Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-10138

TLS using PKCS11 and JDK9+ does not work by default

    XMLWordPrintable

Details

    • Bug
    • Resolution: Won't Do
    • Critical
    • None
    • 12.0.0.Final
    • Documentation, Security
    • None

    Description

      Since JDK 9.0.4 default behaviour changed and extended master secret extension is turned on by default [1].
      This fails on java using sun.security.pkcs11.SunPKCS11 provider. (FIPS compliant java)

      17:32:48,377 INFO  [stdout] (default task-1) SESSION KEYGEN:
17:32:48,378 INFO  [stdout] (default task-1) PreMaster Secret:
17:32:48,378 INFO  [stdout] (default task-1) (key bytes not available)
17:32:48,378 INFO  [stdout] (default task-1) RSA master secret generation error:
17:32:48,378 INFO  [stdout] (default task-1) java.security.InvalidAlgorithmParameterException: Key format must be RAW
17:32:48,378 INFO  [stdout] (default task-1) 	at java.base/com.sun.crypto.provider.TlsMasterSecretGenerator.engineInit(TlsMasterSecretGenerator.java:69)
17:32:48,378 INFO  [stdout] (default task-1) 	at java.base/javax.crypto.KeyGenerator.init(KeyGenerator.java:477)
17:32:48,378 INFO  [stdout] (default task-1) 	at java.base/javax.crypto.KeyGenerator.init(KeyGenerator.java:453)
17:32:48,378 INFO  [stdout] (default task-1) 	at java.base/sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1334)
17:32:48,378 INFO  [stdout] (default task-1) 	at java.base/sun.security.ssl.Handshaker.calculateKeys(Handshaker.java:1235)
17:32:48,378 INFO  [stdout] (default task-1) 	at java.base/sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:318)
17:32:48,378 INFO  [stdout] (default task-1) 	at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1092)
17:32:48,379 INFO  [stdout] (default task-1) 	at java.base/sun.security.ssl.Handshaker$1.run(Handshaker.java:1031)
17:32:48,379 INFO  [stdout] (default task-1) 	at java.base/sun.security.ssl.Handshaker$1.run(Handshaker.java:1028)
17:32:48,379 INFO  [stdout] (default task-1) 	at java.base/java.security.AccessController.doPrivileged(Native Method)
17:32:48,379 INFO  [stdout] (default task-1) 	at java.base/sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1534)
17:32:48,379 INFO  [stdout] (default task-1) 	at io.undertow.core@2.0.0.SP1-redhat-1//io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1047)
17:32:48,379 INFO  [stdout] (default task-1) 	at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
17:32:48,379 INFO  [stdout] (default task-1) 	at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
17:32:48,379 INFO  [stdout] (default task-1) 	at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
17:32:48,379 INFO  [stdout] (default task-1) 	at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
17:32:48,379 INFO  [stdout] (default task-1) 	at java.base/java.lang.Thread.run(Thread.java:844)
17:32:48,379 INFO  [stdout] (default I/O-7) default I/O-7, fatal error: 80: problem unwrapping net record
17:32:48,379 INFO  [stdout] (default I/O-7) java.lang.RuntimeException: java.security.InvalidAlgorithmParameterException: Key format must be RAW

      This default extension behaviour can be switched off by system property -Djdk.tls.useExtendedMasterSecret=false on client or on server side.

      [1] https://bugs.java.com/view_bug.do?bug_id=JDK-8148421

      Attachments

        Issue Links

          is cloned by

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) JBEAP-14517 [Doc] TLS using PKCS11 (FIPS) and JDK9+ does not work by default

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              Unassigned Unassigned
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: