nareshv opened a new issue, #21599: URL: https://github.com/apache/pulsar/issues/21599
### Search before asking

- [X] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar.

### Version

3.1.1

### Minimal reproduce step

Configure the Apache Pulsar as per standard docs and use ECDSA keys instead of RSA.

Sample Private key

```
-----BEGIN EC PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgazGsqbEbxfbPuPvi
O6jXRPNqmktZmB/qbaW36dcyRL6hRANCAASTE+XBhDy+ZKdqx3VxBrkfsTRkXUKe
NN4mW12RLkk1jzU0NIVAjIJ+s939X/6WfC84bpFotR4J5aNcBV7G4hKF
-----END EC PRIVATE KEY-----
```

Sample Cert

```
-----BEGIN CERTIFICATE-----
MIICEDCCAbagAwIBAgIQcz6Xu7uN65O1zZfSXJtAVTAKBggqhkjOPQQDAjAeMQsw
CQYDVQQGEwJVUzEPMA0GA1UEChMGU1BJRkZFMB4XDTIzMTEyMDEwNTMxNloXDTIz
MTEyMDExNTMyNlowSDELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBVNQSVJFMSkwJwYD
VQQtEyBmN2ZhMDUxYjY2MGYyYmUzNGU1NDA1NmE4YzRlMjgxYTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABJMT5cGEPL5kp2rHdXEGuR+xNGRdQp403iZbXZEuSTWP
NTQ0hUCMgn6z3f1f/pZ8LzhukWi1Hgnlo1wFXsbiEoWjgaswgagwDgYDVR0PAQH/
BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8E
AjAAMB0GA1UdDgQWBBRcM/qknVmhjlPic4nTtw6qvr9G9zAfBgNVHSMEGDAWgBR6
ZnTUlLssxViFpo6o1HKXj5uPETApBgNVHREEIjAghh5zcGlmZmU6Ly9leGFtcGxl
Lm9yZy9teXNlcnZpY2UwCgYIKoZIzj0EAwIDSAAwRQIhAO9TxcbIsfASe0oeek1o
42Fjo2f7NfRf4cdoptB9/e7NAiBPK6AtBUF/YpKIbiNoKbx7gpr6n+mzgZ8KzFee
a5luJQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB4TCCAWegAwIBAgIRANYwzjm+dA9oi34juhIXLRUwCgYIKoZIzj0EAwMwHjEL
MAkGA1UEBhMCVVMxDzANBgNVBAoMBlNQSUZGRTAeFw0yMzExMjAwMDIwMDRaFw0y
MzExMjEwMDIwMTRaMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZTUElGRkUwWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAAR/0PbgQ2xi9Keze7TLmB7g0QwKVxxAziYD
9ZaSlNCmSksms3aFZDmTD40LDQEvGVpUsH5y6JblvijeEzVSeyqXo4GFMIGCMA4G
A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR6ZnTUlLss
xViFpo6o1HKXj5uPETAfBgNVHSMEGDAWgBSSiuNgxqqnz2r/jRcWsARqphwQ/zAf
BgNVHREEGDAWhhRzcGlmZmU6Ly9leGFtcGxlLm9yZzAKBggqhkjOPQQDAwNoADBl
AjAD6QMk7G1f4ydvhl6DGiKbFdqMsJl1NwLAKDAeqi+LRyeBjvaNb7aPD4o8Nebx
dTMCMQDUC6+52Dbt97JqYfmVwsTmrj9wmLvBOVqiBfsHWr8kE/5m93QBwSXozlgl
mB8tb3U=
-----END CERTIFICATE-----
```

### What did you expect to see?

Pulsar Proxy/Brokers should start normally

### What did you see instead?

Exception in the startup logs

```
2023-11-20T20:59:45,765+0530 [main] ERROR org.apache.pulsar.common.util.SslContextAutoRefreshBuilder - Exception while trying to refresh ssl Context Private key loading error
java.security.KeyManagementException: Private key loading error
	at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:520) ~[org.apache.pulsar-pulsar-common-3.1.1.jar:3.1.1]
	at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemFile(SecurityUtility.java:484) ~[org.apache.pulsar-pulsar-common-3.1.1.jar:3.1.1]
	at org.apache.pulsar.common.util.SecurityUtility.createSslContext(SecurityUtility.java:228) ~[org.apache.pulsar-pulsar-common-3.1.1.jar:3.1.1]
	at org.apache.pulsar.common.util.DefaultSslContextBuilder.update(DefaultSslContextBuilder.java:59) ~[org.apache.pulsar-pulsar-common-3.1.1.jar:3.1.1]
	at org.apache.pulsar.common.util.DefaultSslContextBuilder.update(DefaultSslContextBuilder.java:24) ~[org.apache.pulsar-pulsar-common-3.1.1.jar:3.1.1]
	at org.apache.pulsar.common.util.SslContextAutoRefreshBuilder.get(SslContextAutoRefreshBuilder.java:79) ~[org.apache.pulsar-pulsar-common-3.1.1.jar:3.1.1]
	at org.apache.pulsar.jetty.tls.JettySslContextFactory$Server.getSslContext(JettySslContextFactory.java:113) ~[org.apache.pulsar-pulsar-broker-common-3.1.1.jar:3.1.1]
	at org.eclipse.jetty.util.ssl.SslContextFactory.newSSLEngine(SslContextFactory.java:1903) ~[org.eclipse.jetty-jetty-util-9.4.51.v20230217.jar:9.4.51.v20230217]
	at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:99) ~[org.eclipse.jetty-jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[org.eclipse.jetty-jetty-util-9.4.51.v20230217.jar:9.4.51.v20230217]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[org.eclipse.jetty-jetty-util-9.4.51.v20230217.jar:9.4.51.v20230217]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) ~[org.eclipse.jetty-jetty-util-9.4.51.v20230217.jar:9.4.51.v20230217]
	at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:323) ~[org.eclipse.jetty-jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
	at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) ~[org.eclipse.jetty-jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
	at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) ~[org.eclipse.jetty-jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[org.eclipse.jetty-jetty-util-9.4.51.v20230217.jar:9.4.51.v20230217]
	at org.eclipse.jetty.server.Server.doStart(Server.java:401) ~[org.eclipse.jetty-jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[org.eclipse.jetty-jetty-util-9.4.51.v20230217.jar:9.4.51.v20230217]
	at org.apache.pulsar.broker.web.WebService.start(WebService.java:309) ~[org.apache.pulsar-pulsar-broker-3.1.1.jar:3.1.1]
	at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:813) ~[org.apache.pulsar-pulsar-broker-3.1.1.jar:3.1.1]
	at org.apache.pulsar.PulsarStandalone.start(PulsarStandalone.java:349) ~[org.apache.pulsar-pulsar-broker-3.1.1.jar:3.1.1]
	at org.apache.pulsar.PulsarStandaloneStarter.main(PulsarStandaloneStarter.java:141) ~[org.apache.pulsar-pulsar-broker-3.1.1.jar:3.1.1]
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA private key
	at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:253) ~[?:?]
	at java.security.KeyFactory.generatePrivate(KeyFactory.java:389) ~[?:?]
	at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:518) ~[org.apache.pulsar-pulsar-common-3.1.1.jar:3.1.1]
	... 21 more
Caused by: java.security.InvalidKeyException: Invalid RSA private key
	at sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:358) ~[?:?]
	at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:163) ~[?:?]
	at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:92) ~[?:?]
	at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:348) ~[?:?]
	at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:249) ~[?:?]
	at java.security.KeyFactory.generatePrivate(KeyFactory.java:389) ~[?:?]
	at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:518) ~[org.apache.pulsar-pulsar-common-3.1.1.jar:3.1.1]
	... 21 more
Caused by: java.io.IOException: Version must be 0
	at sun.security.rsa.RSAPrivateCrtKeyImpl.parseASN1(RSAPrivateCrtKeyImpl.java:323) ~[?:?]
	at sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:348) ~[?:?]
	at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:163) ~[?:?]
	at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:92) ~[?:?]
	at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:348) ~[?:?]
	at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:249) ~[?:?]
	at java.security.KeyFactory.generatePrivate(KeyFactory.java:389) ~[?:?]
	at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:518) ~[org.apache.pulsar-pulsar-common-3.1.1.jar:3.1.1]
	... 21 more
2023-11-20T20:59:45,770+0530 [main] ERROR org.apache.pulsar.broker.PulsarService - Failed to start Pulsar service: java.lang.NullPointerException: Cannot invoke "javax.net.ssl.SSLContext.createSSLEngine()" because "context" is null
```

### Anything else?

The bug is in the code https://github.com/apache/pulsar/blob/98bf9dd72910e1b02dea17148a4199e3b26d7147/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java#L516 where it's supporting only **RSA** keys.

### Are you willing to submit a PR?

- [ ] I'm willing to submit a PR!
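
An added example, not part of the original issue and not Pulsar's code: one way to pick the `KeyFactory` from the algorithm OID inside a PKCS#8 `PrivateKeyInfo` instead of assuming RSA, which is the failure the stack trace above shows. The class `Pkcs8KeyLoader` and its methods are hypothetical names, the EC key is generated in `main` as constructed input, and `HexFormat` assumes Java 17 or later.

```java
import java.security.*;
import java.security.spec.*;
import java.util.*;

public class Pkcs8KeyLoader {
    // DER content bytes of the algorithm OID -> JCA KeyFactory name.
    private static final Map<String, String> OID_TO_ALG = Map.of(
        "2a864886f70d010101", "RSA",  // 1.2.840.113549.1.1.1 rsaEncryption
        "2a8648ce3d0201", "EC");      // 1.2.840.10045.2.1 id-ecPublicKey
    // Checks the tag at pos[0], returns the DER length, leaves pos[0] at the content.
    private static int header(byte[] der, int[] pos, int tag) throws InvalidKeySpecException {
        if ((der[pos[0]++] & 0xff) != tag) throw new InvalidKeySpecException("not PKCS#8 PrivateKeyInfo");
        int len = der[pos[0]++] & 0xff;
        if (len < 0x80) return len;                   // short form
        int n = len & 0x7f;                           // long form: n length bytes follow
        for (len = 0; n > 0; n--) len = (len << 8) | (der[pos[0]++] & 0xff);
        return len;
    }
    // PrivateKeyInfo ::= SEQUENCE { version INTEGER, SEQUENCE { algorithm OID, ... }, ... }
    static String algorithmOf(byte[] der) throws InvalidKeySpecException {
        try {
            int[] pos = {0};
            header(der, pos, 0x30);                   // outer SEQUENCE
            int versionLen = header(der, pos, 0x02);
            pos[0] += versionLen;                     // skip the version INTEGER
            header(der, pos, 0x30);                   // AlgorithmIdentifier
            int oidLen = header(der, pos, 0x06);
            String oid = HexFormat.of().formatHex(der, pos[0], pos[0] + oidLen);
            String alg = OID_TO_ALG.get(oid);
            if (alg == null) throw new InvalidKeySpecException("unsupported key algorithm OID " + oid);
            return alg;
        } catch (IndexOutOfBoundsException e) {
            throw new InvalidKeySpecException("truncated PKCS#8 structure", e);
        }
    }
    static PrivateKey load(byte[] pkcs8) throws GeneralSecurityException {
        return KeyFactory.getInstance(algorithmOf(pkcs8)).generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample input: a fresh P-256 key; getEncoded() returns PKCS#8 DER.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1"));
        byte[] der = gen.generateKeyPair().getPrivate().getEncoded();
        try {  // RSA-only loading, the failure mode in the report
            KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
        } catch (InvalidKeySpecException e) { System.out.println("RSA KeyFactory rejected the EC key: " + e); }
        System.out.println("loaded via detected algorithm: " + load(der).getAlgorithm());
    }
}
```

The loader rejects any OID outside its allow-list, so a key type the TLS stack was never configured for fails at load time with a clear message rather than surfacing later as a null `SSLContext`.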
