Loading...

Details

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 1.2.0.Beta12
Affects Version/s: 1.2.0.Beta10
Component/s: KeyStores
Labels:
None

Steps to Reproduce:
Hide

run EAP with PKCS11 FIPS java

/subsystem=elytron/credential-store=fips-credential-store:add(credential-reference={clear-text => pass123+}, create=true, modifiable=true, implementation-properties={keyStoreType => PKCS11, external => true, externalPath => /external/secure-data-file, keyAlias => my-key}) { "outcome" => "failed", "failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.credential-store.fips-credential-store" => "WFLYELY00004: Unable to start the service. Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/eap-versions/7.1.0.CR2/jboss-eap-7.1/bin/fips-credential-store"}}, "rolled-back" => true }
Show
run EAP with PKCS11 FIPS java /subsystem=elytron/credential-store=fips-credential-store:add(credential-reference={clear-text => pass123+}, create= true , modifiable= true , implementation-properties={keyStoreType => PKCS11, external => true , externalPath => /external/secure-data-file, keyAlias => my-key}) { "outcome" => "failed" , "failure-description" => { "WFLYCTL0080: Failed services" => { "org.wildfly.security.credential-store.fips-credential-store" => "WFLYELY00004: Unable to start the service. Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/eap-versions/7.1.0.CR2/jboss-eap-7.1/bin/fips-credential-store"}}, "rolled-back" => true }
Workaround:

Workaround Exists
Workaround Description:
Hide

use location instead of externalPath. Because if external=true then externalPath defaults to location.

/subsystem=elytron/credential-store=fips-credential-store:add(location => /external/secure-data-file, credential-reference={clear-text => pass123+}, create=true, modifiable=true, implementation-properties={keyStoreType => PKCS11, external => true, keyAlias => my-key})

create location path manually. PKCS11 probably ignores this
Show
use location instead of externalPath. Because if external=true then externalPath defaults to location. /subsystem=elytron/credential-store=fips-credential-store:add(location => /external/secure-data-file, credential-reference={clear-text => pass123+}, create= true , modifiable= true , implementation-properties={keyStoreType => PKCS11, external => true , keyAlias => my-key}) create location path manually. PKCS11 probably ignores this
Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/1051

Description

To specify external secret file location externalPath is intended. However in case of PKCS11 it can't be achieved.

10:53:03,403 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.security.credential-store.fips-credential-store: org.jboss.msc.service.StartException in service org.wildfly.security.credential-store.fips-credential-store: WFLYELY00004: Unable to start the service.
	at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:134)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:954)
	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:828)
	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:214)
	at org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:159)
	at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:126)
	... 5 more
Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/git-repositories/tests-security/fips/fips-credential-store
	at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
	at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
	at java.nio.file.Files.newByteChannel(Files.java:361)
	at java.nio.file.Files.newByteChannel(Files.java:407)
	at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384)
	at java.nio.file.Files.newInputStream(Files.java:152)
	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:943)
	... 9 more

10:53:03,409 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "elytron"),
    ("credential-store" => "fips-credential-store")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.credential-store.fips-credential-store" => "WFLYELY00004: Unable to start the service.
    Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
    Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/git-repositories/tests-security/fips/fips-credential-store"}}

Problem seems to be in method

KeyStoreCredentialStore.java

    private void setupExternalStorage(final String keyContainingKeyStoreType, final Path keyContainingKeyStoreLocation) throws CredentialStoreException {
        KeyStore keyContainingKeyStore = getKeyStoreInstance(keyContainingKeyStoreType);
        keyStore = getKeyStoreInstance("JCEKS");
        externalStorage = new ExternalStorage();
        try {
            final char[] storePassword = getStorePassword(protectionParameter);
            if (keyContainingKeyStoreLocation != null) {
                try (InputStream is = Files.newInputStream(keyContainingKeyStoreLocation)) {
                    keyContainingKeyStore.load(is, storePassword);
                }
            } else {
                // keystore without file (e.g. PKCS11)
                synchronized (EmptyProvider.getInstance()) {
                    keyContainingKeyStore.load(null, storePassword);
                }
            }
            externalStorage.init(cryptographicAlgorithm, encryptionKeyAlias, keyContainingKeyStore, storePassword, keyStore);
        } catch(IOException | GeneralSecurityException e) {
            throw log.cannotInitializeCredentialStore(e);
        }
    }

Although location is not specified in CLI command keyContainingKeyStoreLocation is not null. Because once location is not specified it becomes name of CS, in this case fips-credential-store (This default is in elytron subsystem).

Attachments

Issue Links

causes

ELY-1576 Wildfly Elytron Tool, location is required even for non-filebased type e.g. PKCS11

Resolved

clones

JBEAP-13441 (7.1.z) External CS, PKCS11 can't be configured with externalPath

Closed

is blocked by

WFCORE-3458 External CS, PKCS11 can't be configured with externalPath

Resolved

External CS, PKCS11 can't be configured with externalPath

Details

Description

Attachments

Issue Links

Activity

People

Dates