Hi Sai Chandra Mouli T,

Glad you found out that PKCS#8 with pbe-sha1-rc4-128 (-v1) works well. In Kafka's unit tests, we use the algorithm pbeWithSHA1And3-KeyTripleDES-CBC (v1) to encrypt the key for the test.
Actually, the v1/v2 means the algorithm in PKCS#5 v1/v2 (check here: https://www.openssl.org/docs/man1.1.1/man1/pkcs8.html ). I checked the PKCS#5 version 2 spec: https://datatracker.ietf.org/doc/html/rfc2898#section-6.2 ; it says the v2-supported algorithm is "PBES2". If you check SunJCE.java in the OpenJDK source code: https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java , you'll find the number from your error message, "1.2.840.113549.1.5.13 SecretKeyFactory not available", and it maps to the name "OID_PKCS5_PBES2". That is the new algorithm for PKCS#5 v2: "PBES2". Unfortunately, it is not supported in the "SecretKeyFactory" engine. You can check the Java documentation for the list of supported ciphers/algorithms here: https://docs.oracle.com/javase/9/security/oracleproviders.htm#JSSEC-GUID-A47B1249-593C-4C38-A0D0-68FA7681E0A7 , and it confirms that the "PBES2" algorithm isn't supported for the "SecretKeyFactory" engine. So, until Java has an update, we can only stick to PKCS#5 v1 encryption for the PKCS#8 key.

That's all I know. FYI.

Thank you.
Luke

On Thu, Nov 25, 2021 at 1:04 PM sai chandra mouli <tsaimouli1...@gmail.com> wrote:
> Hello community,
> I intend to use Kafka and ZooKeeper with PEM certificates for SSL/TLS on
> my system. But when I try to use the encrypted private key and the
> certificate created using openssl rsa, I get error messages saying "DER
> Input Integer Tag error" and
> "Caused by: org.apache.kafka.common.errors.InvalidConfigurationException:
> Invalid PEM keystore configs
> Caused by: java.security.NoSuchAlgorithmException: 1.2.840.113549.1.5.13
> SecretKeyFactory not available".
>
> On browsing the internet, I found out that the private keys created using
> openssl are of PKCS#1 format. A blog on the internet
> ( https://codingharbour.com/apache-kafka/using-pem-certificates-with-apache-kafka/#3-providing-certificates-as-files )
> has achieved usage of PEM files by converting the private key from PKCS#1
> format to PKCS#8 format. Even in PKCS#8 format, the latest and strong
> encryption algorithms (-v2 algorithms of PKCS#8) are throwing errors, but
> downgrading the encryption algorithm of PKCS#8 to pbe-sha1-rc4-128 (-v1)
> only works. But both SHA1 and RC4 are very weak and are not strong enough
> for present-day usage.
>
> Can anyone please suggest a measure to use the latest encryption
> algorithms in PEM files that Kafka currently supports?
>
> I am attaching the log file of Kafka for reference. In case any
> more logs or information are needed, please feel free to message me. Hoping
> for a solution. Thank you for your time.
>
> Regards,
> Sai Chandra Mouli T
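Added check, not code from Luke's reply, from Kafka or from the OpenJDK sources: the thread pins the failure on the outer AlgorithmIdentifier of the encrypted PKCS#8 blob, which is PBES2 (OID 1.2.840.113549.1.5.13, quoted in the error) whenever openssl pkcs8 is run without -v1. The script below decodes the PEM, walks the first two DER SEQUENCEs of EncryptedPrivateKeyInfo, extracts that OID and reports whether SunJCE's SecretKeyFactory can handle it, so a key can be screened before it is handed to Kafka. The OID table beyond the one on the page (the PKCS#12 pbeWithSHA1And3-KeyTripleDES-CBC and pbeWithSHA1And128BitRC4 OIDs, which are what openssl's -v1 PBE-SHA1-3DES and -v1 PBE-SHA1-RC4-128 emit) is my assumption from the standard OID registry, and make_sample_pem builds a constructed blob with placeholder parameters and fake ciphertext purely to exercise the checker offline.

```python
import base64
import re

# Outer PBE OIDs of an EncryptedPrivateKeyInfo and whether SunJCE's
# SecretKeyFactory implements them. The PBES2 entry is the OID quoted in the
# thread; the PKCS#12 entries are assumed from the standard registry (v1-style
# algorithms Java exposes as PBEWithSHA1AndDESede / PBEWithSHA1AndRC4_128).
PBE_OIDS = {
    "1.2.840.113549.1.5.13": ("PBES2 (PKCS#5 v2)", False),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC (v1)", True),
    "1.2.840.113549.1.12.1.1": ("pbeWithSHA1And128BitRC4 (v1)", True),
}


def _der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))  # base-128, most significant group first
    return der_tlv(0x06, bytes(out))


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted form (arcs 0 and 1 only)."""
    parts = [str(body[0] // 40), str(body[0] % 40)]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last group of this sub-identifier
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem, label="ENCRYPTED PRIVATE KEY"):
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), pem, re.S)
    if not m:
        raise ValueError("no %s block found" % label)
    return base64.b64decode("".join(m.group(1).split()))


def pkcs8_encryption_oid(der):
    """EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm AlgorithmIdentifier,
    encryptedData OCTET STRING }; AlgorithmIdentifier ::= SEQUENCE { algorithm OID, ... }."""
    tag, epki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE: EncryptedPrivateKeyInfo expected")
    tag, alg_id, _ = _read_tlv(epki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE: AlgorithmIdentifier expected")
    tag, oid_body, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)


def check_pem_for_kafka(pem):
    """Report the outer PBE algorithm and whether Java's SecretKeyFactory accepts it."""
    oid = pkcs8_encryption_oid(pem_to_der(pem))
    name, supported = PBE_OIDS.get(oid, ("unknown", False))
    return {"oid": oid, "algorithm": name, "java_secretkeyfactory": supported}


def make_sample_pem(oid):
    """Constructed sample only: valid outer structure with the given OID, placeholder
    v1-shaped parameters (salt + 2048 iterations) and fake ciphertext, not a real key."""
    params = der_tlv(0x30, der_tlv(0x04, b"\x00" * 8) + der_tlv(0x02, b"\x08\x00"))
    alg = der_tlv(0x30, encode_oid(oid) + params)
    der = der_tlv(0x30, alg + der_tlv(0x04, b"\xde\xad\xbe\xef" * 4))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END ENCRYPTED PRIVATE KEY-----\n")


if __name__ == "__main__":
    for sample in ("1.2.840.113549.1.5.13", "1.2.840.113549.1.12.1.3"):
        print(check_pem_for_kafka(make_sample_pem(sample)))
```

To run it against a real file, replace the constructed sample with open("key.pem").read(). A key written by openssl pkcs8 -topk8 without -v1 reports the PBES2 OID and java_secretkeyfactory False, which is the NoSuchAlgorithmException case from the thread; the same key re-wrapped with -v1 PBE-SHA1-3DES reports 1.2.840.113549.1.12.1.3 and True.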