Robert Levas created KNOX-1801:
----------------------------------

Summary: Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled
Key: KNOX-1801
URL: https://issues.apache.org/jira/browse/KNOX-1801
Project: Apache Knox
Issue Type: Bug
Components: Server
Affects Versions: 1.3.0
Reporter: Robert Levas
Assignee: Robert Levas
Fix For: 1.3.0

The master secret is incorrectly assumed as the truststore password when a custom truststore is not specified and clientauth is enabled.

*Steps to reproduce*

# Create a custom TLS keystore for Knox with a custom keystore password (not the master secret)
# Specify the custom TLS keystore details in {{gateway-site.xml}}
** {{gateway.tls.keystore.password.alias}}
** {{gateway.tls.keystore.path}}
** {{gateway.tls.keystore.type}}
** {{gateway.tls.key.alias}}
** {{gateway.tls.key.passphrase.alias}} (optional)
# Turn on client-auth
** {{gateway.client.auth.needed}} : {{true}}
# Create the password alias for the custom keystore using the Knox CLI
** {{bin/knoxcli.sh create-alias gateway-identity-keystore-password --value <password>}}
# (Re)Start the Gateway

The Gateway will fail to start with the following error in gateway.log:

{noformat}
2019-03-04 11:03:15,921 FATAL knox.gateway (GatewayServer.java:main(168)) - Failed to start gateway: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
	at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
	at java.security.KeyStore.load(KeyStore.java:1445)
	at org.apache.knox.gateway.services.security.impl.JettySSLService.loadKeyStore(JettySSLService.java:257)
	at org.apache.knox.gateway.services.security.impl.JettySSLService.buildSslContextFactory(JettySSLService.java:222)
	at org.apache.knox.gateway.GatewayServer.createConnector(GatewayServer.java:373)
	at org.apache.knox.gateway.GatewayServer.start(GatewayServer.java:520)
	at org.apache.knox.gateway.GatewayServer.startGateway(GatewayServer.java:308)
	at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:161)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
	at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
	at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
	at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
	at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
	... 17 more
{noformat}

*Solution*

Look up the password for the truststore using the appropriate alias name, falling back to the master secret only if an alias is not configured or not set.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
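As an added example (not Knox's own code), the following stand-alone Java sketch contrasts the pre-fix resolution (master secret always) with the alias lookup and master-secret fallback the solution describes, and reproduces the {{KeyStore.load}} failure from the log. It assumes that with client auth on and no truststore path configured the identity keystore doubles as the truststore; the property name {{gateway.truststore.password.alias}}, the in-memory alias store and both passwords are assumptions or constructed values.

```java
import java.io.*;
import java.security.KeyStore;
import java.util.*;

public class TruststorePasswordDemo {
    // Stand-in for Knox's alias lookup: the alias value, or the master secret when the
    // alias is not configured (null) or not set in the alias store.
    static char[] passwordFor(Map<String, char[]> aliases, String alias, char[] master) {
        char[] pw = alias == null ? null : aliases.get(alias);
        return pw != null ? pw : master;
    }

    // Password used to open the truststore. Pre-fix: always the master secret. Post-fix:
    // the truststore alias or, when no custom truststore is configured and the identity
    // keystore doubles as truststore (assumption), that keystore's own password alias.
    static char[] truststorePassword(Map<String, String> conf, Map<String, char[]> aliases,
                                     char[] master, boolean fixed) {
        if (!fixed) return master;
        String alias = conf.containsKey("gateway.truststore.path")
                ? conf.get("gateway.truststore.password.alias") // assumed property name
                : conf.get("gateway.tls.keystore.password.alias");
        return passwordFor(aliases, alias, master);
    }

    public static void main(String[] args) throws Exception {
        char[] master = "master-secret".toCharArray();               // constructed
        char[] keystorePw = "custom-keystore-password".toCharArray(); // constructed
        // Custom identity keystore protected by a password other than the master secret.
        KeyStore identity = KeyStore.getInstance("PKCS12");
        identity.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        identity.store(out, keystorePw);
        Map<String, char[]> aliases = new HashMap<>();
        aliases.put("gateway-identity-keystore-password", keystorePw); // knoxcli create-alias
        Map<String, String> conf = new HashMap<>();
        conf.put("gateway.tls.keystore.password.alias", "gateway-identity-keystore-password");
        conf.put("gateway.client.auth.needed", "true"); // no gateway.truststore.path set
        for (boolean fixed : new boolean[] {false, true}) {
            try { // same call that fails in JettySSLService.loadKeyStore
                KeyStore.getInstance("PKCS12")
                        .load(new ByteArrayInputStream(out.toByteArray()),
                              truststorePassword(conf, aliases, master, fixed));
                System.out.println("fixed=" + fixed + ": truststore loaded");
            } catch (IOException e) {
                System.out.println("fixed=" + fixed + ": " + e.getMessage());
            }
        }
    }
}
```

With {{fixed=false}} the load throws the same "keystore password was incorrect" {{IOException}} as the gateway.log above; with {{fixed=true}} the identity keystore's alias password is used and the load succeeds.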