-
Notifications
You must be signed in to change notification settings - Fork 24.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PemUtils can't handle PKCS#5 v2.0 encrypted Private Keys in PKCS#8 format #32021
Comments
Pinging @elastic/es-security |
Any news about this issue? |
Hi @hxnan , we haven't prioritized work on this yet ,is this something that affects you when running elasticsearch?
Just to be clear, if you are interested in the upstream bug, then probably the jvm bug tracker is the best way to keep track of this |
I met the same issue when I use the netty tls feature, =new EncryptedPrivateKeyInfo(); |
This commit adds support for decrypting PKCS#8 encoded private keys that have been encrypted using a PBES2 based scheme (AES only). Unfortunately `java.crypto.EncryptedPrivateKeyInfo` doesn't make this easy as the underlying encryption algorithm is hidden within the `AlgorithmParameters`, and can only be extracted by calling `toString()` on the parameters object. See: https://datatracker.ietf.org/doc/html/rfc8018#appendix-A.4 See: AlgorithmParameters#toString() See: com.sun.crypto.provider.PBES2Parameters#toString() Resolves: #78901, #32021
resolved by #78904 |
When storing encrypted Private Keys in PKCS#8 format, a number of PKCS#5 v1.5, PKCS#5 v2.0 and PKCS#12 can be used to generate the encryption key from the provided passphrase.
It turns out that Java support for PKCS#5 2.0 has some issues ( this bug report is open for three years now ). The manifestation of this bug is that when a PKCS#8 formatted Private Key that has been encrypted with a key derived using one of PKCS#5 v2.0 ciphers, PemUtils will fail to parse the key with the following exception
Example of generating a key that will fail to be parsed:
(-v2 selects a
PKCS#5 2.0
algorithm,aes128
and aes256` are other options - all fail )Example of generating a key that can be parsed:
-v1 selects a
PKCS#5 v1.5
orPKCS#12
algorithm, copying from openssl manpage, options includeThe text was updated successfully, but these errors were encountered: