LogStash::ConfigurationError: File does not contain valid private key
kares opened this issue · 1 comments
This issue will happen whenever Java fails to read PKCS#8 keys created by OpenSSL tools:
openssl pkcs8 -topk8 -in ./cert.key -out ./cert.key.pkcs8 -passin pass:foo -passout pass:bar
It might manifest in different forms such as:
Java::JavaSecurity::NoSuchAlgorithmException: 1.2.840.113549.1.5.13 SecretKeyFactory not available
Java::JavaIo::IOException: PBE parameter parsing error: expecting the object identifier for AES cipher
The first happens with OpenSSL 1.1 defaults (-v2 is the default) or when specifying -v2 aes128 (or -v2 aes256).
The second is due to using -v2 des3:
openssl pkcs8 -topk8 -in ./cert.key -out ./cert.key.pkcs8 -passout pass:foobar -v2 des3
Java fails to read such keys and one needs to use a -v1 (PKCS#5 v1.5) algorithm, e.g. -v1 PBE-SHA1-RC2-128
- OpenSSL 1.0 http://www.manpagez.com/man/1/pkcs8/pkcs8-1.0.2.php
- OpenSSL 1.1 https://manpages.debian.org/testing/openssl/pkcs8.1ssl.en.html#v2
Tested on OpenJDK 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 11.0.13+8.
This issue manifested with the CI due to the Docker base image switch from:
CentOS Linux release 7.9.2009 (Core) OpenSSL 1.0.2k-fips 26 Jan 2017
to
20.04.3 LTS (Focal Fossa) OpenSSL 1.1.1f 31 Mar 2020
A default openssl pkcs8 -topk8 -in ... -out ... -passout pass:... fails in Ubuntu (due to the -v2 default).
A work-around is to use a v1 algorithm, e.g. openssl pkcs8 -topk8 -v1 PBE-SHA1-RC2-128 -in ... -passout pass:...
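Added example (not part of the issue or of the Logstash code base): a small Python check that reads the encryption scheme OID from an `ENCRYPTED PRIVATE KEY` PEM, so a PBES2 (`-v2`) key can be spotted in CI before it is handed to the JVM. Function names are hypothetical, and the two sample PEMs are constructed headers with empty parameters and dummy ciphertext, not real keys.

```python
import base64
import re

PBES2 = "1.2.840.113549.1.5.13"          # OID named in the NoSuchAlgorithmException above
V1_RC2_128 = "1.2.840.113549.1.12.1.5"   # pbeWithSHAAnd128BitRC2-CBC (-v1 PBE-SHA1-RC2-128)
PEM_RE = re.compile(r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.+?)"
                    r"-----END ENCRYPTED PRIVATE KEY-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def _oid(body):
    """Decode DER OID content bytes (base-128 arcs) into dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear: last byte of this arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)        # first two arcs share one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def pkcs8_pbe_oid(pem):
    """Return the encryptionAlgorithm OID of an encrypted PKCS#8 PEM."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not an encrypted PKCS#8 PEM")
    der = base64.b64decode("".join(m.group(1).split()))
    t1, s1, _ = _tlv(der, 0)             # EncryptedPrivateKeyInfo SEQUENCE
    t2, s2, _ = _tlv(der, s1)            # AlgorithmIdentifier SEQUENCE
    t3, s3, e3 = _tlv(der, s2)           # algorithm OBJECT IDENTIFIER
    if (t1, t2, t3) != (0x30, 0x30, 0x06):
        raise ValueError("unexpected ASN.1 structure")
    return _oid(der[s3:e3])

def uses_pbes2(pem):
    """True when the key was written with a -v2 (PBES2) scheme."""
    return pkcs8_pbe_oid(pem) == PBES2

def make_pem(der_hex):                   # helper for the constructed samples below
    b64 = base64.b64encode(bytes.fromhex(der_hex)).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{b64}\n-----END ENCRYPTED PRIVATE KEY-----\n"

SAMPLE_V2 = make_pem("3015300d06092a864886f70d01050d30000404deadbeef")    # constructed
SAMPLE_V1 = make_pem("3016300e060a2a864886f70d010c010530000404deadbeef")  # constructed
```

Passing the contents of a real key file to `uses_pbes2` tells you whether it needs to be re-exported with a `-v1` algorithm as described above.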