssl engines, PKCS#11, USB >>>> crypto >>>> offload and key escrow, etc. >>>> >>>> Previously use of encrypted client certificate keys only worked if >>>> the user >>>> could enter the key's password interactively on stdin, in response >>>> to openssl's >>>> default prompt callback: >>>> >>>> Enter PEM passhprase: >>>> >>>> That's infesible in many situations, especially things like use from >>>> postgres_fdw. >>>> >>>> This change also allows admins to prevent libpq from ever prompting >>>> for a >>>> password by calling: >>>> >>>> PQsetSSLKeyPassHook(PQdefaultSSLKeyPassHook); >>>> >>>> which is useful since OpenSSL likes to open /dev/tty to prompt for a >>>> password, >>>> so even closing stdin won't stop it blocking if there's no user >>>> input available. >>>> Applications may also override or extend SSL password fetching with >>>> their own >>>> callback. >>>> >>>> There is deliberately no environment variable equivalent for the >>>> sslpassword >>>> option. >>>> >>>> >> I should also mention that this patch provides for support for DER >> format certificates and keys. >> >> > > Here's an updated version of the patch, adjusted to the now committed > changes to TestLib.pm. > > Here's an update now we have backed out the TestLib changes. The tests that need a pty are skipped. cheers andrew -- Andrew Dunstan https://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Commits
-
libq support for sslpassword connection param, DER format keys
- 4dc63552109f 13.0 landed