Details
-
Bug
-
Status: Open
-
Minor
-
Resolution: Unresolved
-
1.19.1
-
None
-
None
Description
After upgrading NiFi Registry from 1.17.0 to 1.19.1, it stopped working with the following logged stacktrace:
nifi-registry-app.log
2023-01-20 09:09:50,530 WARN [main] o.apache.nifi.registry.jetty.JettyServer Failed to start web server... shutting down. org.apache.nifi.security.ssl.BuilderConfigurationException: Key Manager initialization failed at org.apache.nifi.security.ssl.StandardSslContextBuilder.getKeyManagers(StandardSslContextBuilder.java:120) at org.apache.nifi.security.ssl.StandardSslContextBuilder.build(StandardSslContextBuilder.java:55) at org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.buildSslContext(ApplicationServerConnectorFactory.java:147) at org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.<init>(ApplicationServerConnectorFactory.java:74) at org.apache.nifi.registry.jetty.JettyServer.configureConnectors(JettyServer.java:150) at org.apache.nifi.registry.jetty.JettyServer.<init>(JettyServer.java:101) at org.apache.nifi.registry.NiFiRegistry.<init>(NiFiRegistry.java:114) at org.apache.nifi.registry.NiFiRegistry.main(NiFiRegistry.java:168) Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446) at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90) at java.base/java.security.KeyStore.getKey(KeyStore.java:1057) at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145) at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70) at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271) at org.apache.nifi.security.ssl.StandardSslContextBuilder.getKeyManagers(StandardSslContextBuilder.java:118) ... 7 common frames omitted Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975) at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056) at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853) at java.base/com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:408) at java.base/com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:440) at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202) at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:387) at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:283) at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:381) ... 13 common frames omitted
The problem is that we had an empty value for nifi.registry.security.keyPasswd in nifi-registry.properties:
nifi-registry.properties
nifi.registry.security.keystore=./ssl/foo1.p12 nifi.registry.security.keystoreType=PKCS12 nifi.registry.security.keystorePasswd=foobar nifi.registry.security.keyPasswd=
Adding nifi.registry.security.keyPasswd (samme as keystorePasswd), the application starts:
nifi-registry.properties
nifi.registry.security.keystore=./ssl/foo1.p12 nifi.registry.security.keystoreType=PKCS12 nifi.registry.security.keystorePasswd=foobar nifi.registry.security.keyPasswd=foobar
See link to Slack thread below.
NiFi itself has no problem with nifi.registry.security.keyPasswd being empty, so there is a difference in behavior between the two applications.
Attachments
Issue Links
- links to