Apache Knox / KNOX-1801

Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.0
    • Fix Version/s: 1.3.0
    • Component/s: Server
    • Labels: None

    Description

      When client auth is enabled and no custom truststore is specified, the master secret is incorrectly assumed as the truststore password, even though the keystore (which then also serves as the truststore) is protected by a custom password stored under an alias.

      Steps to reproduce

      1. Create a custom TLS keystore for Knox with a custom keystore password (not the master secret)
      2. Specify the custom TLS keystore details in gateway-site.xml:
        • gateway.tls.keystore.password.alias
        • gateway.tls.keystore.path
        • gateway.tls.keystore.type
        • gateway.tls.key.alias
        • gateway.tls.key.passphrase.alias (optional)
      3. Turn on client auth:
        • gateway.client.auth.needed : true
      4. Create a password alias for the custom keystore using the Knox CLI:
        • bin/knoxcli.sh create-alias gateway-identity-keystore-password --value <password>
      5. (Re)start the Gateway

      The Gateway will fail to start with the following error in gateway.log:

      2019-03-04 11:03:15,921 FATAL knox.gateway (GatewayServer.java:main(168)) - Failed to start gateway: java.io.IOException: keystore password was incorrect
      java.io.IOException: keystore password was incorrect
              at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
              at java.security.KeyStore.load(KeyStore.java:1445)
              at org.apache.knox.gateway.services.security.impl.JettySSLService.loadKeyStore(JettySSLService.java:257)
              at org.apache.knox.gateway.services.security.impl.JettySSLService.buildSslContextFactory(JettySSLService.java:222)
              at org.apache.knox.gateway.GatewayServer.createConnector(GatewayServer.java:373)
              at org.apache.knox.gateway.GatewayServer.start(GatewayServer.java:520)
              at org.apache.knox.gateway.GatewayServer.startGateway(GatewayServer.java:308)
              at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:161)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
              at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
              at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
              at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
              at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
      Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
              ... 17 more
      

      Solution
      Look up the password for the truststore using the appropriate alias name, falling back to the master secret only if no alias is configured or the configured alias is not set in the credential store.
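      The password resolution the solution describes, modelled as an added Java example that is not Knox's own code. The property name, the alias name and the client-auth setting are taken from the reproduction steps above; the AliasService interface, the in-memory gateway-site map and the empty PKCS12 keystore are constructed stand-ins. The buggy path hands the master secret to KeyStore.load and fails with an IOException, as JettySSLService.loadKeyStore does in the trace; the fixed path resolves the configured alias first and reaches the master secret only as a fallback.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Illustrative model of KNOX-1801 (not Knox code): how the keystore/truststore password
 * should be resolved when client auth is on and no separate truststore is configured.
 */
public class KeystorePasswordResolution {

    /** Stand-in for Knox's alias service: the credential store filled by knoxcli.sh create-alias. */
    interface AliasService {
        Optional<char[]> getPassword(String alias);
    }

    /** Buggy behaviour from the report: the master secret is assumed regardless of configuration. */
    static char[] resolveBuggy(char[] masterSecret) {
        return masterSecret;
    }

    /**
     * Behaviour described in the Solution: read the alias name from gateway-site.xml
     * (default alias if the property is absent), look the password up under that alias,
     * and only fall back to the master secret when the alias is not set in the store.
     */
    static char[] resolveFixed(Map<String, String> gatewaySite, String aliasProperty,
                               String defaultAlias, AliasService aliases, char[] masterSecret) {
        String alias = gatewaySite.getOrDefault(aliasProperty, defaultAlias);
        return aliases.getPassword(alias).orElse(masterSecret);
    }

    /** Constructed fixture: an empty PKCS12 keystore protected by the given password. */
    static byte[] buildKeystore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    /** Mirrors the KeyStore.load call in JettySSLService.loadKeyStore; a wrong password surfaces as IOException. */
    static boolean keystoreLoads(byte[] keystoreBytes, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try {
            ks.load(new ByteArrayInputStream(keystoreBytes), password);
            return true;
        } catch (IOException e) {
            System.out.println("  load failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] masterSecret = "master-secret-CONSTRUCTED".toCharArray();
        char[] customPassword = "custom-keystore-password-CONSTRUCTED".toCharArray();
        String aliasProperty = "gateway.tls.keystore.password.alias";   // from step 2
        String keystoreAlias = "gateway-identity-keystore-password";     // from step 4

        // Stand-in for gateway-site.xml (steps 2 and 3).
        Map<String, String> gatewaySite = new HashMap<>();
        gatewaySite.put(aliasProperty, keystoreAlias);
        gatewaySite.put("gateway.client.auth.needed", "true");

        // Stand-in for the credential store after "knoxcli.sh create-alias ..." (step 4).
        Map<String, char[]> credentialStore = new HashMap<>();
        credentialStore.put(keystoreAlias, customPassword);
        AliasService aliases = alias -> Optional.ofNullable(credentialStore.get(alias));

        // The keystore was created with the custom password, not the master secret (step 1).
        byte[] keystore = buildKeystore(customPassword);

        System.out.println("buggy lookup (master secret assumed):");
        System.out.println("  loaded = " + keystoreLoads(keystore, resolveBuggy(masterSecret)));

        System.out.println("fixed lookup (alias first, master secret as fallback):");
        System.out.println("  loaded = " + keystoreLoads(keystore,
                resolveFixed(gatewaySite, aliasProperty, keystoreAlias, aliases, masterSecret)));

        // Fallback path: no alias in the store means the master secret is used, as the Solution states.
        AliasService emptyStore = alias -> Optional.empty();
        byte[] masterProtected = buildKeystore(masterSecret);
        System.out.println("no alias set, keystore protected by master secret:");
        System.out.println("  loaded = " + keystoreLoads(masterProtected,
                resolveFixed(gatewaySite, aliasProperty, keystoreAlias, emptyStore, masterSecret)));
    }
}
```

      Compile and run with javac/java; the first load fails, the second and third succeed. The fixture keystore holds no entries, so the wrong-password failure comes from the PKCS12 integrity check rather than from decrypting safe contents, but it is the same IOException from KeyStore.load that the Gateway hit.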

            People

              Assignee: Robert Levas (rlevas)
              Reporter: Robert Levas (rlevas)