GRPC java trouble reading keys for server side authentication


ricardo...@gmail.com

Nov 3, 2017, 11:23:32 AM
to grpc.io
I have been at this for the better part of a couple of days and am at the end of my rope. I am trying to generate readable keys for a Java gRPC server. I am using certstrap to generate the keys. Here is what I am doing:


certstrap init --common-name "GRPC"
certstrap request-cert --common-name server.com
certstrap sign sdl10236.labs.teradata.com --CA "GRPC"
I get the following output:
GRPC.crl, GRPC.crt, GRPC.key, server.crt, server.csr, and server.key
Now the problem here is when I go to load the certificates and keys. The source for reading the key in netty keeps saying that I do not have a valid private key.
Exception in thread "main" java.lang.IllegalArgumentException: File does not contain valid private key: /tmp/server.com.key5252344955683539009
at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:267)
at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:222)
at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:54)
at com.teradata.grpc.GrpcServer.serverBuilder(GrpcServer.java:152)
at com.teradata.grpc.GrpcServer.start(GrpcServer.java:69)
at com.teradata.grpc.GrpcServer.main(GrpcServer.java:111)
Caused by: java.security.KeyException: could not find a PKCS #8 private key in input stream (see http://netty.io/wiki/sslcontextbuilder-and-private-key.html for more information)
at io.netty.handler.ssl.PemReader.readPrivateKey(PemReader.java:128)
at io.netty.handler.ssl.PemReader.readPrivateKey(PemReader.java:109)
at io.netty.handler.ssl.SslContext.toPrivateKey(SslContext.java:1014)
at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:265)
... 5 more
Here is the code I am running:
this.clientContextBuilder = GrpcSslContexts.configure(SslContextBuilder.forClient(), this.sslProvider);
try {
    this.serverCertFile = this.loadCert("sdt03134.labs.teradata.com.crt");
    this.serverPrivateKeyFile = this.loadCert("sdt03134.labs.teradata.com.key");
    this.serverTrustedCaCerts = new X509Certificate[]{this.loadX509Cert("grpc.crt")};   // <-- the barfing happens here.
} catch (IOException ex) {
The following methods I borrowed from the Java unit tests to create the server:
private File loadCert(String name) throws IOException {
    // Copies a classpath resource under /certs/ into a temp file, since SslContextBuilder.forServer wants Files.
    InputStream raw = GrpcServer.class.getResourceAsStream("/certs/" + name);
    if (raw == null) {
        // getResourceAsStream returns null for a missing resource; fail with the name instead of an NPE later.
        throw new IOException("resource not found on classpath: /certs/" + name);
    }
    InputStream in = new BufferedInputStream(raw);
    File tmpFile = File.createTempFile(name, "");
    tmpFile.deleteOnExit();

    OutputStream os = new BufferedOutputStream(new FileOutputStream(tmpFile));
    try {
        int b;
        while ((b = in.read()) != -1) {
            os.write(b);
        }
        os.flush();
    } finally {
        in.close();
        os.close();
    }

    return tmpFile;
}

private X509Certificate loadX509Cert(String fileName) throws CertificateException, IOException {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    logger.info("loading " + fileName);
    InputStream in = GrpcServer.class.getResourceAsStream("/certs/" + fileName);
    if (in == null) {
        // Same null case as loadCert: a missing resource must not reach in.close() below.
        throw new IOException("resource not found on classpath: /certs/" + fileName);
    }
    logger.info("Inputstream is defined.");
    try {
        // The resource must be a PEM or DER certificate (the CA's .crt), not a private key.
        return (X509Certificate) cf.generateCertificate(in);
    } finally {
        in.close();
    }
}

private ServerBuilder<?> serverBuilder(int port, File serverCertChainFile,
        File serverPrivateKeyFile, X509Certificate[] serverTrustedCaCerts) throws IOException {
    // serverPrivateKeyFile must be PKCS#8 PEM ("-----BEGIN PRIVATE KEY-----"); Netty's PemReader rejects PKCS#1.
    SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(serverCertChainFile, serverPrivateKeyFile);
    GrpcSslContexts.configure(sslContextBuilder, sslProvider);
    // Mutual TLS: every client must present a certificate chaining to one of serverTrustedCaCerts.
    sslContextBuilder.trustManager(serverTrustedCaCerts).clientAuth(ClientAuth.REQUIRE);

    return NettyServerBuilder.forPort(port).sslContext(sslContextBuilder.build());
}

Any help would be appreciated here. Please do not reply with read the docs. I have been there many times and they just do not provide enough information to solve this problem.

Eric Anderson

Nov 3, 2017, 7:08:47 PM
to ricardo...@gmail.com, grpc.io
Have you looked at http://netty.io/wiki/sslcontextbuilder-and-private-key.html ?

I wasn't able to completely follow your directions (the last certstrap command failed), but comparing the keys in grpc-java/testing/src/main/resources/certs to those certstrap generated, I see:
-----BEGIN PRIVATE KEY-----
vs
-----BEGIN RSA PRIVATE KEY-----

Running openssl to convert the format as suggested by the netty documentation yielded BEGIN PRIVATE KEY. I didn't try running with it, but that looked promising.

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+unsubscribe@googlegroups.com.
To post to this group, send email to grp...@googlegroups.com.
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/be8e5ca0-b3d7-4088-bdaf-7c414b0da06e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
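The two headers Eric points at are two different encodings of the same RSA key: "RSA PRIVATE KEY" is a bare PKCS#1 RSAPrivateKey structure, while "PRIVATE KEY" is a PKCS#8 PrivateKeyInfo that wraps that structure together with an AlgorithmIdentifier saying which algorithm the key belongs to. Netty's PemReader only understands the second form, which is why the exception says it "could not find a PKCS #8 private key". The class below is an added example, not code from grpc-java, Netty or certstrap: it performs that wrapping with plain JDK classes (the same transformation `openssl pkcs8 -topk8 -nocrypt` does for an unencrypted RSA key), and then proves the output is valid PKCS#8 by loading it through `KeyFactory`. The class name, the method names and the `PEM` regex are my own; the demo input in `main` is constructed by generating a key with the JDK and re-framing it the way certstrap's `.key` file is framed.

```java
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not grpc-java or Netty code: rewrite a PKCS#1 "RSA PRIVATE KEY" PEM as the
// PKCS#8 "PRIVATE KEY" PEM that Netty's PemReader accepts, then prove it parses with the JDK.
public final class Pkcs1ToPkcs8 {

    private static final Pattern PEM = Pattern.compile(
            "-----BEGIN ([A-Z ]+)-----\\s*([A-Za-z0-9+/=\\s]+?)\\s*-----END \\1-----", Pattern.DOTALL);

    // DER AlgorithmIdentifier { rsaEncryption (OID 1.2.840.113549.1.1.1), NULL }
    private static final byte[] RSA_ALG_ID = {0x30, 0x0d, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48,
            (byte) 0x86, (byte) 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00};

    // Converts an RSA PEM key to PKCS#8; PKCS#8 input is returned unchanged.
    static String toPkcs8Pem(String pem) {
        Matcher m = PEM.matcher(pem);
        if (!m.find()) throw new IllegalArgumentException("no PEM block found");
        String label = m.group(1);
        byte[] der = Base64.getMimeDecoder().decode(m.group(2));
        switch (label) {
            case "PRIVATE KEY":     return pem;                                    // already PKCS#8
            case "RSA PRIVATE KEY": return encodePem("PRIVATE KEY", wrapPkcs1(der));
            default: throw new IllegalArgumentException("unsupported PEM label '" + label
                    + "' (EC or password-protected keys need a different conversion)");
        }
    }

    // PrivateKeyInfo ::= SEQUENCE { version INTEGER 0, AlgorithmIdentifier, privateKey OCTET STRING }
    static byte[] wrapPkcs1(byte[] pkcs1Der) {
        return tlv(0x30, concat(tlv(0x02, new byte[]{0x00}), RSA_ALG_ID, tlv(0x04, pkcs1Der)));
    }

    // Inverse of wrapPkcs1; used in main() only to fabricate a certstrap-style PKCS#1 PEM.
    static byte[] unwrapPkcs8(byte[] pkcs8Der) {
        int[] pos = {0};
        readHeader(pkcs8Der, pos, 0x30);            // enter PrivateKeyInfo
        pos[0] += readHeader(pkcs8Der, pos, 0x02);  // skip version
        pos[0] += readHeader(pkcs8Der, pos, 0x30);  // skip AlgorithmIdentifier
        int len = readHeader(pkcs8Der, pos, 0x04);  // privateKey OCTET STRING holds the PKCS#1 key
        return Arrays.copyOfRange(pkcs8Der, pos[0], pos[0] + len);
    }

    static String encodePem(String label, byte[] der) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + body + "\n-----END " + label + "-----\n";
    }

    // Reads one DER tag + length at pos, checks the tag, advances pos to the content, returns its length.
    static int readHeader(byte[] b, int[] pos, int expectedTag) {
        int tag = b[pos[0]++] & 0xff;
        if (tag != expectedTag) throw new IllegalArgumentException("unexpected DER tag " + tag);
        int len = b[pos[0]++] & 0xff;
        if (len >= 0x80) {                          // long form: low 7 bits = number of length bytes
            int n = len & 0x7f;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[pos[0]++] & 0xff);
        }
        return len;
    }

    // DER tag-length-value; lengths up to 65535 bytes cover any RSA key size in practice.
    static byte[] tlv(int tag, byte[] value) {
        int n = value.length;
        byte[] len = n < 0x80 ? new byte[]{(byte) n} : n < 0x100 ? new byte[]{(byte) 0x81, (byte) n}
                : new byte[]{(byte) 0x82, (byte) (n >> 8), (byte) n};
        return concat(new byte[]{(byte) tag}, len, value);
    }

    static byte[] concat(byte[]... parts) {
        int total = 0;
        for (byte[] p : parts) total += p.length;
        byte[] out = new byte[total];
        int off = 0;
        for (byte[] p : parts) { System.arraycopy(p, 0, out, off, p.length); off += p.length; }
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] pkcs8 = kp.getPrivate().getEncoded();   // the JDK always emits PKCS#8
        // Constructed input: the same key in the PKCS#1 framing that certstrap writes to its .key file.
        String certstrapStyle = encodePem("RSA PRIVATE KEY", unwrapPkcs8(pkcs8));

        String converted = toPkcs8Pem(certstrapStyle);
        Matcher m = PEM.matcher(converted);
        m.find();
        byte[] der = Base64.getMimeDecoder().decode(m.group(2));
        KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));  // throws if malformed
        System.out.println(converted.split("\n")[0] + "  byte-identical to JDK encoding: "
                + Arrays.equals(der, pkcs8));
    }
}
```

In practice you would not ship this class; the shell equivalent from the Netty wiki page is `openssl pkcs8 -topk8 -nocrypt -in server.key -out server.pem`, and the quick check before loading anything is that the first line of the key file reads `-----BEGIN PRIVATE KEY-----` rather than `-----BEGIN RSA PRIVATE KEY-----`. Note that `-nocrypt` leaves the converted key unencrypted on disk, so protect the file with the same permissions as the original, and keep the CA certificate and the private key as separate inputs: `SslContextBuilder.forServer` takes the key, while the trust manager takes certificates only.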

ricardo...@gmail.com

Nov 3, 2017, 9:39:13 PM
to grpc.io
Hi Eric, thank you for the reply. I will take a look at that link. That may be my problem. I will post back after I try this out.

ricardo...@gmail.com

Nov 3, 2017, 11:28:50 PM
to grpc.io
Hi Eric you were correct! That fixed my problem. I was also using the wrong files when loading the certs. It works now.

this.serverCertFile = this.loadCert("server.crt");
this.serverPrivateKeyFile = this.loadCert("server.pem");
this.serverTrustedCaCerts = new X509Certificate[]{this.loadX509Cert("GRPC.pem")};

Also I was lazy with pasting in my example which is why it did not work for you. If you replaced server with the sdl domain it would have worked. But thanks to you everything is good now.

I appreciate it!

Dave Bartlett

Jun 14, 2022, 8:45:43 AM
to grpc.io
Just another thank you to Eric.  The link provided also solved my problem.
