logstash-plugins/logstash-input-beats

LogStash::ConfigurationError: File does not contain valid private key

kares opened this issue · 1 comments

kares commented

This issue will happen whenever Java fails to read PKCS#8 keys created by OpenSSL tools:
openssl pkcs8 -topk8 -in ./cert.key -out ./cert.key.pkcs8 -passin pass:foo -passout pass:bar

It might manifest in different forms, such as:

  • Java::JavaSecurity::NoSuchAlgorithmException: 1.2.840.113549.1.5.13 SecretKeyFactory not available
  • Java::JavaIo::IOException: PBE parameter parsing error: expecting the object identifier for AES cipher

The first happens with OpenSSL 1.1 defaults (-v2 is the default) or when specifying -v2 aes128 (or -v2 aes256).
The second is due to using -v2 des3:
openssl pkcs8 -topk8 -in ./cert.key -out ./cert.key.pkcs8 -passout pass:foobar -v2 des3

Java fails to read such keys and one needs to use a -v1 (PKCS#5 v1.5) algorithm, e.g. -v1 PBE-SHA1-RC2-128.


Tested on OpenJDK 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 11.0.13+8.

kares commented

This issue manifested with the CI due to the Docker base image switch from:

CentOS Linux release 7.9.2009 (Core) OpenSSL 1.0.2k-fips 26 Jan 2017

to

20.04.3 LTS (Focal Fossa) OpenSSL 1.1.1f 31 Mar 2020

A default openssl pkcs8 -topk8 -in ... -out ... -passout pass:... fails in Ubuntu (due to the -v2 default).
A workaround is to use a v1 algorithm, e.g. openssl pkcs8 -topk8 -v1 PBE-SHA1-RC2-128 -in ... -passout pass:...
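
Whether a given key file is in the -v2 or -v1 form can be checked without the passphrase, because the encryption AlgorithmIdentifier of a PKCS#8 file is stored unencrypted. The Ruby sketch below is an added example, not code from this issue or from logstash-input-beats; the helper names and the constructed sample keys (dummy salt, IV and ciphertext) are assumptions of the example, and every OID except 1.2.840.113549.1.5.13 comes from the PKCS#5/PKCS#12 and NIST registries rather than from the page.

```ruby
require "openssl"

# PBES2 is the OID named in the NoSuchAlgorithmException quoted in this issue.
PBES2      = "1.2.840.113549.1.5.13"
PBKDF2     = "1.2.840.113549.1.5.12"   # RFC 8018
AES128_CBC = "2.16.840.1.101.3.4.1.2"  # NIST AES registry
# OID OpenSSL writes for -v1 PBE-SHA1-RC2-128 (PKCS#12 pbeWithSHAAnd128BitRC2-CBC).
PBE_SHA1_RC2_128 = "1.2.840.113549.1.12.1.5"
PEM_RE = /-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END ENCRYPTED PRIVATE KEY-----/m

# Report which password-based scheme protects a PKCS#8 PEM. No passphrase is
# needed: the AlgorithmIdentifier sits in the clear in front of the ciphertext.
def pkcs8_encryption_info(pem)
  body = pem[PEM_RE, 1] or raise ArgumentError, "not an ENCRYPTED PRIVATE KEY PEM"
  # EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm, encryptedData }
  alg = OpenSSL::ASN1.decode(body.unpack1("m")).value[0]
  scheme_oid = alg.value[0].oid
  return { scheme: :v1, pbe: scheme_oid } unless scheme_oid == PBES2
  # PBES2-params ::= SEQUENCE { keyDerivationFunc, encryptionScheme }
  kdf, enc = alg.value[1].value
  { scheme: :v2, kdf: kdf.value[0].oid, cipher: enc.value[0].oid }
end

# True for the -v2 (PBES2) form that this issue reports Java failing to read.
def needs_v1_reexport?(pem)
  pkcs8_encryption_info(pem)[:scheme] == :v2
end

# --- Constructed samples: real AlgorithmIdentifiers, dummy salt/IV/ciphertext ---
def der_seq(*items); OpenSSL::ASN1::Sequence.new(items); end
def der_oid(dotted); OpenSSL::ASN1::ObjectId.new(dotted); end
def der_octets(bytes); OpenSSL::ASN1::OctetString.new(bytes); end

def sample_pem(alg_id)
  der = der_seq(alg_id, der_octets("\0" * 32)).to_der
  "-----BEGIN ENCRYPTED PRIVATE KEY-----\n#{[der].pack('m')}-----END ENCRYPTED PRIVATE KEY-----\n"
end

def pbe_params
  der_seq(der_octets("saltsalt"), OpenSSL::ASN1::Integer.new(2048))
end

SAMPLE_V2 = sample_pem(der_seq(der_oid(PBES2),
  der_seq(der_seq(der_oid(PBKDF2), pbe_params),
          der_seq(der_oid(AES128_CBC), der_octets("\0" * 16)))))
SAMPLE_V1 = sample_pem(der_seq(der_oid(PBE_SHA1_RC2_128), pbe_params))

puts pkcs8_encryption_info(SAMPLE_V2), pkcs8_encryption_info(SAMPLE_V1)
```

For a real key, pass `File.read` of the .pkcs8 file to `pkcs8_encryption_info`; a `:v2` result means the file carries the PBES2 header described in the first comment.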