Apache Knox - KNOX-1801

Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.0
    • Fix Version/s: 1.3.0
    • Component/s: Server
    • Labels: None

      Description

      When client auth is enabled and no custom truststore is specified, the master secret is incorrectly assumed to be the truststore password.

      Steps to reproduce

      1. Create a custom TLS keystore for Knox with a custom keystore password (not the master secret)
      2. Specify the custom TLS keystore details in gateway-site.xml
        • gateway.tls.keystore.password.alias
        • gateway.tls.keystore.path
        • gateway.tls.keystore.type
        • gateway.tls.key.alias
        • gateway.tls.key.passphrase.alias (optional)
      3. Turn on client-auth
        • gateway.client.auth.needed : true
      4. Create the password alias for the custom keystore using the Knox CLI
        • bin/knoxcli.sh create-alias gateway-identity-keystore-password --value <password>
      5. (Re)Start the Gateway

      The Gateway will fail to start with the following error in the gateway.log:

      2019-03-04 11:03:15,921 FATAL knox.gateway (GatewayServer.java:main(168)) - Failed to start gateway: java.io.IOException: keystore password was incorrect
      java.io.IOException: keystore password was incorrect
              at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
              at java.security.KeyStore.load(KeyStore.java:1445)
              at org.apache.knox.gateway.services.security.impl.JettySSLService.loadKeyStore(JettySSLService.java:257)
              at org.apache.knox.gateway.services.security.impl.JettySSLService.buildSslContextFactory(JettySSLService.java:222)
              at org.apache.knox.gateway.GatewayServer.createConnector(GatewayServer.java:373)
              at org.apache.knox.gateway.GatewayServer.start(GatewayServer.java:520)
              at org.apache.knox.gateway.GatewayServer.startGateway(GatewayServer.java:308)
              at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:161)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
              at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
              at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
              at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
              at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
      Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
              ... 17 more
      

      Solution
      Look up the password for the truststore using the appropriate alias name, falling back to the master secret only if no alias is configured or the alias is not set.
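      As an added illustration (not Knox's own code) of the lookup-with-fallback the Solution describes: the resolver below contrasts the pre-fix assumption with the fixed behaviour and checks each resolved password against a constructed in-memory PKCS12 keystore, using the same KeyStore.load that fails in the log above. AliasService is a hypothetical stand-in for Knox's alias service; the keystore, its password and the master secret are constructed sample values.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;

public class TruststorePasswordResolution {
    // Hypothetical stand-in for Knox's alias service; getPasswordFromAlias returns null when the alias is not set.
    interface AliasService { char[] getPasswordFromAlias(String alias); char[] getMasterSecret(); }
    static final String KEYSTORE_PASSWORD_ALIAS = "gateway-identity-keystore-password"; // alias from step 4
    // Pre-fix behaviour the issue describes: with no custom truststore, the master secret is assumed.
    static char[] resolveBeforeFix(boolean customTruststore, String truststoreAlias, AliasService aliases) {
        return customTruststore ? aliases.getPasswordFromAlias(truststoreAlias) : aliases.getMasterSecret();
    }
    // Fixed behaviour from the Solution: look up the alias that applies (the identity keystore's alias when
    // no custom truststore is given) and fall back to the master secret only if no alias is configured or set.
    static char[] resolveAfterFix(boolean customTruststore, String truststoreAlias, AliasService aliases) {
        String alias = customTruststore ? truststoreAlias : KEYSTORE_PASSWORD_ALIAS;
        char[] password = alias == null ? null : aliases.getPasswordFromAlias(alias);
        return password != null ? password : aliases.getMasterSecret();
    }
    // The same KeyStore.load that JettySSLService.loadKeyStore performs; a wrong password surfaces as an IOException.
    static boolean opensKeystore(byte[] pkcs12, char[] password) {
        try {
            KeyStore.getInstance("PKCS12").load(new ByteArrayInputStream(pkcs12), password);
            return true;
        } catch (IOException | GeneralSecurityException e) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        char[] keystorePassword = "custom-keystore-pw".toCharArray(); // constructed; not the master secret
        KeyStore ks = KeyStore.getInstance("PKCS12"); // constructed in-memory stand-in for the custom TLS keystore
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, keystorePassword);
        Map<String, char[]> store = new HashMap<>();
        store.put(KEYSTORE_PASSWORD_ALIAS, keystorePassword);
        AliasService aliases = new AliasService() {
            public char[] getPasswordFromAlias(String alias) { return store.get(alias); }
            public char[] getMasterSecret() { return "master-secret".toCharArray(); } // constructed
        };
        // Reproduction scenario: client auth on, no custom truststore, keystore with its own password.
        System.out.println("before fix opens keystore: " + opensKeystore(out.toByteArray(), resolveBeforeFix(false, null, aliases)));
        System.out.println("after fix opens keystore:  " + opensKeystore(out.toByteArray(), resolveAfterFix(false, null, aliases)));
    }
}
```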

              People

              • Assignee: Robert Levas (rlevas)
              • Reporter: Robert Levas (rlevas)