Type: Bug
Resolution: Done
Priority: Blocker
When multiple PKCS11 keystores are configured in a domain [1][2] and the PKCS11 store contains a secret key, the following exception is thrown on startup intermittently (but very often, roughly 50% of the time):

    [Host Controller] 10:15:05,526 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.security.key-store.oneWayKS: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.oneWayKS: WFLYELY00004: Unable to start the service.
    [Host Controller]     at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:146)
    [Host Controller]     at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
    [Host Controller]     at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
    [Host Controller]     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    [Host Controller]     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    [Host Controller]     at java.lang.Thread.run(Thread.java:745)
    [Host Controller] Caused by: java.io.IOException: load failed
    [Host Controller]     at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:763)
    [Host Controller]     at java.security.KeyStore.load(KeyStore.java:1445)
    [Host Controller]     at org.wildfly.security.keystore.AtomicLoadKeyStoreSpi.engineLoad(AtomicLoadKeyStoreSpi.java:55)
    [Host Controller]     at java.security.KeyStore.load(KeyStore.java:1445)
    [Host Controller]     at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:137)
    [Host Controller]     ... 5 more
    [Host Controller] Caused by: java.security.KeyStoreException: invalid KeyStore state: found multiple secret keys sharing same CKA_LABEL [my-key]
    [Host Controller]     at sun.security.pkcs11.P11KeyStore.mapLabels(P11KeyStore.java:2408)
    [Host Controller]     at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:755)
    [Host Controller]     ... 9 more
Storing a secret key in the PKCS11 store is necessary for the FIPS Credential store implementation.

The check in the JDK's P11KeyStore.mapLabels that throws this exception [3]:

    for (long handle : handles) {
        attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_LABEL) };
        token.p11.C_GetAttributeValue(session.id(), handle, attrs);
        if (attrs[0].pValue != null) {
            // there is a CKA_LABEL
            String cka_label = new String(attrs[0].getCharArray());
            if (sKeyMap.get(cka_label) == null) {
                sKeyMap.put(cka_label, new AliasInfo(cka_label));
            } else {
                throw new KeyStoreException("invalid KeyStore state: " +
                    "found multiple secret keys sharing same " +
                    "CKA_LABEL [" + cka_label + "]");
            }
        }
    }
It seems to me the problem will be that the PKCS11 store (system-wide) is loaded concurrently multiple times and therefore sometimes the JDK check triggers a false positive alarm [3].
[1] https://gitlab.mw.lab.eng.bos.redhat.com/jbossqe-eap/tests-security/blob/7.x/fips/src/test/resources/host-configs/elytron/host-master-ssl-2way.xml
[2] https://gitlab.mw.lab.eng.bos.redhat.com/jbossqe-eap/tests-security/blob/7.x/fips/src/test/resources/host-configs/elytron/host-slave-ssl-2way.xml
[3] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/pkcs11/P11KeyStore.java#2408
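One way to test the hypothesis above, and to work around it until the server side is fixed, is to serialize KeyStore.load() calls per PKCS11 provider so that the JDK's CKA_LABEL uniqueness check never runs while another thread is enumerating the same token. The program below is an added example written for this report; it is not code from WildFly, Elytron or the JDK. It assumes a SunPKCS11 provider is already registered in the JVM (the provider name and token PIN come from the command line; "SunPKCS11-nss" is only an illustrative default) and that the token holds the secret key described above.

```java
// Added example (not from this report, WildFly, Elytron or the JDK):
// serialize PKCS11 KeyStore loads per provider and then load the same
// token from several threads at once, as a host controller with multiple
// key-store services does.
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;

public final class SerializedPkcs11Load {

    // One lock per provider name: loads of different tokens may still overlap,
    // only loads of the same token are queued behind each other.
    private static final Map<String, Lock> LOAD_LOCKS = new ConcurrentHashMap<>();

    /** Loads a PKCS11 KeyStore; concurrent callers for the same provider wait their turn. */
    public static KeyStore load(String providerName, char[] pin) throws Exception {
        Provider provider = Security.getProvider(providerName);
        if (provider == null) {
            throw new KeyStoreException("PKCS11 provider not registered: " + providerName);
        }
        Lock lock = LOAD_LOCKS.computeIfAbsent(providerName, n -> new ReentrantLock());
        lock.lock();
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11", provider);
            ks.load(null, pin);   // P11KeyStore.engineLoad -> mapLabels runs here
            return ks;
        } finally {
            lock.unlock();
        }
    }

    /** Starts several loads of the same token at once, mirroring the domain startup. */
    public static void main(String[] args) throws Exception {
        String providerName = args.length > 0 ? args[0] : "SunPKCS11-nss"; // assumed name
        char[] pin = args.length > 1 ? args[1].toCharArray() : null;
        int parallelLoads = 4;

        ExecutorService pool = Executors.newFixedThreadPool(parallelLoads);
        try {
            List<Future<KeyStore>> results = new ArrayList<>();
            for (int i = 0; i < parallelLoads; i++) {
                results.add(pool.submit(() -> load(providerName, pin)));
            }
            for (Future<KeyStore> f : results) {
                KeyStore ks = f.get();   // rethrows the KeyStoreException if a load failed
                System.out.println("loaded, aliases: " + Collections.list(ks.aliases()));
            }
        } finally {
            pool.shutdown();
        }
    }
}
```

If every load succeeds with the lock in place but fails intermittently once the lock is removed, the failure is the concurrency false positive described above. If the load fails even when serialized, the token genuinely contains two secret keys carrying the same CKA_LABEL, and the duplicate object on the token, not the server, is what needs attention.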
Clones: JBEAP-11693 "Found multiple secret keys sharing same CKA_LABEL" (status: Closed)