Open kares opened 2 years ago
This issue manifested with the CI due to the Docker base image switch from:
OpenSSL 1.0.2k-fips 26 Jan 2017
to
OpenSSL 1.1.1f 31 Mar 2020
A default openssl pkcs8 -topk8 -in ... -out ... -passout pass:... fails in Ubuntu (due to the -v2 default).
A work-around is to use a v1 algorithm, e.g.:
openssl pkcs8 -topk8 -v1 PBE-SHA1-RC2-128 -in ... -passout pass:...
This issue will happen whenever Java fails to read PKCS#8 keys created by OpenSSL tools:
openssl pkcs8 -topk8 -in ./cert.key -out ./cert.key.pkcs8 -passin pass:foo -passout pass:bar
It might manifest in different forms such as:
Java::JavaSecurity::NoSuchAlgorithmException: 1.2.840.113549.1.5.13 SecretKeyFactory not available
Java::JavaIo::IOException: PBE parameter parsing error: expecting the object identifier for AES cipher
The first happens with OpenSSL 1.1 defaults (-v2 is the default) or when specifying -v2 aes128 (or -v2 aes256). The second is due to using -v2 des3:
openssl pkcs8 -topk8 -in ./cert.key -out ./cert.key.pkcs8 -passout pass:foobar -v2 des3
Java fails to read such keys and one needs to use a -v1 (PKCS#5 v1.5) algorithm, e.g. -v1 PBE-SHA1-RC2-128
Tested on OpenJDK 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 11.0.13+8.
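To see which of the cases above a key file falls into before Java loads it, the PBE scheme can be read from the first OID of the PKCS#8 EncryptedPrivateKeyInfo header. This is an added example, not code from the issue or the project: the method names are hypothetical, and the two samples are constructed headers (dummy parameters and ciphertext) carrying the PBES2 OID from the exception and OpenSSL's object id for PBE-SHA1-RC2-128.

```ruby
# Added example, not from the issue; method names are hypothetical.
PBES2_OID = '1.2.840.113549.1.5.13' # -v2; the OID in the NoSuchAlgorithmException
# Read the DER TLV at the start of der; returns [tag, value_bytes].
def read_tlv(der)
  tag, len = der.getbyte(0), der.getbyte(1)
  raise ArgumentError, 'truncated DER' if len.nil?
  pos = 2
  if len & 0x80 != 0 # long form: low 7 bits give the count of length bytes
    pos += len & 0x7f
    len = der.byteslice(2...pos).bytes.inject(0) { |acc, b| (acc << 8) | b }
  end
  raise ArgumentError, 'truncated DER' if pos + len > der.bytesize
  [tag, der.byteslice(pos, len)]
end

# Decode an OBJECT IDENTIFIER body (base-128 arcs) into dotted notation.
def decode_oid(body)
  arcs, acc = [], 0
  body.each_byte do |b|
    acc = (acc << 7) | (b & 0x7f)
    next if b & 0x80 != 0 # continuation bit: this arc has more bytes
    arcs << acc
    acc = 0
  end
  x = [arcs.fetch(0) / 40, 2].min # first value packs the two leading arcs as 40*x + y
  ([x, arcs[0] - 40 * x] + arcs.drop(1)).join('.')
end

# Dotted OID of encryptionAlgorithm in an encrypted PKCS#8 PEM.
def pkcs8_encryption_oid(pem)
  m = pem.match(/-----BEGIN ENCRYPTED PRIVATE KEY-----(.+?)-----END ENCRYPTED PRIVATE KEY-----/m)
  raise ArgumentError, 'not an ENCRYPTED PRIVATE KEY PEM' unless m
  _, info = read_tlv(m[1].unpack1('m')) # EncryptedPrivateKeyInfo SEQUENCE
  _, alg = read_tlv(info)               # AlgorithmIdentifier SEQUENCE
  tag, oid = read_tlv(alg)
  raise ArgumentError, 'expected OBJECT IDENTIFIER' unless tag == 0x06
  decode_oid(oid)
end

# Constructed samples: real header OIDs, dummy parameters and ciphertext (no key material).
def der(tag, body) # sample builder, handles lengths below 256 only
  (body.bytesize < 0x80 ? [tag, body.bytesize] : [tag, 0x81, body.bytesize]).pack('C*') + body
end
def sample_pem(oid)
  info = der(0x30, der(0x30, der(0x06, oid.pack('C*')) + der(0x05, '')) + der(0x04, "\0" * 200))
  "-----BEGIN ENCRYPTED PRIVATE KEY-----\n#{[info].pack('m')}-----END ENCRYPTED PRIVATE KEY-----\n"
end
V2_SAMPLE = sample_pem([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0D])       # PBES2 (-v2)
V1_SAMPLE = sample_pem([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x05]) # PBE-SHA1-RC2-128
```

On a real key file, `pkcs8_encryption_oid(File.read(path))` returning `PBES2_OID` means the key was written with a `-v2` scheme.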