You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2019/03/05 17:05:00 UTC
[jira] [Work logged] (KNOX-1801) Master secret is incorrectly
assumed when a custom truststore is not specified when clientauth is
enabled
[ https://issues.apache.org/jira/browse/KNOX-1801?focusedWorklogId=207878&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-207878 ]
ASF GitHub Bot logged work on KNOX-1801:
----------------------------------------
Author: ASF GitHub Bot
Created on: 05/Mar/19 17:04
Start Date: 05/Mar/19 17:04
Worklog Time Spent: 10m
Work Description: rlevas commented on pull request #63: KNOX-1801 - Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled
URL: https://github.com/apache/knox/pull/63
## What changes were proposed in this pull request?
Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled.
**Steps to reproduce**
1. Create custom TLS keystore for Knox with a custom keystore password (not the master secret)
2. Specify the custom TLS keystore details in `gateway-site.xml`
- `gateway.tls.keystore.password.alias`
- `gateway.tls.keystore.path`
- `gateway.tls.keystore.type`
- `gateway.tls.key.alias`
- `gateway.tls.key.passphrase.alias` (optional)
3. Turn on client-auth
- `gateway.client.auth.needed` : {{true}}
4. Create password alias for the custom keystore using Knox CLI
- `bin/knoxcli.sh create-alias gateway-identity-keystore-password --value <password>`
5. (Re)Start the Gateway
The Gateway will fail to start with the following error in the gateway.log:
```
2019-03-04 11:03:15,921 FATAL knox.gateway (GatewayServer.java:main(168)) - Failed to start gateway: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.knox.gateway.services.security.impl.JettySSLService.loadKeyStore(JettySSLService.java:257)
at org.apache.knox.gateway.services.security.impl.JettySSLService.buildSslContextFactory(JettySSLService.java:222)
at org.apache.knox.gateway.GatewayServer.createConnector(GatewayServer.java:373)
at org.apache.knox.gateway.GatewayServer.start(GatewayServer.java:520)
at org.apache.knox.gateway.GatewayServer.startGateway(GatewayServer.java:308)
at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:161)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
... 17 more
```
**Solution**
Lookup password for the truststore using the appropriate alias name, falling back to the master secret if an alias is not configured or not set.
While at it, cleaned up `org.apache.knox.gateway.services.security.impl.JettySSLService` to remove unneeded `MasterService` calls.
## How was this patch tested?
Added new unit tests - `org.apache.knox.gateway.services.security.impl.JettySSLServiceTest`
Manually tested various scenarios.
Please review [Knox Contributing Process](https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-GithubWorkflow) before opening a pull request.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Issue Time Tracking
-------------------
Worklog Id: (was: 207878)
Time Spent: 10m
Remaining Estimate: 0h
> Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled
> ---------------------------------------------------------------------------------------------------------
>
> Key: KNOX-1801
> URL: https://issues.apache.org/jira/browse/KNOX-1801
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 1.3.0
> Reporter: Robert Levas
> Assignee: Robert Levas
> Priority: Major
> Fix For: 1.3.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled.
> *Steps to reproduce*
> # Create custom TLS keystore for Knox with a custom keystore password (not the master secret)
> # Specify the custom TLS keystore details in {{gateway-site.xml}}
> ** {{gateway.tls.keystore.password.alias}}
> ** {{gateway.tls.keystore.path}}
> ** {{gateway.tls.keystore.type}}
> ** {{gateway.tls.key.alias}}
> ** {{gateway.tls.key.passphrase.alias}} (optional)
> # Turn on client-auth
> ** {{gateway.client.auth.needed}} : {{true}}
> # Create password alias for the custom keystore using Knox CLI
> ** {{bin/knoxcli.sh create-alias gateway-identity-keystore-password --value <password>}}
> # (Re)Start the Gateway
> The Gateway will fail to start with the following error in the gateway.log:
> {noformat}
> 2019-03-04 11:03:15,921 FATAL knox.gateway (GatewayServer.java:main(168)) - Failed to start gateway: java.io.IOException: keystore password was incorrect
> java.io.IOException: keystore password was incorrect
> at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
> at java.security.KeyStore.load(KeyStore.java:1445)
> at org.apache.knox.gateway.services.security.impl.JettySSLService.loadKeyStore(JettySSLService.java:257)
> at org.apache.knox.gateway.services.security.impl.JettySSLService.buildSslContextFactory(JettySSLService.java:222)
> at org.apache.knox.gateway.GatewayServer.createConnector(GatewayServer.java:373)
> at org.apache.knox.gateway.GatewayServer.start(GatewayServer.java:520)
> at org.apache.knox.gateway.GatewayServer.startGateway(GatewayServer.java:308)
> at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:161)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
> at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
> at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
> at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
> at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
> Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
> ... 17 more
> {noformat}
> *Solution*
> Lookup password for the truststore using the appropriate alias name, falling back to the master secret if an alias is not configured or not set.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)