WildFly Core / WFCORE-6205

Encrypted expressions in system properties do not use default resolver


    • Bug
    • Resolution: Done
    • Major
    • 20.0.0.Final
    • 20.0.0.Beta5
    • Security
    • None

      As explained in section 16 of the WildFly Elytron Security guide, encrypted expressions have two forms: one with a resolver name and one without. In the latter case, the default resolver is supposed to be used. But that does not seem to work for encrypted expressions in system properties.

      With this in the Elytron subsystem:

                  <expression-resolver default-resolver="tpm">
                      <resolver name="tpm" credential-store="tpm" secret-key="primary"/>
                  </expression-resolver> 

      I did this as a simple test:

          <system-properties>
              <property name="jboss.bind.address" value="${ENC::RUxZAUMQM/nQVZekEP5bBFwdDkHummKGlVoMys1136PWnzwH3X4=}"/>
          </system-properties> 

      WildFly fails to start. This error appears in the log, implying that WildFly looked for a system property named ENC and then used the "default" (after the first colon) because that did not exist:

      2022-11-15 13:12:25,694 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("interface" => "public")]) - failure description: "WFLYCTL0101: Invalid address ${jboss.bind.address:127.0.0.1} (:RUxZAUMQM/nQVZekEP5bBFwdDkHummKGlVoMys1136PWnzwH3X4=: invalid IPv6 address)"
      

      However, WildFly starts correctly if I specify the resolver name:

          <system-properties>
              <property name="jboss.bind.address" value="${ENC::tpm:RUxZAUMQM/nQVZekEP5bBFwdDkHummKGlVoMys1136PWnzwH3X4=}"/>
          </system-properties> 

              mpetrov@redhat.com Michal Petrov
              rdicroce Richard DiCroce (Inactive)
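The difference between the two expression forms in the report, as an added Java example (not WildFly or Elytron code). The class and method names are hypothetical, and it assumes resolver names contain no colon. It shows that testing for the `ENC::` prefix first yields the resolver name or "use the default", while a generic `${name:default}` split yields the property name `ENC` and the leftover string seen in the WFLYCTL0101 message.

```java
import java.util.Optional;

/** Added illustration, not WildFly code: splits the two ${ENC::...} forms from the report. */
public class EncExpression {
    static final String PREFIX = "${ENC::";   // encrypted-expression marker used in the report

    final Optional<String> resolver;   // empty => the configured default-resolver applies
    final String cipherText;           // Base64 token, left undecoded here

    EncExpression(Optional<String> resolver, String cipherText) {
        this.resolver = resolver;
        this.cipherText = cipherText;
    }

    /** Returns the parsed expression, or empty if the value is not an encrypted expression. */
    static Optional<EncExpression> parse(String value) {
        if (!value.startsWith(PREFIX) || !value.endsWith("}")) {
            return Optional.empty();
        }
        String body = value.substring(PREFIX.length(), value.length() - 1);
        // Base64 never contains ':', so a colon can only separate resolver name from token.
        int sep = body.indexOf(':');
        return sep < 0
                ? Optional.of(new EncExpression(Optional.empty(), body))
                : Optional.of(new EncExpression(Optional.of(body.substring(0, sep)), body.substring(sep + 1)));
    }

    /** Generic ${name:default} split, i.e. what happens when the ENC check is skipped. */
    static String[] naiveNameAndDefault(String value) {
        String body = value.substring(2, value.length() - 1);
        int sep = body.indexOf(':');
        return sep < 0 ? new String[] {body, null}
                       : new String[] {body.substring(0, sep), body.substring(sep + 1)};
    }

    public static void main(String[] args) {
        String token = "RUxZAUMQM/nQVZekEP5bBFwdDkHummKGlVoMys1136PWnzwH3X4="; // value from the report
        for (String v : new String[] {"${ENC::" + token + "}", "${ENC::tpm:" + token + "}"}) {
            EncExpression e = parse(v).orElseThrow(IllegalStateException::new);
            String[] naive = naiveNameAndDefault(v);
            System.out.println("resolver=" + e.resolver.orElse("<default-resolver>")
                    + " | naive split: name=" + naive[0] + " default=" + naive[1]);
        }
    }
}
```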