Chris

On 2019-12-27 16:33, Christopher Schultz wrote:

Peter,

On 12/26/19 18:55, logo wrote:
Hi Mark,

I hope it's okay if I reply. :)

:-)



I just recently tested Step CA (smallstep.com) as an internal CA
that provides an internal ACME service.

After I deployed the created cert to my Tomcat (8.5.50 with
AdoptOpenJDK 11) I noticed that while the openssl connector
immediately started, the JSSE connector with the same cert would
fail with a "java.security.KeyStoreException: Cannot store
non-PrivateKeys". I also use the openssl XML certificate config for
JSSE.

It took me quite a while to figure this one out, as the message
usually indicates a public key as cert. I noticed that Step CA is
creating ECDSA certs by default. The openssl connector delivers the
new ECDSA cert just fine.

While Java (afaik) seems to be able to handle ECDSA, Tomcat will
fall through a case statement in
org.apache.tomcat.util.net.jsse.PEMFile

When loading the PEM file parts it will skip all cases in

    for (Part part : parts) {
        switch (part.type) {
            case "PRIVATE KEY":
                privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS8);
                break;
            case "ENCRYPTED PRIVATE KEY":
                privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8);
                break;
            case "RSA PRIVATE KEY":
                privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1);
                break;
            case "CERTIFICATE":
            case "X509 CERTIFICATE":
                certificates.add(part.toCertificate());
                break;
        }
    }

as an EC certificate will start with EC PRIVATE KEY.

Is this something that is expected? ECDSA unsupported? Or just an
incomplete implementation, edge case or a bug?

EC should work. What does your <Connector> configuration look like?


    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               maxThreads="150"
               SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate
              certificateKeyFile="${catalina.base}/conf/ssl/privkey.pem"
              certificateFile="${catalina.base}/conf/ssl/cert.pem"
               />
        </SSLHostConfig>
    </Connector>

Really basic.
First I had a type attribute "RSA", but even omitting this didn't change it.

Once Tomcat hits the PEMFile class, the parts read from the ECDSA PEM file are not transferred to a private key, so the class member "privateKey" is null. None of the cases above match "EC PRIVATE KEY".

Peter

-chris
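As an added example (not code from this thread or from Tomcat), a small Python pre-flight check that applies the label dispatch of the PEMFile switch quoted above to the blocks of a PEM file, so a key can be checked before the JSSE connector is started. The sample PEM contents are constructed placeholders with dummy bodies; the label sets are taken from the quoted switch.

```python
import re

# Labels accepted by the switch in the quoted PEMFile code (Tomcat 8.5.50).
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE"}

# One PEM block: the END label must equal the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def pem_parts(text):
    """Return (label, base64 body) for every PEM block in text, in file order."""
    return [(m.group("label"), m.group("body")) for m in PEM_BLOCK.finditer(text)]


def check_for_jsse(text):
    """Emulate the quoted switch: report which block would become privateKey,
    how many certificates are picked up, and which labels fall through."""
    result = {"private_key": None, "certificates": 0, "skipped": []}
    for label, _ in pem_parts(text):
        if label in KEY_LABELS:
            result["private_key"] = label
        elif label in CERT_LABELS:
            result["certificates"] += 1
        else:
            result["skipped"].append(label)  # e.g. "EC PRIVATE KEY", "EC PARAMETERS"
    return result


# Constructed sample files; the bodies are placeholders, not real key material.
SEC1_EC_KEY = (
    "-----BEGIN EC PARAMETERS-----\nBggqhkjOPQMBBw==\n-----END EC PARAMETERS-----\n"
    "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEE...\n-----END EC PRIVATE KEY-----\n"
)
PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\nMIGHAgEA...\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, pem in (("SEC1 EC key", SEC1_EC_KEY), ("PKCS#8 key", PKCS8_KEY)):
        r = check_for_jsse(pem)
        if r["private_key"] is None:
            print(f"{name}: no usable key, skipped {r['skipped']} -> 'Cannot store non-PrivateKeys'")
        else:
            print(f"{name}: loaded via case {r['private_key']!r}")
```

A SEC1 "EC PRIVATE KEY" file rewritten as unencrypted PKCS#8 with `openssl pkcs8 -topk8 -nocrypt` carries the "PRIVATE KEY" label and matches the first case.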

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
