FsVault: Better compatibility of FsVault with OpenSSL for EC key generation

[thomasrutger]

Feature Request

When using the FsVault, I tried to use OpenSSL together with keytool to generate the Keystore with the EC keys. However, this is apparently not supported and I read that I should use Keystore Explorer instead to generate keys. This is inconvenient when you want to generate keys from a script.

Additionally, it seems that the keys are converted to PEM format before they are used. So why not just configure the keys in PEM files directly, instead of using JKS?

Which Areas Would Be Affected?

FsVault

Why Is the Feature Desired?

Better compatibility with standard tooling

Solution Proposal

• Change current implementation such that EC keys created using OpenSSL + keytool are accepted
• Configure using PEM files directly instead of JKS (considering they are converted to PEM anyway)

[github-actions[bot]]

Thanks for your contribution 🔥 We will take a look asap 🚀

[paullatzelsperger]

@thomasrutger thanks for raising this, although i'm not 100% sure what your ask is. Do you want to replace JKS with PEM? if so, why?

Please consider, that PEMs are not drop-in replacements for JKS, as they only contain one key(-pair). So you'd need some way of resolving the correct PEM file for any given alias, or switch over to *.pfx.

*.pfx files can host multiple keys, and they can be password-protected, so there would roughly be feature parity, but at that point, we're just replacing one thing with another without added value.

Next, if there really is a bug with storing EC Keys in a JKS, please provide some references for that, like an official bugreport or a known-issue. Also, that would be outside of the purview of EDC.

If there is a bug in EDC when reading EC Keys from a JKS, then please provide a log, or some added info.

[thomasrutger]

Thanks for your reply. The specific issue I am facing is that I could not get the file system vault to work with EC keys generated using openssl + keytool. It turned out I had to use a tool called Keystore Explorer to generate the EC keys. From the README of the MVD: KeyStore Explorer should be used to manage keystores (from UI). Using openssl combined with keytool to obtain a JKS keystore will result in a keystore the EDC cannot read (incompatible inclusion of key parameters).

Using openssl + keystore to generate the keys is more convenient to use as it can be used to automate the process of key generation.

(the suggestion of using pem instead of keystores was based on the observation that keys are converted to PEM anyway. I understand that given the context, this might not actually be such a good idea if many keys have to be managed)

[paullatzelsperger]

Unless there is an actual problem with the FsVault - in which case i'd ask for a log - I don't see a reason do anything.

FYI, the Keystore Explorer seems to use regular, well-known libraries like Nimbus and BouncyCastle, so you should be able to have the same possibilites there as in the CLI. In any event, this is not an issue for EDC.