Hi, On Thu, Aug 19, 2021 at 4:25 PM Daniel Wilkins <[email protected]> wrote: > > Hi, I’ve been trying to track down a failure in using a TLS key on top of > Jetty. I had weird behavior on the app above so I downloaded standalone jetty > and tried it. This config seems to be minimal enough for me to see what’s > happening: > > --module=https > jetty.https.port=8443 > jetty.secure.port=8443 > jetty.keystore=etc/keystore > jetty.keystore.password=[secret value] > jetty.keystore.format=jks > > Everything else is the default settings in the start.ini file. I initially > tried using a truststore as well but it doesn’t get that far when it fails to > load the keystore. The key itself is just a password-protected 2048 bit rsa > key. I also tried converting the key to the pkcs12 format and jetty started > saying that the password was wrong, but that was just an aside; I’m more than > happy to get it to work with JKS. > > When I try to run it on the latest jetty 9.43 I get a trail of exceptions > which bottom out at this: > Caused by: javax.crypto.BadPaddingException: Given final block not properly > padded. Such issues can arise if a bad key is used during decryption. > at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975) > at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056) > at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853) > at > com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:405) > at > com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:437) > at javax.crypto.Cipher.doFinal(Cipher.java:2168) > at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:371) > ... 33 more > > The error message hints at this being caused by a bad key, but I’m able to > view/manipulate the key in key tool as well as Keystore Explorer. This key is > also used without any problems in other services of ours which don’t use > Jetty. > > Does anyone have a clue what might be going on here? I know that the errors > don’t appear to come from jetty itself, but I feel like it has to be involved > somewhere considering how keytools, keystore explorer, and other java > services seem to be able to load it. >
You are using old, deprecated properties. For example, "jetty.keystore.password" has been replaced by "jetty.sslContext.keyStorePassword", etc. You should get warnings at startup about deprecated properties. If you have a password protected key, then you typically also need the KeyManager password: jetty.sslContext.keyManagerPassword=[key password] -- Simone Bordet --- Finally, no matter how good the architecture and design are, to deliver bug-free software with optimal performance and reliability, the implementation technique must be flawless. Victoria Livschitz _______________________________________________ jetty-users mailing list [email protected] To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
