Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/12/30 21:45:00 UTC

[jira] [Commented] (NIFI-11015) registry ApplicationServerConnectorFactory uses NiFiRegistryProperties.SECURITY_KEYSTORE_TYPE instead of NiFiRegistryProperties.SECURITY_TRUSTSTORE_TYPE for buildTrustStore

    [ https://issues.apache.org/jira/browse/NIFI-11015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17653195#comment-17653195 ] 

David Handermann commented on NIFI-11015:
-----------------------------------------

Thanks for the detailed issue description [~ltheisen@mitre.org]! I have submitted a pull request to correct the behavior.

> registry ApplicationServerConnectorFactory uses NiFiRegistryProperties.SECURITY_KEYSTORE_TYPE instead of NiFiRegistryProperties.SECURITY_TRUSTSTORE_TYPE for buildTrustStore
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-11015
>                 URL: https://issues.apache.org/jira/browse/NIFI-11015
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: NiFi Registry
>    Affects Versions: 1.19.0, 1.19.1
>            Reporter: lucas theisen
>            Assignee: David Handermann
>            Priority: Minor
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Our server has been configured to use PKCS12 for the keystore and JKS for the truststore, but when we attempted to upgrade (from 1.16 to 1.19.1) the registry fails to start with:
> {code}
> 2022-12-28 15:33:01,442 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut 2022-12-28 15:33:01,442 INFO [main] org.eclipse.jetty.util.log Logging initialized @632ms to org.eclipse.jetty.util.log.Slf4jLog
> 2022-12-28 15:33:01,533 ERROR [NiFi logging handler] org.apache.nifi.registry.StdErr Failed to start web server: Key Store loading failed
> 2022-12-28 15:33:01,533 ERROR [NiFi logging handler] org.apache.nifi.registry.StdErr Shutting down...
> 2022-12-28 15:33:01,534 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut 2022-12-28 15:33:01,534 WARN [main] o.apache.nifi.registry.jetty.JettyServer Failed to start web server... shutting down.
> 2022-12-28 15:33:01,534 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut org.apache.nifi.security.ssl.BuilderConfigurationException: Key Store loading failed
> 2022-12-28 15:33:01,534 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at org.apache.nifi.security.ssl.StandardKeyStoreBuilder.build(StandardKeyStoreBuilder.java:56)
> 2022-12-28 15:33:01,534 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.buildStore(ApplicationServerConnectorFactory.java:181)
> 2022-12-28 15:33:01,535 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.buildTrustStore(ApplicationServerConnectorFactory.java:167)
> 2022-12-28 15:33:01,535 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.buildSslContext(ApplicationServerConnectorFactory.java:141)
> 2022-12-28 15:33:01,535 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.<init>(ApplicationServerConnectorFactory.java:74)
> 2022-12-28 15:33:01,535 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at org.apache.nifi.registry.jetty.JettyServer.configureConnectors(JettyServer.java:150)
> 2022-12-28 15:33:01,535 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at org.apache.nifi.registry.jetty.JettyServer.<init>(JettyServer.java:101)
> 2022-12-28 15:33:01,535 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at org.apache.nifi.registry.NiFiRegistry.<init>(NiFiRegistry.java:114)
> 2022-12-28 15:33:01,535 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at org.apache.nifi.registry.NiFiRegistry.main(NiFiRegistry.java:168)
> 2022-12-28 15:33:01,535 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
> 2022-12-28 15:33:01,535 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at sun.security.util.DerInputStream.getLength(DerInputStream.java:588)
> 2022-12-28 15:33:01,535 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at sun.security.util.DerValue.init(DerValue.java:412)
> 2022-12-28 15:33:01,535 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at sun.security.util.DerValue.<init>(DerValue.java:353)
> 2022-12-28 15:33:01,545 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at sun.security.util.DerValue.<init>(DerValue.java:366)
> 2022-12-28 15:33:01,545 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1946)
> 2022-12-28 15:33:01,545 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at java.security.KeyStore.load(KeyStore.java:1445)
> 2022-12-28 15:33:01,545 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     at org.apache.nifi.security.ssl.StandardKeyStoreBuilder.build(StandardKeyStoreBuilder.java:54)
> 2022-12-28 15:33:01,545 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut     ... 8 common frames omitted
> {code}
> A quick check of the source shows the use of [{{NiFiRegistryProperties.SECURITY_KEYSTORE_TYPE}} instead of {{NiFiRegistryProperties.SECURITY_TRUSTSTORE_TYPE}}|https://github.com/apache/nifi/blob/rel/nifi-1.19.1/nifi-registry/nifi-registry-core/nifi-registry-jetty/src/main/java/org/apache/nifi/registry/jetty/connector/ApplicationServerConnectorFactory.java#L165]:
> {code}
>     private KeyStore buildTrustStore(final NiFiRegistryProperties properties) {
>         final String trustStore = getRequiredProperty(properties, NiFiRegistryProperties.SECURITY_TRUSTSTORE);
>         final String trustStoreType = getRequiredProperty(properties, NiFiRegistryProperties.SECURITY_KEYSTORE_TYPE);
>         final String trustStorePassword = getRequiredProperty(properties, NiFiRegistryProperties.SECURITY_TRUSTSTORE_PASSWD);
>         return buildStore(trustStore, trustStoreType, trustStorePassword);
>     }
> {code}
> This means that to work around this in the current code we will need to use the same keystore type for both the keystore and the trust store and use the {{nifi.registry.security.keystoreType}} to configure that type.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
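
A pre-upgrade check for the mismatch described in this issue, added here as an example (it is not part of the original message or of the NiFi code base): it compares each store's on-disk format, read from its leading bytes, with the type the Registry would use to load it, and can model the 1.19.0/1.19.1 behaviour in which the truststore is loaded with the keystore type. Property names other than `nifi.registry.security.keystoreType` are assumed to follow the same pattern, and the store files are constructed stand-ins holding only header bytes.

```python
import os
import tempfile

JKS_MAGIC = bytes.fromhex("feedfeed")    # first four bytes of a JKS file
JCEKS_MAGIC = bytes.fromhex("cececece")  # first four bytes of a JCEKS file
PREFIX = "nifi.registry.security."

def sniff_store_type(path):
    """Guess the on-disk format of a key/trust store from its first bytes."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == JKS_MAGIC:
        return "JKS"
    if head == JCEKS_MAGIC:
        return "JCEKS"
    # A PKCS12 file is an ASN.1 structure and starts with a SEQUENCE tag (0x30).
    return "PKCS12" if head[:1] == b"\x30" else "UNKNOWN"

def der_length_tag(length_byte):
    """Count of length octets a DER reader expects after a long-form length byte."""
    return length_byte & 0x7F if length_byte & 0x80 else 0

def parse_properties(text):
    """Minimal key=value parser for a Java properties file (no escapes handled)."""
    lines = (ln.strip() for ln in text.splitlines())
    pairs = (ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
    return {key.strip(): value.strip() for key, value in pairs}

def check_stores(props, truststore_uses_keystore_type=False):
    """Return (store, effective type, actual type) for every mismatch found.
    truststore_uses_keystore_type=True models the behaviour reported in the issue."""
    problems = []
    for store in ("keystore", "truststore"):
        buggy = store == "truststore" and truststore_uses_keystore_type
        type_key = PREFIX + ("keystore" if buggy else store) + "Type"
        effective = props.get(type_key, "").upper()
        actual = sniff_store_type(props[PREFIX + store])
        if actual != effective:
            problems.append((store, effective, actual))
    return problems

def demo():
    """Constructed input: header bytes only, not real stores."""
    tmp = tempfile.mkdtemp()
    ks, ts = os.path.join(tmp, "keystore.p12"), os.path.join(tmp, "truststore.jks")
    for path, head in ((ks, b"\x30\x82\x0a\x00"), (ts, JKS_MAGIC + b"\x00\x00\x00\x02")):
        with open(path, "wb") as fh:
            fh.write(head)
    props = parse_properties(f"{PREFIX}keystore={ks}\n{PREFIX}keystoreType=PKCS12\n"
                             f"{PREFIX}truststore={ts}\n{PREFIX}truststoreType=JKS\n")
    return check_stores(props), check_stores(props, truststore_uses_keystore_type=True)
```

Applied to the second byte of the JKS magic number, `der_length_tag` returns 109, the `lengthTag` value in the stack trace quoted in the issue, which is what a JKS file handed to a PKCS12 parser looks like.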