Apache NiFi / NIFI-2930

SSLContextFactory throws Exception when Keystore password differs from Key password


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.0.0
    • Fix Version/s: None
    • Component/s: Core Framework
    • Labels: None

    Description

      The SSLContextFactory class currently does not retrieve both the key password and the keystore password (only the keystore password is retrieved). The keystore password value in that class is used to load the keystore as well as to initialize the KeyManagerFactory. However, the KeyManagerFactory appears to expect the key password. If the key password has a different value from the keystore password, then the following exception occurs:

      Caused by: java.security.UnrecoverableKeyException: Cannot recover key
      at sun.security.provider.KeyProtector.recover(KeyProtector.java:328) ~[na:1.8.0_77]
      at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146) ~[na:1.8.0_77]
      at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56) ~[na:1.8.0_77]
      at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96) ~[na:1.8.0_77]
      at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70) ~[na:1.8.0_77]
      at java.security.KeyStore.getKey(KeyStore.java:1023) ~[na:1.8.0_77]
      at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133) ~[na:1.8.0_77]
      at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70) ~[na:1.8.0_77]
      at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) ~[na:1.8.0_77]
      at org.apache.nifi.io.socket.SSLContextFactory.<init>(SSLContextFactory.java:69) ~[nifi-socket-utils-1.0.0.2.0.0.0-579.jar:1.0.0.2.0.0.0-579]
      at org.apache.nifi.cluster.protocol.spring.ServerSocketConfigurationFactoryBean.getObject(ServerSocketConfigurationFactoryBean.java:45) ~[nifi-framework-cluster-protocol-1.0.0.2.0.0.0-579.jar:1.0.0.2.0.0.0-579]
      at org.apache.nifi.cluster.protocol.spring.ServerSocketConfigurationFactoryBean.getObject(ServerSocketConfigurationFactoryBean.java:30) ~[nifi-framework-cluster-protocol-1.0.0.2.0.0.0-579.jar:1.0.0.2.0.0.0-579]
      at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]

      I believe the fix is to also retrieve the key password from nifi properties and provide that value when initializing the KeyManagerFactory.
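The separation the description asks for, written out as an added example (this is not NiFi's SSLContextFactory code): the keystore password is used only to load the store, while the key password, which in NiFi would come from nifi.security.keyPasswd alongside nifi.security.keystorePasswd, is what KeyManagerFactory.init needs to recover the private key. The SunX509 algorithm is chosen explicitly because that is the key manager in the stack trace above, which recovers every key eagerly at init; the fallback to the keystore password when no key password is configured matches keytool's default behaviour.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class KeyPasswordSslContext {

    /** Builds an SSLContext from a keystore whose key password may differ from its store password. */
    public static SSLContext build(String keystorePath, String keystoreType,
                                   char[] keystorePasswd, char[] keyPasswd) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(keystoreType);
        try (InputStream in = Files.newInputStream(Paths.get(keystorePath))) {
            keyStore.load(in, keystorePasswd);   // store password only checks store integrity
        }
        // Private key entries carry their own password. Passing keystorePasswd here is the
        // bug from the report: KeyStore.getKey() then fails with UnrecoverableKeyException.
        // An unset/empty key password falls back to the store password (keytool's default).
        char[] effectiveKeyPasswd = (keyPasswd == null || keyPasswd.length == 0)
                ? keystorePasswd : keyPasswd;
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(keyStore, effectiveKeyPasswd);
        // The same store doubles as the trust store to keep the example self-contained.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Create a test store with distinct passwords first (JKS, since PKCS12 ignores -keypass):
        //   keytool -genkeypair -keystore ks.jks -storetype JKS -storepass storepass \
        //           -keypass keypass -alias nifi -keyalg RSA -dname CN=test
        String path = args.length > 0 ? args[0] : "ks.jks";
        try {
            build(path, "JKS", "storepass".toCharArray(), "storepass".toCharArray());
            System.out.println("store password used as key password: OK");
        } catch (UnrecoverableKeyException e) {
            // This is the failure mode reported above: "Cannot recover key"
            System.out.println("store password used as key password: " + e.getMessage());
        }
        build(path, "JKS", "storepass".toCharArray(), "keypass".toCharArray());
        System.out.println("distinct key password: OK");
    }
}
```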


People

    Assignee: Unassigned
    Reporter: Yolanda M. Davis
