Re: [jetty-users] Jetty 10 SSL Problem
I've just checked a couple more things.
If I don't supply jetty.sslContext.keyManagerPassword, or if the KeyManagerPassword and the key password do not match, I get the following stacktrace, which seems appropriate.
Once the password actually matches, I get thrown the "keystore password was incorrect" stacktrace as before.
java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.eclipse.jetty.start.Main.invokeMain(Main.java:229)
    at org.eclipse.jetty.start.Main.start(Main.java:528)
    at org.eclipse.jetty.start.Main.main(Main.java:76)
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446)
    at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
    at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
    at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
    at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:76)
    at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
    at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1167)
    at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2289)
    at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:342)
    at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
    at org.eclipse.jetty.server.Server.start(Server.java:470)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:89)
    at org.eclipse.jetty.server.Server.doStart(Server.java:415)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
    ... 7 more
Best Regards
Timo Brunn
Website: timo-brunn.de
To prove its authenticity, this E-Mail has been digitally signed.
On 29/06/2023 01:07, Timo Brunn wrote:
So I just changed it to the following (quote from --list-config). Truststore config is removed.
jetty.sslContext.keyManagerPassword = changeit
jetty.sslContext.keyStorePassword = changeit
jetty.sslContext.keyStorePath = /opt/shibboleth-idp/jetty.p12
jetty.sslContext.keyStoreType = PKCS12
But it sadly still throws the same stacktrace:
Exception in thread "main" java.io.IOException: keystore password was incorrect
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
    at java.base/java.security.KeyStore.load(KeyStore.java:1473)
    at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49)
    at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1121)
    at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:291)
    at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
    at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:112)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
    at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:367)
    at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:75)
    at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:228)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.server.Server.doStart(Server.java:428)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    ... 21 more
Best Regards
Timo Brunn
Website: timo-brunn.de
To prove its authenticity, this E-Mail has been digitally signed.
On 29/06/2023 00:55, Joakim Erdfelt wrote:
Also, eliminate the trustStore configurations (temporarily).
Inline ...
I just checked.
Running --debug gave me 23 command line entries with one being a temporary "start_XXX.properties" file.
I checked that file while the JVM was running and it does contain the correct password/settings.
Running --list-config showed the following system properties:
System Properties:
------------------
java.io.tmpdir = tmp (/opt/shibboleth-idp/start.d/start.ini)
java.security.egd = file:/dev/urandom (/opt/shibboleth-idp/start.d/start.ini)
Disabling those obviously removed the need for jetty to fork the JVM.
--list-config also showed the correct keystore configuration with no extra whitespace or similar.
jetty.sslContext.keyManagerPassword = changeit
jetty.sslContext.keyStorePassword = changeit
jetty.sslContext.keyStorePath = jetty.p12
jetty.sslContext.keyStoreType = PKCS12
jetty.sslContext.trustStorePassword = changeit
jetty.sslContext.trustStorePath = jetty.p12
jetty.sslContext.trustStoreType = PKCS12
Make your values for `jetty.sslContext.keyStorePath` and `jetty.sslContext.trustStorePath` absolute path references and try again.
- Joakim
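Added example (not part of the thread and not Jetty code): a standalone check that opens the keystore with the plain JDK API in the same two stages the stack traces show, KeyStore.load for the store password and KeyStore.getKey for the key password, so a bad file or password can be told apart from a Jetty configuration problem. The class name KeystoreCheck and its argument order are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

// Added diagnostic, not Jetty code: loads a keystore with the plain JDK API,
// in the same two stages that appear in the stack traces above.
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: KeystoreCheck <path> <storePassword> <keyPassword> [type]");
            System.exit(2);
        }
        String type = args.length > 3 ? args[3] : "PKCS12";
        KeyStore ks = KeyStore.getInstance(type);

        // Stage 1: KeyStore.load checks the store password
        // (jetty.sslContext.keyStorePassword).
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        } catch (IOException e) {
            System.err.println("store password rejected or file unreadable: " + e.getMessage());
            if (e.getCause() != null) System.err.println("  cause: " + e.getCause());
            System.exit(1);
        }
        System.out.println("store loaded, type=" + ks.getType() + ", entries=" + ks.size());

        // Stage 2: KeyStore.getKey checks the per-key password
        // (jetty.sslContext.keyManagerPassword).
        int failures = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate entry, no key");
                continue;
            }
            try {
                Key key = ks.getKey(alias, args[2].toCharArray());
                System.out.println(alias + ": key OK (" + key.getAlgorithm() + ")");
            } catch (UnrecoverableKeyException e) {
                failures++;
                System.err.println(alias + ": key password rejected: " + e.getMessage());
            }
        }
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

Run it with the same JVM that starts Jetty, since PKCS12 support differs between Java versions. Passwords passed as arguments are visible in the process list, so use a test copy of the keystore or a throwaway password.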