Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-5381

Wildfly doesn't support Java jdk8u292-b10 whe using PKCS12 keystore out of the box



    • Feature Request
    • Resolution: Obsolete
    • Major
    • None
    • 15.0.1.Final
    • Security
    • None
    • Undefined


      When using PKCS12 keystores instead of JKS for the TLS private keys and running Wildfly under Java jdk8u292-b10, the following exception is shown at startup:

      Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0018: Unable to start service
       at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:147)
       at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:175)
       ... 10 more
      Caused by: java.security.KeyStoreException: Key protection algorithm not found: java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede
       at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:677)
       at sun.security.pkcs12.PKCS12KeyStore.engineSetEntry(PKCS12KeyStore.java:1384)
       at java.security.KeyStore.setEntry(KeyStore.java:1557)
       at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:135)
       ... 11 more
      Caused by: java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede
       at sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:921)
       at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:614)
       ... 14 more
      Caused by: java.security.NoSuchAlgorithmException: unrecognized algorithm name: PBEWithSHA1AndDESede
       at sun.security.x509.AlgorithmId.get(AlgorithmId.java:448)
       at sun.security.pkcs12.PKCS12KeyStore.mapPBEAlgorithmToOID(PKCS12KeyStore.java:938)
       at sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:895)
       ... 15 more

      The problem arises at FileKeystore.java. That class is creating a new KeyStore instance using the same provider and default key protection algorithm. The default one for PKCS12 is PBEWithSHA1AndDESede and it is being disabled by default, I presume it is another round of disabling SHA1 usage.

      If java.security file is modified to add:


      Wildfly start without problems. It shouldn't be needed to modify or append to java.security to use PKCS12 files (JKS is being deprecated).

      FileKeystore should use a supported key protection algorithm, but this should mean it will probably need new settings for a future update when the selected algorithm is disabled too.

      I am not taking into account all the security implications here but why the new in memory keystore created on FileKeystore has to use one like PKCS12?, it is a memory keystore, why not a new simpler implementation for in memory usage only?


        Issue Links



              Unassigned Unassigned
              robert@marcanoonline.com Robert Marcano (Inactive)
              0 Vote for this issue
              3 Start watching this issue