Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2016/05/24 17:03:12 UTC

[jira] [Assigned] (QPID-7264) Model attributes that are derived and secure (such as AutoGeneratedSelfSignedKeyStore) do not get stored encrypted causing Broker to fail on restart

     [ https://issues.apache.org/jira/browse/QPID-7264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keith Wall reassigned QPID-7264:
--------------------------------

    Assignee: Keith Wall

> Model attributes that are derived and secure (such as AutoGeneratedSelfSignedKeyStore) do not get stored encrypted causing Broker to fail on restart
> ----------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-7264
>                 URL: https://issues.apache.org/jira/browse/QPID-7264
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: qpid-java-6.0, qpid-java-6.0.1, qpid-java-6.0.2
>            Reporter: Keith Wall
>            Assignee: Keith Wall
>            Priority: Minor
>
> Model Attributes that are derived/secure do not get encrypted by the configuration encryptor. If you add an {{AutoGeneratedSelfSignedCert}} and then turn on encryption, the Broker continues to work until it is restarted, at which point it fails as it tries to read the secure value as if it were AES ciphered data.
> The only feature that currently has such an attribute is AutoGeneratedSelfSignedCert. This problem means that AutoGeneratedSelfSignedCert cannot be used at all if configuration encryption is also in use.
> The workaround is to create the self-signed keystore externally (keytool/openssl etc.), and import it into Qpid as a Java or Non-Java Keystore.
> {noformat}
> 12:12:27.170 [main] INFO  qpid.message.keystore.create - [Broker] KST-1001 : Create "myks"
> 12:12:27.595 [main] ERROR org.apache.qpid.server.Broker - Exception during startup
> java.lang.IllegalArgumentException: Unable to encrypt secret
> 	at org.apache.qpid.server.security.encryption.AESKeyFileEncrypter.decrypt(AESKeyFileEncrypter.java:106) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject.decryptSecrets(AbstractConfiguredObject.java:2788) ~[classes/:na]
> 	at org.apache.qpid.server.store.GenericRecoverer.resolveObjects(GenericRecoverer.java:187) ~[classes/:na]
> 	at org.apache.qpid.server.store.GenericRecoverer.performRecover(GenericRecoverer.java:91) ~[classes/:na]
> 	at org.apache.qpid.server.store.GenericRecoverer.access$000(GenericRecoverer.java:41) ~[classes/:na]
> 	at org.apache.qpid.server.store.GenericRecoverer$1.execute(GenericRecoverer.java:59) ~[classes/:na]
> 	at org.apache.qpid.server.store.GenericRecoverer$1.execute(GenericRecoverer.java:55) ~[classes/:na]
> 	at org.apache.qpid.server.configuration.updater.TaskExecutorImpl$TaskLoggingWrapper.execute(TaskExecutorImpl.java:270) ~[classes/:na]
> 	at org.apache.qpid.server.configuration.updater.TaskExecutorImpl.submitWrappedTask(TaskExecutorImpl.java:154) ~[classes/:na]
> 	at org.apache.qpid.server.configuration.updater.TaskExecutorImpl.run(TaskExecutorImpl.java:182) ~[classes/:na]
> 	at org.apache.qpid.server.store.GenericRecoverer.recover(GenericRecoverer.java:54) ~[classes/:na]
> 	at org.apache.qpid.server.store.BrokerStoreUpgraderAndRecoverer.perform(BrokerStoreUpgraderAndRecoverer.java:846) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractSystemConfig.activate(AbstractSystemConfig.java:232) ~[classes/:na]
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_66]
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_66]
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_66]
> 	at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_66]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject.attainState(AbstractConfiguredObject.java:1309) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject.attainState(AbstractConfiguredObject.java:1288) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject$8.onSuccess(AbstractConfiguredObject.java:909) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject$8.onSuccess(AbstractConfiguredObject.java:903) ~[classes/:na]
> 	at com.google.common.util.concurrent.Futures$6.run(Futures.java:1319) ~[guava-18.0.jar:na]
> 	at com.google.common.util.concurrent.MoreExecutors$DirectExecutor.execute(MoreExecutors.java:457) ~[guava-18.0.jar:na]
> 	at com.google.common.util.concurrent.ExecutionList.executeListener(ExecutionList.java:156) ~[guava-18.0.jar:na]
> 	at com.google.common.util.concurrent.ExecutionList.add(ExecutionList.java:101) ~[guava-18.0.jar:na]
> 	at com.google.common.util.concurrent.AbstractFuture.addListener(AbstractFuture.java:170) ~[guava-18.0.jar:na]
> 	at com.google.common.util.concurrent.Futures.addCallback(Futures.java:1322) ~[guava-18.0.jar:na]
> 	at com.google.common.util.concurrent.Futures.addCallback(Futures.java:1258) ~[guava-18.0.jar:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject.doAttainState(AbstractConfiguredObject.java:902) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject.access$300(AbstractConfiguredObject.java:81) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject$1.execute(AbstractConfiguredObject.java:514) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject$1.execute(AbstractConfiguredObject.java:501) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject$2.execute(AbstractConfiguredObject.java:562) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject$2.execute(AbstractConfiguredObject.java:555) ~[classes/:na]
> 	at org.apache.qpid.server.configuration.updater.TaskExecutorImpl$TaskLoggingWrapper.execute(TaskExecutorImpl.java:270) ~[classes/:na]
> 	at org.apache.qpid.server.configuration.updater.TaskExecutorImpl$CallableWrapper$1.run(TaskExecutorImpl.java:342) ~[classes/:na]
> 	at java.security.AccessController.doPrivileged(Native Method) ~[na:1.8.0_66]
> 	at javax.security.auth.Subject.doAs(Subject.java:360) ~[na:1.8.0_66]
> 	at org.apache.qpid.server.configuration.updater.TaskExecutorImpl$CallableWrapper.call(TaskExecutorImpl.java:335) ~[classes/:na]
> 	at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_66]
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[na:1.8.0_66]
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[na:1.8.0_66]
> 	at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_66]
> Caused by: java.io.IOException: javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher
> 	at javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:121) ~[na:1.8.0_60]
> 	at javax.crypto.CipherInputStream.read(CipherInputStream.java:239) ~[na:1.8.0_60]
> 	at org.apache.qpid.server.security.encryption.AESKeyFileEncrypter.readFromCipherStream(AESKeyFileEncrypter.java:132) ~[classes/:na]
> 	at org.apache.qpid.server.security.encryption.AESKeyFileEncrypter.decrypt(AESKeyFileEncrypter.java:99) ~[classes/:na]
> 	... 42 common frames omitted
> Caused by: javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher
> 	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:913) ~[sunjce_provider.jar:1.8.0_60]
> 	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:824) ~[sunjce_provider.jar:1.8.0_60]
> 	at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:436) ~[sunjce_provider.jar:1.8.0_60]
> 	at javax.crypto.Cipher.doFinal(Cipher.java:2048) ~[na:1.8.0_60]
> 	at javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:118) ~[na:1.8.0_60]
> 	... 45 common frames omitted
> {noformat}
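
The failure mode reported above, as an added example that is not part of the original message and is not Qpid code: a store whose write path skips a derived secure attribute while its read path decrypts every secure attribute. The class name, the attribute names, the AES/CBC/PKCS5Padding mode and the IV-prefixed Base64 layout are assumptions made for this sketch.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class DerivedSecretRecoveryDemo {
    static final String CIPHER = "AES/CBC/PKCS5Padding"; // assumed mode for this sketch

    // Stored form: Base64(IV || ciphertext).
    static String encrypt(SecretKey key, String plain) throws GeneralSecurityException {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    static String decrypt(SecretKey key, String stored) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(in, 0, 16));
        return new String(c.doFinal(in, 16, in.length - 16), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        Map<String, String> store = new LinkedHashMap<>();
        // Write path: the ordinary secure attribute is encrypted, the derived one is skipped.
        store.put("password", encrypt(key, "s3cret"));
        store.put("derivedSecret", Base64.getEncoder().encodeToString(new byte[40])); // constructed stand-in for key material
        // Read path on restart: every secure attribute is assumed to be ciphertext.
        for (Map.Entry<String, String> e : store.entrySet()) {
            try {
                System.out.println(e.getKey() + " -> decrypted " + decrypt(key, e.getValue()).length() + " chars");
            } catch (GeneralSecurityException | IllegalArgumentException ex) {
                System.out.println(e.getKey() + " -> startup would fail: " + ex);
            }
        }
    }
}
```

The second attribute fails with the same `IllegalBlockSizeException` message seen in the trace, because the 24 bytes left after the assumed IV are not a multiple of the AES block size.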


