idp-backchannel.xml line 12 and idp-backchannel.ini both show the
default keystore password Shibboleth uses for its SOAP backend.
The idp-backchannel.p12 file gets automatically created during
setup (install.sh; it uses Apache Ant to install itself), which
also asks you to input a secure password.
Best Regards, Timo Brunn
Website: timo-brunn.de
To prove its authenticity, this e-mail has been digitally signed.
On 29/06/2023 22:40, Joakim Erdfelt wrote:
Can you share the mod + XMLs that Shibboleth uses?
While taking apart the whole servlet I found the following:
One of Shibboleth's mod files was loading another PKCS12
(idp-backchannel for SOAP support), and the password for that
one was not set correctly. So the error message was correct
the whole time.
Thanks for all the help, and Joakim, if I can get you a
coffee or something let me know :)
On 29/06/2023 20:36, Timo Brunn wrote:
Thanks for your quick responses!
I just ran the code you provided and it does print the
keystore contents.
Since the code was already correct for the self-signed
keystore, I didn't change anything.
The file permissions are pretty open right now, rw-rw-r--,
with the p12 file owner being the jetty user.
Key: Sun RSA public key, 2048 bits
params: null
modulus:
31324817986779005776590223853928318440472700290023475014482142452462362977819943367530423004662174014864178000053166687295602930314789162830253123327485868501990479214212233860982715789859917240039541551771623851721250353020248898281091763082420524255851604109548822531439107213768381031822106018445358680633787482308232674730181365066191923305128575616374863416692343901559693520315586739370455056012526230965759968993479164184273538037683247975782048560648220822868237841133441722525686180407153618650506730829124425700609218649225906255867016831266031482697973105430866690279570822277051110691508694583394587600401
public exponent: 65537
Validity: [From: Thu Jun 29 17:00:21 UTC 2023,
To: Sun Jun 29 17:00:21 UTC 2223]
Issuer: CN=idp.xxx.de
SerialNumber: [ 649db8a5]
]
Algorithm: [SHA256withRSA]
Signature:
0000: C6 52 71 BF 65 DA F4 F3 AD 7C F5 D1 0F 17 18 B3  .Rq.e...........
0010: 35 76 AE EF 8B 42 70 1B 0F 93 44 B1 DD 55 3F 9F  5v...Bp...D..U?.
0020: 86 D9 E5 4E 0C 0F 6E 54 10 62 9D 92 44 6E E3 AF  ...N..nT.b..Dn..
0030: 35 06 F3 88 89 63 FC 2A DD BA DB 70 CB 49 B1 AC  5....c.*...p.I..
0040: 82 A7 F0 47 A0 E0 75 D9 F4 50 1D E1 B4 15 B9 8B  ...G..u..P......
0050: 89 C8 17 7F 8F 61 33 67 1A 6C 05 E8 BC F6 CC A2  .....a3g.l......
0060: 3D CB 3D 39 B7 39 4B B6 74 90 09 35 06 AB EC 60  =.=9.9K.t..5...`
0070: B6 18 6B 17 1A 6B C8 43 C3 E0 2A C1 DB 7D 43 3E  ..k..k.C..*...C>
0080: 5C 3E FA 27 61 EA 51 74 74 47 49 DA 22 C9 91 FB  \>.'a.QttGI."...
0090: 77 D4 19 73 4E B4 2A FD 78 50 3F 94 AE 3C 28 A4  w..sN.*.xP?..<(.
00A0: 88 E7 04 B1 CC 91 49 7E EF 7A 2A E6 6C 96 B1 95  ......I..z*.l...
00B0: 83 FA E3 59 53 CA D3 73 04 DE B7 E0 02 91 99 D1  ...YS..s........
00C0: 65 48 2C A7 2A 69 83 0A E6 2A 76 4D E2 38 C0 35  eH,.*i...*vM.8.5
00D0: AA 60 6C 55 CB 28 AE 6E F7 3F 2C D7 7F C1 A5 7B  .`lU.(.n.?,.....
00E0: F0 38 97 1C C3 1F C3 16 A5 95 8F 73 23 F8 96 5B  .8.........s#..[
00F0: 7A 51 DA B2 6A 3E 6B C8 35 44 3A AD 40 A6 7B 08  zQ..j>k.5D:.@...
]
On 29/06/2023 19:57, Joakim Erdfelt wrote:
There is something wrong with either your KeyStore or password.
Do this: in Java, create this class and execute it.
It uses only core Java classes, no Jetty involved.
Let's verify that your KeyStore can be loaded by the same
version of Java as you are running Jetty with.
If I don't supply jetty.sslContext.keyManagerPassword, or if the
keyManagerPassword and the key password do not match, I get the
following stacktrace, which seems appropriate.
Once the password actually matches, I get thrown the
"keystore password was incorrect" stacktrace as before.
java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.eclipse.jetty.start.Main.invokeMain(Main.java:229)
    at org.eclipse.jetty.start.Main.start(Main.java:528)
    at org.eclipse.jetty.start.Main.main(Main.java:76)
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446)
    at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
    at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
    at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
    at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:76)
    at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
    at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1167)
    at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2289)
    at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:342)
    at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
    at org.eclipse.jetty.server.Server.start(Server.java:470)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:89)
    at org.eclipse.jetty.server.Server.doStart(Server.java:415)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
    ... 7 more
On 29/06/2023 01:07, Timo Brunn wrote:
So I just changed it to the following (quote from --list-config).
Truststore config is removed.
Exception in thread "main" java.io.IOException: keystore password was incorrect
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
    at java.base/java.security.KeyStore.load(KeyStore.java:1473)
    at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49)
    at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1121)
    at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:291)
    at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
    at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:112)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
    at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:367)
    at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:75)
    at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:228)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.server.Server.doStart(Server.java:428)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    ... 21 more
On 29/06/2023 00:55, Joakim Erdfelt wrote:
Also, eliminate the trustStore configurations (temporarily).
Running --debug gave me 23 command line entries, one of them
being a temporary "start_XXX.properties" file.
I checked that file while the JVM was running and it does
contain the correct password/settings.
Running --list-config showed the following system properties:
Disabling those obviously removed the need for Jetty to
fork the JVM.
--list-config also showed the correct keystore configuration
with no extra whitespace or similar.