Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-1466

Wildfly SSL Setup Fails on HSM-Backed Keystore

    Details

      Description

      Using a keystore type that does not allow or returns empty from getEncoded() on private keys causes a KeyStoreException at startup. This is common in HSM-backed key operations.

      Storing SSL keys and certs in an HSM is a common method of securing keys and offloading SSL overhead.

      FileKeyStore.java copies a KeyStore.Entry value into a JKS KeyStore but JKS and PKCS12 KeyStore implementations maintain a copy of the encoded PKCS#8 data for private keys. When applying a KeyStore.Entry from a source that does not return the data for security reasons, the import fails.

      While it's still not guaranteed to work with all KeyStore providers, switching KeyStore.getInstance("JKS") to KeyStore.getInstance(provider) fixes the issue for SafeNet "Luna" and SunPKCS11 "PKCS11" KeyStore implementations while not breaking the "PKCS12" and "JKS" cases.

      See https://github.com/wildfly/wildfly-core/blob/master/domain-management/src/main/java/org/jboss/as/domain/management/security/FileKeystore.java#L126

      Log output:

      2016-04-04 18:53:51,100 i-4b6f79d1 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service jboss.server.controller.management.security_realm.test.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.test.key-manager: JBAS015229: Unable to start service
      	at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:148)
      	at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:119)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_60]
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_60]
      	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_60]
      Caused by: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
      	at sun.security.provider.KeyProtector.protect(KeyProtector.java:174) [rt.jar:1.8.0_60]
      	at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:267) [rt.jar:1.8.0_60]
      	at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56) [rt.jar:1.8.0_60]
      	at java.security.KeyStoreSpi.engineSetEntry(KeyStoreSpi.java:537) [rt.jar:1.8.0_60]
      	at sun.security.provider.KeyStoreDelegator.engineSetEntry(KeyStoreDelegator.java:179) [rt.jar:1.8.0_60]
      	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetEntry(JavaKeyStore.java:70) [rt.jar:1.8.0_60]
      	at java.security.KeyStore.setEntry(KeyStore.java:1557) [rt.jar:1.8.0_60]
      	at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:136)
      	... 6 more
      

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                dlofthouse Darran Lofthouse
                Reporter:
                crogman Gregory Ramsperger
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: