Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-1466

Wildfly SSL Setup Fails on HSM-Backed Keystore

    XMLWordPrintable

    Details

      Description

      Using a keystore type that does not allow or returns empty from getEncoded() on private keys causes a KeyStoreException at startup. This is common in HSM-backed key operations.

      Storing SSL keys and certs in an HSM is a common method of securing keys and offloading SSL overhead.

      FileKeyStore.java copies a KeyStore.Entry value into a JKS KeyStore but JKS and PKCS12 KeyStore implementations maintain a copy of the encoded PKCS#8 data for private keys. When applying a KeyStore.Entry from a source that does not return the data for security reasons, the import fails.

      While it's still not guaranteed to work with all KeyStore providers, switching KeyStore.getInstance("JKS") to KeyStore.getInstance(provider) fixes the issue for SafeNet "Luna" and SunPKCS11 "PKCS11" KeyStore implementations while not breaking the "PKCS12" and "JKS" cases.

      See https://github.com/wildfly/wildfly-core/blob/master/domain-management/src/main/java/org/jboss/as/domain/management/security/FileKeystore.java#L126

      Log output:

      2016-04-04 18:53:51,100 i-4b6f79d1 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service jboss.server.controller.management.security_realm.test.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.test.key-manager: JBAS015229: Unable to start service
      	at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:148)
      	at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:119)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_60]
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_60]
      	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_60]
      Caused by: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
      	at sun.security.provider.KeyProtector.protect(KeyProtector.java:174) [rt.jar:1.8.0_60]
      	at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:267) [rt.jar:1.8.0_60]
      	at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56) [rt.jar:1.8.0_60]
      	at java.security.KeyStoreSpi.engineSetEntry(KeyStoreSpi.java:537) [rt.jar:1.8.0_60]
      	at sun.security.provider.KeyStoreDelegator.engineSetEntry(KeyStoreDelegator.java:179) [rt.jar:1.8.0_60]
      	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetEntry(JavaKeyStore.java:70) [rt.jar:1.8.0_60]
      	at java.security.KeyStore.setEntry(KeyStore.java:1557) [rt.jar:1.8.0_60]
      	at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:136)
      	... 6 more
      

        Attachments

          Activity

            People

            Assignee:
            dlofthouse Darran Lofthouse
            Reporter:
            crogman Valued Customer (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: