[BUG] ClientCertificateCredential with ECC algorithm certificate
Describe the bug
I'm trying to create a Certificate credential with the ClientCertificateCredentialBuilder class and provide a PEM certificate with ECC (EC (prime256v1)) algorithm, but the call fails with java.security.spec.InvalidKeySpecException: Unexpected key type
Exception or Stack Trace
```
java.security.spec.InvalidKeySpecException: Unexpected key type
    at com.android.org.conscrypt.OpenSSLKey.getPrivateKey(OpenSSLKey.java:341)
    at com.android.org.conscrypt.OpenSSLRSAKeyFactory.engineGeneratePrivate(OpenSSLRSAKeyFactory.java:72)
    at java.security.KeyFactory.generatePrivate(KeyFactory.java:399)
    at com.azure.identity.implementation.util.CertificateUtil.privateKeyFromPem(CertificateUtil.java:52)
    at com.azure.identity.implementation.IdentityClientBase.getConfidentialClient(IdentityClientBase.java:220)
    at com.azure.identity.implementation.IdentitySyncClient.lambda$new$2$com-azure-identity-implementation-IdentitySyncClient(IdentitySyncClient.java:94)
    at com.azure.identity.implementation.IdentitySyncClient$$ExternalSyntheticLambda3.get(D8$$SyntheticClass:0)
    at com.azure.identity.implementation.SynchronousAccessor.getValue(SynchronousAccessor.java:45)
    at com.azure.identity.implementation.IdentitySyncClient.authenticateWithConfidentialClient(IdentitySyncClient.java:133)
    at com.azure.identity.ClientCertificateCredential.getTokenSync(ClientCertificateCredential.java:155)
```
To Reproduce
Steps to reproduce the behavior: Create a PEM certificate but use an ECC algorithm instead of the RSA algorithm.
Code Snippet
```java
public static PrivateKey privateKeyFromPem(byte[] pem) {
    // Locate the PKCS#8 private key block inside the PEM data.
    Pattern pattern = Pattern.compile("(?s)-----BEGIN PRIVATE KEY-----.*-----END PRIVATE KEY-----");
    Matcher matcher = pattern.matcher(new String(pem, StandardCharsets.UTF_8));
    if (!matcher.find()) {
        throw LOGGER.logExceptionAsError(new IllegalArgumentException(
            "Certificate file provided is not a valid PEM file."));
    }
    // Strip the PEM armor and line breaks, leaving only the base64 body.
    String base64 = matcher.group()
        .replace("-----BEGIN PRIVATE KEY-----", "")
        .replace("-----END PRIVATE KEY-----", "")
        .replace("\n", "")
        .replace("\r", "");
    byte[] key = Base64Util.decode(base64.getBytes(StandardCharsets.UTF_8));
    PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(key);
    try {
        // The key algorithm is fixed to RSA here, regardless of the key type in the PEM.
        KeyFactory kf = KeyFactory.getInstance("RSA");
        return kf.generatePrivate(spec);
    } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
        throw LOGGER.logExceptionAsError(new IllegalStateException(e));
    }
}
```
Expected behavior
I believe both ECC and RSA algorithms should be accepted by Azure as ClientCertificateCredential.
Setup (please complete the following information):
- OS: Android 14
- IDE: IntelliJ
- Library/Libraries: com.azure:azure-identity:1.14.0
- Java version: 8
- App Server/Environment: Android application using azure-identity Java library
- Frameworks:
Additional context
Information Checklist
Kindly make sure that you have added all the following information above and check off the required fields, otherwise we will treat the issuer as an incomplete report
- [x] Bug Description Added
- [x] Repro Steps Added
- [x] Setup information Added
@billwert @g2vinay
Thank you for your feedback. Tagging and routing to the team member best able to assist.
Hi @eblis. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.
Hi @eblis, since you haven’t asked that we /unresolve the issue, we’ll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.