
Keystore with 256 bit ECDSA key for Mutual TLS

Hello All,

We are trying to establish a mutual TLS connection with one of our backend target systems. We have been provided with the private key and certificate. While trying to create the required keystore for the connection, the following error is shown:

"Invalid rsa key, reason - expecting an rsa key"

Upon inspecting the key and cert, we found that the key is a 256-bit ECDSA key and the certificate signature algorithm is ecdsa-with-SHA512.

Hence, we are looking for some guidance on whether the keystore allows a key/cert pair with ECDSA. If not, are there any workarounds?

Please note, we are using Apigee Edge SaaS and have previously made connections to other systems with a 2048-bit RSA key and a certificate with sha256WithRSAEncryption.

Thanks in advance!



@Abesh wrote:

While trying to create the required keystore for the connection, the following error is shown:


What specifically were you doing when you encountered this error? Are you using the UI or the API? If the former, can you share a screenshot of the page? If the latter, can you show the API command you're using?

Thanks for your response. We are receiving this error while trying to create the keystore. We have tried from the UI and also using apigee-config-maven-plugin. Tried both pfx and pem format. Please find the screenshots below:

Using pfx:

[screenshot: Abesh_0-1715762949513.png]

Using Pem:

[screenshot: Abesh_1-1715762987156.png]

Maven plugin-generated API command and error:

POST  https://api.enterprise.apigee.com/v1/organizations/<my_org>/environments/<env>/keystores/<my_keystore_name>/aliases?ignoreNewlineValidation=true&format=keycertfile&privateKeyExportable=false&alias=<my_alias_name>&ignoreExpiryValidation=false
  accept: [application/json]
  accept-encoding: [gzip]
  authorization: [Bearer [Not shown in log]
  content-type: multipart/form-data; boundary=----ApigeeKeystoreBoundary1715617843322
   [Request body may contain sensitive data, not shown] 
  
  [ERROR] Apigee call failed 400 Bad Request
  {
    "code" : "messaging.config.beans.KeyParseFailure",
    "message" : "Failed to parse the Key file : <my_alias_name>",
    "contexts" : [ ],
    "cause" : {
      "message" : "Invalid rsa key, reason - expecting an rsa key",
      "contexts" : [ ]
    }
  }

It seems the Apigee keystore does not support EC key pairs. Are there any alternative solutions other than using a keystore for southbound mTLS?

Thanks. I tried this here and observed the same error you observed.

   curl -i -X POST \
      -H "Authorization: Bearer ${TOKEN}"  \
      -H "Content-Type: multipart/form-data" \
      -F certFile="@ecdsa-signed-certificate.pem" \
      -F keyFile="@ecdsa-privatekey.pem" \
      ${mgmtserver}/v1/o/${org}/e/${env}/keystores/${keystore}/aliases\?alias=${alias}\&format=keycertfile

and the output was:

HTTP/1.1 400 Bad Request
Access-Control-Allow-Headers: origin, x-requested-with, accept, authorization
Access-Control-Allow-Methods: GET, PUT, POST, DELETE
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3628800
Content-Type: application/json
Date: Wed, 15 May 2024 16:19:56 GMT
Server: Apigee LB
Content-Length: 235
Connection: keep-alive

{
  "code" : "messaging.config.beans.KeyParseFailure",
  "message" : "Failed to parse the Key file : cert2",
  "contexts" : [ ],
  "cause" : {
    "message" : "Invalid rsa key, reason - expecting an rsa key",
    "contexts" : [ ]
  }
}

I raised a defect for that behavior. Internal ref is: b/340877159

Sorry I don't have a workaround to offer to you, for supporting ECDSA keys on TLS. I suggest that you open a support ticket to track this bug. Give the support team the bug number and they'll track it for you. The team is looking into this now.

BTW, it is only Edge SaaS that is affected by this deficiency. This works on Apigee X and hybrid:

 curl -i -X POST \
   -H "Authorization: Bearer ${TOKEN}"  \
   -H "Content-Type: multipart/form-data" \
   -F certFile="@ecdsa-signed-certificate.pem" \
   -F keyFile="@ecdsa-privatekey.pem" \
   ${apigeeapis}/v1/organizations/${ORG}/environments/${ENV}/keystores/${keystore}/aliases\?alias=cert2\&format=keycertfile
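A pre-upload check, added here as an example and not part of this thread or of Apigee's tooling: it reports whether a PEM private key is RSA or EC (and which named curve) so the "expecting an rsa key" rejection can be anticipated before calling the keystore API. It uses only the standard library; the two sample PEMs it builds are constructed test data with a dummy key body, not real keys.

```python
# Added example, not from the thread or from Apigee: classify a PEM private
# key by its label or, for PKCS#8 "BEGIN PRIVATE KEY", by its DER AlgorithmIdentifier.
import base64
import re

RSA_OID, EC_OID = "1.2.840.113549.1.1.1", "1.2.840.10045.2.1"
CURVES = {"1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384", "1.3.132.0.35": "P-521"}

def _tlv(buf, pos):  # one DER element at pos -> (tag, content, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):  # OID content octets (base-128 arcs) -> dotted string
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def key_type(pem):  # -> 'RSA', 'EC', 'EC (<curve>)' or 'unknown'
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END", pem, re.S)
    if not m:
        return "unknown"
    label, body = m.groups()
    if label in ("RSA PRIVATE KEY", "EC PRIVATE KEY"):  # PKCS#1 / SEC1: label decides
        return label.split()[0]
    if label != "PRIVATE KEY":                         # e.g. ENCRYPTED PRIVATE KEY
        return "unknown"
    _, pki, _ = _tlv(base64.b64decode("".join(body.split())), 0)  # PrivateKeyInfo
    _, _, pos = _tlv(pki, 0)                           # skip version INTEGER
    _, alg, _ = _tlv(pki, pos)                         # AlgorithmIdentifier
    _, oid, pos = _tlv(alg, 0)                         # algorithm OID
    algorithm = _oid(oid)
    if algorithm == EC_OID:
        tag, params, _ = _tlv(alg, pos)                # namedCurve parameter
        curve = CURVES.get(_oid(params), _oid(params)) if tag == 0x06 else "?"
        return f"EC ({curve})"
    return "RSA" if algorithm == RSA_OID else "unknown"

def _pkcs8(alg_id_hex):  # constructed PKCS#8 PEM with a dummy key body (test data)
    body = b"\x02\x01\x00" + bytes.fromhex(alg_id_hex) + b"\x04\x04\xde\xad\xbe\xef"
    der = b"\x30" + bytes([len(body)]) + body
    return "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % base64.b64encode(der).decode()

EC_P256_PEM = _pkcs8("301306072a8648ce3d020106082a8648ce3d030107")  # id-ecPublicKey, P-256
RSA_PEM = _pkcs8("300d06092a864886f70d0101010500")                   # rsaEncryption, NULL
```

Run `key_type(open("ecdsa-privatekey.pem").read())` on the file you are about to upload; anything other than "RSA" will hit the KeyParseFailure shown above on Edge SaaS.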

Hi @dchiesa1, I just ran into the same error. Is there any news, or perhaps a workaround?
Thank you

I just checked - this ticket is still in the backlog. I suggest that you contact the Google support desk and escalate your request for this support, if you consider it to be important.

We have the same requirement. Is there any progress with that issue yet?

And how does one look up these internal reference issues?

Thank you!


@sk89 wrote:

Is there any progress with that issue yet?


No. This is still a limitation in Apigee Edge. The team have diagnosed the issue and understand how to fix it, but have not prioritized releasing that fix. This limitation does not appear in Apigee X or hybrid. 



@sk89 wrote:

how does one look up these internal reference issues?


External people cannot look up "internal references" - that's what I mean when I describe it as internal.

If you want to see progress on this, I suggest you contact Apigee support, ask for progress on the ticket, cite the reference, and make it clear that it's important. The Support staff can route your concern appropriately. If you would like to escalate the issue, contact your customer account team and ask them to intervene. I don't think there's a big technical blocker for this issue. It's a matter of prioritizing it. You may be able to induce progress by being the squeaky wheel.

Hi @dchiesa1 

Thank you for your response. I have indeed created a Support case last week after finally being able to log in to the new Support Portal.

Case ID: 56959961

If you are looking for a workaround specific to EC keys and southbound mTLS, I would think of creating a Java callout to establish the connection, where the key/cert pair is read from the KVM to create a keystore in memory and then used to create the connection with the target endpoint. This could be looked at as a tactical solution until Apigee Edge supports EC keys in keystores.

Thanks @dchiesa1 for looking into this. Will share the internal ref through the support ticket.