Details
-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
2.1.0.Final
-
None
Description
When configuring a client keystore for use with TLS, as in the example from elytron-examples/ejb-mutual-tls:
<key-stores> <key-store name="tlsClientTrustStore" type="PKCS12"> <file name="/home/nrla/projects/elytron-examples-git-repo/ejb-mutual-tls/tlsClient.truststore"/> <key-store-clear-password password="clientTrustSecret"/> </key-store> </key-stores>
if the client keystore password is incorrect, this configuration error is detected and results in a meaningful statck trace:
Exception in thread "main" java.lang.ExceptionInInitializerError at org.wildfly.security.auth.client.AuthenticationContext.lambda$static$0(AuthenticationContext.java:54) at org.wildfly.common.context.ContextManager.getPrivileged(ContextManager.java:286) at org.wildfly.security.auth.client.AuthenticationContext.captureCurrent(AuthenticationContext.java:86) at org.wildfly.naming.client.ProviderEnvironment$1.get(ProviderEnvironment.java:87) at org.wildfly.naming.client.ProviderEnvironment$1.get(ProviderEnvironment.java:85) at org.jboss.ejb.client.EJBClientInvocationContext.<init>(EJBClientInvocationContext.java:92) at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:171) at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:116) at com.sun.proxy.$Proxy2.getSecurityInfo(Unknown Source) at org.wildfly.security.examples.RemoteClient.main(RemoteClient.java:46) Caused by: org.wildfly.security.auth.client.InvalidAuthenticationConfigurationException: org.wildfly.client.config.ConfigXMLParseException: ELY01135: Failed to load keystore data at file:/home/nrla/projects/elytron-examples-git-repo/ejb-mutual-tls/target/classes/wildfly-config.xml:32:65 at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:40) at java.base/java.security.AccessController.doPrivileged(Native Method) at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.<clinit>(DefaultAuthenticationContextProvider.java:36) ... 10 more Caused by: org.wildfly.client.config.ConfigXMLParseException: ELY01135: Failed to load keystore data at file:/home/nrla/projects/elytron-examples-git-repo/ejb-mutual-tls/target/classes/wildfly-config.xml:32:65 at org.wildfly.security.auth.client.ElytronXmlParser$AbstractLoadingKeyStoreFactory.get(ElytronXmlParser.java:3626) at org.wildfly.security.auth.client.ElytronXmlParser$AbstractLoadingKeyStoreFactory.get(ElytronXmlParser.java:3606) at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:385) at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:261) at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:201) at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:38) ... 12 more Caused by: java.io.IOException: keystore password was incorrect at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2116) at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222) at java.base/java.security.KeyStore.load(KeyStore.java:1479) at org.wildfly.security.auth.client.ElytronXmlParser$AbstractLoadingKeyStoreFactory.get(ElytronXmlParser.java:3622) ... 17 more Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. ... 21 more [ERROR] Command execution failed.
On the otherhand, if the keystore password is not specificed at all (e.g. by leaving out the <key-store-clear-password/> element entirely from the truststore definition:
<key-stores> <key-store name="tlsClientTrustStore" type="PKCS12"> <file name="/home/nrla/projects/elytron-examples-git-repo/ejb-mutual-tls/tlsClient.truststore"/> </key-store> </key-stores>
a very confusing TLS stack trace is presented:
Nov 18, 2023 4:05:47 PM org.xnio.ChannelListeners invokeChannelListener ERROR: XNIO001007: A channel event listener threw an exception java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:102) at java.base/sun.security.validator.Validator.getInstance(Validator.java:181) at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:300) at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:176) at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:246) at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141) at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:478) at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1081) at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1068) at java.base/java.security.AccessController.doPrivileged(Native Method) at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1015) at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:547) at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:311) at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:203) at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:98) at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:72) at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:150) at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:385) at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:372) at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65) at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94) at org.xnio.nio.WorkerThread.run(WorkerThread.java:591) Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120) at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104) at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:99) ... 26 more
A different but similarly cryptic message is presented if the password for the keystore is accidently omitted.
It would make the use of the wildfly client authentication-configuration more user-friendly if such missing keystore passwords were detected and raised as meaningful exceptions.
