Re: PKCS#8 encryption algorithm unrecognized

2024-06-25 Thread Timothy Resh
In the
 SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"

we defined a class to convert the encrypted password and set the following
properties:

public class MyPropertySource implements
        org.apache.tomcat.util.IntrospectionUtils.PropertySource {
    ...
    public String getProperty(String arg0) {
        if (arg0.contains("KSENC(")) {
            System.setProperty("javax.net.ssl.keyStore", keyStorePath);
            System.setProperty("javax.net.ssl.keyStorePassword", clearText);
            System.setProperty("javax.net.ssl.trustStore", trustStorePath);
            System.setProperty("javax.net.ssl.trustStorePassword", clearText);
        }
        ...
    }
}

This class sets these properties at the beginning of Tomcat init.

In my debugging I found that it could not determine the store properly.
So, I tried putting in keystoreType="PKCS12" and now it works.

I hope this helps.  I'm still set up for debugging if you need something
looked at.

Thanks


On Tue, Jun 11, 2024 at 2:14 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Mark,
>
> On 6/10/24 14:56, Timothy Resh wrote:
> > After much debugging, I have found the issue in my situation. In the
> > server.xml file, you must put keystoreType="PKCS12" for it to recognize the
> > keystore properly.
>
> That doesn't make any sense to me. Not a single one of your previous
> posts has been using a keystore file at all for Tomcat. You did show how
> you assembled a (rather complicated) PKCS12 keystore file using a
> combination of openssl and keytool in your message from 25 March but
> this is the only place in your configuration file I see that file:
>
>  SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"
>
> I have *no idea* what you are doing in there, but I assumed that
> keystore contained some kind of password and not a certificate or RSA key.
>
> -chris
>
> > On Fri, Apr 5, 2024 at 4:27 AM Roberto Benedetti <
> > roberto.benede...@dedalus.eu> wrote:
> >
> >>> I got the Object ID and version straight out of the Certificate using
> >>> Keystore Explorer.  I'm not sure why there is a difference.
> >>
> >> Keystore Explorer uses Bouncy Castle (https://www.bouncycastle.org/) as
> >> provider for JCE.
> >>
> >> If your JRE/JDK does not provide some algorithm you could use Bouncy
> >> Castle as well.
> >>
> >> Regards,
> >> Roberto
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
>


Re: PKCS#8 encryption algorithm unrecognized

2024-06-10 Thread Timothy Resh
After much debugging, I have found the issue in my situation. In the
server.xml file, you must put keystoreType="PKCS12" for it to recognize the
keystore properly.

On Fri, Apr 5, 2024 at 4:27 AM Roberto Benedetti <
roberto.benede...@dedalus.eu> wrote:

> > I got the Object ID and version straight out of the Certificate using
> > Keystore Explorer.  I'm not sure why there is a difference.
>
> Keystore Explorer uses Bouncy Castle (https://www.bouncycastle.org/) as
> provider for JCE.
>
> If your JRE/JDK does not provide some algorithm you could use Bouncy
> Castle as well.
>
> Regards,
> Roberto


Re: PKCS#8 encryption algorithm unrecognized

2024-04-04 Thread Timothy Resh
Java is 1.8.0_391

On Thu, Apr 4, 2024 at 1:35 PM Timothy Resh  wrote:

> I got the Object ID and version straight out of the Certificate using
> Keystore Explorer.  I'm not sure why there is a difference.
>
> The "\" is because I manually deleted the beginning part of the path.
> It's correct in the actual file.
>
> Java is 1.8.
>
> On Wed, Apr 3, 2024 at 6:11 PM Konstantin Kolinko 
> wrote:
>
>> > Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption
>> > algorithm with DER encoded OID of [2a864886f70d010c0103] was not
>> recognised
>>
>> If I google for the above hex number, it finds the following:
>>
>> '2A864886F70D010C0103' -- 1.2.840.113549.1.12.1.3
>> pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS #12 PbeIds)
>>
>> (actually a comment in some random source file, but it explains what
>> the value is).
>>
>> If I manually decode that value, thanks to
>> https://stackoverflow.com/a/24720842
>> I get the same value:
>>
>> 2a = 42 = 1 * 40 + 2 -> "1.2"
>> 8648 = (0x06 * 128) + 0x48 = 6 * 128 + 72 = 840
>> 86f70d = ((0x06 * 128) + (0x77 * 128) + 0x0d = ((6 * 128) + 119) * 128
>> + 13 = 113549
>> 01 = 1
>> 0c = 12
>> 01 = 1
>> 03 = 3
>>
>> I saw that you mentioned
>> > The ASN.1 is  OBJECT IDENTIFIER=Sha256WithRSAEncryption
>> (1.2.840.113549.1.1.11)
>>
>> but the value is different.
>> *.1.1.11 vs *.1.12.1.3
>>
>> Maybe it helps.
>>
>> What is your version of Java?
>>
>> Isn't the algorithm (mentioned in the error message) deprecated,
>> because it uses SHA-1 ?
>>
>> > SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3...cer"
>>
>> A '\' is missing after ':'.
>>
>> Best regards,
>> Konstantin Kolinko
>>


Re: PKCS#8 encryption algorithm unrecognized

2024-04-04 Thread Timothy Resh
I got the Object ID and version straight out of the Certificate using
Keystore Explorer.  I'm not sure why there is a difference.

The "\" is because I manually deleted the beginning part of the path.  It's
correct in the actual file.

Java is 1.8.

On Wed, Apr 3, 2024 at 6:11 PM Konstantin Kolinko 
wrote:

> > Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption
> > algorithm with DER encoded OID of [2a864886f70d010c0103] was not
> recognised
>
> If I google for the above hex number, it finds the following:
>
> '2A864886F70D010C0103' -- 1.2.840.113549.1.12.1.3
> pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS #12 PbeIds)
>
> (actually a comment in some random source file, but it explains what
> the value is).
>
> If I manually decode that value, thanks to
> https://stackoverflow.com/a/24720842
> I get the same value:
>
> 2a = 42 = 1 * 40 + 2 -> "1.2"
> 8648 = (0x06 * 128) + 0x48 = 6 * 128 + 72 = 840
> 86f70d = ((0x06 * 128) + (0x77 * 128) + 0x0d = ((6 * 128) + 119) * 128
> + 13 = 113549
> 01 = 1
> 0c = 12
> 01 = 1
> 03 = 3
>
> I saw that you mentioned
> > The ASN.1 is  OBJECT IDENTIFIER=Sha256WithRSAEncryption
> (1.2.840.113549.1.1.11)
>
> but the value is different.
> *.1.1.11 vs *.1.12.1.3
>
> Maybe it helps.
>
> What is your version of Java?
>
> Isn't the algorithm (mentioned in the error message) deprecated,
> because it uses SHA-1 ?
>
> > SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3...cer"
>
> A '\' is missing after ':'.
>
> Best regards,
> Konstantin Kolinko
>
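As an added example (this is the editor's code, not something posted in the thread and not Tomcat's own PEMFile), the script below does by machine what Konstantin did by hand above: it decodes the DER OID content octets from the error message to dotted form, and it reads the AlgorithmIdentifier at the head of a PKCS#8 EncryptedPrivateKeyInfo so you can see which password-based encryption an ENCRYPTED PRIVATE KEY file actually carries before Tomcat rejects it. The OID the poster read out of the certificate (sha256WithRSAEncryption, 1.2.840.113549.1.1.11) is the certificate's signature algorithm; the one in the error is the key wrapping, which is why the two differ. Pure standard library; the two sample keys are constructed inside the script with dummy ciphertext (they are not real keys), and the OID table covers only the PKCS#5/PKCS#12 identifiers relevant here.

```python
# Added example (not from the thread, not Tomcat code): name the password-based
# encryption of a PKCS#8 "ENCRYPTED PRIVATE KEY" PEM using only the standard library.
# The sample keys below are constructed here with dummy ciphertext, not real keys.
import base64
import re

KNOWN_OIDS = {  # PKCS#5 (1.2.840.113549.1.5.*) and PKCS#12 (1.2.840.113549.1.12.1.*) OIDs
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",  # openssl -v1 PBE-SHA1-3DES
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",  # a signature OID, not a PBE OID
}

def decode_oid(body: bytes) -> str:
    """Dotted form of OID content octets (the hex Tomcat prints in its error)."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)  # base 128; high bit set means more octets follow
        if not b & 0x80:
            arcs.append(value)
            value = 0
    arc1 = 2 if arcs[0] >= 80 else arcs[0] // 40  # first octet packs arc1 * 40 + arc2
    return ".".join(str(a) for a in [arc1, arcs[0] - 40 * arc1] + arcs[1:])

def encode_oid(dotted: str) -> bytes:
    """Inverse of decode_oid; used to build the constructed samples."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for a in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf: bytes, pos: int = 0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: n & 0x7F is the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body: bytes):
    pos = 0  # yields (tag, value) for each element inside a SEQUENCE body
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value

def _name(dotted: str) -> str:
    return f"{KNOWN_OIDS.get(dotted, 'unknown')} ({dotted})"

def pbe_algorithm(pem: str) -> str:
    """Describe the AlgorithmIdentifier at the top of an EncryptedPrivateKeyInfo."""
    m = re.search(r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("not a PKCS#8 EncryptedPrivateKeyInfo PEM block")
    _, epki, _ = read_tlv(base64.b64decode("".join(m.group(1).split())))
    alg_id, _ciphertext = children(epki)           # AlgorithmIdentifier, OCTET STRING
    (_, oid), *params = children(alg_id[1])
    dotted = decode_oid(oid)
    if dotted != "1.2.840.113549.1.5.13":           # PBES1 / PKCS#12 PBE: one OID names it all
        return _name(dotted)
    # PBES2-params ::= SEQUENCE { keyDerivationFunc, encryptionScheme }, both AlgorithmIdentifier
    kdf, scheme = children(params[0][1])
    scheme_oid = decode_oid(next(children(scheme[1]))[1])
    _, kdf_params = children(kdf[1])
    prf = "hmacWithSHA1 (default)"                  # prf is OPTIONAL in PBKDF2-params
    for tag, value in children(kdf_params[1]):
        if tag == 0x30:                             # the explicit prf AlgorithmIdentifier
            prf = _name(decode_oid(next(children(value))[1]))
    return f"{_name(dotted)} with {_name(scheme_oid)}, PRF {prf}"

def _to_pem(der_bytes: bytes) -> str:
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{body}\n-----END ENCRYPTED PRIVATE KEY-----\n"

def sample_pkcs12_pbe_key() -> str:
    """Constructed: the shape `openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES` produces."""
    params = der(0x30, der(0x04, bytes(8)) + der(0x02, b"\x08\x00"))  # salt, 2048 iterations
    alg = der(0x30, der(0x06, encode_oid("1.2.840.113549.1.12.1.3")) + params)
    return _to_pem(der(0x30, alg + der(0x04, bytes(16))))             # dummy ciphertext

def sample_pbes2_key() -> str:
    """Constructed: the shape `openssl pkcs8 -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256` produces."""
    prf = der(0x30, der(0x06, encode_oid("1.2.840.113549.2.9")) + der(0x05, b""))
    kdf_params = der(0x30, der(0x04, bytes(8)) + der(0x02, b"\x08\x00") + prf)
    kdf = der(0x30, der(0x06, encode_oid("1.2.840.113549.1.5.12")) + kdf_params)
    scheme = der(0x30, der(0x06, encode_oid("2.16.840.1.101.3.4.1.42")) + der(0x04, bytes(16)))
    alg = der(0x30, der(0x06, encode_oid("1.2.840.113549.1.5.13")) + der(0x30, kdf + scheme))
    return _to_pem(der(0x30, alg + der(0x04, bytes(16))))
```

On a real file, `pbe_algorithm(open("server.key").read())` returns a line such as `pbeWithSHAAnd3-KeyTripleDES-CBC (1.2.840.113549.1.12.1.3)`, and `decode_oid(bytes.fromhex("2a864886f70d010c0103"))` gives the same dotted value from the Tomcat message. `openssl asn1parse -i -in server.key` prints that OID in its first few lines and is a quick cross-check that needs no code.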


Re: PKCS#8 encryption algorithm unrecognized

2024-04-03 Thread Timothy Resh
Sure, I can provide the entire setup for you.  I'll work on that tonight.

On Sun, Mar 31, 2024 at 2:05 PM Mark Thomas  wrote:

> On 25/03/2024 16:56, Timothy Resh wrote:
> > Sorry for the delay.  Our certificate creation process was automated
> > several years ago and I had to go through the code to figure out the
> > commands being used for the certificates
> >
> > First, we use the createcert.exe from the Sybase 17 installation to
>
> I don't have access to that application so I am unable to follow the
> provided instructions.
>
> Given you do have access to the application, it will likely be simpler
> if you provide a test key and certificate that don't work that we can
> use for investigation.
>
> If you want to provide those offline, feel free to email the pem files
> to me directly.
>
> Mark
>
>
> > generate a DB cert for ODBC connectivity.  Please see the following link
> > for more information.
> >
> https://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.sqlanywhere.12.0.1/dbadmin/gencert-ml-ref1.html
> > -t encryption type
> > -b length
> > -ca "1"  Create Certificate Authority
> > -u 3,4,5,6
> >
> > - 3. Key Encipherment
> > - 4. Data Encipherment
> > - 5. Key Agreement
> > - 6. Certificate Signing
> >
> > -v 6 years
> > -co Public Certificate
> > -x Generates a self-signed certificate
> >
> > C:\tmp12>ECHO. | "C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe"
> > -t "rsa" -b "2048" -ca "1" -io "C:\tmp12\DB\Application Certificate
> > Files\Private Keys\ASA12 SAMM Vessel.pem" -ko "C:\tmp12\DB\Application
> > Certificate Files\Private Keys\ASA12 SAMM Vessel.key" -kp "changeit" -x -co
> > "C:\tmp12\DB\Application Certificate Files\Public Keys\ASA12 SAMM
> > Vessel.pub" -sc "US" -scn "WSD-2DNX4M3.mydomain.com" -sl "Norfolk"
> > -so "Vessel Ships" -sou "Engineering" -sst "VA" -u 3,4,5,6 -v "6"
> >
> > SQL Anywhere X.509 Certificate Generator Version 17.0.10.6160
> > Warning: The certificate will not be compatible with older versions of the
> > software including version 12.0.1 prior to build 3994 and version 16.0 prior
> > to build 1691. Use the -3des switch if you require compatibility.
> > Generating key pair...
> > Certificate will be a self-signed root
> > Serial number [generate GUID]:
> > Generated serial number: 42455c10a27d441db3e3d09f39f35452
> >
> >
> > This creates a  ASA12 SAMM Vessel.pub  that is then copied to the Tomcat
> > Application Server as "Client Configuration.pem"
> >
> > our next commands are all openssl or keytool
> >
> > openssl.exe genrsa -aes256 -passout pass:"changeit" -out
> > "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" 2048
> > 1>nul 2>&1
> > openssl.exe req -new -key "C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.mydomain.com.key" -subj
> > "/CN=WSD-2DNX4M3.mydomain.com/OU=USN/OU=PKI/OU=DoD/O=U.S.Government/C=US" -out
> > "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -passin
> > pass:"changeit" 1>nul 2>&1
> >
> > echo basicConstraints = CA:FALSE  1>"C:\tmp12\openssl\v3.ext"
> > echo keyUsage = digitalSignature, keyEncipherment
> >   1>>"C:\tmp12\openssl\v3.ext"
> > ECHO [SAN]   1>>"C:\tmp12\openssl\v3.ext"
> > ECHO subjectAltName=DNS:WSD-2DNX4M3.mydomain.com
> > 1>>"C:\tmp12\openssl\v3.ext"
> >
> > openssl.exe x509 -req -extfile "C:\tmp12\openssl\v3.ext" -signkey
> > "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -in
> > "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -out
> > "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -passin
> > pass:"changeit" -days "2190" -extensions SAN
> > Certificate request self-signature ok
> > subject=CN = WSD-2DNX4M3.mydomain.com, OU = USN, OU = PKI, OU = DoD, O =
> > U.S.Government, C = US
> >
> > COPY "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer"
> > "C:\tmp12\Certificates\CA\"   1>nul 2>&1
> >
> > openssl.exe pkcs12 -export -in "C:\tmp12\Certificate\Public
> > Key\WSD-2DNX

Re: PKCS#8 encryption algorithm unrecognized

2024-03-25 Thread Timothy Resh
xe pkcs8 -topk8 -v1 PBE-SHA1-3DES -in
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3" -out
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -passin
pass:"changeit" -passout pass:"changeit"

DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.2"
DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3"

keytool.exe -importkeystore -srckeystore
"C:\tmp12\Certificate\Keystore\Vessel.jks" -destkeystore
"C:\tmp12\Certificate\Keystore\Vessel.p12" -srcstoretype JKS -deststoretype
PKCS12 -srcstorepass "changeit" -deststorepass "changeit" -noprompt
keytool.exe -delete -alias "ASA12 SAMM Vessel Temporary CA" -keystore
"C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
keytool.exe -delete -alias "ASA12 SAMM Vessel" -keystore
"C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
keytool.exe -delete -alias "WSD-2DNX4M3.mydomain.com" -keystore
"C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
keytool.exe -import -alias "ASA12 SAMM Vessel" -file "C:\tmp12\Client
Configuration.pem" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12"
-storepass "changeit" -noprompt
keytool.exe -import -trustcacerts -alias "ASA12 SAMM Vessel Temporary CA"
-file "C:\tmp12\Client Configuration.pem" -keystore
"C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt


if you need anything else please get in touch with me.
I have tested this with the Tomcat 87 release and it still does not work.

Thanks

Mark Resh




On Tue, Mar 19, 2024 at 4:15 PM Mark Thomas  wrote:

> On 19/03/2024 18:18, Timothy Resh wrote:
> > SSLProtocol="TLSv1.2"
> > SSLCipherSuite="-ALL
> > ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
> > SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"
> > SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3...cer"
> > SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3...cer"
> > SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3..key"
> > SSLVerifyClient="optional"
> > SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
> > SSLCACertificatePath="C:\Certificates\CA\"
> >
> > where the . is the fqdn
> >
> > This works fine *until* Tomcat 9.0.83 and now we get the following listed
> > below. I have read some of the
> > https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=67675 bugs and ask for
> > help.
> > The certificates are being created using openssl 3.013.  Please note the
> > encrypted password to the p12 keystore.  There was a message saying this
> > was going to be fixed in a January release.
> > I just tested 9.0.87 and the error is the same.  The ASN.1 is  OBJECT
> > IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)
> >
> > Does anyone have some suggestions for a fix?
>
> Please provide a set of OpenSSL commands that create a problematic,
> self-signed certificate for localhost. This will save us a *lot* of time.
>
> Mark
>
>
> >
> > Thanks Mark Resh
> >
> >
> > 15-Mar-2024 18:27:37.621 WARNING [main]
> > org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the
> > [ciphers] attribute in a manner consistent with the latest OpenSSL
> > development branch. Some of the specified [ciphers] are not supported by
> > the configured SSL engine for this connector (which may use JSSE or an
> > older OpenSSL version) and have been skipped:
> > [[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
> > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]]
> > 15-Mar-2024 18:27:37.636 SEVERE [main]
> > org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
> > initialize component [Connector["https-openssl-apr-192.168.56.1-8443"]]
> > org.apache.catalina.LifecycleException: Protocol handler initialization
> > failed
> > at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> > at
> > org.apache.catalina.core.StandardService.initInternal(StandardService.jav

PKCS#8 encryption algorithm unrecognized

2024-03-19 Thread Timothy Resh

SSLProtocol="TLSv1.2"
SSLCipherSuite="-ALL
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"
SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3...cer"
SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3...cer"
SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3..key"
SSLVerifyClient="optional"
SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
SSLCACertificatePath="C:\Certificates\CA\"

where the . is the fqdn

This works fine *until* Tomcat 9.0.83 and now we get the following listed
below. I have read some of the
https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=67675 bugs and ask for
help.
The certificates are being created using openssl 3.013.  Please note the
encrypted password to the p12 keystore.  There was a message saying this
was going to be fixed in a January release.
I just tested 9.0.87 and the error is the same.  The ASN.1 is  OBJECT
IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)

Does anyone have some suggestions for a fix?

Thanks Mark Resh


15-Mar-2024 18:27:37.621 WARNING [main]
org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the
[ciphers] attribute in a manner consistent with the latest OpenSSL
development branch. Some of the specified [ciphers] are not supported by
the configured SSL engine for this connector (which may use JSSE or an
older OpenSSL version) and have been skipped:
[[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]]
15-Mar-2024 18:27:37.636 SEVERE [main]
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
initialize component [Connector["https-openssl-apr-192.168.56.1-8443"]]
org.apache.catalina.LifecycleException: Protocol handler initialization
failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
Caused by: java.lang.IllegalArgumentException: The PKCS#8 encryption
algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
at
org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:467)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
at
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1345)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
... 13 more
Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption
algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
at
org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:379)
at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:213)
at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:141)
at
org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
at
org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:108)
at
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
at
org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:465)
... 19 more
15-Mar-2024 18:27:37.636 INFO [main]
org.apache.catalina.startup.Catalina.load Server initialization in [1655]
milliseconds