Posted to dev@qpid.apache.org by "Alex Rudyy (JIRA)" <ji...@apache.org> on 2016/04/07 19:04:25 UTC

[jira] [Comment Edited] (QPID-7174) [JavaBroker] Broker fails to open ManagedPeerCertificateTrustStore containing certificates added via port

    [ https://issues.apache.org/jira/browse/QPID-7174?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15230570#comment-15230570 ] 

Alex Rudyy edited comment on QPID-7174 at 4/7/16 5:03 PM:
----------------------------------------------------------

ConfiguredObjectJacksonModule declares a JsonSerializer for Certificate objects. The Certificate JsonSerializer calls JsonGenerator#writeBinary(byte[]) to save the Certificate encoded bytes. Internally, JsonGenerator#writeBinary calls a Base64 encoder to encode the bytes and creates a base64-encoded string.

org.apache.qpid.server.model.AttributeValueConverter#CERTIFICATE_CONVERTER converts a certificate represented as a String into a byte array without performing any Base64 decoding, which results in IllegalArgumentException: Cannot convert '...'

The simplest fix for the issue would be to add base64 decoding of certificates represented as String:
{code}
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java b/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java
index 4a0a379..071c05a 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java
@@ -36,6 +36,7 @@ import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Base64;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
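Review bot: The new import of java.util.Base64 ties this file to Java 8 or later, since that class does not exist in earlier releases; confirm that this matches the minimum Java level broker-core is built for. Also check whether StandardCharsets is still referenced elsewhere in this file once the getBytes(StandardCharsets.UTF_8) call is removed, so that no unused import is left behind.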
@@ -206,7 +207,8 @@ abstract class AttributeValueConverter<T>
             else if(value instanceof String)
             {
                 String strValue = AbstractConfiguredObject.interpolate(object, (String) value);
-                return convert(strValue.getBytes(StandardCharsets.UTF_8), object);
+                byte[] certificateBytes = Base64.getDecoder().decode(strValue);
+                return convert(certificateBytes, object);
             }
             else if(value == null)
             {
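Review bot: In the String branch, Base64.getDecoder().decode(strValue) now rejects every value that is not bare Base64, including a PEM-formatted certificate, which the removed getBytes(StandardCharsets.UTF_8) path passed on to convert(byte[], object) unchanged. The basic decoder also throws IllegalArgumentException on line breaks or stray characters, with a message that names neither the attribute nor the object. Consider keeping a fallback for values that start with -----BEGIN CERTIFICATE-----, wrapping the decode failure in an exception that identifies the attribute, and adding a test that reloads a stored certificate list after restart.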
{code}

Additionally, it is worth considering adding a prefix to the base64-encoded value, similar to what we have for encoded octet streams: data:application/octet-stream;base64,...
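
An added example, not part of the original comment or of the Qpid code base: it shows why the stored string cannot be parsed when it is only turned into UTF-8 bytes, and a decode step that goes beyond the patch by also accepting the proposed data: prefix and PEM text. The class name and the `toCertificateBytes` helper are hypothetical, and the byte array is a constructed stand-in for real certificate bytes.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class CertificateAttributeDecoding
{
    // Prefix proposed in the comment, as already used for encoded octet streams.
    private static final String DATA_PREFIX = "data:application/octet-stream;base64,";
    private static final String PEM_BEGIN = "-----BEGIN CERTIFICATE-----";

    /** Hypothetical helper: turns a stored String attribute into the bytes handed to CertificateFactory. */
    static byte[] toCertificateBytes(String stored)
    {
        String value = stored.trim();
        if (value.startsWith(PEM_BEGIN))
        {
            // PEM text is parsed by CertificateFactory directly, so pass the characters through.
            return value.getBytes(StandardCharsets.US_ASCII);
        }
        if (value.startsWith(DATA_PREFIX))
        {
            value = value.substring(DATA_PREFIX.length());
        }
        try
        {
            // Bare Base64, the form JsonGenerator#writeBinary produces.
            return Base64.getDecoder().decode(value);
        }
        catch (IllegalArgumentException e)
        {
            throw new IllegalArgumentException("Stored certificate is neither PEM nor valid Base64", e);
        }
    }

    public static void main(String[] args)
    {
        // Constructed stand-in for Certificate#getEncoded(): DER begins with a SEQUENCE tag (0x30).
        byte[] der = {0x30, (byte) 0x82, 0x01, 0x0a, 0x30, (byte) 0x81, (byte) 0xf4};
        String stored = Base64.getEncoder().encodeToString(der);   // what the configuration store holds

        byte[] prePatch = stored.getBytes(StandardCharsets.UTF_8); // conversion before the patch
        System.out.println("pre-patch bytes match DER:  " + Arrays.equals(der, prePatch));
        System.out.println("decoded bytes match DER:    " + Arrays.equals(der, toCertificateBytes(stored)));
        System.out.println("prefixed value matches DER: " + Arrays.equals(der, toCertificateBytes(DATA_PREFIX + stored)));
    }
}
```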



> [JavaBroker] Broker fails to open ManagedPeerCertificateTrustStore containing certificates added via port
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-7174
>                 URL: https://issues.apache.org/jira/browse/QPID-7174
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>            Reporter: Alex Rudyy
>
> After configuring ManagedPeerCertificateTrustStore as port clientCertRecorder and capturing one or more certificates via open TLS connections, the following exception is reported on Broker restart:
> {noformat}
> ERROR [Broker-Config] (o.a.q.s.m.AbstractConfiguredObject) - Failed to open object with name 'managing'.  Object will be put into ERROR state.
> java.lang.IllegalArgumentException: Cannot convert '[...]' into a java.util.List<java.security.cert.Certificate> for attribute storedCertificates (java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Empty input)
>         at org.apache.qpid.server.model.ConfiguredObjectMethodAttribute.convert(ConfiguredObjectMethodAttribute.java:72) ~[classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject.automatedSetValue(AbstractConfiguredObject.java:415) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject.resolveAutomatedAttribute(AbstractConfiguredObject.java:1259) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject.onResolve(AbstractConfiguredObject.java:1213) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject.doResolution(AbstractConfiguredObject.java:1025) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject$11.performAction(AbstractConfiguredObject.java:1037) ~[classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject.applyToChildren(AbstractConfiguredObject.java:1095) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject.doResolution(AbstractConfiguredObject.java:1027) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject$1.execute(AbstractConfiguredObject.java:510) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject$1.execute(AbstractConfiguredObject.java:500) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject$2.execute(AbstractConfiguredObject.java:561) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject$2.execute(AbstractConfiguredObject.java:554) [classes/:na]
>         at org.apache.qpid.server.configuration.updater.TaskExecutorImpl$TaskLoggingWrapper.execute(TaskExecutorImpl.java:270) [classes/:na]
>         at org.apache.qpid.server.configuration.updater.TaskExecutorImpl.submitWrappedTask(TaskExecutorImpl.java:154) [classes/:na]
>         at org.apache.qpid.server.configuration.updater.TaskExecutorImpl.submit(TaskExecutorImpl.java:142) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject.doOnConfigThread(AbstractConfiguredObject.java:553) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject.openAsync(AbstractConfiguredObject.java:499) [classes/:na]
>         at org.apache.qpid.server.model.AbstractSystemConfig.activate(AbstractSystemConfig.java:238) [classes/:na]
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_66]
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_66]
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_66]
>         at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_66]
>         at org.apache.qpid.server.model.AbstractConfiguredObject.attainState(AbstractConfiguredObject.java:1308) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject.attainState(AbstractConfiguredObject.java:1287) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject$8.onSuccess(AbstractConfiguredObject.java:908) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject$8.onSuccess(AbstractConfiguredObject.java:902) [classes/:na]
>         at com.google.common.util.concurrent.Futures$6.run(Futures.java:1319) [guava-18.0.jar:na]
>         at com.google.common.util.concurrent.MoreExecutors$DirectExecutor.execute(MoreExecutors.java:457) [guava-18.0.jar:na]
>         at com.google.common.util.concurrent.ExecutionList.executeListener(ExecutionList.java:156) [guava-18.0.jar:na]
>         at com.google.common.util.concurrent.ExecutionList.add(ExecutionList.java:101) [guava-18.0.jar:na]
>         at com.google.common.util.concurrent.AbstractFuture.addListener(AbstractFuture.java:170) [guava-18.0.jar:na]
>         at com.google.common.util.concurrent.Futures.addCallback(Futures.java:1322) [guava-18.0.jar:na]
>         at com.google.common.util.concurrent.Futures.addCallback(Futures.java:1258) [guava-18.0.jar:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject.doAttainState(AbstractConfiguredObject.java:901) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject.access$300(AbstractConfiguredObject.java:80) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject$1.execute(AbstractConfiguredObject.java:513) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject$1.execute(AbstractConfiguredObject.java:500) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject$2.execute(AbstractConfiguredObject.java:561) [classes/:na]
>         at org.apache.qpid.server.model.AbstractConfiguredObject$2.execute(AbstractConfiguredObject.java:554) [classes/:na]
>         at org.apache.qpid.server.configuration.updater.TaskExecutorImpl$TaskLoggingWrapper.execute(TaskExecutorImpl.java:270) [classes/:na]
>         at org.apache.qpid.server.configuration.updater.TaskExecutorImpl$CallableWrapper$1.run(TaskExecutorImpl.java:342) [classes/:na]
>         at java.security.AccessController.doPrivileged(Native Method) [na:1.8.0_66]
>         at javax.security.auth.Subject.doAs(Subject.java:360) [na:1.8.0_66]
>         at org.apache.qpid.server.configuration.updater.TaskExecutorImpl$CallableWrapper.call(TaskExecutorImpl.java:335) [classes/:na]
>         at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_66]
>         at javax.security.auth.Subject.doAs(Subject.java:360) [na:1.8.0_66]
>         at org.apache.qpid.server.configuration.updater.TaskExecutorImpl$CallableWrapper.call(TaskExecutorImpl.java:335) [classes/:na]
>         at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_66]
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_66]
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_66]
>         at java.lang.Thread.run(Thread.java:745) [na:1.8.0_66]
> Caused by: java.lang.IllegalArgumentException: java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Empty input
>         at org.apache.qpid.server.model.AttributeValueConverter$6.convert(AttributeValueConverter.java:203) ~[classes/:na]
>         at org.apache.qpid.server.model.AttributeValueConverter$6.convert(AttributeValueConverter.java:209) ~[classes/:na]
>         at org.apache.qpid.server.model.AttributeValueConverter$6.convert(AttributeValueConverter.java:174) ~[classes/:na]
>         at org.apache.qpid.server.model.AttributeValueConverter$GenericListConverter.convert(AttributeValueConverter.java:743) ~[classes/:na]
>         at org.apache.qpid.server.model.AttributeValueConverter$GenericListConverter.convert(AttributeValueConverter.java:724) ~[classes/:na]
>         at org.apache.qpid.server.model.ConfiguredObjectMethodAttribute.convert(ConfiguredObjectMethodAttribute.java:65) ~[classes/:na]
>         ... 47 common frames omitted
> Caused by: java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Empty input
>         at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:108) ~[na:1.8.0_66]
>         at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339) ~[na:1.8.0_66]
>         at org.apache.qpid.server.model.AttributeValueConverter$6.convert(AttributeValueConverter.java:199) ~[classes/:na]
>         ... 52 common frames omitted
> Caused by: java.io.IOException: Empty input
>         at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:104) ~[na:1.8.0_66]
>         ... 54 common frames omitted
> {noformat}


