Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-3046

FileKeystore is hard to use with non-file-based keystores

    XMLWordPrintable

Details

    • Bug
    • Resolution: Won't Do
    • Major
    • None
    • None
    • Security
    • None

    Description

      We are implementing JCA KeyStore provider to get certificates and keys via external process over the network:

      https://github.com/latchset/custodia-jca-provider

      However, code in https://github.com/wildfly/wildfly-core/blob/master/domain-management/src/main/java/org/jboss/as/domain/management/security/FileKeystore.java makes use of such code hard.

      It seems that FileKeystore has two modes of operation – either alias is specified and then the KeyStore is treated as file (isKeyStore = true) which has to exist and it has to be able to list aliases, or the file is not required to exist (isKeyStore = false) but then alias cannot be specified (and if it is specified as alias attribute to <keystore> element, it is ignored).

      In case we'd like to be able to use our provider without additional configuration in java.security, we'd like to be able to specify alias to retrieve specified entry, especially since getting the list of aliases might be either slow (for large sets) or not possible. For that however, we need to go the isKeyStore = true route with path specified and file existing. Alas, when we try

      <ssl>
      <keystore provider="custodia-cli" path="/dev/null" alias="wildfly/server-ssl" keystore-password="thepassword" />
      </ssl>

      then due to the extra check in WildFly's code, startup fails with

      Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0083: The KeyStore /dev/null does not contain any keys.
      at org.jboss.as.domain.management.security.FileKeystore.assertContainsKey(FileKeystore.java:169)
      at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:120)
      at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:189)

      Please consider removing the

      if (isKeyStore)

      { assertContainsKey(loadedKeystore); }

      code from https://github.com/wildfly/wildfly-core/blob/master/domain-management/src/main/java/org/jboss/as/domain/management/security/FileKeystore.java#L119 since existence of the keystore file does not guarantee that the keys will be stored in it and that the provider will be able to loop through them. The file might be just /dev/null or some config file of the provider.

      Ideally though, it should be possible to specify alias even for keystore which has no path specified.

      Attachments

        Activity

          People

            darran.lofthouse@redhat.com Darran Lofthouse
            rhn-engineering-jpazdziora Jan Pazdziora
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: