
BC FIPS with CLI: the trustAnchors parameter must be non-empty

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Explained
    • Affects Version/s: 1.5.1.Final
    • Fix Version/s: None
    • Component/s: SSL
    • Labels:
      None
    • Steps to Reproduce:
      • ./standalone.sh
      • Create the BCFKS keystore keystore.bcfks (it is attached to the JIRA as well):
        keytool \
            -genkeypair \
            -alias appserver \
            -keyalg RSA \
            -keysize 2048 \
            -keypass password \
            -keystore /pat/to/keystore.bcfks \
            -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
            -providerpath /pat/to/1.0.1/bc-fips-1.0.1.jar \
            -storetype BCFKS \
            -storepass password \
            -dname CN=appserver,OU=QE,O=Redhat,L=Brno,ST=CR,C=CZ \
            -validity 730 \
            -v
        
      • Run the CLI with FIPS Java:
        ./jboss-cli.sh \
            -c \
            -Dwildfly.config.url=file:///from/attachment/cli-test-wildfly-config.xml \
            --connect \
            :read-attribute\(name=server-state\)
        

      Description

      I am trying to connect from jboss-cli.sh to an EAP server. To reproduce the problem it is enough that BC FIPS is used only on the client side.

      08:13:18,469 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: java.lang.ExceptionInInitializerError
              at org.wildfly.security.auth.client.AuthenticationContext.lambda$static$0(AuthenticationContext.java:54)
              at org.wildfly.common.context.ContextManager.getPrivileged(ContextManager.java:286)
              at org.wildfly.security.auth.client.AuthenticationContext.captureCurrent(AuthenticationContext.java:86)
              at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:146)
              at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
              at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
              at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
              at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
              at org.jboss.modules.Module.run(Module.java:352)
              at org.jboss.modules.Module.run(Module.java:320)
              at org.jboss.modules.Main.main(Main.java:593)
      Caused by: org.wildfly.security.auth.client.InvalidAuthenticationConfigurationException: org.wildfly.client.config.ConfigXMLParseException: java.security.KeyStoreException: initialization failed
              at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:40)
              at java.security.AccessController.doPrivileged(Native Method)
              at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.<clinit>(DefaultAuthenticationContextProvider.java:36)
              ... 14 more
      Caused by: org.wildfly.client.config.ConfigXMLParseException: java.security.KeyStoreException: initialization failed
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseSslContextType$10(ElytronXmlParser.java:525)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseSslContextRuleType$11(ElytronXmlParser.java:711)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseRulesType$13(ElytronXmlParser.java:749)
              at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:356)
              at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:231)
              at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:192)
              at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:38)
              ... 16 more
      Caused by: java.security.KeyStoreException: initialization failed
              at org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi.engineInit(ProvTrustManagerFactorySpi.java:150)
              at javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:250)
              at org.wildfly.security.auth.client.ElytronXmlParser$TrustManagerBuilder.build(ElytronXmlParser.java:590)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseSslContextType$10(ElytronXmlParser.java:523)
              ... 22 more
      Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
              at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
              at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
              at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
              at org.bouncycastle.jsse.provider.ProvX509TrustManagerImpl.<init>(ProvX509TrustManagerImpl.java:53)
              at org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi.engineInit(ProvTrustManagerFactorySpi.java:146)
              ... 25 more
      

      When I use non-FIPS Java with the CLI I can make it work. It also occurs when connecting to the default unsecured port 9990.
      I have double checked the truststore is there. The correct password is used. The server has permission to open the truststore. And the truststore contains a certificate.
      When I use the BCFKS truststore on the server side, e.g. in 2-way HTTP communication, it works.

      So it looks to me like something on the client side is missing? Any hint?
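      A diagnostic that reproduces the failing step outside the CLI: it loads the truststore, prints what kind of entry each alias is, collects trust anchors from the trusted-certificate entries and hands them to the same PKIXBuilderParameters constructor the stack trace fails in. This is an added example, not Elytron's or Bouncy Castle's code; the rule that only trusted-certificate entries (not the key-pair entry keytool -genkeypair writes) count as anchors is an assumption chosen to mirror the error, and the class and argument names are made up.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.*;
import java.util.*;

public class TrustAnchorCheck {
    // Assumed anchor-collection rule: only trusted-certificate entries become anchors;
    // a key-pair entry such as the one keytool -genkeypair writes is listed but skipped.
    static Set<TrustAnchor> anchorsFromCertEntries(KeyStore ks) throws KeyStoreException {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            boolean trusted = ks.isCertificateEntry(alias);
            System.out.println(alias + ": " + (trusted ? "trustedCertEntry"
                    : ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "other"));
            if (trusted && ks.getCertificate(alias) instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        return anchors;
    }
    // Same constructor the stack trace fails in: an empty anchor set throws
    // InvalidAlgorithmParameterException("the trustAnchors parameter must be non-empty").
    static boolean wouldInitialise(Set<TrustAnchor> anchors) {
        try {
            new PKIXBuilderParameters(anchors, null);
            return true;
        } catch (InvalidAlgorithmParameterException ex) {
            System.out.println("trust manager would fail: " + ex.getMessage());
            return false;
        }
    }
    // Usage: java TrustAnchorCheck <store> <type> <password> [providerClass]
    public static void main(String[] args) throws Exception {
        KeyStore ks;
        if (args.length > 3) {   // e.g. org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; jar on classpath
            Provider p = (Provider) Class.forName(args[3]).getDeclaredConstructor().newInstance();
            Security.addProvider(p);
            ks = KeyStore.getInstance(args[1], p);
        } else {
            ks = KeyStore.getInstance(args[1]);
        }
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[2].toCharArray());
        }
        Set<TrustAnchor> anchors = anchorsFromCertEntries(ks);
        System.out.println(anchors.size() + " trust anchor(s); PKIX init ok: " + wouldInitialise(anchors));
    }
}
```

      Run it once against the BCFKS file with the FIPS provider and once with a JKS/PKCS12 copy under the default provider to compare which entries each store exposes as anchors.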

          Attachments

          1. cli-test-wildfly-config.xml
            1 kB
          2. jboss-cli.log
            13 kB
          3. keystore.bcfks
            3 kB

              People

              • Assignee: Unassigned
              • Reporter: mchoma Martin Choma
              • Need Info from: Farah Juma