You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2019/03/05 17:04:28 UTC
[GitHub] [knox] rlevas opened a new pull request #63: KNOX-1801 - Master
secret is incorrectly assumed when a custom truststore is not specified
when clientauth is enabled
rlevas opened a new pull request #63: KNOX-1801 - Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled
URL: https://github.com/apache/knox/pull/63
## What changes were proposed in this pull request?
Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled.
**Steps to reproduce**
1. Create custom TLS keystore for Knox with a custom keystore password (not the master secret)
2. Specify the custom TLS keystore details in `gateway-site.xml`
- `gateway.tls.keystore.password.alias`
- `gateway.tls.keystore.path`
- `gateway.tls.keystore.type`
- `gateway.tls.key.alias`
- `gateway.tls.key.passphrase.alias` (optional)
3. Turn on client-auth
- `gateway.client.auth.needed` : {{true}}
4. Create password alias for the custom keystore using Knox CLI
- `bin/knoxcli.sh create-alias gateway-identity-keystore-password --value <password>`
5. (Re)Start the Gateway
The Gateway will fail to start with the following error in the gateway.log:
```
2019-03-04 11:03:15,921 FATAL knox.gateway (GatewayServer.java:main(168)) - Failed to start gateway: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.knox.gateway.services.security.impl.JettySSLService.loadKeyStore(JettySSLService.java:257)
at org.apache.knox.gateway.services.security.impl.JettySSLService.buildSslContextFactory(JettySSLService.java:222)
at org.apache.knox.gateway.GatewayServer.createConnector(GatewayServer.java:373)
at org.apache.knox.gateway.GatewayServer.start(GatewayServer.java:520)
at org.apache.knox.gateway.GatewayServer.startGateway(GatewayServer.java:308)
at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:161)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
... 17 more
```
**Solution**
Lookup password for the truststore using the appropriate alias name, falling back to the master secret if an alias is not configured or not set.
While at it, cleaned up `org.apache.knox.gateway.services.security.impl.JettySSLService` to remove unneeded `MasterService` calls.
## How was this patch tested?
Added new unit tests - `org.apache.knox.gateway.services.security.impl.JettySSLServiceTest`
Manually tested various scenarios.
Please review [Knox Contributing Process](https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-GithubWorkflow) before opening a pull request.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services