Trying to connect to the SFTP server with a private key in Airflow
I have used the option private_key in the extra options
Gave connection details as below
"sftp_conn_id": {
"host": "sftp.xxxx.com",
"login": "sftp.age",
"password": "XXXXX",
"port": 22,
"conn_extra": {
"private_key":"-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B8D80099CE363B08
nkmagDeESjucz2UKbiIVNBxerx7hoPuvhDz8BeCrwf0o55ILUQaa1tKz+B5dvA5N
w9Wai9bx1xUfo+e9u2Nu67ytDiUUxlGWZNTxaM+Un2mdq5TwIayOsoVAmqcsHoY8
LdTJaxpF8DmjHKwAARcCL02L8byulin8BShGGKj4wKKUc+ZucLYKIPTQXqYTLPcZ
qfjsJvzee2/V4R7PwkHBRJaZRv2WvmF/GGHp1nrMBx1QyJBCOdr9Fc7R0aqOzREV
3YMGPVKaYQp+DrjSTtrQPE5mjxWNKU7uPbAlEaDI/ttzH3ObosK9O8381tvYHkGk
Wdi1o3PudQ8ewR0GtL6TMjBjcqHJjqGMxd1hRv/4vIRVJUMIz3w+TYftMNGobSKc
38pMg4P9ZS7nqwU0vmBIhcc/8vkafU/BFYx8xWpdfgrN+ilcRp2Ki5QhwUHZFymZ
E7yCYZJZsHbBZmGW3J69jY0OCHbR9LkUKqHZpBakQDijyUvUHqbhuvORwJEvTxvj
uG7OemCrZu/tjNnKeu+ES3nC6p678OIm3P7g4v32+ot/ymiz0EnC+vE1vHS+/8qt
4pZgmzQlZbdswT1krxCIpSiVipq4JsnvOjcl/xO1L85wN0lVqPZowA==
-----END RSA PRIVATE KEY-----"
}
}
Error:
[2020-09-30 23:03:15,088] {taskinstance.py:1145} ERROR - not a valid RSA private key file
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/airflow/models/taskinstance.py", line 978, in _run_raw_task
result = task_copy.execute(context=context)
File "/usr/local/airflow/dags/plugins/bi_plugin.py", line 4418, in execute
ssh_hook = SSHHook(ssh_conn_id=self.sftp_conn_id)
File "/usr/local/lib/python3.6/site-packages/airflow/contrib/hooks/ssh_hook.py", line 108, in __init__
self.pkey = paramiko.RSAKey.from_private_key(StringIO(private_key))
File "/usr/local/lib/python3.6/site-packages/paramiko/pkey.py", line 256, in from_private_key
key = cls(file_obj=file_obj, password=password)
File "/usr/local/lib/python3.6/site-packages/paramiko/rsakey.py", line 52, in __init__
self._from_private_key(file_obj, password)
File "/usr/local/lib/python3.6/site-packages/paramiko/rsakey.py", line 179, in _from_private_key
data = self._read_private_key("RSA", file_obj, password)
File "/usr/local/lib/python3.6/site-packages/paramiko/pkey.py", line 324, in _read_private_key
raise SSHException("not a valid {} private key file".format(tag))
In Talend it works fine as bash as below :
spawn sftp -oIdentityFile=/home/talenduser/.ssh/hq sftp.age#sftp.XXXX.com
expect "sftp.age#sftp.XXXX.com's password:"
send "BuGuhbu7"
expect "sftp>"
send "cd data/\n"
expect "sftp>"
The trick for me was including \n in the private key. So your json for Extra in SSH connection would look like
{"private_key": "-----BEGIN RSA PRIVATE KEY-----\n***************\n-----END RSA PRIVATE KEY-----"}
You are supposed to pass the conn values like:
{"key_file":"path/to/your/keyfile", "no_host_key_check":true}
Related
I'm trying to manually create an ES256 JWT token. I've a small script written in python which signs a sha256 hash which uses ecdsa-python. But the signature is invalid on jwt.io.
Steps to reproduce:
Create base64 header + payload:
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0
Create SHA256 hash from the base64 header + payload:
FFC89E33091FFDD3C61798A0A74BF7C2D1A6FD231A6CB519F33952F7696BBE9F
Generate ec_private key:
openssl ec -in ec_private.pem -noout -text
Use the small python program to ecdsa sign the SHA256 hash
from json import dumps
from ellipticcurve.ecdsa import Ecdsa
from ellipticcurve.privateKey import PrivateKey
import base64
def toBase64Url(input):
return input.replace("+", "-").replace("/", "_").rstrip("=")
# Generate privateKey from PEM string
privateKey = PrivateKey.fromPem("""
-----BEGIN EC PARAMETERS-----
BgUrgQQACg==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIJfChy9fKFItzqcb8DKBm+2oH0YTZ7N61SQpyABgVZANoAoGCCqGSM49
AwEHoUQDQgAE1TG2uvIMdfWkteiDWeHNYbQNSW/0uoYcvX4Z7ROUIgYRvgfpsjBa
Iv70SuYpmBLwl0AuEBoXIVTCclCme6SdEQ==
-----END EC PRIVATE KEY-----
""")
# Create message from json
message = "FFC89E33091FFDD3C61798A0A74BF7C2D1A6FD231A6CB519F33952F7696BBE9F"
signature = Ecdsa.sign(message, privateKey)
# Generate Signature in base64. This result can be sent to Stark Bank in the request header as the Digital-Signature parameter.
print("Base64: " + signature.toBase64())
print("Base64Url: " +toBase64Url(signature.toBase64()))
# To double check if the message matches the signature, do this:
publicKey = privateKey.publicKey()
print("Hash verification succesfull: " + str(Ecdsa.verify(message, signature, publicKey)))
The output:
Base64: MEQCIFyP4IoZGhzGfDCPX6fVxjtB+nrXDVhOTQwdc5vu8z4eAiBNalfGHqdaO3nCmTqimpAHF+IHzxk8em+OMMHrJkPOhA==
Base64Url: MEQCIFyP4IoZGhzGfDCPX6fVxjtB-nrXDVhOTQwdc5vu8z4eAiBNalfGHqdaO3nCmTqimpAHF-IHzxk8em-OMMHrJkPOhA
Hash verification succesfull: True
Check the signature in jwt.io gives Invalid signature
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.MEQCIFyP4IoZGhzGfDCPX6fVxjtB-nrXDVhOTQwdc5vu8z4eAiBNalfGHqdaO3nCmTqimpAHF-IHzxk8em-OMMHrJkPOhA
Keys:
Public:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1TG2uvIMdfWkteiDWeHNYbQNSW/0
uoYcvX4Z7ROUIgYRvgfpsjBaIv70SuYpmBLwl0AuEBoXIVTCclCme6SdEQ==
-----END PUBLIC KEY-----
Private:
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIJfChy9fKFItzqcb8DKBm+2oH0YTZ7N61SQpyABgVZANoAoGCCqGSM49
AwEHoUQDQgAE1TG2uvIMdfWkteiDWeHNYbQNSW/0uoYcvX4Z7ROUIgYRvgfpsjBa
Iv70SuYpmBLwl0AuEBoXIVTCclCme6SdEQ==
-----END EC PRIVATE KEY-----
I know that there are many jwt signing python libraries but the use of this is to understand how a jwt token is created.
EDIT:
As #Topaco pointed out this library uses curve secp256k1 instead of secp256r1. secp256r1 | prime256v1 | NIST P-256 are all different names chosen by different standards organizations for the same curve (Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)). I changed the library to python-ecdsa and the code to:
from ecdsa import SigningKey, NIST256p
import base64
def toBase64Url(input):
return input.replace("+", "-").replace("/", "_").rstrip("=")
sk = SigningKey.from_pem("""
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIJfChy9fKFItzqcb8DKBm+2oH0YTZ7N61SQpyABgVZANoAoGCCqGSM49
AwEHoUQDQgAE1TG2uvIMdfWkteiDWeHNYbQNSW/0uoYcvX4Z7ROUIgYRvgfpsjBa
Iv70SuYpmBLwl0AuEBoXIVTCclCme6SdEQ==
-----END EC PRIVATE KEY-----
""")
vk = VerifyingKey.from_pem("""
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1TG2uvIMdfWkteiDWeHNYbQNSW/0
uoYcvX4Z7ROUIgYRvgfpsjBaIv70SuYpmBLwl0AuEBoXIVTCclCme6SdEQ==
-----END PUBLIC KEY-----
""")
signature = sk.sign(b"FFC89E33091FFDD3C61798A0A74BF7C2D1A6FD231A6CB519F33952F7696BBE9F")
print(base64.b64encode(signature))
print("Base64: " + base64.b64encode(signature).decode("utf-8"))
print("Base64Url: " + toBase64Url(base64.b64encode(signature).decode("utf-8")))
assert vk.verify(signature, b"FFC89E33091FFDD3C61798A0A74BF7C2D1A6FD231A6CB519F33952F7696BBE9F")
print("Hash verification succesfull: " + str(vk.verify(signature, b"FFC89E33091FFDD3C61798A0A74BF7C2D1A6FD231A6CB519F33952F7696BBE9F")))
The output:
Base64: rMBgC0ismGdd5rd7n1L+LDsQ2UO5+cjBwPNYh+xBZvO6fKoJIfmfyNpxw+kxmyKWlK+55dF5eMH1u327DMJvvA==
Base64Url: rMBgC0ismGdd5rd7n1L-LDsQ2UO5-cjBwPNYh-xBZvO6fKoJIfmfyNpxw-kxmyKWlK-55dF5eMH1u327DMJvvA
Hash verification succesfull: True
But the signature is still invalid.
The library you are using hashes implicitly, applying SHA1 by default. I.e. for compatibility with ES256 SHA256 must be explicitly specified and the unhashed JWT must be used, e.g.:
from ecdsa import SigningKey, VerifyingKey
import base64
from hashlib import sha256
def toBase64Url(input):
return input.replace("+", "-").replace("/", "_").rstrip("=")
jwt = b"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0"
sk = SigningKey.from_pem("""
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIJfChy9fKFItzqcb8DKBm+2oH0YTZ7N61SQpyABgVZANoAoGCCqGSM49
AwEHoUQDQgAE1TG2uvIMdfWkteiDWeHNYbQNSW/0uoYcvX4Z7ROUIgYRvgfpsjBa
Iv70SuYpmBLwl0AuEBoXIVTCclCme6SdEQ==
-----END EC PRIVATE KEY-----
""")
vk = VerifyingKey.from_pem("""
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1TG2uvIMdfWkteiDWeHNYbQNSW/0
uoYcvX4Z7ROUIgYRvgfpsjBaIv70SuYpmBLwl0AuEBoXIVTCclCme6SdEQ==
-----END PUBLIC KEY-----
""")
signature = sk.sign(jwt, hashfunc=sha256)
print("Base64: " + base64.b64encode(signature).decode("utf-8"))
print("Base64Url: " + toBase64Url(base64.b64encode(signature).decode("utf-8")))
assert vk.verify(signature, jwt, hashfunc=sha256)
print("Hash verification succesfull: " + str(vk.verify(signature, jwt, hashfunc=sha256)))
A possible output is:
Base64: Mr4/DF87ek66E2GcAc+2H3ulHplCnxygz65h9dkdvm8QsZBbm2N5EjIgyiWsynza9zCGjjnzBUiXYvij9LLikA==
Base64Url: Mr4_DF87ek66E2GcAc-2H3ulHplCnxygz65h9dkdvm8QsZBbm2N5EjIgyiWsynza9zCGjjnzBUiXYvij9LLikA
Hash verification succesfull: True
The resulting signed token
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.Mr4_DF87ek66E2GcAc-2H3ulHplCnxygz65h9dkdvm8QsZBbm2N5EjIgyiWsynza9zCGjjnzBUiXYvij9LLikA
can then be successfully verified on https://jwt.io/ with the public key used here.
I need to verify a SHA256 signature where we receive in every communication the message, signature and public key.
I'm trying to load a public key we receive in an Azure Function (.net core 3.1) into a X509Certificate2 object to be able to verify the signature of a received message and signature.
The following code is used:
string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
var data = JsonConvert.DeserializeObject<RequestObject>(requestBody);
var keyBytes = Convert.FromBase64String(data.key);
X509Certificate2 cert = new X509Certificate2(keyBytes);
When the last statement fires, the following exception comes up:
at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] data)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData)
at leo_signing_library.Function1.<Run>d__0.MoveNext() in
C:\Users\Leo\source\repos\leo-signing-library\Function1.cs:line 30
When running in debug the following error comes up in the debug window:
System.Private.CoreLib: Exception while executing function:
CheckSignature. System.Security.Cryptography.X509Certificates: Geen
overeenkomend object gevonden.
Just for clarity a screenshot of the debug window:
screenshot
I've added the nuget package System.Security.Cryptography.X509Certificates (version 4.3.2), but no effect.
Does anyone know how to overcome this? Or has a working example of verifying a signature based on a public key not stored in the certificate store?
Edit 1:
I'm trying to load the following public key:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1iyta8F+SLHhbfy+f7fL
8LrsS1LKs05UaHm6muOTlzIdSDwo4dNiWg6rbiL2v4IwpglgL8kvbXLZ8Z3/E6Uu
uUi/IW1Hakgx65Qy4LkGxsnZ/jnLu3DxfY9xycMYq9TfNxIIvFPkbEJY/pwGjZ+q
13WegTJG7m+tqf5GbA3xTLz2DSHXPc7y77OnsDawHsOEou9IZZQCdxCg3L186gU4
yj6mC07Eop3lKMjsqNAXdVmnzcUc+PixQFCSjOcL9Fpbq+aHyYW+Pk9h5dWCGGNQ
wixTIJKTeDxAEkbZ2eLuqQZOCNbkHBn9x+IBxeKMmsmRg/J4/QqwCm+t+wd4VNAJ
ewIDAQAB
-----END PUBLIC KEY-----
Notice: I'm a cryptography n00b, so please take that into account.
I have a .net core 3.1 console app where I need to load a public key certificate from a .pem file into x509Certificate2.
The test file I'm using is this:
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkG2geTjB2kGqnpHsrM6s
5nza9uuNpSXFb6qckxTzKV6x7THfd9C2kthWnQX5VebfERyIevSeFHwdUaAuCl99
L12FqLi6Cj5G9V/yPxKQfvRzLYGatOTq6NPcNHQybcxOr4P5baATLykn03Jl2OgI
q5TKPAuldAn40hMAtvx9c5NjZCkFoBdzYu9mITAgbwuxDhEuhJZg7m/6wqS5T2mE
cIYF/111zaLxrVAmtVBAAWW/xc4D+rFPgh5HYo7FxgzZTtLA8JvU8XLJ6PmPhEsP
v6Q75e/Mb0ORLH+BDqui3t1WNKtHxqK2qSQcOU3QbmS/tevwWeY8rpuxBQk2MAMk
GlnZ0pzcV7OW/U5c7yEvdmY6ezB2E9358RrimdzcDFziWnNPJ9MTKsKMn8H2468q
C0n5+orFd66eu1Wv7eduYVoiOKGk57On9jHBVSTEw0B2X8e1ppIvp2I2a2VoXcej
/koQpb8/h7DzS03eD2VNwQR3+GyQHokSNnBi1t6YKg8FYSB/iwtDl+0avKwtwPh9
GOQo4L7wwJTD03GBKHuGtQ92Vrg4LKsiecpsW6VVY+RhXY6LOu5dJZ8ol8+Rp1vx
DbJW0MrybyBRnBMXPsCNbbc8HK4rB8KD1vtUFSX3wmh1rQiJCuOnKC5kBW4UkXLj
pJ6paqv7fPyOeVjyZpYV67ECAwEAAQ==
-----END PUBLIC KEY-----
And the code loading it:
public static string GetPublicKeyXml(string path)
{
if (string.IsNullOrWhiteSpace(path))
throw new ArgumentNullException(nameof(path));
var file = new FileInfo(path);
if (!file.Exists)
throw new FileNotFoundException($"{path} neexistuje!");
var certificate = new X509Certificate2(file.FullName);
.....
}
But when I try to load the file I get:
{"Požadovaný objekt nebyl nalezen."} Internal.Cryptography.CryptoThrowHelper.WindowsCryptographicException
Which translated into english is:
Required object not found
and stack trace:
at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName)
at XXXXXXXXXXXX.Decryptor.GetPublicKeyXml(String path) in XXXXXXXXXXXXX\Decryptor.cs:line 43
How to load the file into x509Certificate2?
I have a web service that runs on Tomcat and decided to try using Undertow instead. Generally, it's quite good, but I need HTTPS support and cannot enable it. Here is some helloworld code:
DeploymentInfo servletBuilder = deployment()
.setClassLoader(ServletServer.class.getClassLoader())
.setContextPath("/")
.setDeploymentName("AuthenticationService.war")
.addServlet(servlet("WSServlet", WSServlet.class))
.addListener(listener(WSServletContextListener.class))
.setResourceManager(new FileResourceManager(new File("src/main/webapp"), 100));
DeploymentManager manager = defaultContainer().addDeployment(servletBuilder);
manager.deploy();
HttpHandler servletHandler = manager.start();
SSLContext context = createSSLContext(loadKeyStore("server-keystore.jsk"), loadKeyStore("server-truststore.jks"));
PathHandler path = Handlers.path(servletHandler);
Undertow server = Undertow.builder()
.addHttpsListener(8443, "localhost", context)
.setHandler(path)
.build();
server.start();
And the createSSLContext method:
private static SSLContext createSSLContext(final KeyStore keyStore, final KeyStore trustStore) throws Exception {
KeyManager[] keyManagers;
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, /* password */);
keyManagers = keyManagerFactory.getKeyManagers();
TrustManager[] trustManagers;
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
trustManagers = trustManagerFactory.getTrustManagers();
SSLContext sslContext;
sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, trustManagers, null);
return sslContext;
}
And loadKeyStore method:
private static KeyStore loadKeyStore(String name) throws Exception {
final InputStream stream = new FileInputStream(name);
try(InputStream is = stream) {
KeyStore loadedKeystore = KeyStore.getInstance("JKS");
loadedKeystore.load(is, /* password */);
return loadedKeystore;
}
}
The server is starting, but trying to send requests to https://localhost:8443/... has no effect, no logs or exceptions or some reaction. When using http://localhost:8443 it throws exception
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
I am new to all web technologies, so all that may be strange. So what's wrong here?
I have it working. First generate your keys if you've not done so already:
#!/usr/bin/env bash
KEYSTORE=my-keystore.jks
TRUSTSTORE=my-truststore.ts
CERT=my-client.cer
rm $KEYSTORE
rm $CERT
rm $TRUSTSTORE
# these passwords must be copied to the private config file(s)
KEYSTORE_STOREPASS=password1
KEYSTORE_KEYPASS=password2
TRUSTSTORE_STOREPASS=password3
keytool -genkey -alias pomochatserver \
-keyalg RSA -keystore $KEYSTORE \
-dname "cn=localhost, ou=IT, o=Continuent, c=US" \
-storepass $KEYSTORE_STOREPASS -keypass $KEYSTORE_KEYPASS
# enter the *KEYSTORE_STOREPASS* when prompted
keytool -export -alias pomochatserver -file $CERT -keystore $KEYSTORE
keytool -import -trustcacerts -alias pomochatserver -file $CERT \
-keystore $TRUSTSTORE -storepass $TRUSTSTORE_STOREPASS -noprompt
... then in your java code:
public static SSLContext serverSslContext(String password1, String password2, String password3) {
try {
KeyStore keyStore = loadKeyStore("my-keystore.jks", password1);
KeyStore trustStore = loadKeyStore("my-truststore.ts", password3);
return createSSLContext(keyStore, trustStore, password2);
} catch (IOException e) {
throw new RuntimeException(e);
}
}
private static SSLContext createSSLContext(final KeyStore keyStore, final KeyStore trustStore, String keyStorePassword) throws IOException {
try {
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, keyStorePassword.toCharArray());
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
return sslContext;
} catch (Exception e) {
throw new IOException("Unable to create and initialise the SSLContext", e);
}
}
private static KeyStore loadKeyStore(final String name, String password) throws IOException {
try(InputStream stream = new FileInputStream(name)) {
KeyStore loadedKeystore = KeyStore.getInstance("JKS");
loadedKeystore.load(stream, password.toCharArray());
return loadedKeystore;
} catch (Exception e) {
throw new IOException(String.format("Unable to load KeyStore %s", name), e);
}
}
and finally to create the server
Undertow webAppServer = Undertow.builder()
.addHttpsListener(
port,
hostname,
serverSslContext(password1, password2, password3)
)
.setHandler(handlers, manager.start()))
.build();
I'm not sure, but the self-signed and/or not trusted certificates would cause the issue, but you are supposed to get some exception asbout this
I don't know know what is undertow, but you may check the SSL configs from the doc.
You also need to check if both the server and client supports common cipher(s) and protocol(s)
For instance default package of JRE does not support AES_256.
I'm getting the following exception when i try to encrypt a byte array with a EC public key :
java.security.InvalidKeyException: No installed provider supports this key:
sun.security.ec.ECPublicKeyImpl
This exception is generated when i call Cipher.init(). The lines below show what I did in my program:
ECPublicKey publicKey ;
ECPrivateKey privateKey;
//Generating key paire (public and private keys)
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC", "SunEC");
SecureRandom random = SecureRandom.getInstance("SHA1PRNG", "SUN");
keyGen.initialize(571, random);
KeyPair pair = keyGen.generateKeyPair();
privateKey = (ECPrivateKey) pair.getPrivate();
publicKey = (ECPublicKey) pair.getPublic();
// get an AES cipher object with CTR encription mode
Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
// encrypt the sharedSecret using the public key
cipher.init(Cipher.ENCRYPT_MODE, publicKey);**
byte[] result = cipher.doFinal(data);
Must I add a provider to support this public key ??
Finally, I found the source of this exception. The problem was initialization of cipher :
//This is the wrong initialization
Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
//This is the right initialization
Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding","SunJCE");
But now, i have another exception which is (it is less important than the previous one) :
java.security.InvalidKeyException: Invalid AES key length: 170 bytes
So what must I use as encrypting algorithm with ECDSA public key now ?