EC Private Key rejected in MQTT-Connector
When setting up an MQTT-Connector over the HTTP-REST API and devops commands, ditto responds with a 504 and the following message:
/credentials/key: bad format. Expect PEM-encoded PKCS #8 data specified by RFC-7468 starting with '-----BEGIN PRIVATE KEY-----'
The key is working in other scenarios and is indeed in the compatibility PKCS8 form as an EC key. The used curve is secp384r1.
How to reproduce
- Setup ditto 0.9.0
- Generate an EC key, e.g. with

      easyrsa --use-algo=ec build-client-full ditto

  (if supplying any certs the error should occur, although the certs are not related to the key)

  or alternatively with

      openssl genpkey -algorithm EC \
      -pkeyopt ec_paramgen_curve:P-384 \
      -pkeyopt ec_param_enc:named_curve |
      openssl pkcs8 -topk8 -nocrypt -outform PEM > p384-private-key.pem

- Issue a devops-command for testing the mqtt connection
What happens
The server rejects the valid PEM PKCS8-formatted key as invalidly formatted if it's an EC-P key.
What should happen
Either
a. The server should be able to handle any key algorithm, or
b. The documentation should limit the algorithms and give information about this.
Hi @w4tsn,
Thanks for this very detailed issue. It's a nice catch and I was able to reproduce this issue thanks to your description.
With a bit of googling I found out that the docker client happened to have a similar issue, which was fixed by also using a KeyFactory for EC.
In ditto's code base we would need to test multiple key factories in SSLContextCreator#233 (at least RSA and EC, probably all of the defined ones in the StandardNames docs).
We would be very happy to accept a PR for this one.
Best regards, Florian
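A sketch of the multi-KeyFactory approach described in the comment above, added here as an example; it is not code from ditto's SSLContextCreator, and the class name, method name and candidate algorithm list are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.List;

// Hypothetical helper (not ditto's own code): parses an unencrypted PKCS #8 PEM
// ("-----BEGIN PRIVATE KEY-----", RFC 7468) without assuming the key algorithm.
public final class Pkcs8PrivateKeyReader {

    private static final String HEADER = "-----BEGIN PRIVATE KEY-----";
    private static final String FOOTER = "-----END PRIVATE KEY-----";

    // Assumed candidate list. Trying only "RSA" is what rejects EC keys such as
    // the secp384r1 key from the report; "EC" is the factory the issue needs.
    private static final List<String> ALGORITHMS = List.of("RSA", "EC", "DSA", "EdDSA");

    private Pkcs8PrivateKeyReader() {}

    public static PrivateKey read(final String pem) throws GeneralSecurityException {
        final String trimmed = pem.trim();
        if (!trimmed.startsWith(HEADER) || !trimmed.endsWith(FOOTER)) {
            throw new InvalidKeySpecException(
                    "bad format. Expect PEM-encoded PKCS #8 data starting with '" + HEADER + "'");
        }
        // Strip armour and line breaks, then Base64-decode to the DER PrivateKeyInfo.
        final String base64 = trimmed
                .substring(HEADER.length(), trimmed.length() - FOOTER.length())
                .replaceAll("\\s", "");
        final PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(base64));

        InvalidKeySpecException last = null;
        for (final String algorithm : ALGORITHMS) {
            try {
                // A KeyFactory only accepts PKCS #8 blobs whose AlgorithmIdentifier
                // matches its own algorithm, so the first one that succeeds wins.
                return KeyFactory.getInstance(algorithm).generatePrivate(spec);
            } catch (final InvalidKeySpecException e) {
                last = e; // wrong algorithm for this blob, try the next factory
            } catch (final NoSuchAlgorithmException e) {
                // This JVM/provider does not offer the algorithm; skip it.
            }
        }
        throw new InvalidKeySpecException("PKCS #8 key matches none of " + ALGORITHMS, last);
    }
}
```

Feeding the p384-private-key.pem from the report through this reader yields an ECPrivateKey, while RSA keys continue to work because "RSA" is still tried first.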
Happy to help!
Thanks for the explanation of where the problem lies and how to fix it. I'll have to see for myself if the issue is urgent enough for me to send a PR.