Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-3079

Unable to use PKCS11 keystore from provider defined specified in Elytron provider-loader resource

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 3.0.0.Beta29
    • 3.0.0.Beta28
    • Security
    • None
    • Hide

      Use a hardware token with pkcs11 driver (e.g. an OpenSC ready token) or use an NSS keystore:

      mkdir /tmp/nssdb
echo "pass123+" > /tmp/newpass.txt
echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" > /tmp/noise.txt
MODUTIL_CMD="modutil -force -dbdir /tmp/nssdb"
$MODUTIL_CMD -create
$MODUTIL_CMD -changepw "NSS Certificate DB" -newpwfile /tmp/newpass.txt
certutil -S -v 240 -k rsa -n "CN=localhost"  -t "u,u,u" -x -s "CN=localhost" -d /tmp/nssdb -f /tmp/newpass.txt -z /tmp/noise.txt

$JBOSS_HOME/bin/standalone.sh
# wait until started
sleep 10

$JBOSS_HOME/bin/jboss-cli.sh -c << EOT
/subsystem=elytron/provider-loader=nss:add(class-names=["sun.security.pkcs11.SunPKCS11"], configuration={name=testPkcs11, nssLibraryDirectory=/usr/lib/x86_64-linux-gnu, nssSecmodDirectory=/tmp/nssdb, nssModule=keystore, name=testPkcs11})
/subsystem=elytron/key-store=pkcs11ks:add(credential-reference={clear-text=pass123+}, type=PKCS11, providers=nss)
EOT
      Show
      Use a hardware token with pkcs11 driver (e.g. an OpenSC ready token) or use an NSS keystore: mkdir /tmp/nssdb echo "pass123+" > /tmp/newpass.txt echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" > /tmp/noise.txt MODUTIL_CMD= "modutil -force -dbdir /tmp/nssdb" $MODUTIL_CMD -create $MODUTIL_CMD -changepw "NSS Certificate DB" -newpwfile /tmp/newpass.txt certutil -S -v 240 -k rsa -n "CN=localhost" -t "u,u,u" -x -s "CN=localhost" -d /tmp/nssdb -f /tmp/newpass.txt -z /tmp/noise.txt $JBOSS_HOME/bin/standalone.sh # wait until started sleep 10 $JBOSS_HOME/bin/jboss-cli.sh -c << EOT /subsystem=elytron/provider-loader=nss:add(class-names=[ "sun.security.pkcs11.SunPKCS11" ], configuration={name=testPkcs11, nssLibraryDirectory=/usr/lib/x86_64-linux-gnu, nssSecmodDirectory=/tmp/nssdb, nssModule=keystore, name=testPkcs11}) /subsystem=elytron/key-store=pkcs11ks:add(credential-reference={clear-text=pass123+}, type=PKCS11, providers=nss) EOT

      I'm not able to use PKCS11 keystore type if the security provider is defined in Elytron's provider-loader resource.

      /subsystem=elytron/provider-loader=opensc:add(class-names=["sun.security.pkcs11.SunPKCS11"], configuration={name=OpenSC, library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so, slotListIndex=1})
{"outcome" => "success"}
/subsystem=elytron/key-store=pkcs11ks:add(credential-reference={clear-text=123456}, type=PKCS11, providers=opensc)
{
    "outcome" => "failed",
    "failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.pkcs11ks" => "WFLYELY00004: Unable to start the service.
    Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'PKCS11'"}},
    "rolled-back" => true
}

      The server log contains:

      10:54:17,503 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.pkcs11ks: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.pkcs11ks: WFLYELY00004: Unable to start the service.
	at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:146)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:748)
Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'PKCS11'
	at org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:154)
	at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:109)
	... 5 more

10:54:17,508 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 3) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "elytron"),
    ("key-store" => "pkcs11ks")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.pkcs11ks" => "WFLYELY00004: Unable to start the service.
    Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'PKCS11'"}}

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: