Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Keystore Problems
  • From: David C Fuhs <dfuhs@xxxxxxxxxxxx>
  • Date: Tue, 26 May 2020 18:07:30 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=csuchico.edu; dmarc=pass action=none header.from=csuchico.edu; dkim=pass header.d=csuchico.edu; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=X/WUpsu7P5SCckDH8R1Fmwt9xoGVNcFwkfqpevlJvVU=; b=XCEHrPIESISvtluUZjNI+Z5tetDoRCnG9RKqt0WZrketHPFF59n3T6BbJ1xFyEs+cD4l3QaLqWAv3QftB+fSTebiKvX+U0EXBVh/4lTp3hTFXJwymLwf6maJOHoGQjXkP2UYU35PJuICGBYHpGKe6cUbPaXyNmS9oya/gtJ0Oc+iehC5h6p8b8IoyMFtqth+iGplpAGsl82yJ3KKiImESKjM5qLxNo/xqdeWz4alGfhiRXkpqN/NDoCwlRlpG9QYnLYyqIdDcMaR5TG1CrahOXr0SWPrjOEOhjG6+KyYZr33Yt/7hrbvH8Po8HVzwduzyFCFTXRCKKCDWj/kFpRjKQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XRDEDZHIlRAaXpoHUo4gwlB5RDRy7R73+fIp7N+FCM79bHqboKeRHJ0Tn/iYOopAli22VtH8psbuUGv80j8UIDTJ/8wI0rDUGLfJunF5Atufj9R60V58eSnopels4AmdIvtsHdu7rxKQOEDGI2HerXuE9HII7aGtsqkQWx5lthGT6H5vi6i0Bs70/CJhT20lgszSaN+Nk8q8JwgB/FYddtKv9mM1dZVwmzh8H4FnIS9/Z5M5gpDKmrtqVpyfUf+wbazHJTmC4p73K0rp9cXs0p447KQKghmNyJKsuQvChVdlb8UBPIiyFzaCeCqMtI8uhL8MFKihagi4TlOoPiDjSg==
  • Delivered-to: jetty-users@xxxxxxxxxxx
  • List-archive: <https://www.eclipse.org/mailman/private/jetty-users>
  • List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
  • List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
  • List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
  • Thread-index: AQHWM4HEdKGZuhwOFkGPJtv7A0Zclqi6pOwAgAACiBg=
  • Thread-topic: [jetty-users] Keystore Problems
To generate the private key:
openssl genrsa 4096 > new_host.key

To combine the SSL certificate plus CA certificates into one file:
cat ssl_cert interm_certs > combined_certs
Results in a file with the SSL certificate first, followed by the intermediate certificates, with the root CA certificate last in the file.

Stack traces follow, the first is using the JKS version of the keystore, the second with the PKCS12 version of the keystore.

2020-05-26 09:25:18,652 - INFO [org.eclipse.jetty.server.AbstractConnector:331] - Started ServerConnector@1db9adf3{HTTP/1.1, (http/1.1)}{127.0.0.1:8080}
2020-05-26 09:25:18,653 - WARN [org.eclipse.jetty.xml.XmlConfiguration:1938] -
java.security.PrivilegedActionException: null
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1878)
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
        at java.base/sun.security.provider.KeyProtector.recover(KeyProtector.java:304)
        at java.base/sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:144)
        at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
        at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
        at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
        at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
        at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
        at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1234)
        at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2260)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.server.Server.doStart(Server.java:385)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.xml.XmlConfiguration.lambda$main$1(XmlConfiguration.java:1929)
        ... 2 common frames omitted
2020-05-26 09:27:45,314 - INFO [org.eclipse.jetty.util.log:169] - Logging initialized @532ms to org.eclipse.jetty.util.log.Slf4jLog



2020-05-26 09:28:17,693 - INFO [org.eclipse.jetty.server.AbstractConnector:331] - Started ServerConnector@131fa25c{HTTP/1.1, (http/1.1)}{127.0.0.1:8080}
2020-05-26 09:28:17,694 - WARN [org.eclipse.jetty.xml.XmlConfiguration:1938] -
java.security.PrivilegedActionException: null
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1878)
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:462)
        at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
        at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
        at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
        at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
        at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
        at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1234)
        at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2260)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.server.Server.doStart(Server.java:385)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.xml.XmlConfiguration.lambda$main$1(XmlConfiguration.java:1929)
        ... 2 common frames omitted
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
        at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
        at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
        at java.base/com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:408)
        at java.base/com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:440)
        at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:406)
        at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:295)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:400)
        ... 25 common frames omitted
2020-05-26 


David Fuhs
Information Security Office
California State University, Chico
dfuhs@xxxxxxxxxxxx
530-898-4852


From: jetty-users-bounces@xxxxxxxxxxx <jetty-users-bounces@xxxxxxxxxxx> on behalf of Joakim Erdfelt <joakim@xxxxxxxxxxx>
Sent: Tuesday, May 26, 2020 10:49 AM
To: JETTY user mailing list <jetty-users@xxxxxxxxxxx>
Subject: Re: [jetty-users] Keystore Problems
 
How were new_host.key and combined_certs created?

Also, can you provide the complete stacktraces?

Joakim Erdfelt / joakim@xxxxxxxxxxx


On Tue, May 26, 2020 at 12:44 PM David C Fuhs <dfuhs@xxxxxxxxxxxx> wrote:
Good morning all:

Red Hat Enterprise Linux Server release 7.8 (Maipo)
jetty-distribution-9.4.28.v20200408
java-11-openjdk-11.0.7.10-4.el7_8.x86_64
jetty.ssl.port=8443

Generated a new private key (without a password) using openssl.
Generated a certificate request.
Received new SSL certificate, plus intermediate and CA certificates.

The goal: create a new keystore (preferably PKCS12) that works with Jetty.

Following instructions at:

Combined the new SSL certificate + intermediate certificates + root certificate in one file in that order (combined_certs).

openssl pkcs12 -export -inkey new_host.key -in combined_certs -out abc.pkcs12

Import into keystore:

keytool -importkeystore -srckeystore abc.pkcs12 -srckeystore PKCS12 -destkeystore abc.jks

Followed recommendation to convert JKS to PKCS12:

keytool -importkeystore -srckeystore abc.jks -destkeystore abc.p12 -deststoretype pkcs12

The commands above all complete successfully (prompts for passphrases and passphrase itself omitted).

At this point, we have two keystores, one JKS and one PCKS12:

However, Jetty fails to start correctly with either.

Startup error when using the JKS keystore:
PrivilegedActionException: null
Caused by: java.security.UnrecoverableKeyException: Cannot recover key

Startup error when using the PKCS12 keystore:
PrivilegedActionException: null
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded.  Such issues arise if a bad key is used during decryption.

Also ran the same processes as above, but with the private key added first to the file containing the certificates, but with similar Jetty failures on startup.

What am I missing?

Exactly what steps are required to get from a valid RSA private key + SSL certificate + intermediate and CA certificates (generated by openssl) to a working PKCS12 keystore?

Thanks in advance.

David Fuhs
Information Security Office
California State University, Chico
530-898-4852

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users

Back to the top