On 27.12.19 at 17:36, logo wrote:
> Chris
>
> On 2019-12-27 16:33, Christopher Schultz wrote:
> Peter,
>
> On 12/26/19 18:55, logo wrote:
> >>> Hi Mark,
>
> I hope it's okay if I reply. :)
>
> > :-)
>
>
>
> >>> I just recently tested Step CA (smallstep.com) as an internal CA
> >>> that provides an internal ACME service.
> >>>
> >>> After I deployed the created cert to my Tomcat (8.5.50 with
> >>> adoptopenjdk 11) I noticed that while the openssl connector
> >>> immediately started, the JSSE connector with the same cert would
> >>> fail with a "java.security.KeyStoreException: Cannot store
> >>> non-PrivateKeys". I use the openssl XML certificate config also for
> >>> JSSE.
> >>>
> >>> It took me quite a while to figure this one out - as the message
> >>> usually indicates a public key as cert. I noticed that Step CA is
> >>> creating ECDSA certs by default. The Openssl Connector delivers the
> >>> new ECDSA cert just fine.
> >>>
> >>> While Java (afaik) seems to be able to handle ECDSA, tomcat will
> >>> fall through a case statement in
> >>> org.apache.tomcat.util.net.jsse.PEMFile
> >>>
> >>> When loading the PEM file parts it will skip all cases in
> >>>
> >>> for (Part part : parts) {
> >>>     switch (part.type) {
> >>>         case "PRIVATE KEY": privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS8); break;
> >>>         case "ENCRYPTED PRIVATE KEY": privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8); break;
> >>>         case "RSA PRIVATE KEY": privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1); break;
> >>>         case "CERTIFICATE":
> >>>         case "X509 CERTIFICATE": certificates.add(part.toCertificate()); break;
> >>>     }
> >>> }
> >>>
> >>> as an EC certificate will start with EC PRIVATE KEY.
> >>>
> >>> Is this something that is expected? ECDSA unsupported? Or just an
> >>> incomplete implementation, edge case or a bug?
>
> EC should work. What does your <Connector> configuration look like?
>
>
> >     <Connector port="8443"
> >                protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> >                sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> >                maxThreads="150"
> >                SSLEnabled="true" >
> >         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> >         <SSLHostConfig>
> >             <Certificate
> >               certificateKeyFile="${catalina.base}/conf/ssl/privkey.pem"
> >               certificateFile="${catalina.base}/conf/ssl/cert.pem"
> >                />
> >         </SSLHostConfig>
> >     </Connector>
>
> > really basic.
> > First I had a type attribute "RSA" but even omitting this didn't change it.
>
> > Once Tomcat hits the PEMFile-Class the parts read from the ECDSA-PEM-file
> > are not transferred to a private key, so the class member "privateKey" is
> > null. None of the cases above match "EC PRIVATE KEY".

The comments at the beginning of PEMFile state that it works for PKCS8,
only. But the code makes an exception for RSA keys, so it probably makes
sense to add EC keys, too.

Have you tried to convert your key to pkcs8?

Felix

>
> > Peter
>
> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org

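The PEMFile dispatch Peter quotes, mirrored in an added Python checker that is not Tomcat's or Step CA's code: it walks the PEM parts with the same label cases, shows why a SEC1 "EC PRIVATE KEY" part leaves privateKey null (and so triggers the "Cannot store non-PrivateKeys" failure), and shows that the PKCS#8 conversion Felix asks about (openssl pkcs8 -topk8 -nocrypt) yields a label the switch does accept. The key and certificate bodies are constructed placeholders, not real material.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Labels handled by the switch Peter quotes from Tomcat 8.5.50's PEMFile.
# "EC PRIVATE KEY" (the SEC1 label openssl writes for EC keys) is absent,
# which is why privateKey stays null for the Step CA issued key.
KEY_LABELS = {
    "PRIVATE KEY": "PKCS8",
    "ENCRYPTED PRIVATE KEY": "PKCS8 (encrypted)",
    "RSA PRIVATE KEY": "PKCS1",
}
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE"}
# One PEM part: BEGIN label, base64 body, matching END label.
PEM_PART = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

@dataclass
class PemReport:
    private_key_format: Optional[str] = None
    certificates: int = 0
    skipped_labels: List[str] = field(default_factory=list)

    def jsse_would_fail(self) -> bool:
        # No private key loaded -> JSSE later raises "Cannot store non-PrivateKeys".
        return self.private_key_format is None

def inspect_pem(text: str) -> PemReport:
    # Walk the PEM parts the way PEMFile's switch does and record the outcome.
    report = PemReport()
    for m in PEM_PART.finditer(text):
        label = m.group(1)
        if label in KEY_LABELS:
            report.private_key_format = KEY_LABELS[label]
        elif label in CERT_LABELS:
            report.certificates += 1
        else:
            report.skipped_labels.append(label)  # falls through every case
    return report

# Constructed samples: the bodies are placeholders, not real key material.
SEC1_PEM = (
    "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEE...constructed...\n-----END EC PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
)
# The same key after: openssl pkcs8 -topk8 -nocrypt -in privkey.pem -out privkey-pkcs8.pem
PKCS8_PEM = "-----BEGIN PRIVATE KEY-----\nMIGHAgEA...constructed...\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, pem in (("SEC1", SEC1_PEM), ("PKCS8", PKCS8_PEM)):
        r = inspect_pem(pem)
        print(name, r, "jsse_would_fail =", r.jsse_would_fail())
```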