Loading...

XML

Word

Printable

Type: Bug
Resolution: Won't Do
Priority: Blocker
Fix Version/s: None
Affects Version/s: 7.1.0.ER1
Component/s: Security
Labels:
- eap7.1-rfe-failure

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Running on IBM JDK, having set two way SSL Elytron server-ssl-context [1], and trying to add trust-manager with certificate-revocation-list set [2] (and algorithm unset), the X509CRLExtendedTrustManager is unable to load CRL file.

ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.trust-manager.trustManager-UndertowCrlTestCase: org.jboss.msc.service.StartException in service org.wildfly.security.trust-manager.trustManager-UndertowCrlTestCase: Failed to start service
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.lang.Thread.run(Thread.java:785)
Caused by: java.lang.IllegalStateException: ELY04026: Could not create trust manager [org.wildfly.security.ssl.X509CRLExtendedTrustManager]
	at org.wildfly.security.ssl.X509CRLExtendedTrustManager.<init>(X509CRLExtendedTrustManager.java:98)
	at org.wildfly.extension.elytron.SSLDefinitions$4.lambda$createX509CRLExtendedTrustManager$1(SSLDefinitions.java:595)
	at org.wildfly.extension.elytron.SSLDefinitions$4$$Lambda$911.00000000EC012990.get(Unknown Source)
	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
	... 3 more
Caused by: java.security.cert.CRLException: Fail to parse input stream
	at com.ibm.crypto.provider.X509Factory.c(Unknown Source)
	at com.ibm.crypto.provider.X509Factory.engineGenerateCRLs(Unknown Source)
	at java.security.cert.CertificateFactory.generateCRLs(CertificateFactory.java:522)
	at org.wildfly.security.ssl.X509CRLExtendedTrustManager.getCRLs(X509CRLExtendedTrustManager.java:171)
	at org.wildfly.security.ssl.X509CRLExtendedTrustManager.<init>(X509CRLExtendedTrustManager.java:80)
	... 8 more

The CRL functionality is required by EAP7-203, hence Blocker priority is set. The issue follows up on ~~JBEAP-11221~~.

[1] https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-EnableTwowaySSL%2FTLSinWildFlyforApplications
[2] https://docs.jboss.org/author/display/WFLY/SSL+Configuration+using+Elytron+Subsystem#SSLConfigurationusingElytronSubsystem-UsingaCertificateRevocationList

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

intermediate.crl.pem
1 kB
2017/06/15 7:33 AM
standalone.xml
30 kB
2017/06/14 3:52 AM
UndertowCrlTestCase.crl
0.7 kB
2017/06/14 3:52 AM
UndertowCrlTestCase.keystore
3 kB
2017/06/14 3:52 AM
UndertowCrlTestCase.truststore
1.0 kB
2017/06/14 3:52 AM
X509CRLExtendedTrustManagerTest.java
2 kB
2017/06/14 4:56 PM

relates to

JBEAP-11221 Elytron CRL do not reflect maximum-cert-path

Resolved

Assignee:: Pedro Igor Craveiro

Reporter:: Ondrej Kotek

Tester:: Ondrej Kotek

QA Contact:: Ondrej Kotek

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2017/06/13 9:29 AM

Updated:: 2022/09/09 7:09 AM

Resolved:: 2017/06/16 8:01 AM

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates