1569958 – [GSS] (6.4.z) Invalid Secret Key when using a vault and JDK 1.8.0_171

Bug 1569958 - [GSS] (6.4.z) Invalid Secret Key when using a vault and JDK 1.8.0_171

Summary: [GSS] (6.4.z) Invalid Secret Key when using a vault and JDK 1.8.0_171

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Security
Sub Component:
Version:	6.4.19
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	CR1
Target Release:	EAP 6.4.21
Assignee:	Radovan STANCEL
QA Contact:	Peter Mackay
Docs Contact:
URL:
Whiteboard:
Depends On:	CVE-2018-2794
Blocks:	1570837 eap6421-payload 1570200
TreeView+	depends on / blocked

Reported:	2018-04-20 11:28 UTC by Ricardo Martin
Modified:	2021-12-10 16:00 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-08-19 12:44:06 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	JBEAP-14660	Major	Closed	[GSS](7.0.z) Invalid Secret Key when using a vault and JDK 1.8.0_171	2020-09-08 01:59:09 UTC
Red Hat Issue Tracker	JBEAP-14661	Major	Closed	[GSS](7.1.z) Invalid Secret Key when using a vault and JDK 1.8.0_171	2020-09-08 01:59:09 UTC
Red Hat Knowledge Base (Solution)	3419621	None	None	None	2018-04-20 14:25:46 UTC

Description Ricardo Martin 2018-04-20 11:28:10 UTC

Description of problem:

The following exception is thrown when using vault and JDK 1.8.0_171+ (EAP startup and "vault.sh" script):

java.lang.Exception: WFLYSEC0045: Exception encountered:
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:192)
    at org.jboss.as.security.vault.VaultSession.startVaultSession(VaultSession.java:210)
    at org.jboss.as.security.vault.VaultTool.execute(VaultTool.java:193)
    at org.jboss.as.security.vault.VaultTool.main(VaultTool.java:83)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.modules.Module.run(Module.java:335)
    at org.jboss.modules.Main.main(Main.java:505)
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:210)
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:189)
    ... 9 more
Caused by: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:691)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:205)
    ... 10 more
Caused by: java.io.IOException: Invalid secret key format
    at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:856)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:201)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:151)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:688)
    ... 11 more


Version-Release number of selected component (if applicable):

6.4.x and JDK 1.8.0_171.


How reproducible:

Just create/configure a vault and use JDK 1.8.0_171+, for example doing the following vault command:

./vault.sh -keystore ${JBOSS_HOME}/vault/vault.keystore --keystore-password XXXXX -alias vault --vault-block vb --attribute password --sec-attr YYYYY --enc-dir ${JBOSS_HOME}/vault --iteration 120 --salt 1234abcd


Additional info:

The info seems to be produced by a change in openjdk. See:

https://bugzilla.redhat.com/show_bug.cgi?id=1567126

Comment 1 Ricardo Martin 2018-04-20 11:32:51 UTC

It seems that now the picketbox module has no access to "sun.jdk" module so it cannot check if the class is wrapped using a "com.sun.crypto.provider.SealedObjectForKeyProtector" as now JDK is checking. So for me it was resolved just adding this dependency line:

<module name="sun.jdk"/>

to "org/picketbox/main/module.xml" file in the correct CP.

Comment 13 rajveer singh shakya 2019-11-21 05:52:18 UTC

If jboss EAP 7.0.0 is having any issue with start or ldap configuration add dependency <module name="sun.jdk"/> to below file
/opt/jbossas/jboss-eap-7.0/modules/system/layers/base/org/picketbox/main/module.xml

After apply Patch (jboss-eap-7.0.9-patch.zip) if jboss EAP server did not come up then add dependency <module name="sun.jdk"/> in below file


/opt/jbossas/jboss-eap-7.0/modules/system/layers/base/.overlays/layer-base-jboss-eap-7.0.9.CP/org/picketbox/main/module.xml

The above solution I have tested at my end and its working fine.

Please let me know if any other solution is also available fo jboss EAP 7.0

Thanks,
Rajveer Singh Shakya

Note You need to log in before you can comment on or make changes to this bug.