Re: PKCS#8 encryption algorithm unrecognized

2024-06-27 Thread Christopher Schultz

Timothy,

On 6/25/24 10:39, Timothy Resh wrote:

In the
  SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"

we defined a class to convert the encrypted password and set the following
properties:
public class MyPropertySource implements
        org.apache.tomcat.util.IntrospectionUtils.PropertySource {
    ...
    public String getProperty(String arg0) {
        if (arg0.contains("KSENC(")) {
            System.setProperty("javax.net.ssl.keyStore", keyStorePath);
            System.setProperty("javax.net.ssl.keyStorePassword", clearText);
            System.setProperty("javax.net.ssl.trustStore", trustStorePath);
            System.setProperty("javax.net.ssl.trustStorePassword", clearText);
        }
        ...
    }
}
This class will set the following properties at the beginning of Tomcat init

In my debugging I found that it could not determine the store properly.
So, I tried putting in keystoreType="PKCS12" and now it works.

I hope this helps.  I'm still set up for debugging if you need something
looked at.


FYI I /think/ that all the javax.net.ssl.* properties are read only once 
during JSSE initialization. It's entirely possible that JSSE is 
configured *before* this code runs and it doesn't have any effect. For 
JVM-wide properties like these, it's best to set those system properties 
on the command-line instead of waiting for Java code to set them.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: PKCS#8 encryption algorithm unrecognized

2024-06-25 Thread Timothy Resh
In the
 SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"

we defined a class to convert the encrypted password and set the following
properties:
public class MyPropertySource implements
        org.apache.tomcat.util.IntrospectionUtils.PropertySource {
    ...
    public String getProperty(String arg0) {
        if (arg0.contains("KSENC(")) {
            System.setProperty("javax.net.ssl.keyStore", keyStorePath);
            System.setProperty("javax.net.ssl.keyStorePassword", clearText);
            System.setProperty("javax.net.ssl.trustStore", trustStorePath);
            System.setProperty("javax.net.ssl.trustStorePassword", clearText);
        }
        ...
    }
}
This class will set the following properties at the beginning of Tomcat init

In my debugging I found that it could not determine the store properly.
So, I tried putting in keystoreType="PKCS12" and now it works.

I hope this helps.  I'm still set up for debugging if you need something
looked at.

Thanks


On Tue, Jun 11, 2024 at 2:14 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Mark,
>
> On 6/10/24 14:56, Timothy Resh wrote:
> > After much debugging, I have found the issue in my situation. In the
> > server.xml file, you must put keystoreType="PKCS12" for it to recognize
> the
> > keystore properly.
>
> That doesn't make any sense to me. Not a single one of your previous
> posts has been using a keystore file at all for Tomcat. You did show how
> you assembled a (rather complicated) PKCS12 keystore file using a
> combination of openssl and keytool in your message from 25 March but
> this is the only place in your configuration file I see that file:
>
>  SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"
>
> I have *no idea* what you are doing in there, but I assumed that
> keystore contained some kind of password and not a certificate or RSA key.
>
> -chris
>
> > On Fri, Apr 5, 2024 at 4:27 AM Roberto Benedetti <
> > roberto.benede...@dedalus.eu> wrote:
> >
> >>> I got the Object ID and version straight out of the Certificate using
> >>> Keystore Explorer.  I'm not sure why there is a difference.
> >>
> >> Keystore Explorer uses Bouncy Castle (https://www.bouncycastle.org/) as
> >> provider for JCE.
> >>
> >> If your JRE/JDK does not provide some algorithm you could use Bouncy
> >> Castle as well.
> >>
> >> Regards,
> >> Roberto
> >>
> >>
> >
>
>
>


Re: PKCS#8 encryption algorithm unrecognized

2024-06-11 Thread Christopher Schultz

Mark,

On 6/10/24 14:56, Timothy Resh wrote:

After much debugging, I have found the issue in my situation. In the
server.xml file, you must put keystoreType="PKCS12" for it to recognize the
keystore properly.


That doesn't make any sense to me. Not a single one of your previous 
posts has been using a keystore file at all for Tomcat. You did show how 
you assembled a (rather complicated) PKCS12 keystore file using a 
combination of openssl and keytool in your message from 25 March but 
this is the only place in your configuration file I see that file:


SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"

I have *no idea* what you are doing in there, but I assumed that 
keystore contained some kind of password and not a certificate or RSA key.


-chris


On Fri, Apr 5, 2024 at 4:27 AM Roberto Benedetti <
roberto.benede...@dedalus.eu> wrote:


I got the Object ID and version straight out of the Certificate using
Keystore Explorer.  I'm not sure why there is a difference.


Keystore Explorer uses Bouncy Castle (https://www.bouncycastle.org/) as
provider for JCE.

If your JRE/JDK does not provide some algorithm you could use Bouncy
Castle as well.

Regards,
Roberto









Re: PKCS#8 encryption algorithm unrecognized

2024-06-10 Thread Timothy Resh
After much debugging, I have found the issue in my situation. In the
server.xml file, you must put keystoreType="PKCS12" for it to recognize the
keystore properly.

On Fri, Apr 5, 2024 at 4:27 AM Roberto Benedetti <
roberto.benede...@dedalus.eu> wrote:

> > I got the Object ID and version straight out of the Certificate using
> > Keystore Explorer.  I'm not sure why there is a difference.
>
> Keystore Explorer uses Bouncy Castle (https://www.bouncycastle.org/) as
> provider for JCE.
>
> If your JRE/JDK does not provide some algorithm you could use Bouncy
> Castle as well.
>
> Regards,
> Roberto
>
>


Re: PKCS#8 encryption algorithm unrecognized

2024-04-04 Thread Timothy Resh
Java is 1.8.0_391

On Thu, Apr 4, 2024 at 1:35 PM Timothy Resh  wrote:

> I got the Object ID and version straight out of the Certificate using
> Keystore Explorer.  I'm not sure why there is a difference.
>
> The "\" is because I manually deleted the beginning part of the path.
> It's correct in the actual file.
>
> Java is 1.8.
>
> On Wed, Apr 3, 2024 at 6:11 PM Konstantin Kolinko 
> wrote:
>
>> > Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption
>> > algorithm with DER encoded OID of [2a864886f70d010c0103] was not
>> recognised
>>
>> If I google for the above hex number, it finds the following:
>>
>> '2A864886F70D010C0103' -- 1.2.840.113549.1.12.1.3
>> pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS #12 PbeIds)
>>
>> (actually a comment in some random source file, but it explains what
>> the value is).
>>
>> If I manually decode that value, thanks to
>> https://stackoverflow.com/a/24720842
>> I get the same value:
>>
>> 2a = 42 = 1 * 40 + 2 -> "1.2"
>> 8648 = (0x06 * 128) + 0x48 = 6 * 128 + 72 = 840
>> 86f70d = ((0x06 * 128) + (0x77 * 128) + 0x0d = ((6 * 128) + 119) * 128
>> + 13 = 113549
>> 01 = 1
>> 0c = 12
>> 01 = 1
>> 03 = 3
>>
>> I saw that you mentioned
>> > The ASN.1 is  OBJECT IDENTIFIER=Sha256WithRSAEncryption
>> (1.2.840.113549.1.1.11)
>>
>> but the value is different.
>> *.1.1.11 vs *.1.12.1.3
>>
>> Maybe it helps.
>>
>> What is your version of Java?
>>
>> Isn't the algorithm (mentioned in the error message) deprecated,
>> because it uses SHA-1 ?
>>
>> > SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3...cer"
>>
>> A '\' is missing after ':'.
>>
>> Best regards,
>> Konstantin Kolinko
>>
>>
>>


Re: PKCS#8 encryption algorithm unrecognized

2024-04-04 Thread Timothy Resh
I got the Object ID and version straight out of the Certificate using
Keystore Explorer.  I'm not sure why there is a difference.

The "\" is because I manually deleted the beginning part of the path.  It's
correct in the actual file.

Java is 1.8.

On Wed, Apr 3, 2024 at 6:11 PM Konstantin Kolinko 
wrote:

> > Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption
> > algorithm with DER encoded OID of [2a864886f70d010c0103] was not
> recognised
>
> If I google for the above hex number, it finds the following:
>
> '2A864886F70D010C0103' -- 1.2.840.113549.1.12.1.3
> pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS #12 PbeIds)
>
> (actually a comment in some random source file, but it explains what
> the value is).
>
> If I manually decode that value, thanks to
> https://stackoverflow.com/a/24720842
> I get the same value:
>
> 2a = 42 = 1 * 40 + 2 -> "1.2"
> 8648 = (0x06 * 128) + 0x48 = 6 * 128 + 72 = 840
> 86f70d = ((0x06 * 128) + (0x77 * 128) + 0x0d = ((6 * 128) + 119) * 128
> + 13 = 113549
> 01 = 1
> 0c = 12
> 01 = 1
> 03 = 3
>
> I saw that you mentioned
> > The ASN.1 is  OBJECT IDENTIFIER=Sha256WithRSAEncryption
> (1.2.840.113549.1.1.11)
>
> but the value is different.
> *.1.1.11 vs *.1.12.1.3
>
> Maybe it helps.
>
> What is your version of Java?
>
> Isn't the algorithm (mentioned in the error message) deprecated,
> because it uses SHA-1 ?
>
> > SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3...cer"
>
> A '\' is missing after ':'.
>
> Best regards,
> Konstantin Kolinko
>
>
>


Re: PKCS#8 encryption algorithm unrecognized

2024-04-03 Thread Konstantin Kolinko
> Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption
> algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised

If I google for the above hex number, it finds the following:

'2A864886F70D010C0103' -- 1.2.840.113549.1.12.1.3
pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS #12 PbeIds)

(actually a comment in some random source file, but it explains what
the value is).

If I manually decode that value, thanks to
https://stackoverflow.com/a/24720842
I get the same value:

2a = 42 = 1 * 40 + 2 -> "1.2"
8648 = (0x06 * 128) + 0x48 = 6 * 128 + 72 = 840
86f70d = ((0x06 * 128) + (0x77 * 128) + 0x0d = ((6 * 128) + 119) * 128
+ 13 = 113549
01 = 1
0c = 12
01 = 1
03 = 3

I saw that you mentioned
> The ASN.1 is  OBJECT IDENTIFIER=Sha256WithRSAEncryption 
> (1.2.840.113549.1.1.11)

but the value is different.
*.1.1.11 vs *.1.12.1.3

Maybe it helps.

What is your version of Java?

Isn't the algorithm (mentioned in the error message) deprecated,
because it uses SHA-1 ?

> SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3...cer"

A '\' is missing after ':'.

Best regards,
Konstantin Kolinko
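The OID arithmetic above, as an added example that is not part of the thread: a Python decoder for DER OBJECT IDENTIFIER content bytes (the `2a864886f70d010c0103` from the Tomcat error and the `2a864886f70d01010b` of sha256WithRSAEncryption), plus a minimal DER walker that pulls the encryptionAlgorithm OID out of a PKCS#8 EncryptedPrivateKeyInfo, so an `ENCRYPTED PRIVATE KEY` PEM file can be inspected before Tomcat tries to load it. The EncryptedPrivateKeyInfo in the block is constructed in place (dummy encryptedData, not a real key); `decode_oid`, `read_tlv`, `pbe_algorithm`, `pem_to_der` and the `PBE_ALGORITHMS` table are this example's own names, not Tomcat or OpenSSL APIs.

```python
# Added example (not from the thread): decode DER OID bytes such as the
# [2a864886f70d010c0103] in the Tomcat error, and read the PBE scheme out of a
# PKCS#8 EncryptedPrivateKeyInfo so a PEM key can be checked before deployment.
# The sample key material at the bottom is constructed and contains no real key.
import base64
import re


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form.

    Each arc is a base-128 integer with the high bit set on every byte but the
    last; the first byte packs the first two arcs as 40*X + Y (0x2a -> 1.2).
    """
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            if not arcs:
                first = 2 if value >= 80 else value // 40
                arcs += [first, value - 40 * first]
            else:
                arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int = 0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# Small table of PKCS#8 password-based encryption schemes (constructed here).
PBE_ALGORITHMS = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS#12 PBE, SHA-1 based)",
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PKCS#5 v1.5)",
    "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2.0, cipher given in parameters)",
}


def pbe_algorithm(epki: bytes) -> tuple:
    """Return (oid, name) of the encryption scheme in a DER EncryptedPrivateKeyInfo.

    EncryptedPrivateKeyInfo ::= SEQUENCE {
        encryptionAlgorithm  AlgorithmIdentifier,   -- SEQUENCE { OID, params }
        encryptedData        OCTET STRING }
    """
    tag, body, _ = read_tlv(epki)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg_id, _ = read_tlv(body)
    if tag != 0x30:
        raise ValueError("encryptionAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = read_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_bytes)
    return oid, PBE_ALGORITHMS.get(oid, "unknown to this table")


def pem_to_der(pem: str) -> bytes:
    """Extract the DER payload of an ENCRYPTED PRIVATE KEY PEM block."""
    m = re.search(r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)"
                  r"-----END ENCRYPTED PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("no ENCRYPTED PRIVATE KEY block found")
    return base64.b64decode("".join(m.group(1).split()))


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed sample: structurally valid EncryptedPrivateKeyInfo using the
# pbeWithSHAAnd3-KeyTripleDES-CBC OID, with an 8-byte salt, 2048 iterations
# and 200 zero bytes standing in for the ciphertext (not a real key).
SHA1_3DES_OID = bytes.fromhex("2a864886f70d010c0103")
SAMPLE_DER = _der(0x30,
                  _der(0x30, _der(0x06, SHA1_3DES_OID)
                       + _der(0x30, _der(0x04, b"\x01" * 8) + _der(0x02, b"\x08\x00")))
                  + _der(0x04, b"\x00" * 200))
SAMPLE_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(decode_oid(SHA1_3DES_OID))                           # 1.2.840.113549.1.12.1.3
    print(decode_oid(bytes.fromhex("2a864886f70d01010b")))     # 1.2.840.113549.1.1.11
    print(pbe_algorithm(pem_to_der(SAMPLE_PEM)))
```

Pointing `pem_to_der` at the `.key` written by the thread's `openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES` step reports 1.2.840.113549.1.12.1.3, the same OID the Tomcat error prints, while `-v2` with an AES cipher yields a PBES2 (1.2.840.113549.1.5.13) AlgorithmIdentifier instead; the decoder only tells you which scheme the file carries, it does not decrypt anything.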




Re: PKCS#8 encryption algorithm unrecognized

2024-04-03 Thread Timothy Resh
Sure, I can provide the entire setup for you. I'll work on that tonight.

On Sun, Mar 31, 2024 at 2:05 PM Mark Thomas  wrote:

> On 25/03/2024 16:56, Timothy Resh wrote:
> > Sorry for the delay.  Our certificate creation process was automated
> > several years ago and I had to go through the code to figure out the
> > commands being used for the certificates
> >
> > First, we use the createcert.exe from the Sybase 17 installation to
>
> I don't have access to that application so I am unable to follow the
> provided instructions.
>
> Given you do have access to the application, it will likely be simpler
> if you provide a test key and certificate that don't work that we can
> use for investigation.
>
> If you want to provide those offline, feel free to email the pem files
> to me directly.
>
> Mark
>
>
> > generate a DB cert for ODBC connectivity.  Please see the following link
> > for more information.
> >
> https://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.sqlanywhere.12.0.1/dbadmin/gencert-ml-ref1.html
> > -t encryption type
> > -b length
> > -ca "1"  Create Certificate Authority
> > -u 3,4,5,6
> >
> > - 3. Key Encipherment
> > - 4. Data Encipherment
> > - 5. Key Agreement
> > - 6. Certificate Signing
> >
> > -v 6 years
> > -co Public Certificate
> > -x Generates a self-signed certificate
> >
> > C:\tmp12>ECHO. | "C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe"
> > -t "rsa" -b "2048" -ca "1" -io "C:\tmp12\DB\Application Certificate
> > Files\Private Keys\ASA12 SAMM Vessel.pem" -ko "C:\tmp12\DB\Application
> > Certificate Files\Private Keys\ASA12 SAMM Vessel.key" -kp "changeit" -x -co
> > "C:\tmp12\DB\Application Certificate Files\Public Keys\ASA12 SAMM
> > Vessel.pub" -sc "US" -scn "WSD-2DNX4M3.mydomain.com" -sl "Norfolk"
> > -so "Vessel Ships" -sou "Engineering" -sst "VA" -u 3,4,5,6 -v "6"
> >
> > SQL Anywhere X.509 Certificate Generator Version 17.0.10.6160
> > Warning: The certificate will not be compatible with older versions
> > of the software including version 12.0.1 prior to build 3994 and
> > version 16.0 prior to build 1691. Use the -3des switch if you require
> > compatibility.
> > Generating key pair...
> > Certificate will be a self-signed root
> > Serial number [generate GUID]:
> > Generated serial number: 42455c10a27d441db3e3d09f39f35452
> >
> >
> > This creates a  ASA12 SAMM Vessel.pub  that is then copied to the Tomcat
> > Application Server as "Client Configuration.pem"
> >
> > our next commands are all openssl or keytool
> >
> > openssl.exe genrsa -aes256 -passout pass:"changeit" -out
> > "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" 2048
> > 1>nul 2>&1
> > openssl.exe req -new -key "C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.mydomain.com.key" -subj
> > "/CN=WSD-2DNX4M3.mydomain.com/OU=USN/OU=PKI/OU=DoD/O=U.S.Government/C=US" -out
> > "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -passin
> > pass:"changeit" 1>nul 2>&1
> >
> > echo basicConstraints = CA:FALSE 1>"C:\tmp12\openssl\v3.ext"
> > echo keyUsage = digitalSignature, keyEncipherment 1>>"C:\tmp12\openssl\v3.ext"
> > ECHO [SAN] 1>>"C:\tmp12\openssl\v3.ext"
> > ECHO subjectAltName=DNS:WSD-2DNX4M3.mydomain.com 1>>"C:\tmp12\openssl\v3.ext"
> >
> > openssl.exe x509 -req -extfile "C:\tmp12\openssl\v3.ext" -signkey
> > "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -in
> > "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -out
> > "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -passin
> > pass:"changeit" -days "2190" -extensions SAN
> > Certificate request self-signature ok
> > subject=CN = WSD-2DNX4M3.mydomain.com, OU = USN, OU = PKI, OU = DoD, O =
> > U.S.Government, C = US
> >
> > COPY "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer"
> > "C:\tmp12\Certificates\CA\"   1>nul 2>&1
> >
> > openssl.exe pkcs12 -export -in "C:\tmp12\Certificate\Public
> > Key\WSD-2DNX4M3.mydomain.com.cer" -inkey "C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.mydomain.com.p12" -name WSD-2DNX4M3.mydomain.com -CAfile
> > "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -caname
> > WSD-2DNX4M3.mydomain.com -passin pass:"changeit" -passout
> pass:"changeit"
> >
> > keytool.exe -importkeystore -deststorepass "changeit" -destkeypass
> > "changeit" -destkeystore "C:\tmp12\Certificate\Keystore\Vessel.jks"
> > -srckeystore "C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.mydomain.com.p12" -srcstoretype PKCS12 -srcstorepass
> > "changeit" -alias WSD-2DNX4M3.mydomain.com
> > Importing keystore C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.mydomain.com.p12 to
> > C:\tmp12\Certificate\Keystore\Vessel.jks...
> > DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12"
> >
> > openssl.exe rsa -in "C:\tmp12\Certificate\Private
> > Key\WSD-2DNX4M3.my

Re: PKCS#8 encryption algorithm unrecognized

2024-03-31 Thread Mark Thomas

On 25/03/2024 16:56, Timothy Resh wrote:

Sorry for the delay.  Our certificate creation process was automated
several years ago and I had to go through the code to figure out the
commands being used for the certificates

First, we use the createcert.exe from the Sybase 17 installation to


I don't have access to that application so I am unable to follow the 
provided instructions.


Given you do have access to the application, it will likely be simpler 
if you provide a test key and certificate that don't work that we can 
use for investigation.


If you want to provide those offline, feel free to email the pem files 
to me directly.


Mark



generate a DB cert for ODBC connectivity.  Please see the following link
for more information.
https://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.sqlanywhere.12.0.1/dbadmin/gencert-ml-ref1.html
-t encryption type
-b length
-ca "1"  Create Certificate Authority
-u 3,4,5,6

- 3. Key Encipherment
- 4. Data Encipherment
- 5. Key Agreement
- 6. Certificate Signing

-v 6 years
-co Public Certificate
-x Generates a self-signed certificate

C:\tmp12>ECHO. | "C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe"
-t "rsa" -b "2048" -ca "1" -io "C:\tmp12\DB\Application Certificate
Files\Private Keys\ASA12 SAMM Vessel.pem" -ko "C:\tmp12\DB\Application
Certificate Files\Private Keys\ASA12 SAMM Vessel.key" -kp "changeit" -x -co
"C:\tmp12\DB\Application Certificate Files\Public Keys\ASA12 SAMM
Vessel.pub" -sc "US" -scn "WSD-2DNX4M3.mydomain.com" -sl "Norfolk"
-so "Vessel Ships" -sou "Engineering" -sst "VA" -u 3,4,5,6 -v "6"

SQL Anywhere X.509 Certificate Generator Version 17.0.10.6160
Warning: The certificate will not be compatible with older versions
of the software including version 12.0.1 prior to build 3994 and
version 16.0 prior to build 1691. Use the -3des switch if you require
compatibility.
Generating key pair...
Certificate will be a self-signed root
Serial number [generate GUID]:
Generated serial number: 42455c10a27d441db3e3d09f39f35452


This creates a  ASA12 SAMM Vessel.pub  that is then copied to the Tomcat
Application Server as "Client Configuration.pem"

our next commands are all openssl or keytool

openssl.exe genrsa -aes256 -passout pass:"changeit" -out
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" 2048
1>nul 2>&1
openssl.exe req -new -key "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key" -subj
"/CN=WSD-2DNX4M3.mydomain.com/OU=USN/OU=PKI/OU=DoD/O=U.S.Government/C=US" -out
"C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -passin
pass:"changeit" 1>nul 2>&1

echo basicConstraints = CA:FALSE 1>"C:\tmp12\openssl\v3.ext"
echo keyUsage = digitalSignature, keyEncipherment 1>>"C:\tmp12\openssl\v3.ext"
ECHO [SAN] 1>>"C:\tmp12\openssl\v3.ext"
ECHO subjectAltName=DNS:WSD-2DNX4M3.mydomain.com 1>>"C:\tmp12\openssl\v3.ext"

openssl.exe x509 -req -extfile "C:\tmp12\openssl\v3.ext" -signkey
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -in
"C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -out
"C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -passin
pass:"changeit" -days "2190" -extensions SAN
Certificate request self-signature ok
subject=CN = WSD-2DNX4M3.mydomain.com, OU = USN, OU = PKI, OU = DoD, O =
U.S.Government, C = US

COPY "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer"
"C:\tmp12\Certificates\CA\"   1>nul 2>&1

openssl.exe pkcs12 -export -in "C:\tmp12\Certificate\Public
Key\WSD-2DNX4M3.mydomain.com.cer" -inkey "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.p12" -name WSD-2DNX4M3.mydomain.com -CAfile
"C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -caname
WSD-2DNX4M3.mydomain.com -passin pass:"changeit" -passout pass:"changeit"

keytool.exe -importkeystore -deststorepass "changeit" -destkeypass
"changeit" -destkeystore "C:\tmp12\Certificate\Keystore\Vessel.jks"
-srckeystore "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.p12" -srcstoretype PKCS12 -srcstorepass
"changeit" -alias WSD-2DNX4M3.mydomain.com
Importing keystore C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.p12 to
C:\tmp12\Certificate\Keystore\Vessel.jks...
DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12"

openssl.exe rsa -in "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key.2" -passin pass:"changeit"
openssl.exe rsa -aes256 -in "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key.2" -out "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key.3" -passin pass:"changeit" -passout
pass:"changeit"
openssl.exe pkcs8 -topk8 -v1 PBE-SHA1-3DES -in
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3" -out
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -passin
pass:"changeit"

Re: PKCS#8 encryption algorithm unrecognized

2024-03-25 Thread Timothy Resh
Sorry for the delay.  Our certificate creation process was automated
several years ago and I had to go through the code to figure out the
commands being used for the certificates

First, we use the createcert.exe from the Sybase 17 installation to
generate a DB cert for ODBC connectivity.  Please see the following link
for more information.
https://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.sqlanywhere.12.0.1/dbadmin/gencert-ml-ref1.html
-t encryption type
-b length
-ca "1"  Create Certificate Authority
-u 3,4,5,6

   - 3. Key Encipherment
   - 4. Data Encipherment
   - 5. Key Agreement
   - 6. Certificate Signing

-v 6 years
-co Public Certificate
-x Generates a self-signed certificate

C:\tmp12>ECHO. | "C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe"
-t "rsa" -b "2048" -ca "1" -io "C:\tmp12\DB\Application Certificate
Files\Private Keys\ASA12 SAMM Vessel.pem" -ko "C:\tmp12\DB\Application
Certificate Files\Private Keys\ASA12 SAMM Vessel.key" -kp "changeit" -x -co
"C:\tmp12\DB\Application Certificate Files\Public Keys\ASA12 SAMM
Vessel.pub" -sc "US" -scn "WSD-2DNX4M3.mydomain.com" -sl "Norfolk"
-so "Vessel Ships" -sou "Engineering" -sst "VA" -u 3,4,5,6 -v "6"

SQL Anywhere X.509 Certificate Generator Version 17.0.10.6160
Warning: The certificate will not be compatible with older versions
of the software including version 12.0.1 prior to build 3994 and
version 16.0 prior to build 1691. Use the -3des switch if you require
compatibility.
Generating key pair...
Certificate will be a self-signed root
Serial number [generate GUID]:
Generated serial number: 42455c10a27d441db3e3d09f39f35452


This creates a  ASA12 SAMM Vessel.pub  that is then copied to the Tomcat
Application Server as "Client Configuration.pem"

our next commands are all openssl or keytool

openssl.exe genrsa -aes256 -passout pass:"changeit" -out
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" 2048
1>nul 2>&1
openssl.exe req -new -key "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key" -subj
"/CN=WSD-2DNX4M3.mydomain.com/OU=USN/OU=PKI/OU=DoD/O=U.S.Government/C=US" -out
"C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -passin
pass:"changeit" 1>nul 2>&1

echo basicConstraints = CA:FALSE 1>"C:\tmp12\openssl\v3.ext"
echo keyUsage = digitalSignature, keyEncipherment 1>>"C:\tmp12\openssl\v3.ext"
ECHO [SAN] 1>>"C:\tmp12\openssl\v3.ext"
ECHO subjectAltName=DNS:WSD-2DNX4M3.mydomain.com 1>>"C:\tmp12\openssl\v3.ext"

openssl.exe x509 -req -extfile "C:\tmp12\openssl\v3.ext" -signkey
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -in
"C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -out
"C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -passin
pass:"changeit" -days "2190" -extensions SAN
Certificate request self-signature ok
subject=CN = WSD-2DNX4M3.mydomain.com, OU = USN, OU = PKI, OU = DoD, O =
U.S.Government, C = US

COPY "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer"
"C:\tmp12\Certificates\CA\"   1>nul 2>&1

openssl.exe pkcs12 -export -in "C:\tmp12\Certificate\Public
Key\WSD-2DNX4M3.mydomain.com.cer" -inkey "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.p12" -name WSD-2DNX4M3.mydomain.com -CAfile
"C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -caname
WSD-2DNX4M3.mydomain.com -passin pass:"changeit" -passout pass:"changeit"

keytool.exe -importkeystore -deststorepass "changeit" -destkeypass
"changeit" -destkeystore "C:\tmp12\Certificate\Keystore\Vessel.jks"
-srckeystore "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.p12" -srcstoretype PKCS12 -srcstorepass
"changeit" -alias WSD-2DNX4M3.mydomain.com
Importing keystore C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.p12 to
C:\tmp12\Certificate\Keystore\Vessel.jks...
DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12"

openssl.exe rsa -in "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key.2" -passin pass:"changeit"
openssl.exe rsa -aes256 -in "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key.2" -out "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key.3" -passin pass:"changeit" -passout
pass:"changeit"
openssl.exe pkcs8 -topk8 -v1 PBE-SHA1-3DES -in
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3" -out
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -passin
pass:"changeit" -passout pass:"changeit"

DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.2"
DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3"

keytool.exe -importkeystore -srckeystore
"C:\tmp12\Certificate\Keystore\Vessel.jks" -destkeystore
"C:\tmp12\Certificate\Keystore\Vessel.p12" -srcstoretype JKS -deststoretype
PKCS12 -srcstorepass "changeit" -deststorepass "changeit" -nopr

Re: PKCS#8 encryption algorithm unrecognized

2024-03-19 Thread Mark Thomas

On 19/03/2024 18:18, Timothy Resh wrote:

where the . is the fqdn

This works fine *until* Tomcat 9.0.83 and now we get the following listed
below. I have read some of the
https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=67675 bugs and ask for
help.
The certificates are being created using openssl 3.013.  Please note the
encrypted password to the p12 keystore.  There was a message saying this
was going to be fixed in a January release.
I just tested 9.0.87 and the error is the same.  The ASN.1 is  OBJECT
IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)

Does anyone have some suggestions for a fix?


Please provide a set of OpenSSL commands that create a problematic, 
self-signed certificate for localhost. This will save us a *lot* of time.


Mark




Thanks Mark Resh


15-Mar-2024 18:27:37.621 WARNING [main]
org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the
[ciphers] attribute in a manner consistent with the latest OpenSSL
development branch. Some of the specified [ciphers] are not supported by
the configured SSL engine for this connector (which may use JSSE or an
older OpenSSL version) and have been skipped:
[[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]]
15-Mar-2024 18:27:37.636 SEVERE [main]
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
initialize component [Connector["https-openssl-apr-192.168.56.1-8443"]]
org.apache.catalina.LifecycleException: Protocol handler initialization
failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
Caused by: java.lang.IllegalArgumentException: The PKCS#8 encryption algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:467)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1345)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
... 13 more
Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:379)
at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:213)
at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:141)
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:108)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:465)
... 19 more
15-Mar-2024 18:27:37.636 INFO [main]
org.apache.catalina.startup.Catalina.load Server initialization in [1655]
milliseconds






Re: PKCS#8 encryption algorithm unrecognized

2024-03-19 Thread Christopher Schultz

Timothy,

On 3/19/24 14:18, Timothy Resh wrote:

where the . is the fqdn

This works fine *until* Tomcat 9.0.83 and now we get the following listed
below.


Is it possible for you to re-test with Tomcat 9.0.85 or later?

-chris

I have read some of the

https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=67675 bugs and ask for
help.
The certificates are being created using openssl 3.013.  Please note the
encrypted password to the p12 keystore.  There was a message saying this
was going to be fixed in a January release.
I just tested 9.0.87 and the error is the same.  The ASN.1 is  OBJECT
IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)

Does anyone have some suggestions for a fix?

Thanks Mark Resh


15-Mar-2024 18:27:37.621 WARNING [main]
org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the
[ciphers] attribute in a manner consistent with the latest OpenSSL
development branch. Some of the specified [ciphers] are not supported by
the configured SSL engine for this connector (which may use JSSE or an
older OpenSSL version) and have been skipped:
[[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]]
15-Mar-2024 18:27:37.636 SEVERE [main]
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
initialize component [Connector["https-openssl-apr-192.168.56.1-8443"]]
org.apache.catalina.LifecycleException: Protocol handler initialization
failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
Caused by: java.lang.IllegalArgumentException: The PKCS#8 encryption algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:467)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1345)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
... 13 more
Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:379)
at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:213)
at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:141)
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:108)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:465)
... 19 more
15-Mar-2024 18:27:37.636 INFO [main]
org.apache.catalina.startup.Catalina.load Server initialization in [1655]
milliseconds


