JBoss Enterprise Application Platform / JBEAP-19984

[GSS] (7.3.z) Incorrect use of KeyManagerFactory.getDefaultAlgorithm instead of TrustManagerFactory

    Details

    • Target Release:
    • Steps to Reproduce:
      • Create a certificate for the server and copy the JDK's default trust store into the configuration directory:
      cd ${JBOSS_HOME}/bin
      keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -validity 365 -keystore ../standalone/configuration/keystore.jks -dname "CN=localhost" -storepass secret -ext san=dns:localhost,ip:127.0.0.1
      cp ${JAVA_HOME}/jre/lib/security/cacerts ../standalone/configuration/cacerts
      
      • Configure a legacy security realm with an SSL server identity and a truststore, and switch the https listener from ssl-context to that realm:
      /core-service=management/security-realm=CertificateRealm:add()
      /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(alias="localhost", keystore-relative-to=jboss.server.config.dir, keystore-path="keystore.jks", keystore-password=secret)
      /core-service=management/security-realm=CertificateRealm/authentication=truststore:add(keystore-relative-to=jboss.server.config.dir, keystore-path="cacerts", keystore-password=changeit)
      batch 
      /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=ssl-context)
      /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=security-realm, value="CertificateRealm")
      run-batch
      
      • On OpenJDK, create a properties file issue.policy that overrides the default factory algorithms (NewSunX509 is valid only as a KeyManagerFactory algorithm):
      ssl.KeyManagerFactory.algorithm=NewSunX509
      ssl.TrustManagerFactory.algorithm=SunPKIX
      
      • Modify standalone.conf so that this file overrides the JDK's java.security properties:
      JAVA_OPTS="$JAVA_OPTS -Djava.security.properties=issue.policy"
      
      • Start the server; the trust-manager service of the realm fails to start:
      ./standalone.sh
      ...
      11:29:38,429 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.core.management.security.realm.CertificateRealm.trust-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.CertificateRealm.trust-manager: WFLYDM0018: Unable to start service
      	at org.jboss.as.domain.management.security.FileTrustManagerService.start(FileTrustManagerService.java:113)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
      	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
      	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: java.security.NoSuchAlgorithmException: NewSunX509 TrustManagerFactory not available
      	at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
      	at javax.net.ssl.TrustManagerFactory.getInstance(TrustManagerFactory.java:139)
      	at org.jboss.as.domain.management.security.FileTrustManagerService.start(FileTrustManagerService.java:111)
      	... 8 more
      
    • Workaround:
      Workaround Exists
    • Workaround Description:
      Use the new Elytron SSL configuration instead of the legacy security realm: define an Elytron server-ssl-context (backed by a key-store/key-manager and a trust-store/trust-manager) and reference it from the ssl-context attribute of the https-listener rather than its security-realm attribute.
    • QE Test Coverage:

      Description

      When https is configured through the legacy security-realm, the trust manager factory is selected with this line in FileTrustManagerService:

                  trustManagerFactory = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
      

      This is incorrect: the algorithm should come from TrustManagerFactory.getDefaultAlgorithm(), not from KeyManagerFactory.getDefaultAlgorithm(). As a result, on a stock OpenJDK the trust manager is built by the SunX509 factory instead of the default PKIX implementation. The difference is not cosmetic: SunX509 is SunJSSE's legacy "simple" validator and lacks PKIX-only features such as revocation checking. The default values for both factories are defined in the JDK's java.security file:

      #
      # Determines the default key and trust manager factory algorithms for
      # the javax.net.ssl package.
      #
      ssl.KeyManagerFactory.algorithm=SunX509
      ssl.TrustManagerFactory.algorithm=PKIX
      

      A less common configuration can also make the realm fail outright: if ssl.KeyManagerFactory.algorithm is set to an algorithm that is not registered as a TrustManagerFactory (NewSunX509, for example), the getInstance call above throws NoSuchAlgorithmException and the trust-manager service never starts, as shown in the steps to reproduce.
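      The faulty and the corrected selection side by side, as an added example that is not code from the EAP sources. The class name is an assumption; the trust store is loaded from java.home (an assumed location, valid for JDK 8 and later) with the JDK default password changeit used in the reproducer. The override in step 2 is the same pair of properties as the issue.policy file, applied in-process instead of via -Djava.security.properties.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

/** Demonstrates JBEAP-19984: choosing a TrustManagerFactory by the KeyManagerFactory default. */
public class TrustManagerFactorySelection {

    /** Faulty selection, as in the legacy FileTrustManagerService:
     *  the trust manager factory is looked up by the *key* manager factory's default. */
    static TrustManagerFactory faulty() throws NoSuchAlgorithmException {
        return TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    }

    /** Corrected selection: ask the TrustManagerFactory for its own default algorithm. */
    static TrustManagerFactory fixed() throws NoSuchAlgorithmException {
        return TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    }

    /** Prints which algorithm each variant resolves to, or the exception it throws. */
    static void report(String label) {
        try {
            System.out.printf("%-9s faulty -> %s%n", label, faulty().getAlgorithm());
        } catch (NoSuchAlgorithmException e) {
            System.out.printf("%-9s faulty -> %s%n", label, e);
        }
        try {
            System.out.printf("%-9s fixed  -> %s%n", label, fixed().getAlgorithm());
        } catch (NoSuchAlgorithmException e) {
            System.out.printf("%-9s fixed  -> %s%n", label, e);
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Stock OpenJDK java.security: ssl.KeyManagerFactory.algorithm=SunX509,
        //    ssl.TrustManagerFactory.algorithm=PKIX. The faulty variant silently
        //    builds a SunX509 (simple validator) trust manager instead of PKIX.
        report("default");

        // 2. Same override as the reproducer's issue.policy file. Both
        //    getDefaultAlgorithm() methods re-read the Security properties on each
        //    call, so the change takes effect immediately. NewSunX509 exists only
        //    as a KeyManagerFactory algorithm, so the faulty variant now throws.
        Security.setProperty("ssl.KeyManagerFactory.algorithm", "NewSunX509");
        Security.setProperty("ssl.TrustManagerFactory.algorithm", "SunPKIX");
        report("override");

        // 3. The corrected variant still initialises cleanly against the JDK trust
        //    store under the override (path derived from java.home: an assumption).
        String cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts)) {
            trustStore.load(in, "changeit".toCharArray());
        }
        TrustManagerFactory tmf = fixed();
        tmf.init(trustStore);
        System.out.println("fixed factory initialised with "
                + tmf.getTrustManagers().length + " trust manager(s) from " + cacerts);
    }
}
```

      Run it with a plain `java TrustManagerFactorySelection` on OpenJDK: the first report shows the two variants disagreeing (SunX509 versus PKIX) even with untouched defaults, which is the bug in its usual, silent form; the second report reproduces the NoSuchAlgorithmException from the issue without starting a server.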

                People

                • Assignee:
                  rhn-support-rmartinc Ricardo Martin Camarero
                  Reporter:
                  rhn-support-rmartinc Ricardo Martin Camarero
                • Votes:
                  0
                  Watchers:
                  3

                  Dates

                  • Created:
                    Updated:
                    Resolved: