EC256 Private Key Issue #2
Comments
I am not sure what is up. How did you generate your key? I presume you encoded your key in pkcs8 format? Also, could you tell me which version of ACF/Lucee are you on?
CF-2016. Key generation was openssl via similar instruction to your read.me: https://developers.google.com/pay/api/web/guides/resources/payment-data-cryptography#using-openssl
Ok, so to be clear, after you run:
openssl ecparam -name prime256v1 -genkey -noout -out key.pem
you should run:
openssl pkcs8 -topk8 -nocrypt -in key.pem -out key.pk8
The output of this second command (the
Correct. Strange. I can send you a snippet on how I fixed the issue. With
bouncy castle I'm able to use the key.pem file directly, which is nice.
Quick question, the signing appears to be a single direction. Is this
correct? Meaning I can sign with private key and validate the signature
with the public key, but the other way around fails, unlike PKI encryption
which can encrypt & decrypt in both directions.
On Tue, Aug 18, 2020 at 3:38 PM John Berquist ***@***.***> wrote:
Ok, so to be clear, after you run:
openssl ecparam -name prime256v1 -genkey -noout -out key.pem
you should run:
openssl pkcs8 -topk8 -nocrypt -in key.pem -out key.pk8
The output of this second command (the .pk8 extension is not required) is
the format of the key that is needed to use with this library. Is that what
you did?
--
Steve Sommers
Chief Application Architect
Shift4 Payments
702.597.2480 ext.3121
I'm encountering an "Invalid PEM key." error while attempting to encode a token. What is strange is that when I walk through the code within the parsePEMEncodedKey() function, the if( find( '-----BEGIN PRIVATE KEY-----', pemKey ) ) is triggered, the RSA block throws an exception and is caught as intended, but when the EC block is executed, it seems to throw a silent exception. I updated the catch to rethrow, and nothing is triggered but the return instruction is not executed, so I am assuming a silent exception.
Have you seen this behavior before?
I was able to port a bouncy castle pem reader example to CF. I then passed the private key to encode and public key to decode and it worked. The pem reader code I ported was from: https://connect2id.com/products/nimbus-jose-jwt/openssl-key-generation
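An added example, not code from this thread or from the library: it runs the two openssl commands quoted above on a throwaway key, shows that the PEM label changes from the SEC1 form to PKCS#8, and then checks the signing direction asked about (the private key signs, the public key only verifies). The function names `pem_label`, `make_keys`, `sign_msg`, `verify_msg` and `demo` are hypothetical, the message is constructed, and `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example; keys are generated on the fly in a temp dir and discarded.

# Print the PEM label of a file: "EC PRIVATE KEY" is the SEC1 form written by
# `openssl ecparam -genkey`, "PRIVATE KEY" is the PKCS#8 form.
pem_label() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Generate a P-256 key, re-wrap it as unencrypted PKCS#8, export the public key.
make_keys() {  # make_keys <directory>
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem" &&
  openssl pkcs8 -topk8 -nocrypt -in "$1/key.pem" -out "$1/key.pk8" &&
  openssl pkey -in "$1/key.pem" -pubout -out "$1/pub.pem"
}

# ECDSA over SHA-256; openssl writes the signature DER-encoded.
sign_msg() {   # sign_msg <private key> <message file> <signature file>
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Returns 0 only when the signature matches the message under the public key.
verify_msg() { # verify_msg <public key> <message file> <signature file>
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

demo() {
  tmp=$(mktemp -d) || return 1
  make_keys "$tmp" || { rm -rf "$tmp"; return 1; }
  printf 'constructed sample payload' > "$tmp/msg"
  echo "key.pem label: $(pem_label "$tmp/key.pem")"
  echo "key.pk8 label: $(pem_label "$tmp/key.pk8")"
  sign_msg "$tmp/key.pk8" "$tmp/msg" "$tmp/sig" &&
    verify_msg "$tmp/pub.pem" "$tmp/msg" "$tmp/sig" &&
    echo "private key signs, public key verifies: ok"
  # The public key file holds no private scalar, so openssl refuses to sign.
  sign_msg "$tmp/pub.pem" "$tmp/msg" "$tmp/sig2" 2>/dev/null ||
    echo "signing with the public key: rejected"
  rm -rf "$tmp"
}

demo || echo "demo failed (is openssl installed?)" >&2
```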