Add support for certificates private key using `ecdsa` (#28)
wojciech.kapcia@tigase.net opened 6 months ago

We should add support for certificate private keys using ECDSA algorithms, as the new Certbot (Let's Encrypt) defaults to it, as per the documentation https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys:

Certbot supports two certificate private key algorithms: rsa and ecdsa.

As of version 2.0.0, Certbot defaults to ECDSA secp256r1 (P-256) certificate private keys for all new certificates. Existing certificates will continue to renew using their existing key type, unless a key type change is requested.

The type of key used by Certbot can be controlled through the --key-type option. You can use the --elliptic-curve option to control the curve used in ECDSA certificates and the --rsa-key-size option to control the size of RSA keys.


Reproducible: java -cp jars/tigase-utils.jar tigase.cert.CertificateUtil -lc certs/<domain>.pem -simple

Exception in thread "main" java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA private key
	at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(Unknown Source)
	at java.base/java.security.KeyFactory.generatePrivate(Unknown Source)
	at tigase.cert.CertificateUtil.parseCertificate(CertificateUtil.java:605)
	at tigase.cert.CertificateUtil.loadCertificate(CertificateUtil.java:415)
	at tigase.cert.CertificateUtil.loadCertificate(CertificateUtil.java:435)
	at tigase.cert.CertificateUtil.main(CertificateUtil.java:484)
Caused by: java.security.InvalidKeyException: Invalid RSA private key
	at java.base/sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(Unknown Source)
	at java.base/sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(Unknown Source)
	at java.base/sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(Unknown Source)
	at java.base/sun.security.rsa.RSAKeyFactory.generatePrivate(Unknown Source)
	... 6 more
Caused by: java.io.IOException: Version must be 0
	at java.base/sun.security.rsa.RSAPrivateCrtKeyImpl.parseASN1(Unknown Source)
	... 10 more
wojciech.kapcia@tigase.net moved 6 months ago
Previous Value: tigase/_server/server-core; Current Value: tigase/_server/tigase-utils
wojciech.kapcia@tigase.net batch edited 6 months ago
Name: Iterations; Previous Value: empty; Current Value: tigase-server-8.4.0
Referenced from commit 6 months ago
Bartosz Małkowski changed state to 'In Progress' 6 months ago
Previous Value: Open; Current Value: In Progress
Bartosz Małkowski changed state to 'In QA' 6 months ago
Previous Value: In Progress; Current Value: In QA
Bartosz Małkowski commented 6 months ago

I added support for PKCS#8 encoded EC keys. I added tests for key & cert parsing.

Referenced from commit 6 months ago
wojciech.kapcia@tigase.net changed state to 'Closed' 6 months ago
Previous Value: In QA; Current Value: Closed
wojciech.kapcia@tigase.net commented 6 months ago

Thank you

Type
New Feature
Priority
Normal
Assignee
Version
tigase-server-8.4.0
Target Release
1.0
Sprints
n/a
Customer
n/a
Iterations
Issue Votes (0)
Watchers (3)
Reference
tigase/_server/tigase-utils#28