I've just checked a couple more things. If I don't supply jetty.sslContext.keyManagerPassword, or if the KeyManagerPassword and the key password do not match, I get the following stacktrace.
Which seems appropriate.
Once the password actually matches, I get thrown the "keystore password was incorrect" stacktrace as before.

java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.eclipse.jetty.start.Main.invokeMain(Main.java:229)
    at org.eclipse.jetty.start.Main.start(Main.java:528)
    at org.eclipse.jetty.start.Main.main(Main.java:76)
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446)
    at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
    at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
    at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
    at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:76)
    at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
    at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1167)
    at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2289)
    at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:342)
    at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
    at org.eclipse.jetty.server.Server.start(Server.java:470)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:89)
    at org.eclipse.jetty.server.Server.doStart(Server.java:415)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
    ... 7 more

Best Regards
*Timo Brunn*
Website: timo-brunn.de <https://timo-brunn.de>
/To prove its authenticity, this E-Mail has been digitally signed./

On 29/06/2023 01:07, Timo Brunn wrote:

So I just changed it to the following (quote from --list-config). Truststore config is removed.

jetty.sslContext.keyManagerPassword = changeit
jetty.sslContext.keyStorePassword = changeit
jetty.sslContext.keyStorePath = /opt/shibboleth-idp/jetty.p12
jetty.sslContext.keyStoreType = PKCS12

But it sadly still throws the same stacktrace:

Exception in thread "main" java.io.IOException: keystore password was incorrect
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
    at java.base/java.security.KeyStore.load(KeyStore.java:1473)
    at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49)
    at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1121)
    at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:291)
    at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
    at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:112)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
    at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:367)
    at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:75)
    at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:228)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.server.Server.doStart(Server.java:428)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    ... 21 more

Best Regards
*Timo Brunn*
Website: timo-brunn.de <https://timo-brunn.de>
/To prove its authenticity, this E-Mail has been digitally signed./

On 29/06/2023 00:55, Joakim Erdfelt wrote:

Also, eliminate the trustStore configurations (temporarily).

Joakim Erdfelt / [email protected]

On Wed, Jun 28, 2023 at 5:55 PM Joakim Erdfelt <[email protected]> wrote:

Inline ...

On Wed, Jun 28, 2023 at 4:15 PM Timo Brunn <[email protected]> wrote:

I just checked. Running --debug gave me 23 command line entries with one being a temporary "start_XXX.properties" file. I checked that file while the JVM was running and it does contain the correct password/settings.

Running --list-config showed the following system properties:

System Properties:
------------------
java.io.tmpdir = tmp (/opt/shibboleth-idp/start.d/start.ini)
java.security.egd = file:/dev/urandom (/opt/shibboleth-idp/start.d/start.ini)

Disabling those obviously removed the need for jetty to fork the JVM.

--list-config also showed the correct keystore configuration with no extra whitespace or similar.

jetty.sslContext.keyManagerPassword = changeit
jetty.sslContext.keyStorePassword = changeit
jetty.sslContext.keyStorePath = jetty.p12
jetty.sslContext.keyStoreType = PKCS12
jetty.sslContext.trustStorePassword = changeit
jetty.sslContext.trustStorePath = jetty.p12
jetty.sslContext.trustStoreType = PKCS12

Make your values for `jetty.sslContext.keyStorePath` and `jetty.sslContext.trustStorePath` absolute path references and try again.

- Joakim
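
An added diagnostic, not part of the original thread and not Jetty's code: it repeats, outside Jetty, the two JDK calls that appear in the stack traces above, `KeyStore.load` (which receives `jetty.sslContext.keyStorePassword`) and `KeyStore.getKey` (which receives `jetty.sslContext.keyManagerPassword`), and reports which of the two rejects its password. The class name and the environment variable names `STORE_PASS` and `KEY_PASS` are assumptions made for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

// Added diagnostic, not Jetty code. STORE_PASS and KEY_PASS are assumed
// environment variable names, used so the passwords stay off the command line.
// Run: STORE_PASS=... KEY_PASS=... java KeystoreCheck.java /path/to/jetty.p12
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1 || System.getenv("STORE_PASS") == null
                || System.getenv("KEY_PASS") == null) {
            System.err.println("usage: STORE_PASS=.. KEY_PASS=.. java KeystoreCheck.java <file.p12>");
            System.exit(2);
        }
        Path path = Path.of(args[0]).toAbsolutePath();
        char[] storePass = System.getenv("STORE_PASS").toCharArray();
        char[] keyPass = System.getenv("KEY_PASS").toCharArray();

        // Stage 1: KeyStore.load, the call that receives keyStorePassword.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, storePass);
        } catch (IOException e) {
            // A rejected password surfaces as an IOException whose cause is an
            // UnrecoverableKeyException; anything else is an I/O or format problem.
            String why = e.getCause() instanceof UnrecoverableKeyException
                    ? "store password rejected" : "file unreadable or not valid PKCS12";
            System.out.println("load FAILED (" + why + "): " + e);
            System.exit(1);
        }
        System.out.println("load OK: " + path + ", entries=" + ks.size());

        // Stage 2: KeyStore.getKey, the call that receives keyManagerPassword.
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println("  [" + alias + "] certificate entry, no key to decrypt");
                continue;
            }
            try {
                ks.getKey(alias, keyPass);
                System.out.println("  [" + alias + "] getKey OK");
            } catch (UnrecoverableKeyException e) {
                System.out.println("  [" + alias + "] getKey FAILED: " + e.getMessage());
            }
        }
    }
}
```

Running it as the same OS user and with the same JVM that starts Jetty keeps file permissions and the PKCS12 provider identical to the failing startup.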
