Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2016/05/13 11:23:12 UTC

[jira] [Commented] (QPID-7264) Model attributes that are derived and secure (such as AutoGeneratedSelfSignedKeyStore) do not get stored encrypted causing Broker to fail on restart

    [ https://issues.apache.org/jira/browse/QPID-7264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15282627#comment-15282627 ] 

Keith Wall commented on QPID-7264:
----------------------------------

Looks to me like the problem lies within AbstractConfiguredObject#asObjectRecord().  The derived path needs to encrypt the attributes value too.

> Model attributes that are derived and secure (such as AutoGeneratedSelfSignedKeyStore) do not get stored encrypted causing Broker to fail on restart
> ----------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-7264
>                 URL: https://issues.apache.org/jira/browse/QPID-7264
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: qpid-java-6.0, qpid-java-6.0.1, qpid-java-6.0.2
>            Reporter: Keith Wall
>            Priority: Minor
>
> Model Attributes that are derived/secure do not get encrypted by the configuration encryptor.   If you add an {{AutoGeneratedSelfSignedCert}}  then turn on encryption, the Broker continues to work until it is restarted, at which point it fails as it tries to read the secure value as if it were AES ciphered data.
> The only feature that currently has such an attribute is AutoGeneratedSelfSignedCert.  This problem means that AutoGeneratedSelfSignedCert cannot be used at all if configuration encryption is also in use.
> The work around is to create the self signed keystore externally (keytool/openssl etc), and import into Qpid as a Java or Non-Java Keystore.
> {noformat}
> 12:12:27.170 [main] INFO  qpid.message.keystore.create - [Broker] KST-1001 : Create "myks"
> 12:12:27.595 [main] ERROR org.apache.qpid.server.Broker - Exception during startup
> java.lang.IllegalArgumentException: Unable to encrypt secret
> 	at org.apache.qpid.server.security.encryption.AESKeyFileEncrypter.decrypt(AESKeyFileEncrypter.java:106) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject.decryptSecrets(AbstractConfiguredObject.java:2788) ~[classes/:na]
> 	at org.apache.qpid.server.store.GenericRecoverer.resolveObjects(GenericRecoverer.java:187) ~[classes/:na]
> 	at org.apache.qpid.server.store.GenericRecoverer.performRecover(GenericRecoverer.java:91) ~[classes/:na]
> 	at org.apache.qpid.server.store.GenericRecoverer.access$000(GenericRecoverer.java:41) ~[classes/:na]
> 	at org.apache.qpid.server.store.GenericRecoverer$1.execute(GenericRecoverer.java:59) ~[classes/:na]
> 	at org.apache.qpid.server.store.GenericRecoverer$1.execute(GenericRecoverer.java:55) ~[classes/:na]
> 	at org.apache.qpid.server.configuration.updater.TaskExecutorImpl$TaskLoggingWrapper.execute(TaskExecutorImpl.java:270) ~[classes/:na]
> 	at org.apache.qpid.server.configuration.updater.TaskExecutorImpl.submitWrappedTask(TaskExecutorImpl.java:154) ~[classes/:na]
> 	at org.apache.qpid.server.configuration.updater.TaskExecutorImpl.run(TaskExecutorImpl.java:182) ~[classes/:na]
> 	at org.apache.qpid.server.store.GenericRecoverer.recover(GenericRecoverer.java:54) ~[classes/:na]
> 	at org.apache.qpid.server.store.BrokerStoreUpgraderAndRecoverer.perform(BrokerStoreUpgraderAndRecoverer.java:846) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractSystemConfig.activate(AbstractSystemConfig.java:232) ~[classes/:na]
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_66]
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_66]
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_66]
> 	at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_66]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject.attainState(AbstractConfiguredObject.java:1309) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject.attainState(AbstractConfiguredObject.java:1288) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject$8.onSuccess(AbstractConfiguredObject.java:909) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject$8.onSuccess(AbstractConfiguredObject.java:903) ~[classes/:na]
> 	at com.google.common.util.concurrent.Futures$6.run(Futures.java:1319) ~[guava-18.0.jar:na]
> 	at com.google.common.util.concurrent.MoreExecutors$DirectExecutor.execute(MoreExecutors.java:457) ~[guava-18.0.jar:na]
> 	at com.google.common.util.concurrent.ExecutionList.executeListener(ExecutionList.java:156) ~[guava-18.0.jar:na]
> 	at com.google.common.util.concurrent.ExecutionList.add(ExecutionList.java:101) ~[guava-18.0.jar:na]
> 	at com.google.common.util.concurrent.AbstractFuture.addListener(AbstractFuture.java:170) ~[guava-18.0.jar:na]
> 	at com.google.common.util.concurrent.Futures.addCallback(Futures.java:1322) ~[guava-18.0.jar:na]
> 	at com.google.common.util.concurrent.Futures.addCallback(Futures.java:1258) ~[guava-18.0.jar:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject.doAttainState(AbstractConfiguredObject.java:902) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject.access$300(AbstractConfiguredObject.java:81) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject$1.execute(AbstractConfiguredObject.java:514) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject$1.execute(AbstractConfiguredObject.java:501) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject$2.execute(AbstractConfiguredObject.java:562) ~[classes/:na]
> 	at org.apache.qpid.server.model.AbstractConfiguredObject$2.execute(AbstractConfiguredObject.java:555) ~[classes/:na]
> 	at org.apache.qpid.server.configuration.updater.TaskExecutorImpl$TaskLoggingWrapper.execute(TaskExecutorImpl.java:270) ~[classes/:na]
> 	at org.apache.qpid.server.configuration.updater.TaskExecutorImpl$CallableWrapper$1.run(TaskExecutorImpl.java:342) ~[classes/:na]
> 	at java.security.AccessController.doPrivileged(Native Method) ~[na:1.8.0_66]
> 	at javax.security.auth.Subject.doAs(Subject.java:360) ~[na:1.8.0_66]
> 	at org.apache.qpid.server.configuration.updater.TaskExecutorImpl$CallableWrapper.call(TaskExecutorImpl.java:335) ~[classes/:na]
> 	at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_66]
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[na:1.8.0_66]
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[na:1.8.0_66]
> 	at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_66]
> Caused by: java.io.IOException: javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher
> 	at javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:121) ~[na:1.8.0_60]
> 	at javax.crypto.CipherInputStream.read(CipherInputStream.java:239) ~[na:1.8.0_60]
> 	at org.apache.qpid.server.security.encryption.AESKeyFileEncrypter.readFromCipherStream(AESKeyFileEncrypter.java:132) ~[classes/:na]
> 	at org.apache.qpid.server.security.encryption.AESKeyFileEncrypter.decrypt(AESKeyFileEncrypter.java:99) ~[classes/:na]
> 	... 42 common frames omitted
> Caused by: javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher
> 	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:913) ~[sunjce_provider.jar:1.8.0_60]
> 	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:824) ~[sunjce_provider.jar:1.8.0_60]
> 	at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:436) ~[sunjce_provider.jar:1.8.0_60]
> 	at javax.crypto.Cipher.doFinal(Cipher.java:2048) ~[na:1.8.0_60]
> 	at javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:118) ~[na:1.8.0_60]
> 	... 45 common frames omitted
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
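The failure the report describes is easy to reproduce in miniature: a record writer that encrypts secure attributes but lets derived ones bypass the encryptor, and a recoverer that treats every secure attribute as AES ciphertext on restart. The following is an added illustration written for this page, not Qpid's AbstractConfiguredObject or AESKeyFileEncrypter code; the class, method and attribute names (asObjectRecordBuggy, asObjectRecordFixed, decryptSecrets, the keyStore/password attributes) and the 16-byte key are constructed for the demo. It uses the same IV-prefixed AES/CBC/PKCS5Padding shape that the stack trace implies, so the unencrypted derived value produces the same IllegalBlockSizeException on "restart".

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Toy model of a configuration record writer and recoverer (not the Qpid code). */
public class DerivedSecureAttributeDemo {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 16;

    // Constructed 128-bit key for the demo; a real broker reads its key from a protected key file.
    private static final SecretKeySpec KEY =
        new SecretKeySpec("0123456789abcdef".getBytes(StandardCharsets.US_ASCII), "AES");

    // Hypothetical attribute metadata: which attributes are secure, and which are derived.
    private static final List<String> SECURE = Arrays.asList("keyStore", "password");
    private static final List<String> DERIVED = Arrays.asList("keyStore");

    /** Returns base64(iv || AES-CBC-PKCS5(plaintext)). */
    static String encrypt(String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, KEY, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Inverse of encrypt; a value that was never encrypted fails here with IllegalBlockSizeException. */
    static String decrypt(String stored) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, KEY, new IvParameterSpec(Arrays.copyOf(in, IV_LEN)));
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
    }

    /** Mirrors the reported behaviour: the derived path stores the value as-is, even when it is secure. */
    static Map<String, String> asObjectRecordBuggy(Map<String, String> attrs) throws GeneralSecurityException {
        Map<String, String> record = new HashMap<>();
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            if (DERIVED.contains(e.getKey())) {
                record.put(e.getKey(), e.getValue());                 // encryptor skipped
            } else {
                record.put(e.getKey(), SECURE.contains(e.getKey()) ? encrypt(e.getValue()) : e.getValue());
            }
        }
        return record;
    }

    /** Corrected writer: every secure attribute is encrypted, derived or not. */
    static Map<String, String> asObjectRecordFixed(Map<String, String> attrs) throws GeneralSecurityException {
        Map<String, String> record = new HashMap<>();
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            record.put(e.getKey(), SECURE.contains(e.getKey()) ? encrypt(e.getValue()) : e.getValue());
        }
        return record;
    }

    /** Recovery on restart: every secure attribute in the store is assumed to be ciphertext. */
    static Map<String, String> decryptSecrets(Map<String, String> record) throws GeneralSecurityException {
        Map<String, String> attrs = new HashMap<>();
        for (Map.Entry<String, String> e : record.entrySet()) {
            attrs.put(e.getKey(), SECURE.contains(e.getKey()) ? decrypt(e.getValue()) : e.getValue());
        }
        return attrs;
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> attrs = new HashMap<>();
        attrs.put("name", "myks");
        attrs.put("password", "changeit");
        // Constructed stand-in for a generated keystore blob: base64 of 26 bytes, so after the
        // 16-byte IV is stripped 10 bytes remain, which is not a multiple of the AES block size.
        attrs.put("keyStore", Base64.getEncoder().encodeToString(
            "constructed-keystore-bytes".getBytes(StandardCharsets.UTF_8)));

        Map<String, String> fixedRecord = asObjectRecordFixed(attrs);
        System.out.println("fixed record recovers cleanly: " + decryptSecrets(fixedRecord).equals(attrs));

        Map<String, String> buggyRecord = asObjectRecordBuggy(attrs);
        try {
            decryptSecrets(buggyRecord);
        } catch (GeneralSecurityException ex) {
            // Same class of failure as the report: "Input length must be multiple of 16 ..."
            System.out.println("buggy record fails on restart: " + ex);
        }
    }
}
```

The demo runs to completion in both directions: the corrected writer round-trips the attributes, while the record produced by the derived path fails in the recoverer. A practical hardening on top of the fix is for the recoverer to check that the stored length (minus the IV) is a multiple of the block size before calling the cipher, so that an unencrypted value is reported as "stored value is not ciphertext" rather than surfacing as a generic IllegalBlockSizeException deep in the startup stack.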
