WildFly Core / WFCORE-5381

WildFly doesn't support Java jdk8u292-b10 when using a PKCS12 keystore out of the box


    Type: Feature Request
    Resolution: Obsolete
    Priority: Major
    Version: 15.0.1.Final
    Component: Security

      When using PKCS12 keystores instead of JKS for the TLS private keys and running WildFly under Java jdk8u292-b10, the following exception is shown at startup:

      Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0018: Unable to start service
       at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:147)
       at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:175)
       ... 10 more
      Caused by: java.security.KeyStoreException: Key protection algorithm not found: java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede
       at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:677)
       at sun.security.pkcs12.PKCS12KeyStore.engineSetEntry(PKCS12KeyStore.java:1384)
       at java.security.KeyStore.setEntry(KeyStore.java:1557)
       at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:135)
       ... 11 more
      Caused by: java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede
       at sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:921)
       at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:614)
       ... 14 more
      Caused by: java.security.NoSuchAlgorithmException: unrecognized algorithm name: PBEWithSHA1AndDESede
       at sun.security.x509.AlgorithmId.get(AlgorithmId.java:448)
       at sun.security.pkcs12.PKCS12KeyStore.mapPBEAlgorithmToOID(PKCS12KeyStore.java:938)
       at sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:895)
       ... 15 more

      The problem arises in FileKeystore.java. That class creates a new in-memory KeyStore instance using the same provider and the default key protection algorithm. For PKCS12 the default is PBEWithSHA1AndDESede, which is now disabled by default; I presume it is another round of disabling SHA1 usage.

      If the java.security file is modified to add:

      keystore.PKCS12.keyProtectionAlgorithm=PBEWithHmacSHA256AndAES_128

      WildFly starts without problems. Modifying or appending to java.security should not be required in order to use PKCS12 files (JKS is being deprecated).

      FileKeystore should use a supported key protection algorithm, but that will probably mean new settings are needed in a future update, when the selected algorithm is disabled as well.
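      As an added illustration (not WildFly's code), the following Java program mirrors what FileKeystore does: it copies the entries of a file-based PKCS12 keystore into a fresh in-memory PKCS12 keystore. It first tries the JDK default key protection algorithm, which on jdk8u292-b10 fails with the KeyStoreException shown above, and then repeats the copy with the algorithm passed explicitly through the standard JDK 8 KeyStore.PasswordProtection(char[], String, AlgorithmParameterSpec) constructor, so no java.security edit is needed. The class and method names are mine, and the keystore path and password are taken from the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Collections;

public class Pkcs12CopyDemo {
    // Explicit key protection algorithm for the in-memory copy. Avoids relying on the
    // JDK default (PBEWithSHA1AndDESede, rejected on jdk8u292-b10) or on java.security edits.
    static final String KEY_PROTECTION_ALG = "PBEWithHmacSHA256AndAES_128";

    // Copies every entry of the loaded keystore into a new in-memory PKCS12 keystore,
    // the same shape of work FileKeystore.load does. Hypothetical helper, not WildFly code.
    static KeyStore copyToMemory(KeyStore src, char[] password, boolean explicitAlg) throws Exception {
        KeyStore dst = KeyStore.getInstance("PKCS12");
        dst.load(null, null); // empty in-memory keystore
        KeyStore.PasswordProtection readProt = new KeyStore.PasswordProtection(password);
        KeyStore.PasswordProtection writeProt = explicitAlg
                ? new KeyStore.PasswordProtection(password, KEY_PROTECTION_ALG, null)
                : readProt; // null algorithm -> keystore.PKCS12.keyProtectionAlgorithm or JDK default
        for (String alias : Collections.list(src.aliases())) {
            if (src.isKeyEntry(alias)) {
                dst.setEntry(alias, src.getEntry(alias, readProt), writeProt); // key is encrypted here
            } else {
                dst.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        return dst;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java Pkcs12CopyDemo <keystore.p12> <password>");
            return;
        }
        char[] password = args[1].toCharArray();
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            src.load(in, password);
        }
        try {
            copyToMemory(src, password, false);
            System.out.println("JDK default key protection algorithm accepted on this JDK");
        } catch (KeyStoreException e) {
            // On jdk8u292-b10: "Key protection algorithm not found: ... PBEWithSHA1AndDESede"
            System.out.println("JDK default key protection algorithm rejected: " + e.getMessage());
        }
        KeyStore mem = copyToMemory(src, password, true);
        System.out.println("Copied " + mem.size() + " entries using " + KEY_PROTECTION_ALG);
    }
}
```

      The example assumes the key entries use the same password as the keystore, which is the usual arrangement for PKCS12 files in Java.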

      I am not taking into account all the security implications here, but why does the new in-memory keystore created in FileKeystore have to use one like PKCS12? It is a memory keystore; why not a new, simpler implementation for in-memory usage only?

      Assignee: Unassigned
      Reporter: Robert Marcano (Inactive)