Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1322

Found multiple secret keys sharing same CKA_LABEL

    Details

    • Steps to Reproduce:
      Hide

      -Dfips.java.home must use nss db from /scripts/prepared_artifacts/fipsdb

      git clone git@gitlab.mw.lab.eng.bos.redhat.com:jbossqe-eap/tests-security.git
      cd fips
      ./build-fips.sh clean test   -Dversion.jboss.bom=7.1.0.Beta1 -Dversion.wildfly.core=3.0.0.Beta26-redhat-1 -Dmaven.repo.local=/home/mchoma/workspace/eap-versions/7.1.0.ER1/jboss-eap-7.1.0.Beta1-maven-repository/maven-repository   -Djboss.dist.zip=/home/mchoma/workspace/eap-versions/7.1.0.ER1/jboss-eap-7.1.0.ER1.zip   -Dfips.java.home=/usr/java/jdk1.8.0_66_fips_mode/jre -fae -Dmaven.test.failure.ignore=true -Dtest=SSLMasterSlaveTwoWayTestCase -DtestLogToFile=false
      
      Show
      -Dfips.java.home must use nss db from /scripts/prepared_artifacts/fipsdb git clone git@gitlab.mw.lab.eng.bos.redhat.com:jbossqe-eap/tests-security.git cd fips ./build-fips.sh clean test -Dversion.jboss.bom=7.1.0.Beta1 -Dversion.wildfly.core=3.0.0.Beta26-redhat-1 -Dmaven.repo.local=/home/mchoma/workspace/eap-versions/7.1.0.ER1/jboss-eap-7.1.0.Beta1-maven-repository/maven-repository -Djboss.dist.zip=/home/mchoma/workspace/eap-versions/7.1.0.ER1/jboss-eap-7.1.0.ER1.zip -Dfips.java.home=/usr/java/jdk1.8.0_66_fips_mode/jre -fae -Dmaven.test.failure.ignore= true -Dtest=SSLMasterSlaveTwoWayTestCase -DtestLogToFile= false

      Description

      When multiple PKCS11 keystores are configured in domain [1][2]. And PKCS11 store contains secret key. Then this exception is thrown on startup intermittently (but very often, cca 50%).

      Unable to find source-code formatter for language: server.log. Available languages are: actionscript, ada, applescript, bash, c, c#, c++, cpp, css, erlang, go, groovy, haskell, html, java, javascript, js, json, lua, none, nyan, objc, perl, php, python, r, rainbow, ruby, scala, sh, sql, swift, visualbasic, xml, yaml
      [Host Controller] 10:15:05,526 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.security.key-store.oneWayKS: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.oneWayKS: WFLYELY00004: Unable to start the service.
      [Host Controller] 	at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:146)
      [Host Controller] 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
      [Host Controller] 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
      [Host Controller] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      [Host Controller] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      [Host Controller] 	at java.lang.Thread.run(Thread.java:745)
      [Host Controller] Caused by: java.io.IOException: load failed
      [Host Controller] 	at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:763)
      [Host Controller] 	at java.security.KeyStore.load(KeyStore.java:1445)
      [Host Controller] 	at org.wildfly.security.keystore.AtomicLoadKeyStoreSpi.engineLoad(AtomicLoadKeyStoreSpi.java:55)
      [Host Controller] 	at java.security.KeyStore.load(KeyStore.java:1445)
      [Host Controller] 	at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:137)
      [Host Controller] 	... 5 more
      [Host Controller] Caused by: java.security.KeyStoreException: invalid KeyStore state: found multiple secret keys sharing same CKA_LABEL [my-key]
      [Host Controller] 	at sun.security.pkcs11.P11KeyStore.mapLabels(P11KeyStore.java:2408)
      [Host Controller] 	at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:755)
      [Host Controller] 	... 9 more
      

      Storing secret key into PKCS11 store is necessary for FIPS Credential store implementation.

      sun.security.pkcs11.P11KeyStore.java
                 for (long handle : handles) {
                      attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_LABEL) };
                      token.p11.C_GetAttributeValue(session.id(), handle, attrs);
                      if (attrs[0].pValue != null) {
                          // there is a CKA_LABEL
                          String cka_label = new String(attrs[0].getCharArray());
                          if (sKeyMap.get(cka_label) == null) {
                              sKeyMap.put(cka_label, new AliasInfo(cka_label));
                          } else {
                              throw new KeyStoreException("invalid KeyStore state: " +
                                      "found multiple secret keys sharing same " +
                                      "CKA_LABEL [" +
                                      cka_label +
                                      "]");
                          }
                      }
                  }
      

      It seems to me problem will be PKCS11 store (system wide) is loaded concurrently multiple times and therefore sometimes JDK check triggers false positive alarm [3].

      [1] https://gitlab.mw.lab.eng.bos.redhat.com/jbossqe-eap/tests-security/blob/7.x/fips/src/test/resources/host-configs/elytron/host-master-ssl-2way.xml
      [2] https://gitlab.mw.lab.eng.bos.redhat.com/jbossqe-eap/tests-security/blob/7.x/fips/src/test/resources/host-configs/elytron/host-slave-ssl-2way.xml
      [3] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/pkcs11/P11KeyStore.java#2408

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  pskopek Peter Škopek
                  Reporter:
                  pskopek Peter Škopek
                  Need Info from:
                  Darran Lofthouse, Peter Škopek
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: