Bug 1023084 - [GSS] (6.3.0) Bug in JBossJSSESecurityDomain.java - attempting to use wrong provider
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
6.1.1
: ER4
: EAP 6.3.0
Assigned To: Anil Saldhana
Josef Cacek
Russell Dickenson
Blocks: 1067574 1067584
Reported: 2013-10-24 11:08 EDT by Derek Horton
Modified: 2014-08-11 22:08 EDT
Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP 6 included a bug which caused JBossJSSESecurityDomain.java to attempt to use the keystore/truststore provider to get instances of the trust manager. This behavior was incorrect as the "trust-manager-factory-provider" setting cannot be used in the JSSE section of a security domain. Using this setting (even if properly configured) would result in an exception during start up. This bug has been resolved in this release and the "trust-manager-factory-provider" setting can now be used to set the `trustManagerFactoryProvider`.
: 1067574
Last Closed: 2014-06-28 11:53:46 EDT
Type: Bug
External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
JBoss Issue Tracker | SECURITY-762 | Major | Resolved | Bug in JBossJSSESecurityDomain.java - attempting to use wrong provider | 2014-07-24 03:27:00 EDT

Description Derek Horton 2013-10-24 11:08:01 EDT
Description of problem:
There is a bug in JBossJSSESecurityDomain.java where it attempts to use the keystore/truststore provider to get instances of the trust manager.

The code reads:
         if (trustManagerFactoryProvider != null)
            trustManagerFactory = TrustManagerFactory.getInstance(algorithm, trustStoreProvider);
         else
            trustManagerFactory = TrustManagerFactory.getInstance(algorithm);


I think it should read:
         if (trustManagerFactoryProvider != null)
            trustManagerFactory = TrustManagerFactory.getInstance(algorithm, trustManagerFactoryProvider);
         else
            trustManagerFactory = TrustManagerFactory.getInstance(algorithm);


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
Set up a security-domain that defines a JSSE keystore/truststore:
+                    <!--
+                    <jsse keystore-url="/home/dehort/dev/java/jboss-eap-6.1.1/standalone/configuration/server.keystore"
+                      keystore-password="123456" 
+                      key-manager-factory-algorithm="SunX509" 
+                      key-manager-factory-provider="SunJSSE"/>
+                    -->
+                    <jsse truststore-url="/home/dehort/dev/java/jboss-eap-6.1.1/standalone/configuration/server.keystore"
+                      truststore-password="123456" 
+                      trust-manager-factory-algorithm="SunX509" 
+                      trust-manager-factory-provider="SunJSSE"/>

Actual results:


Expected results:


Additional info:
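
The two lookups quoted in the description, as a stand-alone reproduction added here (example code, not part of the original report and not PicketBox source). It assumes both provider settings are plain String names and that an unset truststore provider leaves the field null; the "SUN" truststore provider is a constructed case.

```java
import java.security.GeneralSecurityException;
import javax.net.ssl.TrustManagerFactory;

// Added illustration (Java 8+), not PicketBox source. Assumes both provider settings are String names.
public class TrustManagerProviderDemo {
    static final String ALGORITHM = "SunX509"; // trust-manager-factory-algorithm in the report

    interface Lookup {
        TrustManagerFactory get(String trustStoreProvider, String trustManagerFactoryProvider)
                throws GeneralSecurityException;
    }

    // As quoted under "The code reads": the guard tests one field, the call passes the other.
    static TrustManagerFactory buggy(String trustStoreProvider, String trustManagerFactoryProvider)
            throws GeneralSecurityException {
        if (trustManagerFactoryProvider != null)
            return TrustManagerFactory.getInstance(ALGORITHM, trustStoreProvider);
        return TrustManagerFactory.getInstance(ALGORITHM);
    }

    // As quoted under "I think it should read".
    static TrustManagerFactory fixed(String trustStoreProvider, String trustManagerFactoryProvider)
            throws GeneralSecurityException {
        if (trustManagerFactoryProvider != null)
            return TrustManagerFactory.getInstance(ALGORITHM, trustManagerFactoryProvider);
        return TrustManagerFactory.getInstance(ALGORITHM);
    }

    // Reports which provider actually served the factory, or how the lookup failed.
    static String outcome(Lookup lookup, String trustStoreProvider, String trustManagerFactoryProvider) {
        try {
            TrustManagerFactory tmf = lookup.get(trustStoreProvider, trustManagerFactoryProvider);
            return "ok, served by " + tmf.getProvider().getName();
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Report's <jsse> element: trust-manager-factory-provider set, no truststore provider.
        // The JDK rejects a null provider name, so the buggy lookup fails.
        System.out.println("buggy, truststore provider unset: " + outcome(TrustManagerProviderDemo::buggy, null, "SunJSSE"));
        // Constructed case: "SUN" supplies keystores but no TrustManagerFactory, so it fails too.
        System.out.println("buggy, truststore provider SUN:   " + outcome(TrustManagerProviderDemo::buggy, "SUN", "SunJSSE"));
        // The corrected lookup ignores the truststore provider and asks SunJSSE.
        System.out.println("fixed, truststore provider unset: " + outcome(TrustManagerProviderDemo::fixed, null, "SunJSSE"));
        System.out.println("fixed, truststore provider SUN:   " + outcome(TrustManagerProviderDemo::fixed, "SUN", "SunJSSE"));
    }
}
```

Printing the provider name from `getProvider()` is also a quick way to confirm, after an upgrade, that the trust manager comes from the provider named in `trust-manager-factory-provider`.
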
Comment 1 Derek Horton 2013-10-29 12:13:25 EDT
Fixed.  Checked into:
https://svn.jboss.org/repos/picketbox/branches/eap62
Comment 5 Scott Mumford 2014-05-12 22:43:41 EDT
Included release note text from duplicate bug 1067574. Marking for inclusion in 6.3.0 Release Notes.
Comment 7 Derek Horton 2014-05-14 09:52:36 EDT
Fixed in 4.0.19.SP6 which, based on 1088897, should be used in 6.3.0.
Comment 8 Hynek Mlnarik 2014-05-14 11:00:11 EDT
Verified in EAP 6.3.0.ER4
Comment 9 Nichola Moore 2014-05-15 00:57:23 EDT
As per bz 1097167, this has been set back to known issue.

I removed the doc text so here it is, ready to be reinstated:

Previous versions of JBoss EAP 6 included a bug which caused JBossJSSESecurityDomain.java to attempt to use the keystore/truststore provider to get instances of the trust manager. This behavior was incorrect as the "trust-manager-factory-provider" setting cannot be used in the JSSE section of a security domain.  Using this setting (even if properly configured) would result in an exception during start up. This bug has been resolved in this release and the "trust-manager-factory-provider" setting can now be used to set the `trustManagerFactoryProvider`.
Comment 10 Nichola Moore 2014-05-15 00:58:28 EDT
Reinstated doc text.
Comment 11 Scott Mumford 2014-07-17 00:11:24 EDT
Making public for inclusion in 6.3.0 Release Notes.
