This is just a short announcement of my recent deployment of this capsule's chat which can be found here:
=> Chat!
When you visit /chat you will be redirected to /chat/{id}, where id is an autogenerated UUID. This is your authentication now: don't share this URL with others, and bookmark it to keep your identity.
The chat will show newest messages on top, marked with a public identifier (different from your private autogenerated uuid). For convenience, you can also define an alias that will be prepended to the identifier for the messages you post in the future.
Thank you to while:197012d17c1a79bf7ff6 who helped me identify inputs that needed sanitization.
This is a rant. In summary, configuring Let's Encrypt on my Kotlin server was a pain in the ass.
This is my first gemini server and my first VPS. Sure, all of this is new to me, but even after I managed to make HTTPS work via nginx and I had the certificates on my computer... well, there was still an ungodly amount of work left.
The biggest shocker is that in nginx (at least apparently) only a few config lines are updated to provide the cert, private key and a random seed. In JVM there is no such facility.
To be fair, you can point to keystores and trust-stores with properties, but I am dumb, lazy and obstinate, so. I wanted my Java program to achieve the same thing nginx was doing: same inputs, same results.
I am not a security expert, but I was in for a ride, I didn't know anything about the stores and certs and I was completely lost for a while. It doesn't help that there are so many Stringy dimensions in cryptography which really seemed to point to an infinite number of combinations. I almost gave up.
Then it clicked. OK, I am generating a keyStore programmatically, so I need to read the files and use the key and the cert to create a keystore...
But:
And I was hit again and again with the hammer of too many bytes, something about DER, essentially my key was corrupted or something.
So success right? no. I can't find the file? Oh it was a relative reference? okay, okay Path.resolve ok then.
Turns out that my removing of whitespace wasn't removing those pesky linebreaks the file has, for whatever reason.
And then, finally, finally happened, right? RIIIIIIIIIIIIIIIGHT?????
NO
I heard you like cryptography and it changes so fast that we won't even bother updating stuff in java. Apparently now you kinda HAVE TO use libraries if you want to keep up with modern keys and algos in java (or at least that's the impression I got).
And there it was, Bouncy Castle, in all its ridiculously named packages glory. To the rescue.
Funnily enough, I still had to do everything I did manually, but it had the magical classes to convert that stream of bytes into the Private Key I wanted.
And badabim, badabam, we got a green lock in gemini.
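The approach described above (certificate and key PEM files in, an in-memory keystore and TLS context out), sketched as an added example; this is not the server's actual code. The function and parameter names are hypothetical, and it assumes Bouncy Castle's bcprov and bcpkix artifacts are on the classpath and that the key file is unencrypted.

```kotlin
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.bouncycastle.openssl.PEMKeyPair
import org.bouncycastle.openssl.PEMParser
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter
import java.nio.file.Files
import java.nio.file.Path
import java.security.KeyStore
import java.security.PrivateKey
import java.security.cert.CertificateFactory
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext

// PEMParser strips the BEGIN/END armor and the line breaks itself, so there is
// no hand-rolled whitespace removal or Base64 decoding to get wrong.
fun readPrivateKey(keyPem: Path): PrivateKey {
    val converter = JcaPEMKeyConverter().setProvider(BouncyCastleProvider())
    PEMParser(Files.newBufferedReader(keyPem)).use { parser ->
        for (obj in generateSequence { parser.readObject() }) {
            when (obj) {
                is PEMKeyPair -> return converter.getKeyPair(obj).private  // "EC PRIVATE KEY" (SEC1, RFC 5915)
                is PrivateKeyInfo -> return converter.getPrivateKey(obj)   // "PRIVATE KEY" (PKCS#8)
                else -> {}                                                 // e.g. an "EC PARAMETERS" block
            }
        }
    }
    throw IllegalArgumentException("no unencrypted private key found in $keyPem")
}

// Builds the keystore in memory only; nothing is written to disk.
// Pass absolute paths so the result does not depend on the working directory.
fun sslContextFromPem(certChainPem: Path, keyPem: Path): SSLContext {
    // The chain file must list the server certificate first, then the intermediates.
    val chain = Files.newInputStream(certChainPem).use { input ->
        CertificateFactory.getInstance("X.509").generateCertificates(input).toTypedArray()
    }
    require(chain.isNotEmpty()) { "no certificates found in $certChainPem" }
    val password = "in-memory-only".toCharArray()  // constructed value; guards only the in-memory entry
    val keyStore = KeyStore.getInstance(KeyStore.getDefaultType()).apply {
        load(null, null)  // start from an empty keystore
        setKeyEntry("server", readPrivateKey(keyPem), password, chain)
    }
    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
    kmf.init(keyStore, password)
    return SSLContext.getInstance("TLS").apply { init(kmf.keyManagers, null, null) }
}
```

The private key file stays the only secret on disk, so it should be readable only by the account the server runs as.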
=> rfc5915 Elliptic Curve Private Key Structure
=> Those classes aren't in my JVM! (Here I learn about Bouncy Castle)
=> Bouncy Castle
=> Bouncy Castle's unhinged library names