SNOW-1909756: Unable to connect with key pair authentication #2061

Open
tosehee opened this issue Feb 3, 2025 · 3 comments
Labels
bug status-information_needed Additional information is required from the reporter status-triage Issue is under initial triage

tosehee commented Feb 3, 2025

Please answer these questions before submitting your issue.
In order to accurately debug the issue this information is required. Thanks!

  1. What version of JDBC driver are you using? -> 3.22.0

  2. What operating system and processor architecture are you using? Mac OSX

  3. What version of Java are you using? Java 17

  4. What did you do?

I am using the Hikari + Snowflake JDBC Drivers to connect using key pair authentication.

config.addDataSourceProperty("private_key_base64", privateKey);
config.addDataSourceProperty("private_key_pwd", privateKeyPw);

where "config" is the HikariConfig.

When trying to connect, I get the following error.

Caused by: net.snowflake.client.jdbc.SnowflakeSQLLoggedException: Private key provided is invalid or not supported: net.snowflake.client.jdbc.internal.org.bouncycastle.operator.OperatorCreationException: 1.2.840.113549.1.5.13 not available: Wrong algorithm: DESede or TripleDES required
at net.snowflake.client.jdbc.DefaultSFConnectionHandler.initialize(DefaultSFConnectionHandler.java:136) ~[snowflake-jdbc-3.22.0.jar!/:3.22.0]
at net.snowflake.client.jdbc.DefaultSFConnectionHandler.initializeConnection(DefaultSFConnectionHandler.java:104) ~[snowflake-jdbc-3.22.0.jar!/:3.22.0]
at net.snowflake.client.jdbc.SnowflakeConnectionV1.initConnectionWithImpl(SnowflakeConnectionV1.java:155) ~[snowflake-jdbc-3.22.0.jar!/:3.22.0]
at net.snowflake.client.jdbc.SnowflakeConnectionV1.<init>(SnowflakeConnectionV1.java:132) ~[snowflake-jdbc-3.22.0.jar!/:3.22.0]

  5. What did you expect to see?

Connect to Snowflakes DB.

  6. Can you set logging to DEBUG and collect the logs?

Caused by: net.snowflake.client.jdbc.SnowflakeSQLLoggedException: Private key provided is invalid or not supported: net.snowflake.client.jdbc.internal.org.bouncycastle.operator.OperatorCreationException: 1.2.840.113549.1.5.13 not available: Wrong algorithm: DESede or TripleDES required
at net.snowflake.client.jdbc.DefaultSFConnectionHandler.initialize(DefaultSFConnectionHandler.java:136) ~[snowflake-jdbc-3.22.0.jar!/:3.22.0]
at net.snowflake.client.jdbc.DefaultSFConnectionHandler.initializeConnection(DefaultSFConnectionHandler.java:104) ~[snowflake-jdbc-3.22.0.jar!/:3.22.0]
at net.snowflake.client.jdbc.SnowflakeConnectionV1.initConnectionWithImpl(SnowflakeConnectionV1.java:155) ~[snowflake-jdbc-3.22.0.jar!/:3.22.0]
at net.snowflake.client.jdbc.SnowflakeConnectionV1.<init>(SnowflakeConnectionV1.java:132) ~[snowflake-jdbc-3.22.0.jar!/:3.22.0]

@tosehee tosehee added the bug label Feb 3, 2025
@github-actions github-actions bot changed the title Unable to connect with key pair authentication SNOW-1909756: Unable to connect with key pair authentication Feb 3, 2025
@sfc-gh-sghosh sfc-gh-sghosh self-assigned this Feb 4, 2025
@sfc-gh-sghosh
Contributor

Hello @tosehee,

Thanks for raising the issue.

The error mentions "1.2.840.113549.1.5.13", which corresponds to PBES2 encryption, and the Snowflake driver expects TripleDES (DESede). Could you please check how you encrypted the key?

Could you please share the code snippet and the JDBC log? How did you generate the key? Did you add the Bouncy Castle jar files?

Regards,
Sujan

@sfc-gh-sghosh sfc-gh-sghosh added the status-triage Issue is under initial triage label Feb 4, 2025
@tosehee
Author

tosehee commented Feb 4, 2025

> Hello @tosehee,
>
> Thanks for raising the issue.
>
> The error mentions "1.2.840.113549.1.5.13", which corresponds to PBES2 encryption, and the Snowflake driver expects TripleDES (DESede). Could you please check how you encrypted the key?
>
> Could you please share the code snippet and the JDBC log? How did you generate the key? Did you add the Bouncy Castle jar files?
>
> Regards, Sujan

I followed Snowflake's doc word for word.

To create pk

openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out snowflakes.p8

To create pub key

openssl rsa -in snowflakes.p8 -pubout -out snowflakes.pub

And yes. The Bouncy Castle jar is in the classpath along with the latest Snowflake driver.

jar tf target/brightdata.jar | grep bc
BOOT-INF/lib/bcprov-jdk15on-1.70.jar
BOOT-INF/lib/snowflake-jdbc-3.22.0.jar

HikariConfig config = new HikariConfig();
config.setJdbcUrl(params.get("url"));

config.setConnectionTimeout(30000);
config.setUsername(params.get("username"));
config.setIdleTimeout(params.get("idleTimeout") != null ? Long.parseLong(params.get("idleTimeout")) : 300000);
config.setMinimumIdle(0);
config.setMaximumPoolSize(params.get("maxPoolSize") != null ? Integer.parseInt(params.get("maxPoolSize")) : 3);
config.setPoolName(name);
config.setMaxLifetime(params.get("maxLifetime") != null ? Long.parseLong(params.get("maxLifetime")) : 1200000);
config.setLeakDetectionThreshold(params.get("leakDetectionThreshold") != null ? Long.parseLong(params.get("leakDetectionThreshold")) : 900000);
config.setDriverClassName(params.get("jdbcDriver") != null ? params.get("jdbcDriver") : null);

config.addDataSourceProperty("cachePrepStmts", "true");
config.addDataSourceProperty("useServerPrepStmts", "true");
config.addDataSourceProperty("prepStmtCacheSize", params.get("pstmtCacheSize") != null ? params.get("pstmtCacheSize") : "250");
config.addDataSourceProperty("prepStmtCacheSqlLimit", params.get("pstmtSqlLimit") != null ? params.get("pstmtSqlLimit") : "1024");
config.addDataSourceProperty("useLocalSessionState", true);
config.addDataSourceProperty("rewriteBatchedStatements", true);
config.addDataSourceProperty("cacheResultSetMetadata", true);
config.addDataSourceProperty("cacheServerConfiguration", true);
config.addDataSourceProperty("elideSetAutoCommits", true);
config.addDataSourceProperty("maintainTimeStats", false);

if (params.containsKey("private_key_base64") && params.get("private_key_base64") != null && !params.get("private_key_base64").isEmpty()) {
    String privateKey = params.get("private_key_base64");

    if (!Base64.isBase64(privateKey)) {
        privateKey = Base64.encodeBase64String(privateKey.getBytes());
    }
    config.addDataSourceProperty("private_key_base64", privateKey);
}

if (params.containsKey("private_key_pwd") && params.get("private_key_pwd") != null && !params.get("private_key_pwd").isEmpty()) {
    String privateKeyPw = params.get("private_key_pwd");

    config.addDataSourceProperty("private_key_pwd", privateKeyPw);
}

return new HikariDataSource(config);
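
Added example, not part of the original thread or the driver's code: a stdlib-only Python check that reads the header of an `ENCRYPTED PRIVATE KEY` PEM and reports the PBE scheme, KDF and cipher it declares, so the OID quoted in the error (1.2.840.113549.1.5.13) can be compared with what a key file such as `snowflakes.p8` actually contains. The function names and `SAMPLE_PEM` are constructed for illustration; the sample carries dummy salt, IV and ciphertext.

```python
import base64

OIDS = {"1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
        "1.2.840.113549.3.7": "DES-EDE3-CBC", "2.16.840.1.101.3.4.1.42": "AES-256-CBC"}

def tlv(buf, pos):
    """Read one DER element at pos; return (value bytes, next position)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def oid(value):
    """Decode OBJECT IDENTIFIER content octets to a known name or dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last octet of this arc
            arcs, acc = arcs + [acc], 0
    dotted = ".".join(map(str, arcs))
    return OIDS.get(dotted, dotted)

def describe(pem):
    """Return (scheme, kdf, cipher, iterations) of an ENCRYPTED PRIVATE KEY PEM."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    epki, _ = tlv(base64.b64decode(b64), 0)   # EncryptedPrivateKeyInfo
    alg, _ = tlv(epki, 0)                     # encryptionAlgorithm
    scheme, p = tlv(alg, 0)
    if oid(scheme) != "PBES2":                # older PBE OIDs name KDF and cipher in one
        return oid(scheme), None, None, None
    params, _ = tlv(alg, p)                   # PBES2-params
    kdf, p = tlv(params, 0)                   # keyDerivationFunc
    enc, _ = tlv(params, p)                   # encryptionScheme
    kdf_oid, p = tlv(kdf, 0)
    kdf_params, _ = tlv(kdf, p)               # PBKDF2-params
    _salt, p = tlv(kdf_params, 0)
    iters, _ = tlv(kdf_params, p)
    enc_oid, _ = tlv(enc, 0)
    return oid(scheme), oid(kdf_oid), oid(enc_oid), int.from_bytes(iters, "big")

# Constructed sample (dummy salt, IV, ciphertext) with a PBES2 header per RFC 8018
SAMPLE_PEM = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.b64encode(bytes.fromhex(
    "3054304006092a864886f70d01050d3033301b06092a864886f70d01050c"   # PBES2, PBKDF2
    "300e0408010203040506070802020800"                                # salt, 2048 iterations
    "301406082a864886f70d030704081112131415161718"                    # DES-EDE3-CBC, IV
    "0410" + "00" * 16)).decode() + "\n-----END ENCRYPTED PRIVATE KEY-----\n"
```

In a PBES2 key the outer OID only names the scheme; the cipher is the inner `encryptionScheme` OID, which is the third value `describe` returns.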

@sfc-gh-sghosh
Contributor

Hello @tosehee,

Thanks for the update.
Are you able to connect using key-pair authentication outside Hikari?

Regards,
Sujan

@sfc-gh-sghosh sfc-gh-sghosh added the status-information_needed Additional information is required from the reporter label Feb 14, 2025