Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-11527

Elytron CRL, unable to load CRL on IBM JDK

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Won't Do
    • Icon: Blocker Blocker
    • None
    • 7.1.0.ER1
    • Security

      Running on IBM JDK, having set two way SSL Elytron server-ssl-context [1], and trying to add trust-manager with certificate-revocation-list set [2] (and algorithm unset), the X509CRLExtendedTrustManager is unable to load CRL file.

      ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.trust-manager.trustManager-UndertowCrlTestCase: org.jboss.msc.service.StartException in service org.wildfly.security.trust-manager.trustManager-UndertowCrlTestCase: Failed to start service
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
      	at java.lang.Thread.run(Thread.java:785)
      Caused by: java.lang.IllegalStateException: ELY04026: Could not create trust manager [org.wildfly.security.ssl.X509CRLExtendedTrustManager]
      	at org.wildfly.security.ssl.X509CRLExtendedTrustManager.<init>(X509CRLExtendedTrustManager.java:98)
      	at org.wildfly.extension.elytron.SSLDefinitions$4.lambda$createX509CRLExtendedTrustManager$1(SSLDefinitions.java:595)
      	at org.wildfly.extension.elytron.SSLDefinitions$4$$Lambda$911.00000000EC012990.get(Unknown Source)
      	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
      	... 3 more
      Caused by: java.security.cert.CRLException: Fail to parse input stream
      	at com.ibm.crypto.provider.X509Factory.c(Unknown Source)
      	at com.ibm.crypto.provider.X509Factory.engineGenerateCRLs(Unknown Source)
      	at java.security.cert.CertificateFactory.generateCRLs(CertificateFactory.java:522)
      	at org.wildfly.security.ssl.X509CRLExtendedTrustManager.getCRLs(X509CRLExtendedTrustManager.java:171)
      	at org.wildfly.security.ssl.X509CRLExtendedTrustManager.<init>(X509CRLExtendedTrustManager.java:80)
      	... 8 more
      

      The CRL functionality is required by EAP7-203, hence Blocker priority is set. The issue follows up on JBEAP-11221.

      [1] https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-EnableTwowaySSL%2FTLSinWildFlyforApplications
      [2] https://docs.jboss.org/author/display/WFLY/SSL+Configuration+using+Elytron+Subsystem#SSLConfigurationusingElytronSubsystem-UsingaCertificateRevocationList

        1. standalone.xml
          30 kB
        2. UndertowCrlTestCase.keystore
          3 kB
        3. UndertowCrlTestCase.crl
          0.7 kB
        4. UndertowCrlTestCase.truststore
          1.0 kB
        5. X509CRLExtendedTrustManagerTest.java
          2 kB
        6. intermediate.crl.pem
          1 kB

              psilva@redhat.com Pedro Igor Craveiro
              okotek@redhat.com Ondrej Kotek
              Ondrej Kotek Ondrej Kotek
              Ondrej Kotek Ondrej Kotek
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: