TrustAnchor does not support PKCS#1 #9

Open
f11h opened this issue Apr 30, 2021 · 0 comments
Labels
bug Something isn't working

Comments

@f11h (Contributor) commented Apr 30, 2021

Describe the bug

When creating TrustAnchor signatures, the CLI currently does not support private keys in PKCS#1 format.
Doing this results in:

org.bouncycastle.openssl.PEMException: problem parsing PRIVATE KEY: java.lang.IllegalArgumentException: unknown object in getInstance: org.bouncycastle.asn1.ASN1Integer
        at org.bouncycastle.openssl.PEMParser$PrivateKeyParser.parseObject(Unknown Source)
        at org.bouncycastle.openssl.PEMParser.readObject(Unknown Source)
        at eu.europa.ec.dgc.cli.utils.CliUtils.readKeyFromFile(CliUtils.java:50)
        at eu.europa.ec.dgc.cli.trustanchor.Sign.call(Sign.java:83)
        at eu.europa.ec.dgc.cli.trustanchor.Sign.call(Sign.java:47)
        at picocli.CommandLine.executeUserObject(CommandLine.java:1953)
        at picocli.CommandLine.access$1300(CommandLine.java:145)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2352)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2346)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2311)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
        at picocli.CommandLine.execute(CommandLine.java:2078)
        at eu.europa.ec.dgc.cli.Main.main(Main.java:28)
Caused by: java.lang.IllegalArgumentException: unknown object in getInstance: org.bouncycastle.asn1.ASN1Integer
        at org.bouncycastle.asn1.ASN1Sequence.getInstance(Unknown Source)
        at org.bouncycastle.asn1.x509.AlgorithmIdentifier.getInstance(Unknown Source)
        at org.bouncycastle.asn1.pkcs.PrivateKeyInfo.<init>(Unknown Source)
        at org.bouncycastle.asn1.pkcs.PrivateKeyInfo.getInstance(Unknown Source)
        ... 13 more

Expected behaviour

dgc ta sign -c cert_ta.pem -k key_ta-unenc.pem -i cert.pem

with a PKCS#1 private key should successfully sign a certificate with the TrustAnchor.

Steps to reproduce the issue

  1. Create cert --> openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
  2. Create TA --> openssl req -x509 -newkey rsa:4096 -keyout ta-key.pem -out ta-cert.pem -days 365
  3. Decrypt key --> openssl rsa -in ta-key.pem -out ta-unenc.pem
  4. Try to sign --> dgc ta sign -c ta-cert.pem -k ta-unenc.pem -i cert.pem

Workaround

See #4 for a workaround

Possible Fix

The problem is in the eu.europa.ec.dgc.cli.utils.CliUtils#readKeyFromFile method. This method only tries to parse the content of the PEM file into a PrivateKeyInfo. It should be reworked in order to support other private key formats.

@f11h f11h added the bug Something isn't working label Apr 30, 2021
@f11h f11h changed the title TrustAnchor does not support PKCS1 TrustAnchor does not support PKCS#1 Apr 30, 2021
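What a reader that accepts every PEM private-key envelope could look like, as an added example (this is not the project's CliUtils#readKeyFromFile and not code from this issue). It uses only the BouncyCastle bcpkix classes the stack trace already shows in use; the provider name "BC", the class name PemPrivateKeyReader and the password handling are this example's own choices. PEMParser picks its sub-parser from the PEM type line: "PRIVATE KEY" (PKCS#8, the only case the issue says the CLI handles) yields a PrivateKeyInfo, the traditional OpenSSL "RSA PRIVATE KEY" (PKCS#1) and "EC PRIVATE KEY" (SEC1) envelopes yield a PEMKeyPair, and the encrypted variants yield PKCS8EncryptedPrivateKeyInfo and PEMEncryptedKeyPair. Dispatching on the returned object covers all four:

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.PrivateKey;
import java.security.Security;

import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMDecryptorProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
import org.bouncycastle.operator.InputDecryptorProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
import org.bouncycastle.pkcs.PKCSException;

// Example reader (hypothetical class, not part of the dgc CLI).
public final class PemPrivateKeyReader {

    private PemPrivateKeyReader() {}

    /**
     * Returns the first private key found in a PEM stream, whatever its envelope:
     *   "PRIVATE KEY"                    -> PKCS#8 PrivateKeyInfo
     *   "ENCRYPTED PRIVATE KEY"          -> PKCS#8 with password-based encryption
     *   "RSA PRIVATE KEY"/"EC PRIVATE KEY" -> PKCS#1 / SEC1 key pair (traditional OpenSSL)
     *   the same with "Proc-Type: 4,ENCRYPTED" -> traditional OpenSSL encryption
     * Certificates and other PEM objects in the same file are skipped.
     */
    public static PrivateKey readPrivateKey(Reader pem, char[] password)
            throws IOException, PKCSException, OperatorCreationException {
        JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
        try (PEMParser parser = new PEMParser(pem)) {
            Object obj;
            while ((obj = parser.readObject()) != null) {
                if (obj instanceof PrivateKeyInfo) {
                    // PKCS#8, unencrypted: the only case the issue says the CLI handles today.
                    return converter.getPrivateKey((PrivateKeyInfo) obj);
                }
                if (obj instanceof PEMKeyPair) {
                    // PKCS#1 (RSA) or SEC1 (EC) "traditional" key; the pair carries the private half.
                    return converter.getKeyPair((PEMKeyPair) obj).getPrivate();
                }
                if (obj instanceof PKCS8EncryptedPrivateKeyInfo) {
                    requirePassword(password, "ENCRYPTED PRIVATE KEY");
                    InputDecryptorProvider dec = new JceOpenSSLPKCS8DecryptorProviderBuilder()
                            .setProvider("BC").build(password);
                    PrivateKeyInfo info = ((PKCS8EncryptedPrivateKeyInfo) obj).decryptPrivateKeyInfo(dec);
                    return converter.getPrivateKey(info);
                }
                if (obj instanceof PEMEncryptedKeyPair) {
                    requirePassword(password, "encrypted RSA/EC PRIVATE KEY");
                    PEMDecryptorProvider dec = new JcePEMDecryptorProviderBuilder()
                            .setProvider("BC").build(password);
                    PEMKeyPair kp = ((PEMEncryptedKeyPair) obj).decryptKeyPair(dec);
                    return converter.getKeyPair(kp).getPrivate();
                }
                // Anything else (X509CertificateHolder, public keys, ...) is skipped.
            }
        }
        throw new IOException("no private key found in PEM input");
    }

    // Fail early with a clear message instead of a decryptor error when no password was given.
    private static void requirePassword(char[] password, String what) throws IOException {
        if (password == null || password.length == 0) {
            throw new IOException(what + " requires a password");
        }
    }

    // Usage: java PemPrivateKeyReader <key.pem> [password]
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        char[] pw = args.length > 1 ? args[1].toCharArray() : null;
        try (Reader r = Files.newBufferedReader(Paths.get(args[0]))) {
            PrivateKey key = readPrivateKey(r, pw);
            System.out.println(key.getAlgorithm() + " key, format " + key.getFormat());
        }
    }
}
```

Because the envelope drives the parser, a file whose label and body disagree (for instance a PKCS#1 body under a "PRIVATE KEY" header) still fails inside PEMParser.readObject() with a PEMException, since the parser never looks past the header; such a file has to be fixed rather than the reader. Two OpenSSL details matter when reproducing the steps above: with OpenSSL 1.1, openssl rsa -in ta-key.pem -out ta-unenc.pem writes PKCS#1 ("RSA PRIVATE KEY"), whereas OpenSSL 3 writes PKCS#8 by default and needs -traditional to produce PKCS#1; and openssl pkcs8 -topk8 -nocrypt -in ta-unenc.pem -out ta-pkcs8.pem converts a PKCS#1 key into the PKCS#8 form the CLI already accepts.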