Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-2930

SSLContextFactory throws Exception when Keystore password differs from Key password

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.0.0
    • Fix Version/s: None
    • Component/s: Core Framework
    • Labels:
      None

      Description

      The SSLContextFactory class currently does not retrieve both key password and keystore password (only the keystore password is retrieved). The keystore password value in that class is used to load the keystore as well as initialize the KeyManagerFactory. However the KeyManagerFactory appears to expect the key password. If the key password has a different value from the keystore password, then the following exception occurs:

      Caused by: java.security.UnrecoverableKeyException: Cannot recover key
      at sun.security.provider.KeyProtector.recover(KeyProtector.java:328) ~[na:1.8.0_77]
      at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146) ~[na:1.8.0_77]
      at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56) ~[na:1.8.0_77]
      at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96) ~[na:1.8.0_77]
      at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70) ~[na:1.8.0_77]
      at java.security.KeyStore.getKey(KeyStore.java:1023) ~[na:1.8.0_77]
      at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133) ~[na:1.8.0_77]
      at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70) ~[na:1.8.0_77]
      at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) ~[na:1.8.0_77]
      at org.apache.nifi.io.socket.SSLContextFactory.<init>(SSLContextFactory.java:69) ~[nifi-socket-utils-1.0.0.2.0.0.0-579.jar:1.0.0.2.0.0.0-579]
      at org.apache.nifi.cluster.protocol.spring.ServerSocketConfigurationFactoryBean.getObject(ServerSocketConfigurationFactoryBean.java:45) ~[nifi-framework-cluster-protocol-1.0.0.2.0.0.0-579.jar:1.0.0.2.0.0.0-579]
      at org.apache.nifi.cluster.protocol.spring.ServerSocketConfigurationFactoryBean.getObject(ServerSocketConfigurationFactoryBean.java:30) ~[nifi-framework-cluster-protocol-1.0.0.2.0.0.0-579.jar:1.0.0.2.0.0.0-579]
      at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]

      I believe the fix is to also retrieve the key password from nifi properties and provide that value when initializing the KeyManagerFactory.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                YolandaMDavis Yolanda M. Davis
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated: