Re: [jetty-users] Jetty 10 SSL Problem

Hi,

I just found the problem.

While taking apart the whole servlet I found the following:

One of Shibboleth's mod files was loading another PKCS12 (idp-backchannel, for SOAP support).
And the password for that one was not set correctly.

So the error message was correct the whole time.

Thanks for all the help, and Joakim, if I can get you a coffee or something let me know :)

Mit freundlichen Grüßen/Best Regards
Timo Brunn

Website: timo-brunn.de
Um ihre Echtheit zu bestätigen, wurde diese E-Mail digital signiert.
To prove its authenticity, this E-Mail has been digitally signed.
On 29/06/2023 20:36, Timo Brunn wrote:

Thanks for your quick responses!

I just ran the code you provided and it does print the keystore contents.
Since the code was already correct for the self-signed keystore, I didn't change anything.
The file permissions are pretty open right now with rw-rw-r-- with the p12 file owner being the jetty user.

administrator@ffm-idp-01:~/test$ java LoadKeyStore.java
KeyStore.size = 1
Certificate: [
[
  Version: V3
  Subject: CN=idp.xxx.de
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: 31324817986779005776590223853928318440472700290023475014482142452462362977819943367530423004662174014864178000053166687295602930314789162830253123327485868501990479214212233860982715789859917240039541551771623851721250353020248898281091763082420524255851604109548822531439107213768381031822106018445358680633787482308232674730181365066191923305128575616374863416692343901559693520315586739370455056012526230965759968993479164184273538037683247975782048560648220822868237841133441722525686180407153618650506730829124425700609218649225906255867016831266031482697973105430866690279570822277051110691508694583394587600401
  public exponent: 65537
  Validity: [From: Thu Jun 29 17:00:21 UTC 2023,
               To: Sun Jun 29 17:00:21 UTC 2223]
  Issuer: CN=idp.xxx.de
  SerialNumber: [    649db8a5]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: C6 52 71 BF 65 DA F4 F3   AD 7C F5 D1 0F 17 18 B3  .Rq.e...........
0010: 35 76 AE EF 8B 42 70 1B   0F 93 44 B1 DD 55 3F 9F  5v...Bp...D..U?.
0020: 86 D9 E5 4E 0C 0F 6E 54   10 62 9D 92 44 6E E3 AF  ...N..nT.b..Dn..
0030: 35 06 F3 88 89 63 FC 2A   DD BA DB 70 CB 49 B1 AC  5....c.*...p.I..
0040: 82 A7 F0 47 A0 E0 75 D9   F4 50 1D E1 B4 15 B9 8B  ...G..u..P......
0050: 89 C8 17 7F 8F 61 33 67   1A 6C 05 E8 BC F6 CC A2  .....a3g.l......
0060: 3D CB 3D 39 B7 39 4B B6   74 90 09 35 06 AB EC 60  =.=9.9K.t..5...`
0070: B6 18 6B 17 1A 6B C8 43   C3 E0 2A C1 DB 7D 43 3E  ..k..k.C..*...C>
0080: 5C 3E FA 27 61 EA 51 74   74 47 49 DA 22 C9 91 FB  \>.'a.QttGI."...
0090: 77 D4 19 73 4E B4 2A FD   78 50 3F 94 AE 3C 28 A4  w..sN.*.xP?..<(.
00A0: 88 E7 04 B1 CC 91 49 7E   EF 7A 2A E6 6C 96 B1 95  ......I..z*.l...
00B0: 83 FA E3 59 53 CA D3 73   04 DE B7 E0 02 91 99 D1  ...YS..s........
00C0: 65 48 2C A7 2A 69 83 0A   E6 2A 76 4D E2 38 C0 35  eH,.*i...*vM.8.5
00D0: AA 60 6C 55 CB 28 AE 6E   F7 3F 2C D7 7F C1 A5 7B  .`lU.(.n.?,.....
00E0: F0 38 97 1C C3 1F C3 16   A5 95 8F 73 23 F8 96 5B  .8.........s#..[
00F0: 7A 51 DA B2 6A 3E 6B C8   35 44 3A AD 40 A6 7B 08  zQ..j>k.5D:.@...

]

Mit freundlichen Grüßen/Best Regards
Timo Brunn

Website: timo-brunn.de
Um ihre Echtheit zu bestätigen, wurde diese E-Mail digital signiert.
To prove its authenticity, this E-Mail has been digitally signed.
On 29/06/2023 19:57, Joakim Erdfelt wrote:
There is something wrong with either your KeyStore or Password.

Do this.
In Java, create this class and execute it.
It uses only core Java classes, no Jetty involved.
Let's verify that your KeyStore can be loaded by the same version of Java as you are running Jetty with.

package security;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.Enumeration;

public class LoadKeyStore
{
    public static void main(String[] args) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException
    {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        char[] password = "changeit".toCharArray();
        Path keyStorePath = Paths.get("/opt/shibboleth-idp/jetty.p12");
        try (InputStream input = Files.newInputStream(keyStorePath))
        {
            keyStore.load(input, password);
        }
        System.out.println("KeyStore.size = " + keyStore.size());
        Enumeration<String> aliases = keyStore.aliases();
        while(aliases.hasMoreElements())
        {
            String alias = aliases.nextElement();
            Certificate cert = keyStore.getCertificate(alias);
            System.out.println("Certificate: " + cert);
        }
    }
}

Obviously change the password and keyStorePath to suit your needs.
If it works, then you likely have a proper KeyStore and password combination.
If it doesn't work, then you have something wrong and have to address it with the KeyStore file itself.
Also, pay attention to file permissions.

Joakim Erdfelt / joakim@xxxxxxxxxxx
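Building on the LoadKeyStore check above, the following is an added example; it is not code from this thread, from Jetty or from Shibboleth. It separates the two failures seen in the thread (a wrong store password fails in load() with "keystore password was incorrect"; a wrong entry password fails in getKey() with "Get Key failed") and runs that check over several PKCS12 files, since the root cause turned out to be a second keystore loaded by another module. The class name CheckKeyStores, the Target helper, the back-channel path and the CHANGE_ME passwords are placeholders to adjust for your deployment.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class CheckKeyStores
{
    /** One keystore to verify. All values used in main() are placeholders. */
    static final class Target
    {
        final Path path;
        final char[] storePassword; // what Jetty reads from jetty.sslContext.keyStorePassword
        final char[] keyPassword;   // what Jetty reads from jetty.sslContext.keyManagerPassword

        Target(String path, String storePassword, String keyPassword)
        {
            this.path = Paths.get(path);
            this.storePassword = storePassword.toCharArray();
            this.keyPassword = keyPassword.toCharArray();
        }
    }

    /** Step 1: open the file and decrypt the store with the store password. */
    static KeyStore loadStore(Target t)
    {
        if (!Files.isReadable(t.path))
        {
            System.out.println("   FAIL: not readable by this user, check owner and mode");
            return null;
        }
        try (InputStream input = Files.newInputStream(t.path))
        {
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(input, t.storePassword);
            return keyStore;
        }
        catch (IOException e)
        {
            // The failure Jetty reported as "keystore password was incorrect":
            // wrong store password, or the file is not a PKCS12 at all.
            System.out.println("   FAIL at load(): " + e.getMessage());
            return null;
        }
        catch (GeneralSecurityException e)
        {
            System.out.println("   FAIL at load(): " + e);
            return null;
        }
    }

    /** Step 2: recover every private key with the key password; true only if all succeed. */
    static boolean checkKeys(KeyStore keyStore, Target t)
    {
        boolean ok = true;
        try
        {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements())
            {
                String alias = aliases.nextElement();
                if (!keyStore.isKeyEntry(alias))
                {
                    System.out.println("   trusted certificate entry: " + alias);
                    continue;
                }
                try
                {
                    // The failure Jetty reported as "Get Key failed": the entry password
                    // is not the one given as keyManagerPassword.
                    keyStore.getKey(alias, t.keyPassword);
                    Certificate cert = keyStore.getCertificate(alias);
                    String subject = (cert instanceof X509Certificate)
                        ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                        : "(no X.509 certificate)";
                    System.out.println("   key entry OK: " + alias + " " + subject);
                }
                catch (UnrecoverableKeyException e)
                {
                    System.out.println("   FAIL at getKey(" + alias + "): " + e.getMessage());
                    ok = false;
                }
            }
        }
        catch (GeneralSecurityException e)
        {
            System.out.println("   FAIL: " + e);
            return false;
        }
        return ok;
    }

    public static void main(String[] args)
    {
        // Placeholder list: the connector keystore from the thread plus a second PKCS12
        // standing in for one loaded by another module (as the back-channel store was).
        Target[] targets = {
            new Target("/opt/shibboleth-idp/jetty.p12", "changeit", "changeit"),
            new Target("/path/to/idp-backchannel.p12", "CHANGE_ME", "CHANGE_ME")
        };
        boolean allOk = true;
        for (Target t : targets)
        {
            System.out.println("== " + t.path);
            KeyStore ks = loadStore(t);
            allOk &= (ks != null) && checkKeys(ks, t);
        }
        System.out.println(allOk ? "all keystores OK" : "at least one keystore failed");
        System.exit(allOk ? 0 : 1);
    }
}
```

Run it the same way as the thread's check (`java CheckKeyStores.java`, using the JDK that runs Jetty) as the user Jetty runs as, so the readability test reflects the real file permissions. A non-zero exit plus the printed stage (load() versus getKey()) tells you which of the two passwords, or which file, to fix.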


On Thu, Jun 29, 2023 at 12:40 PM Timo Brunn <timo@xxxxxxxxxxxxx> wrote:

I've just checked a couple more things.

If I don't supply jetty.sslContext.keyManagerPassword, or if the KeyManagerPassword and the key password do not match, I get the following stacktrace.
Which seems appropriate.

Once the password actually matches I get the "keystore password was incorrect" stacktrace as before.

java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.eclipse.jetty.start.Main.invokeMain(Main.java:229)
        at org.eclipse.jetty.start.Main.start(Main.java:528)
        at org.eclipse.jetty.start.Main.main(Main.java:76)
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446)
        at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
        at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
        at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
        at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:76)
        at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
        at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1167)
        at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2289)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:342)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
        at org.eclipse.jetty.server.Server.start(Server.java:470)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:89)
        at org.eclipse.jetty.server.Server.doStart(Server.java:415)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
        ... 7 more

Mit freundlichen Grüßen/Best Regards
Timo Brunn

Website: timo-brunn.de
Um ihre Echtheit zu bestätigen, wurde diese E-Mail digital signiert.
To prove its authenticity, this E-Mail has been digitally signed.
On 29/06/2023 01:07, Timo Brunn wrote:

So I just changed it to the following (quote from --list-config). Truststore config is removed.

 jetty.sslContext.keyManagerPassword = changeit
 jetty.sslContext.keyStorePassword = changeit
 jetty.sslContext.keyStorePath = /opt/shibboleth-idp/jetty.p12
 jetty.sslContext.keyStoreType = PKCS12


But it sadly still throws the same stacktrace:

Exception in thread "main" java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
        at java.base/java.security.KeyStore.load(KeyStore.java:1473)
        at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49)
        at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1121)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:291)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:112)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:367)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:75)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:228)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
        at org.eclipse.jetty.server.Server.doStart(Server.java:428)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 21 more

Mit freundlichen Grüßen/Best Regards
Timo Brunn

Website: timo-brunn.de
Um ihre Echtheit zu bestätigen, wurde diese E-Mail digital signiert.
To prove its authenticity, this E-Mail has been digitally signed.
On 29/06/2023 00:55, Joakim Erdfelt wrote:
Also, eliminate the trustStore configurations (temporarily).

Joakim Erdfelt / joakim@xxxxxxxxxxx


On Wed, Jun 28, 2023 at 5:55 PM Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
Inline ...

On Wed, Jun 28, 2023 at 4:15 PM Timo Brunn <timo@xxxxxxxxxxxxx> wrote:

I just checked.

Running --debug gave me 23 command line entries with one being a temporary "start_XXX.properties" file.
I checked that file while the JVM was running and it does contain the correct password/settings.

Running --list-config showed the following system properties:

System Properties:
------------------
 java.io.tmpdir = tmp (/opt/shibboleth-idp/start.d/start.ini)
 java.security.egd = file:/dev/urandom (/opt/shibboleth-idp/start.d/start.ini)

Disabling those obviously removed the need for jetty to fork the JVM.
--list-config also showed the correct keystore configuration with no extra whitespace or similar.

 jetty.sslContext.keyManagerPassword = changeit
 jetty.sslContext.keyStorePassword = changeit
 jetty.sslContext.keyStorePath = jetty.p12
 jetty.sslContext.keyStoreType = PKCS12
 jetty.sslContext.trustStorePassword = changeit
 jetty.sslContext.trustStorePath = jetty.p12
 jetty.sslContext.trustStoreType = PKCS12


Make your values for `jetty.sslContext.keyStorePath` and `jetty.sslContext.trustStorePath` absolute path references and try again.

- Joakim

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
