
Missing keystore password does not throw a meaningful exception


      When configuring a client keystore for use with TLS, as in the example from elytron-examples/ejb-mutual-tls:

      <key-stores>
          <key-store name="tlsClientTrustStore" type="PKCS12">
              <file name="/home/nrla/projects/elytron-examples-git-repo/ejb-mutual-tls/tlsClient.truststore"/>
              <key-store-clear-password password="clientTrustSecret"/>
          </key-store>
      </key-stores>
      

      if the client keystore password is incorrect, this configuration error is detected and results in a meaningful stack trace:

      Exception in thread "main" java.lang.ExceptionInInitializerError
      	at org.wildfly.security.auth.client.AuthenticationContext.lambda$static$0(AuthenticationContext.java:54)
      	at org.wildfly.common.context.ContextManager.getPrivileged(ContextManager.java:286)
      	at org.wildfly.security.auth.client.AuthenticationContext.captureCurrent(AuthenticationContext.java:86)
      	at org.wildfly.naming.client.ProviderEnvironment$1.get(ProviderEnvironment.java:87)
      	at org.wildfly.naming.client.ProviderEnvironment$1.get(ProviderEnvironment.java:85)
      	at org.jboss.ejb.client.EJBClientInvocationContext.<init>(EJBClientInvocationContext.java:92)
      	at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:171)
      	at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:116)
      	at com.sun.proxy.$Proxy2.getSecurityInfo(Unknown Source)
      	at org.wildfly.security.examples.RemoteClient.main(RemoteClient.java:46)
      Caused by: org.wildfly.security.auth.client.InvalidAuthenticationConfigurationException: org.wildfly.client.config.ConfigXMLParseException: ELY01135: Failed to load keystore data
      	at file:/home/nrla/projects/elytron-examples-git-repo/ejb-mutual-tls/target/classes/wildfly-config.xml:32:65
      	at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:40)
      	at java.base/java.security.AccessController.doPrivileged(Native Method)
      	at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.<clinit>(DefaultAuthenticationContextProvider.java:36)
      	... 10 more
      Caused by: org.wildfly.client.config.ConfigXMLParseException: ELY01135: Failed to load keystore data
      	at file:/home/nrla/projects/elytron-examples-git-repo/ejb-mutual-tls/target/classes/wildfly-config.xml:32:65
      	at org.wildfly.security.auth.client.ElytronXmlParser$AbstractLoadingKeyStoreFactory.get(ElytronXmlParser.java:3626)
      	at org.wildfly.security.auth.client.ElytronXmlParser$AbstractLoadingKeyStoreFactory.get(ElytronXmlParser.java:3606)
      	at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:385)
      	at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:261)
      	at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:201)
      	at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:38)
      	... 12 more
      Caused by: java.io.IOException: keystore password was incorrect
      	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2116)
      	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
      	at java.base/java.security.KeyStore.load(KeyStore.java:1479)
      	at org.wildfly.security.auth.client.ElytronXmlParser$AbstractLoadingKeyStoreFactory.get(ElytronXmlParser.java:3622)
      	... 17 more
      Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
      	... 21 more
      [ERROR] Command execution failed.
      

      On the other hand, if the keystore password is not specified at all (e.g. by leaving out the <key-store-clear-password/> element entirely from the truststore definition):

      <key-stores>
          <key-store name="tlsClientTrustStore" type="PKCS12">
              <file name="/home/nrla/projects/elytron-examples-git-repo/ejb-mutual-tls/tlsClient.truststore"/>
          </key-store>
      </key-stores>
      

      a very confusing TLS stack trace is presented:

      Nov 18, 2023 4:05:47 PM org.xnio.ChannelListeners invokeChannelListener
      ERROR: XNIO001007: A channel event listener threw an exception
      java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
      	at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:102)
      	at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
      	at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:300)
      	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:176)
      	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:246)
      	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
      	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
      	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:478)
      	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1081)
      	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1068)
      	at java.base/java.security.AccessController.doPrivileged(Native Method)
      	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1015)
      	at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:547)
      	at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:311)
      	at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:203)
      	at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:98)
      	at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:72)
      	at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:150)
      	at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:385)
      	at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:372)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
      	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
      Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
      	at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
      	at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
      	at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
      	at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:99)
      	... 26 more
      

      A different but similarly cryptic message is presented if the password for the keystore (rather than the truststore) is accidentally omitted.

      It would make the use of the WildFly client authentication-configuration more user-friendly if such missing keystore passwords were detected and raised as meaningful exceptions.
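      As an added illustration (not part of this issue and not Elytron code), the following Java program reproduces the three cases at the java.security.KeyStore level and shows the kind of pre-flight check that would turn the missing-password case into a clear error. The root cause is that the JDK PKCS12 loader, when given a null password, skips the encrypted safe contents instead of failing, so load() returns an empty store; that empty store is what later reaches PKIXValidator as an empty trustAnchors set. The program assumes the JDK's keytool is on the PATH; the alias, CN, file names and temp directory are constructed for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Collections;

/**
 * Added example (not Elytron code): why an omitted PKCS12 truststore password
 * surfaces as "the trustAnchors parameter must be non-empty", and a pre-flight
 * check that reports the misconfiguration at load time instead.
 */
public class TrustStorePreflight {

    /** Load a truststore and refuse to continue if it holds no trusted certificate entries. */
    static KeyStore loadTrustStore(Path file, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            // With a null password the JDK PKCS12 loader neither verifies the MAC nor
            // decrypts the encrypted safe contents; it silently yields an empty store.
            ks.load(in, password);
        }
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                trusted++;
            }
        }
        if (trusted == 0) {
            throw new KeyStoreException("truststore " + file + " yielded no trusted certificate entries"
                    + (password == null ? " (no keystore password was supplied)" : ""));
        }
        return ks;
    }

    /** Build a throw-away PKCS12 truststore with keytool (constructed CN and aliases, assumed on PATH). */
    static Path buildTrustStore(Path dir, String storePass) throws IOException, InterruptedException {
        Path keyStore = dir.resolve("server.p12");
        Path cert = dir.resolve("server.cer");
        Path trustStore = dir.resolve("tlsClient.truststore");
        run("keytool", "-genkeypair", "-alias", "server", "-keyalg", "RSA", "-keysize", "2048",
            "-dname", "CN=example-server", "-validity", "1", "-storetype", "PKCS12",
            "-keystore", keyStore.toString(), "-storepass", storePass);
        run("keytool", "-exportcert", "-alias", "server", "-keystore", keyStore.toString(),
            "-storepass", storePass, "-file", cert.toString());
        run("keytool", "-importcert", "-noprompt", "-alias", "server", "-file", cert.toString(),
            "-storetype", "PKCS12", "-keystore", trustStore.toString(), "-storepass", storePass);
        return trustStore;
    }

    private static void run(String... cmd) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(cmd).inheritIO().start();
        if (p.waitFor() != 0) {
            throw new IOException("command failed: " + String.join(" ", cmd));
        }
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("truststore-demo");
        String storePass = "clientTrustSecret";
        Path trustStore = buildTrustStore(dir, storePass);

        // 1. Correct password: the trusted certificate entry is present.
        KeyStore ok = loadTrustStore(trustStore, storePass.toCharArray());
        System.out.println("with password:  " + ok.size() + " entry(ies)");

        // 2. No password (the misconfiguration from the report): KeyStore.load() itself
        //    succeeds, but the store is empty; without the pre-flight check this is only
        //    noticed during the TLS handshake as an empty trustAnchors set.
        try {
            loadTrustStore(trustStore, null);
        } catch (KeyStoreException e) {
            System.out.println("no password:    " + e.getMessage());
        }

        // 3. Wrong password: the JDK fails fast with "keystore password was incorrect",
        //    which is the case Elytron already reports as ELY01135.
        try {
            loadTrustStore(trustStore, "wrong".toCharArray());
        } catch (IOException e) {
            System.out.println("wrong password: " + e.getMessage());
        }
    }
}
```

      Counting certificate entries rather than testing for a null password is deliberate: it also catches a truststore that was created empty or populated with the wrong entry type, which would fail during the handshake in the same cryptic way.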

              lvydra Lukas Vydra
              rachmato@redhat.com Richard Achmatowicz