java.io.IOException: Invalid DER: object is not integer (continued) #185

Closed
clouddistortion opened this issue Feb 14, 2018 · 13 comments

@clouddistortion

Unfortunately I am unable to reopen the task #135 again, so I am posting this question here again.

Hi,

I am trying to get the client api (0.2) up and running but unfortunately I am getting the following error:

2017-12-05 16:21:10 ERROR {main} io.kubernetes.client.util.Config - Failed to invoke build key managers
java.io.IOException: Invalid DER: object is not integer
at io.kubernetes.client.util.SSLUtils$Asn1Object.getInteger(SSLUtils.java:229)
at io.kubernetes.client.util.SSLUtils.next(SSLUtils.java:160)
at io.kubernetes.client.util.SSLUtils.decodePKCS1(SSLUtils.java:155)
at io.kubernetes.client.util.SSLUtils.createKeyStore(SSLUtils.java:100)
at io.kubernetes.client.util.SSLUtils.createKeyStore(SSLUtils.java:78)
at io.kubernetes.client.util.SSLUtils.keyManagers(SSLUtils.java:63)
at io.kubernetes.client.util.Config.fromConfig(Config.java:110)

I tried it with the following code (via config YAML as a string and via the ~/.kube/config file):

ApiClient apiClient = Config
.fromConfig(configAsString)
//.fromConfig(new FileReader("/Users/me/.kube/config"))
.setVerifyingSsl(false);
Configuration.setDefaultApiClient(apiClient);

kubectl on the command line works fine with my config.

Do you have any suggestions? Is there anybody whom I can send an example kubeconfig with the keys and certificates for testing? I am not allowed to post it here though.

@brendandburns
Contributor

I'd rather not have a working kubeconfig. Is there any chance you can re-create a similar kubeconfig with fake (or deleted) certificates?

@clouddistortion
Author

Hi, why not? It's not a problem working with it because the certificates are created by an in-company CA. The ones I have sent you have already expired.

Or do you see another issue?

@brendandburns
Contributor

brendandburns commented Feb 16, 2018 via email

@clouddistortion
Author

Yeah, you're fine. The cluster was removed a couple of weeks ago - it was also only available within the local company network.

@brendandburns
Contributor

brendandburns commented Feb 17, 2018 via email

@clouddistortion
Author

Hi, to [email protected]

@brendandburns
Contributor

Ok, I found the problem.

We are hard-coding "RSA" here:

And your key is an elliptical curve key.

For now, you need to use an RSA key, or manually edit the library SSLUtils.java code to change 'RSA' to 'EC'.

I'll work to add EC support to the library...
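
Why the trace at the top of this issue ends in `getInteger`, as an added example (not code from this project): a PKCS#1 `RSAPrivateKey` body is a SEQUENCE of INTEGERs, while a SEC1 `ECPrivateKey` (RFC 5915) has an OCTET STRING as its second element, so a PKCS#1 reader fails on it. The class and method names are hypothetical, and the keys are generated locally with the JDK as sample input rather than taken from any kubeconfig.

```java
import java.security.KeyPairGenerator;
import java.util.Arrays;

public class DerKeyKind {
    // Read a DER length starting at b[p[0]]; leaves p[0] on the first content byte.
    static int readLen(byte[] b, int[] p) {
        int n = b[p[0]++] & 0xff;
        if (n < 0x80) return n;                       // short form
        int len = 0;                                  // long form: (n & 0x7f) length bytes follow
        for (int i = n & 0x7f; i > 0; i--) len = (len << 8) | (b[p[0]++] & 0xff);
        return len;
    }
    // Skip one whole tag-length-value element.
    static void skip(byte[] b, int[] p) { p[0]++; int n = readLen(b, p); p[0] += n; }

    // Classify a private-key body by its version and the tag of the element that follows it.
    static String classify(byte[] der) {
        int[] p = {0};
        if (der[p[0]++] != 0x30) return "unknown";    // outer element must be a SEQUENCE
        readLen(der, p);
        if (der[p[0]++] != 0x02) return "unknown";    // version must be an INTEGER
        int vlen = readLen(der, p);
        int version = der[p[0] + vlen - 1];
        p[0] += vlen;
        int tag = der[p[0]] & 0xff;
        if (tag == 0x02) return "PKCS#1 RSAPrivateKey";               // next: modulus INTEGER
        if (tag == 0x04 && version == 1) return "SEC1 ECPrivateKey";  // next: OCTET STRING
        if (tag == 0x30) return "PKCS#8 PrivateKeyInfo";              // next: AlgorithmIdentifier
        return "unknown";
    }

    // Return the contents of the privateKey OCTET STRING inside a PKCS#8 PrivateKeyInfo.
    static byte[] unwrapPkcs8(byte[] der) {
        int[] p = {1};
        readLen(der, p);      // enter the outer SEQUENCE
        skip(der, p);         // version INTEGER
        skip(der, p);         // AlgorithmIdentifier SEQUENCE
        p[0]++;               // OCTET STRING tag
        int n = readLen(der, p);
        return Arrays.copyOfRange(der, p[0], p[0] + n);
    }

    public static void main(String[] args) throws Exception {
        for (String alg : new String[] {"RSA", "EC"}) {   // sample keys, generated on the spot
            KeyPairGenerator g = KeyPairGenerator.getInstance(alg);
            g.initialize(alg.equals("RSA") ? 2048 : 256);
            byte[] pkcs8 = g.generateKeyPair().getPrivate().getEncoded();
            System.out.println(alg + ": " + classify(pkcs8) + " wrapping " + classify(unwrapPkcs8(pkcs8)));
        }
    }
}
```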

@brendandburns
Contributor

I took a stab at EC support today, it did not end well... I think the short term fix is to convert to RSA. I'll continue to try to convince Java to load an EC key, but it might take a while...

@brendandburns
Contributor

Ok, that took longer than it should have, but the fix is now in PR, I'd love it if you could try it out and verify...

@clouddistortion
Author

Hi,
I just had a quick test and I am not sure if I am doing something wrong now. This is the code I quickly tried:

ApiClient client = Config.fromConfig("/Users/minime/Desktop/kubeconfig");
Configuration.setDefaultApiClient(client);

CoreV1Api api = new CoreV1Api();
V1PodList list = api.listPodForAllNamespaces(null, null, null, null, null, null, null, null, null);
for (V1Pod item : list.getItems()) {
    System.out.println(item.getMetadata().getName());
}

Seems like the certificates are empty (see IllegalArgumentException):

ApiClient.applySslSettings

else if (sslCaCert != null) {
     char[] password = null; // Any password will work.

     CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");

     Collection<? extends Certificate> certificates = certificateFactory.generateCertificates(sslCaCert);
     if (certificates.isEmpty()) {
         throw new IllegalArgumentException("expected non-empty set of trusted certificates");
     }
}

@ceeaspb
Contributor

ceeaspb commented Feb 23, 2018

@jevin36 looks like I may have hit the same thing in #197

@karthikkondapally
Contributor

karthikkondapally commented Feb 23, 2018

@jevin36

Initially verifySSL by default was false, but after push #175, verifySSL by default is true.
Even I got the error:
Exception in thread "main" java.lang.IllegalArgumentException: expected non-empty set of trusted certificates
But if you add insecure-skip-tls-verify: true in kubeconfig.yaml (in the cluster section),
it works then.

We can also skip verifying SSL instead of adding the above key-value pair to the config:

ApiClient client = ClientBuilder
				   .kubeconfig(KubeConfig.loadKubeConfig(new FileReader("/home/karthik/.kube/config")))
				   .setVerifyingSsl(false)
				   .build();

@clouddistortion
Author

#198 fixes the problem correctly for me too
