Re: [jetty-users] Jetty 10 SSL Problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] Jetty 10 SSL Problem

From: Timo Brunn <timo@xxxxxxxxxxxxx>
Date: Thu, 29 Jun 2023 19:40:29 +0200
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-users/>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
Ui-outboundreport: notjunk:1;M01:P0:LdycWbLnhm4=;IRGaiMPYTO+gXOQqd8R7Pz0KVpn MYK1VE5IosRRdGAstMLJtCNgFhrKXGp8OM2JTtxab1xeuDF8DGp7lQbG8A+EP33Hh9y0/vUXG oZV+fe1utnI1czg9LRd1TCKqoD5pTtew14NZuzkxEZ3kSQvG0fm78LUvqDwRi5kV2zKIZt//J z8B2yxOKjAp7h6fdhMqfcfKRIZIv5zQQFgUyS1h3hhNeBK0c0EV8Qa8Pae8URofGgpFVynv5I u+YLdI6jVGqZptatwGTPyE4fSs9zfu95MSnfaMp8AzQyktyWoOI83wcHQB53yW/4alJDsGE9O ghqo+J43do890Hdzq8ksGDab9qSmYl3FWU0Y2fTH3QMAZJQGKGAI/UyQvTOHR17FLi9zDEC4R 6OOf+fKYgT7QXGHB3/KHE1ek1cm2dL8KDFsT983thhRsqiaQ6EZdk4Znutl0Xj4cUb21nEePy FyOx9+FVLI1gekILCpul1pjxACBcCL/qbeVgw+RVnDTy+nYz2JTx+b1ZYWPBtA3wL17JnbSMk nWe/XoE5N3izZDpz9VbOyQVMptiSeDo+d2QKvbxaghbdWhfj4FCxKtWijSVCon25DHLq9Fb7r P4rBavctoZtfOpu/utSWp8dNZs6xxNLnae5X4hfRJQ0hlDpCU/ApQ5J5rCd8ewdY20NU10OJ0 l9ILj3neVQWbLLUQZpRtpEMfz1Z0g8K+lUyL0+JIdw==
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.12.0

Ive just checked a couple more things.

If i don't supply jetty.sslContext.keyManagerPassword or if the KeyManagerPassword and the key password do not match i get the following stacktrace.
Which seems appropriate.

Once the password actually matches i get thrown the keystore password was incorrect stacktrace as before.

java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.eclipse.jetty.start.Main.invokeMain(Main.java:229)
        at org.eclipse.jetty.start.Main.start(Main.java:528)
        at org.eclipse.jetty.start.Main.main(Main.java:76)
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446)
        at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
        at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
        at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
        at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:76)
        at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
        at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1167)
        at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2289)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:342)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
        at org.eclipse.jetty.server.Server.start(Server.java:470)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:89)
        at org.eclipse.jetty.server.Server.doStart(Server.java:415)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
        ... 7 more

Mit freundlichen Grüßen/Best Regards
Timo Brunn

Website: timo-brunn.de
Um ihre Echtheit zu bestätigen, wurde diese E-Mail digital signiert.
To prove its authenticity, this E-Mail has been digitally signed.

On 29/06/2023 01:07, Timo Brunn wrote:

So i just change it to the following (quote from --list-config). Truststore config is removed.

jetty.sslContext.keyManagerPassword = changeit
jetty.sslContext.keyStorePassword = changeit
jetty.sslContext.keyStorePath = /opt/shibboleth-idp/jetty.p12
jetty.sslContext.keyStoreType = PKCS12

But it sadly still throws the same stacktrace:

Exception in thread "main" java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
        at java.base/java.security.KeyStore.load(KeyStore.java:1473)
        at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49)
        at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1121)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:291)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:112)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:367)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:75)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:228)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
        at org.eclipse.jetty.server.Server.doStart(Server.java:428)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 21 more

Mit freundlichen Grüßen/Best Regards
Timo Brunn

Website: timo-brunn.de
Um ihre Echtheit zu bestätigen, wurde diese E-Mail digital signiert.
To prove its authenticity, this E-Mail has been digitally signed.

On 29/06/2023 00:55, Joakim Erdfelt wrote:

Also, eliminate the trustStore configurations (temporarily).

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Wed, Jun 28, 2023 at 5:55 PM Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:

Inline ...

On Wed, Jun 28, 2023 at 4:15 PM Timo Brunn <timo@xxxxxxxxxxxxx> wrote:

I just checked.

Running --debug gave me 23 command line entries with one being a temporary "start_XXX.properties" file.
I checked that file while the JVM was running and it does contain the correct password/settings.

Running --list-config showed the following system properties:

System Properties:
------------------
java.io.tmpdir = tmp (/opt/shibboleth-idp/start.d/start.ini)
java.security.egd = file:/dev/urandom (/opt/shibboleth-idp/start.d/start.ini)

Disabling those obviously removed the need for jetty to fork the JVM.
--list-config also showed the correct keystore configuration with no extra whitespace or similar.

jetty.sslContext.keyManagerPassword = changeit
jetty.sslContext.keyStorePassword = changeit
jetty.sslContext.keyStorePath = jetty.p12
jetty.sslContext.keyStoreType = PKCS12
jetty.sslContext.trustStorePassword = changeit
jetty.sslContext.trustStorePath = jetty.p12
jetty.sslContext.trustStoreType = PKCS12

Make your values for `jetty.sslContext.keyStorePath` and `jetty.sslContext.trustStorePath` absolute path references and try again.

- Joakim

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Follow-Ups:
- Re: [jetty-users] Jetty 10 SSL Problem
  - From: Joakim Erdfelt

References:
- [jetty-users] Jetty 10 SSL Problem
  - From: Timo Brunn
- Re: [jetty-users] Jetty 10 SSL Problem
  - From: Simone Bordet
- Re: [jetty-users] Jetty 10 SSL Problem
  - From: Timo Brunn
- Re: [jetty-users] Jetty 10 SSL Problem
  - From: Simone Bordet
- Re: [jetty-users] Jetty 10 SSL Problem
  - From: Timo Brunn
- Re: [jetty-users] Jetty 10 SSL Problem
  - From: Cantor, Scott
- Re: [jetty-users] Jetty 10 SSL Problem
  - From: Timo Brunn
- Re: [jetty-users] Jetty 10 SSL Problem
  - From: Cantor, Scott
- Re: [jetty-users] Jetty 10 SSL Problem
  - From: Joakim Erdfelt
- Re: [jetty-users] Jetty 10 SSL Problem
  - From: Timo Brunn
- Re: [jetty-users] Jetty 10 SSL Problem
  - From: Joakim Erdfelt
- Re: [jetty-users] Jetty 10 SSL Problem
  - From: Joakim Erdfelt

Prev by Date: Re: [jetty-users] Jetty 10 SSL Problem
Next by Date: Re: [jetty-users] Jetty 10 SSL Problem
Previous by thread: Re: [jetty-users] Jetty 10 SSL Problem
Next by thread: Re: [jetty-users] Jetty 10 SSL Problem
Index(es):
- Date
- Thread

Breadcrumbs