Details
-
Bug
-
Resolution: Done
-
Blocker
-
None
Description
When multiple PKCS11 keystores are configured in domain [1][2]. And PKCS11 store contains secret key. Then this exception is thrown on startup intermittently (but very often, cca 50%).
[Host Controller] 10:15:05,526 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.security.key-store.oneWayKS: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.oneWayKS: WFLYELY00004: Unable to start the service. [Host Controller] at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:146) [Host Controller] at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032) [Host Controller] at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955) [Host Controller] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [Host Controller] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [Host Controller] at java.lang.Thread.run(Thread.java:745) [Host Controller] Caused by: java.io.IOException: load failed [Host Controller] at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:763) [Host Controller] at java.security.KeyStore.load(KeyStore.java:1445) [Host Controller] at org.wildfly.security.keystore.AtomicLoadKeyStoreSpi.engineLoad(AtomicLoadKeyStoreSpi.java:55) [Host Controller] at java.security.KeyStore.load(KeyStore.java:1445) [Host Controller] at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:137) [Host Controller] ... 5 more [Host Controller] Caused by: java.security.KeyStoreException: invalid KeyStore state: found multiple secret keys sharing same CKA_LABEL [my-key] [Host Controller] at sun.security.pkcs11.P11KeyStore.mapLabels(P11KeyStore.java:2408) [Host Controller] at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:755) [Host Controller] ... 9 more
Storing secret key into PKCS11 store is necessary for FIPS Credential store implementation.
for (long handle : handles) { attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_LABEL) }; token.p11.C_GetAttributeValue(session.id(), handle, attrs); if (attrs[0].pValue != null) { // there is a CKA_LABEL String cka_label = new String(attrs[0].getCharArray()); if (sKeyMap.get(cka_label) == null) { sKeyMap.put(cka_label, new AliasInfo(cka_label)); } else { throw new KeyStoreException("invalid KeyStore state: " + "found multiple secret keys sharing same " + "CKA_LABEL [" + cka_label + "]"); } } }
It seems to me problem will be PKCS11 store (system wide) is loaded concurrently multiple times and therefore sometimes JDK check triggers false positive alarm [3].
[1] https://gitlab.mw.lab.eng.bos.redhat.com/jbossqe-eap/tests-security/blob/7.x/fips/src/test/resources/host-configs/elytron/host-master-ssl-2way.xml
[2] https://gitlab.mw.lab.eng.bos.redhat.com/jbossqe-eap/tests-security/blob/7.x/fips/src/test/resources/host-configs/elytron/host-slave-ssl-2way.xml
[3] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/pkcs11/P11KeyStore.java#2408
Attachments
Issue Links
- clones
-
-
- Verified
-