Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-2930

SSLContextFactory throws Exception when Keystore password differs from Key password

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.0.0
    • None
    • Core Framework
    • None

    Description

      The SSLContextFactory class currently does not retrieve both key password and keystore password (only the keystore password is retrieved). The keystore password value in that class is used to load the keystore as well as initialize the KeyManagerFactory. However the KeyManagerFactory appears to expect the key password. If the key password has a different value from the keystore password, then the following exception occurs:

      Caused by: java.security.UnrecoverableKeyException: Cannot recover key
      at sun.security.provider.KeyProtector.recover(KeyProtector.java:328) ~[na:1.8.0_77]
      at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146) ~[na:1.8.0_77]
      at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56) ~[na:1.8.0_77]
      at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96) ~[na:1.8.0_77]
      at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70) ~[na:1.8.0_77]
      at java.security.KeyStore.getKey(KeyStore.java:1023) ~[na:1.8.0_77]
      at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133) ~[na:1.8.0_77]
      at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70) ~[na:1.8.0_77]
      at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) ~[na:1.8.0_77]
      at org.apache.nifi.io.socket.SSLContextFactory.<init>(SSLContextFactory.java:69) ~[nifi-socket-utils-1.0.0.2.0.0.0-579.jar:1.0.0.2.0.0.0-579]
      at org.apache.nifi.cluster.protocol.spring.ServerSocketConfigurationFactoryBean.getObject(ServerSocketConfigurationFactoryBean.java:45) ~[nifi-framework-cluster-protocol-1.0.0.2.0.0.0-579.jar:1.0.0.2.0.0.0-579]
      at org.apache.nifi.cluster.protocol.spring.ServerSocketConfigurationFactoryBean.getObject(ServerSocketConfigurationFactoryBean.java:30) ~[nifi-framework-cluster-protocol-1.0.0.2.0.0.0-579.jar:1.0.0.2.0.0.0-579]
      at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]

      I believe the fix is to also retrieve the key password from nifi properties and provide that value when initializing the KeyManagerFactory.

      Attachments

        Issue Links

          is related to

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-1478 Audit SSLContextFactory and SSLSocketFactory usage throughout application

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-2466 SSLContextService should support specifying Key Password

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              YolandaMDavis Yolanda M. Davis
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated: