Created attachment 38142
The RSA key and certificate

Failed to resolve a private key PEM encrypted with AES-CBC; the exception message is as follows:

25-Dec-2021 10:57:48.133 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
    org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:1059)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1012)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:747)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:769)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
    Caused by: java.lang.IllegalArgumentException: 1.2.840.113549.1.5.13 SecretKeyFactory not available
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:70)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:204)
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1174)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1187)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:82)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:1056)
        ... 13 more
    Caused by: java.security.NoSuchAlgorithmException: 1.2.840.113549.1.5.13 SecretKeyFactory not available
        at java.base/javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:122)
        at java.base/javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:168)
        at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:184)
        at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:126)
        at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:90)
        at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:314)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:96)
        ... 20 more

server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateFile="conf/rsa.crt"
                     certificateKeyFile="conf/rsa_enc_pkcs8.key"
                     certificateKeyPassword="12345678"
                     certificateKeyAlias="test" >
        </Certificate>
    </SSLHostConfig>
</Connector>

Command:

openssl genrsa -out rsa.key
openssl req -new -key rsa.key -out rsa.csr
openssl x509 -req -days 3650 -in rsa.csr -signkey rsa.key -out rsa.crt
openssl pkcs8 -topk8 -inform PEM -in rsa.key -outform pem -out rsa_enc_pkcs8.key -v2 aes-256-cbc -passin pass:12345678 -passout pass:12345678
AES-CBC is used to encrypt the key or certificate of a PKCS12 keystore. The same error is reported when Tomcat is started.
This is actually a bug in the JRE itself and not Tomcat, but it's something that we can probably work around. The definition of this thing is here: https://datatracker.ietf.org/doc/html/rfc2898#appendix-A.2 Once the KDF OID, salt, iteration count, cipher OID, initialization vector, and encrypted key are unpacked from the ASN.1 structure, you just have to re-assemble them into the objects provided by the JRE. I see you have a PR. I'll have a look at it.
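The unpack-and-reassemble workaround described in the comment above, written out as an added example that is not part of this bug thread or of Tomcat's fix (Tomcat's PR is Java; this is Go, whose standard library has the same gap, since crypto/x509 also has no support for EncryptedPrivateKeyInfo, so the workaround is identical in shape and runs without a JDK). It handles exactly the combination the reporter's openssl command produces with current OpenSSL: PBES2 (OID 1.2.840.113549.1.5.13) with PBKDF2-HMAC-SHA256 and AES-256-CBC. Everything else is an assumption of the example: the function names (PBKDF2, DecryptPKCS8, EncryptPKCS8, Demo), the in-process RSA key that stands in for rsa_enc_pkcs8.key, and the iteration count; the password "12345678" is the one from the reporter's server.xml. The hand-written PBKDF2 is there only because the Go standard library gained crypto/pbkdf2 late (Go 1.24).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
)

// OIDs from RFC 8018 (PKCS #5 v2.1, which obsoletes the RFC 2898 linked above) and the NIST AES arc.
var (
	oidPBES2      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13} // the OID in the stack trace
	oidPBKDF2     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 12}
	oidHmacSHA256 = asn1.ObjectIdentifier{1, 2, 840, 113549, 2, 9}
	oidAES256CBC  = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 1, 42}
)

// EncryptedPrivateKeyInfo with the PBES2 parameters spelled out, so encoding/asn1 unpacks
// KDF OID, salt, iteration count, PRF, cipher OID and IV straight into the struct.
type encryptedPrivateKeyInfo struct {
	Algorithm struct {
		OID    asn1.ObjectIdentifier // id-PBES2
		Params struct {
			KDF struct {
				OID    asn1.ObjectIdentifier // id-PBKDF2
				Params pbkdf2Params
			}
			Cipher struct {
				OID asn1.ObjectIdentifier // id-aes256-CBC
				IV  []byte                // the cipher's only parameter
			}
		}
	}
	EncryptedData []byte
}

type pbkdf2Params struct {
	Salt           []byte
	IterationCount int
	KeyLength      int `asn1:"optional"`
	PRF            struct {
		OID    asn1.ObjectIdentifier
		Params asn1.RawValue `asn1:"optional"` // NULL
	} `asn1:"optional"` // DEFAULT hmacWithSHA1, which this example does not support
}

// PBKDF2 is RFC 8018 section 5.2 with HMAC-SHA256 as the PRF (hand-written: crypto/pbkdf2 only exists from Go 1.24).
func PBKDF2(password, salt []byte, iter, keyLen int) (out []byte) {
	prf := hmac.New(sha256.New, password)
	for i := uint32(1); len(out) < keyLen; i++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)}) // INT(i), big-endian
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for c := 1; c < iter; c++ { // T_i = U_1 xor U_2 xor ... xor U_c
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DecryptPKCS8 is the workaround the comment describes: unpack the PBES2 parameters, rebuild
// the PBKDF2 and AES-CBC primitives the platform already has, then parse the plaintext as PKCS#8.
func DecryptPKCS8(der, password []byte) (interface{}, error) {
	var e encryptedPrivateKeyInfo
	if rest, err := asn1.Unmarshal(der, &e); err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("bad EncryptedPrivateKeyInfo: %v (%d trailing bytes)", err, len(rest))
	}
	p, ct := e.Algorithm.Params, e.EncryptedData
	if !e.Algorithm.OID.Equal(oidPBES2) || !p.KDF.OID.Equal(oidPBKDF2) || !p.KDF.Params.PRF.OID.Equal(oidHmacSHA256) ||
		!p.Cipher.OID.Equal(oidAES256CBC) || p.KDF.Params.IterationCount < 1 || (p.KDF.Params.KeyLength != 0 && p.KDF.Params.KeyLength != 32) {
		return nil, fmt.Errorf("unsupported or invalid PBES2 parameters: %v / %v / %v / %v", e.Algorithm.OID, p.KDF.OID, p.KDF.Params.PRF.OID, p.Cipher.OID)
	}
	if len(p.Cipher.IV) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("IV or ciphertext is not a whole number of AES blocks")
	}
	block, _ := aes.NewCipher(PBKDF2(password, p.KDF.Params.Salt, p.KDF.Params.IterationCount, 32)) // 32-byte key: cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, p.Cipher.IV).CryptBlocks(pt, ct)
	// CBC carries no integrity tag: a wrong password shows up as bad PKCS#7 padding about 255 times
	// in 256, and otherwise as a PKCS#8 parse failure below, so never skip that parse.
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding: wrong password or corrupt data")
	}
	return x509.ParsePKCS8PrivateKey(pt[:len(pt)-n])
}

// EncryptPKCS8 builds what `openssl pkcs8 -topk8 -v2 aes-256-cbc` writes (PBKDF2-HMAC-SHA256,
// AES-256-CBC, PKCS#7 padding) so the example can produce its own input without OpenSSL.
func EncryptPKCS8(pkcs8, password []byte, iter int) ([]byte, error) {
	var e encryptedPrivateKeyInfo
	kdf, enc := &e.Algorithm.Params.KDF, &e.Algorithm.Params.Cipher
	random := make([]byte, 8+aes.BlockSize) // 8-byte salt followed by a 16-byte IV
	if _, err := rand.Read(random); err != nil {
		return nil, err
	}
	kdf.Params.Salt, enc.IV = random[:8], random[8:]
	e.Algorithm.OID, kdf.OID, enc.OID = oidPBES2, oidPBKDF2, oidAES256CBC
	kdf.Params.IterationCount, kdf.Params.PRF.OID, kdf.Params.PRF.Params = iter, oidHmacSHA256, asn1.NullRawValue
	block, _ := aes.NewCipher(PBKDF2(password, kdf.Params.Salt, iter, 32))
	pad := aes.BlockSize - len(pkcs8)%aes.BlockSize // PKCS#7: always at least one padding byte
	pt := append(append([]byte(nil), pkcs8...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	e.EncryptedData = make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, enc.IV).CryptBlocks(e.EncryptedData, pt)
	return asn1.Marshal(e)
}

// Demo encrypts a freshly generated RSA key (a constructed stand-in for rsa_enc_pkcs8.key) under the
// password from the report's server.xml, then loads it back with the right and with a wrong password.
func Demo() (withRight, withWrong error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // generation and PKCS#8 marshalling do not fail for RSA-2048
	plain, _ := x509.MarshalPKCS8PrivateKey(key)
	enc, err := EncryptPKCS8(plain, []byte("12345678"), 2048)
	if err != nil {
		return err, err
	}
	_, withRight = DecryptPKCS8(enc, []byte("12345678"))
	_, withWrong = DecryptPKCS8(enc, []byte("wrong"))
	return
}

func main() {
	right, wrong := Demo()
	fmt.Println("right password:", right, "| wrong password:", wrong)
}
```

To try it on the reporter's actual file, read rsa_enc_pkcs8.key, decode the `ENCRYPTED PRIVATE KEY` armor with encoding/pem and hand `block.Bytes` to DecryptPKCS8. The two checks that matter for a loader like Tomcat's PEMFile are visible in DecryptPKCS8: reject any OID combination you have not deliberately implemented instead of guessing, and never trust a successful CBC decrypt by itself, because PBES2 with CBC has no authentication and a wrong password is only detected by padding and by the PKCS#8 parse.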
Is this maybe related to https://github.com/kaikramer/keystore-explorer/issues/308? Which Java version do you use?
Sorry, I misunderstood the request, slightly.
"Bug" may be a strong word, here. I should have said something closer to "missing feature". https://bugs.openjdk.java.net/browse/JDK-8231581 Fetching all the information from the ASN.1 structure manually is a PITA when the JRE could do it very easily.
(In reply to Christopher Schultz from comment #5)
> "Bug" may be a strong word, here. I should have said something closer to
> "missing feature".
>
> https://bugs.openjdk.java.net/browse/JDK-8231581
>
> Fetching all the information from the ASN.1 structure manually is a PITA
> when the JRE could do it very easily.

This is exactly the same thing I have with my keys. See the KSE issue.
(In reply to Michael Osipov from comment #3)
> Is this maybe related to
> https://github.com/kaikramer/keystore-explorer/issues/308?
>
> Which Java version do you use?

jdk11.0.12
PR https://github.com/apache/tomcat/pull/462
Fixed in:
- 10.1.x for 10.1.0-M9 onwards
- 10.0.x for 10.0.15 onwards
- 9.0.x for 9.0.57 onwards
- 8.5.x for 8.5.74 onwards