Uploaded image for project: 'JGroups'
  1. JGroups
  2. JGRP-1375

Default 'key' password never set to 'store' password which causes java.security.UnrecoverableKeyException

XMLWordPrintable

    • Workaround Exists
    • Hide

      A workaround is to set the key password in the configuration:

      <ENCRYPT store_password="myPasswordButNotChangeit" key_password="myPasswordButNotChangeit"/>
      
      Show
      A workaround is to set the key password in the configuration: <ENCRYPT store_password= "myPasswordButNotChangeit" key_password= "myPasswordButNotChangeit" />

      Introduction

      Exception in ENCRYPT when changing the store password.

      The problem

      The org.jgroups.protocols.ENCRYPT class default password is "changeit" for both store password and key password. However, if you change the store password, without having the keyPassword in the <ENCRYPT> tag, the keyPassword is still "changeit". This produces the following exception when initializing the ENCRYPT class:

      java.security.UnrecoverableKeyException: Given final block not properly padded
      at com.ibm.crypto.provider.y.a(Unknown Source)
      at com.ibm.cryptp.provider.JceKeyStore.engineGetKey(Unknown Source)
      at java.security.KeyStore.getKey(KeyStore.java:196)
      at org.jgroups.protocols.ENCRYPT.initConfiguredKey(ENCRYPT.java:273)
      at org.jgroups.protocols.ENCRYPT.init(ENCRYPT.java:235)
      at org.jgroups.stack.ProtocolStack.initProtocolStack(ProtocolStack.java:892)
      at org.jgroups.stack.ProtocolStack.setup(ProtocolStack.java:538)
      at org.jgroups.JChannel.init(JChannel.java:1725)
      

      Why this occurs

      The KeyStoreGenerator provided in JGroups demos use the same password for the store and the key passwords. The ENCRYPT class is designed to keyPassword=storePassord when the keyPassword is null.
      However, the keyPassword is initialized to "changeit", so it is never null and is consequently never set to the store password.

      Solution

      The solution is probably to set the initial value of ENCRYPT.keyPassword to null instead of "changeit".

            rhn-engineering-bban Bela Ban
            jkronegg_jira Julien Kronegg (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: