Bug 1023084 - [GSS] (6.3.0) Bug in JBossJSSESecurityDomain.java - attempting to use wrong provider
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.1.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ER4
: EAP 6.3.0
Assignee: Anil Saldhana
QA Contact: Josef Cacek
Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks: 1067574 1067584
Reported: 2013-10-24 15:08 UTC by Derek Horton
Modified: 2014-08-12 02:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP 6 included a bug which caused JBossJSSESecurityDomain.java to attempt to use the keystore/truststore provider to get instances of the trust manager. This behavior was incorrect as the "trust-manager-factory-provider" setting cannot be used in the JSSE section of a security domain. Using this setting (even if properly configured) would result in an exception during startup. This bug has been resolved in this release and the "trust-manager-factory-provider" setting can now be used to set the `trustManagerFactoryProvider`.
Clone Of:
: 1067574 (view as bug list)
Environment:
Last Closed: 2014-06-28 15:53:46 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SECURITY-762 0 Major Resolved Bug in JBossJSSESecurityDomain.java - attempting to use wrong provider 2014-07-24 07:27:00 UTC

Description Derek Horton 2013-10-24 15:08:01 UTC
Description of problem:
There is a bug in JBossJSSESecurityDomain.java where it attempts to use the keystore/truststore provider to get instances of the trust manager.

The code reads:
         if (trustManagerFactoryProvider != null)
            trustManagerFactory = TrustManagerFactory.getInstance(algorithm, trustStoreProvider);
         else
            trustManagerFactory = TrustManagerFactory.getInstance(algorithm);


I think it should read:
         if (trustManagerFactoryProvider != null)
            trustManagerFactory = TrustManagerFactory.getInstance(algorithm, trustManagerFactoryProvider);
         else
            trustManagerFactory = TrustManagerFactory.getInstance(algorithm);


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
Set up a security-domain that defines a JSSE keystore/truststore:
+                    <!--
+                    <jsse keystore-url="/home/dehort/dev/java/jboss-eap-6.1.1/standalone/configuration/server.keystore"
+                      keystore-password="123456" 
+                      key-manager-factory-algorithm="SunX509" 
+                      key-manager-factory-provider="SunJSSE"/>
+                    -->
+                    <jsse truststore-url="/home/dehort/dev/java/jboss-eap-6.1.1/standalone/configuration/server.keystore"
+                      truststore-password="123456" 
+                      trust-manager-factory-algorithm="SunX509" 
+                      trust-manager-factory-provider="SunJSSE"/>

Actual results:


Expected results:


Additional info:
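
The following is an added example, not part of the original report and not PicketBox code. It reproduces the lookup from the description outside the application server to show why passing the truststore provider fails. The class and method names are hypothetical, "SUN" is a constructed truststore provider value, and a JDK that ships the SunJSSE provider is assumed.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical stand-alone harness; only the if/else mirrors the report.
class TrustManagerProviderCheck {

    // factoryProvider decides which branch runs (as in the report);
    // providerPassed is the value actually handed to getInstance().
    static String resolve(String algorithm, String factoryProvider, String providerPassed) {
        try {
            TrustManagerFactory tmf;
            if (factoryProvider != null)
                tmf = TrustManagerFactory.getInstance(algorithm, providerPassed);
            else
                tmf = TrustManagerFactory.getInstance(algorithm);
            return "OK, served by provider " + tmf.getProvider().getName();
        } catch (IllegalArgumentException      // provider name null or empty
                 | NoSuchProviderException     // provider not registered
                 | NoSuchAlgorithmException e) {  // provider has no such factory
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Values from the <jsse> element in the steps to reproduce.
        String algorithm = "SunX509";
        String trustManagerFactoryProvider = "SunJSSE";
        // No truststore provider is configured in the report, so it stays null.
        String trustStoreProvider = null;

        // Buggy form: branch chosen by trustManagerFactoryProvider,
        // but the (unset) truststore provider is passed to the lookup.
        System.out.println("buggy, truststore provider unset: "
                + resolve(algorithm, trustManagerFactoryProvider, trustStoreProvider));

        // Buggy form with a truststore provider set ("SUN" is a constructed
        // value): a keystore provider need not offer a TrustManagerFactory.
        System.out.println("buggy, truststore provider SUN:   "
                + resolve(algorithm, trustManagerFactoryProvider, "SUN"));

        // Form proposed in the report: pass the factory provider itself.
        System.out.println("proposed fix:                     "
                + resolve(algorithm, trustManagerFactoryProvider, trustManagerFactoryProvider));
    }
}
```

`TrustManagerFactory.getInstance(String, String)` is specified to throw `IllegalArgumentException` when the provider name is null or empty, which is the case the report's configuration hits when only "trust-manager-factory-provider" is set.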

Comment 1 Derek Horton 2013-10-29 16:13:25 UTC
Fixed.  Checked into:
https://svn.jboss.org/repos/picketbox/branches/eap62

Comment 5 Scott Mumford 2014-05-13 02:43:41 UTC
Included release note text from duplicate bug 1067574. Marking for inclusion in 6.3.0 Release Notes.

Comment 7 Derek Horton 2014-05-14 13:52:36 UTC
Fixed in 4.0.19.SP6, which, based on 1088897, should be used in 6.3.0.

Comment 8 Hynek Mlnarik 2014-05-14 15:00:11 UTC
Verified in EAP 6.3.0.ER4

Comment 9 Nichola Moore 2014-05-15 04:57:23 UTC
As per bz 1097167, this has been set back to known issue.

I removed the doc text so here it is, ready to be reinstated:

Previous versions of JBoss EAP 6 included a bug which caused JBossJSSESecurityDomain.java to attempt to use the keystore/truststore provider to get instances of the trust manager. This behavior was incorrect as the "trust-manager-factory-provider" setting cannot be used in the JSSE section of a security domain. Using this setting (even if properly configured) would result in an exception during startup. This bug has been resolved in this release and the "trust-manager-factory-provider" setting can now be used to set the `trustManagerFactoryProvider`.

Comment 10 Nichola Moore 2014-05-15 04:58:28 UTC
Reinstated doc text.

Comment 11 Scott Mumford 2014-07-17 04:11:24 UTC
Making public for inclusion in 6.3.0 Release Notes.

