Bug 1960024

Summary: JDK-8266279: 8u292 NoSuchAlgorithmException unrecognized algorithm name: PBEWithSHA1AndDESede
Product: Red Hat Enterprise Linux 7 Reporter: Mike Millson <mmillson>
Component: java-1.8.0-openjdkAssignee: Andrew John Hughes <ahughes>
Status: CLOSED ERRATA QA Contact: OpenJDK QA <java-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.9CC: aakhtar, ahughes, aipatil, asaji, casantos, dmasirka, jandrlik, jreznik, jvanek, jwright, laszomor, mbabacek, musman, pesilva, sgehwolf, yoliynyk, zzambers
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: java-1.8.0-openjdk-1.8.0.292.b10-2.el7_9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-21 12:50:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mike Millson 2021-05-12 19:51:11 UTC 
Upgrading from the RH build of OpenJDK 8 u282 to u292, JBoss EAP 7.3.6 fails to start with the following error:

2021-05-12 03:03:05,766 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ApplicationRealm.key-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ApplicationRealm.key-manager: Failed to start service
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1731)
    at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0018: Unable to start service
    at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:179)
    at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:128)
    at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:93)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
    ... 6 more
Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0018: Unable to start service
    at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:147)
    at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:175)
    ... 10 more
Caused by: java.security.KeyStoreException: Key protection  algorithm not found: java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede
    at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:677)
    at sun.security.pkcs12.PKCS12KeyStore.engineSetEntry(PKCS12KeyStore.java:1384)
    at java.security.KeyStore.setEntry(KeyStore.java:1557)
    at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:135)
    ... 11 more
Caused by: java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede
    at sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:921)
    at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:614)
    ... 14 more
Caused by: java.security.NoSuchAlgorithmException: unrecognized algorithm name: PBEWithSHA1AndDESede
    at sun.security.x509.AlgorithmId.get(AlgorithmId.java:448)
    at sun.security.pkcs12.PKCS12KeyStore.mapPBEAlgorithmToOID(PKCS12KeyStore.java:938)
    at sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:895)

It looks to be caused by this upstream issue:
https://bugs.openjdk.java.net/browse/JDK-8266279
Comment 5 Severin Gehwolf 2021-05-17 12:14:38 UTC 
This looks to be an 8u-only issue which seems fixed by the backport of JDK-8242565. At least the reproducer from JDK-8266279 fails for me for unpatched JDK 8u, passes with JDK 11 and passes with patched JDK 8u (patch from JDK-8242565).

Unpatched JDK 8u:

$ java -showversion -cp bcprov-jdk15on-168.jar:. TestAlgorithm
openjdk version "1.8.0_292"
OpenJDK Runtime Environment (build 1.8.0_292-b10)
OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)

Exception in thread "main" java.security.NoSuchAlgorithmException: unrecognized algorithm name: PBEWithSHA1AndDESede
	at sun.security.x509.AlgorithmId.get(AlgorithmId.java:448)
	at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:137)
	at TestAlgorithm.main(TestAlgorithm.java:8)


Patched JDK 8u:

$ java -showversion -cp bcprov-jdk15on-168.jar:. TestAlgorithm
openjdk version "1.8.0_292-internal"
OpenJDK Runtime Environment (build 1.8.0_292-internal-b05)
OpenJDK 64-Bit Server VM (build 25.292-b05, mixed mode)

JDK 11u:

$ java -showversion -cp bcprov-jdk15on-168.jar:. TestAlgorithm
openjdk version "11.0.11" 2021-04-20
OpenJDK Runtime Environment 18.9 (build 11.0.11+9)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.11+9, mixed mode, sharing)
Comment 6 zzambers 2021-05-17 15:11:30 UTC 
There is also this github issued against BouncyCastle (which seems related):
https://github.com/bcgit/bc-java/issues/941

Some (possible) workarounds are discussed there.
Comment 18 Andrew John Hughes 2021-06-03 00:17:40 UTC 
*** Bug 1964531 has been marked as a duplicate of this bug. ***
Comment 52 errata-xmlrpc 2021-07-21 12:50:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: java-1.8.0-openjdk security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2845
Comment 54 Andrew John Hughes 2021-07-21 15:51:45 UTC 
The fix is also in the new RHEL 8.4 update to 8u302: https://access.redhat.com/errata/RHSA-2021:2776