Using https with elliptic curves other than secp384r1 fails #34232
Comments
If you'd like us to spend some time investigating, please take the time to provide a complete minimal sample (something that we can unzip or git clone, build, and deploy) that reproduces the problem. |
here is the reference code, let me know if I missed anything https://github.com/krnbr/spring-https-ec-curve-issue-34232 |
Just adding some extra info @mhalbritter - an RSA type cert/key works in a single go; elliptic curve, on the other side, either has some JDK config requirements or cipher stuff, or something we do not know |
This looks like a bug in our This matches the error message curl gives me:
Using this works:
|
What all curves are supported? |
The |
Is the |
Sorry for accidentally clicking the close and comment, the button is actually kinda wrongly placed |
Yes, the code for the EC parsing is the same in 2.7.x and 3.0.x, that's why I labelled it as a 2.7.x bug. |
Sorry for disturbing you again, can you share the place where the specification for the only supported curve is defined? |
Sure, it's here. The OID |
The JDK supports a large number of curves by default. From Java 8 using the following code:

```java
import java.security.Security;

public class SupportedCurves {
    public static void main(String[] args) {
        // Ask the first provider offering EC AlgorithmParameters for its curve list;
        // the attribute is a '|'-separated list of bracketed "[name,alias,...,OID]" entries
        String attribute = Security.getProviders("AlgorithmParameters.EC")[0]
                .getService("AlgorithmParameters", "EC").getAttribute("SupportedCurves");
        for (String curve : attribute.split("\\|")) {
            System.out.println(curve.substring(1, curve.length() - 1)); // strip the brackets
        }
    }
}
```
|
A private key with the header Spring Boot supports PKCS#8 EC private keys with all curves, as demonstrated in the unit tests for PrivateKeyParser. Spring Boot has limited support for PKCS#1 and the EC analog, only supporting the Supporting additional EC curves in non-PKCS#8 private keys would require Boot to do more parsing and decoding of the key content. I would argue that this would be an enhancement, not a bug, and I'm not sure it is worth doing at all given that PKCS#8 is the widely preferred format. The steps shown in the original report for creating the private key and certificate can be modified to create a PKCS#8 key as in this example:
|
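The distinction drawn in the comment above (a PKCS#8 `PRIVATE KEY` versus the PKCS#1-style `EC PRIVATE KEY` encoding) as an added example, not code from the issue or from Spring Boot: a minimal DER walk showing where each format carries the curve OID, which is why a parser that only knows one curve breaks on SEC1 keys but not on PKCS#8. The sample keys are constructed dummies with a fake private scalar; the OIDs and curve names are the standard values, not taken from the page.

```python
import base64

# DER content octets of the standard curve OIDs; the names are as the JDK reports them
CURVES = {"2a8648ce3d030107": "secp256r1", "2b81040022": "secp384r1", "2b81040023": "secp521r1"}
EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # id-ecPublicKey

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos (short and long lengths)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """List the (tag, value) elements directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def curve_of_pem(pem):
    """Return (format, curve name) for an unencrypted EC private key PEM."""
    lines = pem.strip().splitlines()
    _, seq, _ = read_tlv(base64.b64decode("".join(lines[1:-1])))
    elems = children(seq)
    if "BEGIN EC PRIVATE KEY" in lines[0]:
        # SEC1 ECPrivateKey: version, privateKey, [0] parameters, [1] publicKey.
        # The curve lives only in the OPTIONAL [0] tag, which wraps a namedCurve OID.
        params = next(val for tag, val in elems if tag == 0xA0)
        _, oid, _ = read_tlv(params)
        fmt = "SEC1"
    else:
        # PKCS#8 PrivateKeyInfo: version, AlgorithmIdentifier{id-ecPublicKey, curve OID}, key.
        alg = children(elems[1][1])
        assert alg[0][1] == EC_PUBLIC_KEY
        oid, fmt = alg[1][1], "PKCS8"
    return fmt, CURVES.get(oid.hex(), oid.hex())

def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form DER, enough for the samples below

def sample_pems(curve_hex, priv=b"\x01" * 32):
    """Constructed (not real) SEC1 and PKCS#8 PEMs carrying the same dummy key and curve."""
    oid = tlv(0x06, bytes.fromhex(curve_hex))
    sec1 = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, priv) + tlv(0xA0, oid))
    pkcs8 = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, tlv(0x06, EC_PUBLIC_KEY) + oid) + tlv(0x04, sec1))
    wrap = lambda label, der: f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
    return wrap("EC PRIVATE KEY", sec1), wrap("PRIVATE KEY", pkcs8)
```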
We discussed this today and think that this should become a documentation issue guiding people towards using PKCS8. The last remaining piece is to decide what to do with our limited support for |
Would you consider implementing the Bouncy Castle Library? They are running under the MIT License. This could solve your PEM parsing problem: DOCs - PEMParser. List of all supported Elliptic Curves:

```java
import java.util.Iterator;
// import assumed; the original comment did not show one
import org.bouncycastle.asn1.x9.ECNamedCurveTable;

public class BouncyCastleCurves {
    public static void main(String[] args) {
        // Enumerate every named curve Bouncy Castle knows about
        Iterator<String> it = ECNamedCurveTable.getNames().asIterator();
        while (it.hasNext()) {
            System.out.println(it.next());
        }
    }
}
```
|
@aDramaQueen With the changes made in fd8cb74, we don't believe there's much to be gained by relying on Bouncy Castle as you should now be able to use any curve that's supported by the JDK. While that support isn't as broad as Bouncy Castle's we haven't seen demand for other curves that would justify pulling in a new dependency. |
I really like your Documentation, therefore this last suggestion for this topic: You could add the list of supported curves to your documentation. This would save some time for any developer. Maybe even better, directly link to Java DOCs - Supported Elliptic Curve Names. With this approach, you could completely offload the problem to Java and not have to worry about anything. But be careful here, since I don't know if OpenJDK uses the same implementation as Oracle does. The link is Oracle's Documentation. OpenJDK sadly has nothing in comparison. I just found this Overview. |
Unable to use Elliptic Curve Self Signed Certificate in Spring Boot
First Environment Details
JDK 17
Spring Boot 3.0.2
Spring Web
Tomcat (inbuilt)
Mac OS 13.x
Second Environment Details
JDK 17
Spring Boot 3.0.2
Spring Webflux
Netty (inbuilt)
Mac OS 13.x
Third Environment Details
JDK 17
Spring Boot 2.7.8
Spring Web
Tomcat (inbuilt)
Mac OS 13.x
For the Tomcat server I get the error below:
For Netty it is slightly different but almost the same
Spring Boot application properties
Steps to generate the self-signed cert were as below:
Example cert and key files are below:
cert:
key:
The other strange part is - the same cert works with nodejs - expressJS
Is this a bug, some missing config, or a JDK support issue relating to SSL?