PEM formatted elliptic-curve TLS keys are an unrecognized private key format #32646

Closed · omallo opened this issue Oct 9, 2022 · 1 comment
Labels: type: bug (A general bug)

omallo commented Oct 9, 2022

I'm using Spring Boot 2.7.3 and would like to use the following, recently introduced, properties for specifying TLS keys in PEM format:

server.ssl.enabled=true
server.ssl.certificate=classpath:tls.crt
server.ssl.certificate-private-key=classpath:tls.key

This works for RSA keys but not for ECDSA keys. The issue can be reproduced with the following tls.crt and tls.key files:

-----BEGIN CERTIFICATE-----
MIIBizCCATKgAwIBAgIQZxEvez9NKMDPcbiMcIBw9TAKBggqhkjOPQQDAjAaMRgw
FgYDVQQDEw9jZXJ0LW1hbmFnZXItY2EwHhcNMjIxMDA5MTEzMzMzWhcNMjMwMTA3
MTEzMzMzWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEscyFplNscAIeHo78
ldXLOAa7NE/Iv+rwcaidetXi52UocD3nPmajeYWUjqI2dJcCgRsJNkqFSv8vdPfK
iOpxr6N0MHIwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAfBgNV
HSMEGDAWgBRgyewFvP7jOj2gSlxuotpHDlBc2DAsBgNVHREBAf8EIjAggh5zaG93
Y2FzZS5kZXYuc3ZjLmNsdXN0ZXIubG9jYWwwCgYIKoZIzj0EAwIDRwAwRAIgIOlX
HEoCMwGzRA9ZvuEU56GTnKLOEJoYBdCPYHI0FyACIEx/nC3UWfdWeekx2lPzqOlc
ukNsHL/Jf9YACcc6SAe/
-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIFlNVej0A5XWAR3PjOvwyQrYYwYgwrYy6wRk5Myk0DFtoAoGCCqGSM49
AwEHoUQDQgAEscyFplNscAIeHo78ldXLOAa7NE/Iv+rwcaidetXi52UocD3nPmaj
eYWUjqI2dJcCgRsJNkqFSv8vdPfKiOpxrw==
-----END EC PRIVATE KEY-----

I'm getting the following exception:

Caused by: java.lang.IllegalStateException: Unrecognized private key format in classpath:tls.key
        at org.springframework.boot.web.server.PrivateKeyParser.parse(PrivateKeyParser.java:79) ~[spring-boot-2.7.4.jar:2.7.4]
        at org.springframework.boot.web.server.CertificateFileSslStoreProvider.createKeyStore(CertificateFileSslStoreProvider.java:83) ~[spring-boot-2.7.4.jar:2.7.4]
        at org.springframework.boot.web.server.CertificateFileSslStoreProvider.getKeyStore(CertificateFileSslStoreProvider.java:51) ~[spring-boot-2.7.4.jar:2.7.4]
        at org.springframework.boot.web.embedded.tomcat.SslConnectorCustomizer.configureSslStoreProvider(SslConnectorCustomizer.java:129) ~[spring-boot-2.7.4.jar:2.7.4]
        ... 15 common frames omitted

The problem seems to lie in the patterns used by the PrivateKeyParser which supports "RSA" in the header/footer but not "EC".
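
The mismatch the report describes is between PEM envelope labels: "RSA PRIVATE KEY" wraps a PKCS#1 RSAPrivateKey, while "EC PRIVATE KEY" wraps a SEC1 ECPrivateKey with a different DER layout, so a header/footer pattern that only knows the RSA label rejects every EC key. The following is an added example, not Spring Boot's PrivateKeyParser: it recognises the three common labels and, for a SEC1 key, walks the DER to recover the curve OID and scalar size, using the reporter's test key as input. The label table and function names are assumptions made for illustration.

```python
import base64
import re

# Sample input: the throwaway SEC1 test key the reporter posted in the issue, not a production secret.
TLS_KEY = """-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIFlNVej0A5XWAR3PjOvwyQrYYwYgwrYy6wRk5Myk0DFtoAoGCCqGSM49
AwEHoUQDQgAEscyFplNscAIeHo78ldXLOAa7NE/Iv+rwcaidetXi52UocD3nPmaj
eYWUjqI2dJcCgRsJNkqFSv8vdPfKiOpxrw==
-----END EC PRIVATE KEY-----"""
# PEM labels a loader should accept (hypothetical table, not Spring Boot's code).
PEM_LABELS = {"RSA PRIVATE KEY": "PKCS#1",  # RSAPrivateKey, RSA only
              "EC PRIVATE KEY": "SEC1",     # ECPrivateKey, the label rejected in the issue
              "PRIVATE KEY": "PKCS#8"}      # PrivateKeyInfo, carries its own algorithm OID
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_body(pem):
    """Return (format name, DER bytes), failing the way a strict loader does."""
    m = PEM_RE.search(pem)
    if not m or m.group(1) not in PEM_LABELS:
        raise ValueError("Unrecognized private key format")
    return PEM_LABELS[m.group(1)], base64.b64decode("".join(m.group(2).split()))

def der_tlv(buf, pos):  # decode one DER TLV -> (tag, value, offset after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):  # base-128 OID decoding; the first byte packs two arcs
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))

def classify_private_key(pem):
    """Name the envelope; for SEC1 walk ECPrivateKey (version, privateKey, [0] curve OID)."""
    fmt, der = pem_body(pem)
    if fmt != "SEC1":
        return fmt, None, None  # PKCS#1/PKCS#8 bodies are not decoded here
    _, seq, _ = der_tlv(der, 0)
    _, _, pos = der_tlv(seq, 0)  # version INTEGER, 1 for ECPrivateKey
    _, scalar, pos = der_tlv(seq, pos)
    tag, params, _ = der_tlv(seq, pos)
    if tag != 0xA0:  # without the named curve the scalar cannot be interpreted
        raise ValueError("SEC1 key lacks [0] curve parameters")
    _, oid, _ = der_tlv(params, 0)
    return fmt, decode_oid(oid), len(scalar)
```

On the reporter's key this yields OID 1.2.840.10045.3.1.7 (prime256v1) with a 32-byte scalar, which is exactly the information a loader needs to hand the key to a KeyFactory instead of rejecting it on the label.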

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 9, 2022
@philwebb philwebb added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 11, 2022
@philwebb philwebb added this to the 2.6.x milestone Oct 11, 2022
@philwebb philwebb self-assigned this Oct 12, 2022
@philwebb philwebb changed the title Elliptic-curve TLS keys in PEM format are not supported Unrecognized private key format thrown when using PEM formatted elliptic-curve TLS keys Oct 12, 2022
@philwebb philwebb changed the title Unrecognized private key format thrown when using PEM formatted elliptic-curve TLS keys PEM formatted elliptic-curve TLS keys are an unrecognized private key format Oct 12, 2022
@philwebb philwebb modified the milestones: 2.6.x, 2.6.13 Oct 12, 2022
scottfrederick added a commit that referenced this issue Oct 12, 2022
Apply the changes from e0c79ce
to the `PrivateKeyParser` used for web server SSL configuration.

See gh-32646
scottfrederick (Contributor) commented

Certificate and private key files can also be used to configure the connection to the Docker daemon when using the Maven spring-boot:build-image goal and Gradle bootBuildImage task. We've added support for ECDSA keys to the Docker configuration in Spring Boot 2.6, in addition to supporting ECDSA keys with server.ssl.certificate-private-key and server.ssl.trust-certificate-private-key in Spring Boot 2.7.
