RUST-226 Support tlsCertificateKeyFilePassword

[abr-egn]

RUST-226

This will (probably; I'm not sure how to test it) allow using tlsCertificateKeyFilePassword or the corresponding in-code option field. Should work for both rustls-tls and openssl-tls.

[kevinAlbs]

LGTM with additional suggestions applied.

Testing with the drivers-evergreen-tools certificates initially got this error:

Error { kind: InvalidTlsConfig { message: "Invalid encrypted private key: PKCS#8 ASN.1 error: unknown/unsupported OID: 1.2.840.113549.3.7 at DER byte 66" }, labels: {}, wire_version: None, source: None }

OID 1.2.840.113549.3.7 refers to a DES algorithm. The error was fixed by adding features 3des, des-insecure, and sha1-insecure:

pkcs8 = { version = "0.10.2", features = [
    "encryption",
    "pkcs5",
    "3des",
    "des-insecure",
    "sha1-insecure",
] }

However, https://docs.rs/pkcs8/latest/pkcs8/ notes:

DES support (gated behind the des-insecure feature) is implemented to allow for decryption of legacy PKCS#8 files only.

I expect that the drivers-evergreen-tools certificate using outdated algorithms. I suggest keeping those feature flags out for now (as is done in current changes).

With those feature flags added, I was able to connect (both with openssl-tls and without) with this test.

[abr-egn]

I expect that the drivers-evergreen-tools certificate using outdated algorithms. I suggest keeping those feature flags out for now (as is done in current changes).

Yup, that makes sense. Downstream users can enable those features if they happen to be using keys with those algorithms.

With those feature flags added, I was able to connect (both with openssl-tls and without) with this test.

Thank you!

[abr-egn]

Update: I've put this behind an optional feature flag, since my expectation is that the very large majority of users will never want this and that avoids pulling in extra dependencies for them.

[isabelatkinson]

Code changes LGTM. There's a parsing test in src/client/options/test.rs that can be unskipped as part of this as well. Would it be feasible to add something like Kevin's test to CI? I'd like to avoid inadvertently breaking this in the future

[abr-egn]

Code changes LGTM. There's a parsing test in src/client/options/test.rs that can be unskipped as part of this as well. Would it be feasible to add something like Kevin's test to CI? I'd like to avoid inadvertently breaking this in the future

Unskipped the test; I'd like to leave the CI integration test for a follow-up PR for expediency and to make merging into the backport branch simpler.

[isabelatkinson]

I'd like to leave the CI integration test for a follow-up PR for expediency and to make merging into the backport branch simpler.

Makes sense, filed RUST-2112