Bug 1569958 - [GSS] (6.4.z) Invalid Secret Key when using a vault and JDK 1.8.0_171
Summary: [GSS] (6.4.z) Invalid Secret Key when using a vault and JDK 1.8.0_171
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.19
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: CR1
: EAP 6.4.21
Assignee: Radovan STANCEL
QA Contact: Peter Mackay
URL:
Whiteboard:
Depends On: CVE-2018-2794
Blocks: 1570837 eap6421-payload 1570200
TreeView+ depends on / blocked
 
Reported: 2018-04-20 11:28 UTC by Ricardo Martin
Modified: 2019-11-21 05:52 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-19 12:44:06 UTC
Type: Bug


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3419621 None None None 2018-04-20 14:25:46 UTC
Red Hat One Jira Issue Tracker JBEAP-14660 Major Closed [GSS](7.0.z) Invalid Secret Key when using a vault and JDK 1.8.0_171 2020-03-26 04:43:50 UTC
Red Hat One Jira Issue Tracker JBEAP-14661 Major Closed [GSS](7.1.z) Invalid Secret Key when using a vault and JDK 1.8.0_171 2020-03-26 04:43:50 UTC

Description Ricardo Martin 2018-04-20 11:28:10 UTC
Description of problem:

The following exception is thrown when using vault and JDK 1.8.0_171+ (EAP startup and "vault.sh" script):

java.lang.Exception: WFLYSEC0045: Exception encountered:
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:192)
    at org.jboss.as.security.vault.VaultSession.startVaultSession(VaultSession.java:210)
    at org.jboss.as.security.vault.VaultTool.execute(VaultTool.java:193)
    at org.jboss.as.security.vault.VaultTool.main(VaultTool.java:83)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.modules.Module.run(Module.java:335)
    at org.jboss.modules.Main.main(Main.java:505)
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:210)
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:189)
    ... 9 more
Caused by: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:691)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:205)
    ... 10 more
Caused by: java.io.IOException: Invalid secret key format
    at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:856)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:201)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:151)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:688)
    ... 11 more


Version-Release number of selected component (if applicable):

6.4.x and JDK 1.8.0_171.


How reproducible:

Just create/configure a vault and use JDK 1.8.0_171+, for example doing the following vault command:

./vault.sh -keystore ${JBOSS_HOME}/vault/vault.keystore --keystore-password XXXXX -alias vault --vault-block vb --attribute password --sec-attr YYYYY --enc-dir ${JBOSS_HOME}/vault --iteration 120 --salt 1234abcd


Additional info:

The info seems to be produced by a change in openjdk. See:

https://bugzilla.redhat.com/show_bug.cgi?id=1567126

Comment 1 Ricardo Martin 2018-04-20 11:32:51 UTC
It seems that now the picketbox module has no access to "sun.jdk" module so it cannot check if the class is wrapped using a "com.sun.crypto.provider.SealedObjectForKeyProtector" as now JDK is checking. So for me it was resolved just adding this dependency line:

<module name="sun.jdk"/>

to "org/picketbox/main/module.xml" file in the correct CP.

Comment 13 rajveer singh shakya 2019-11-21 05:52:18 UTC
If jboss EAP 7.0.0 is having any issue with start or ldap configuration add dependency <module name="sun.jdk"/> to below file
/opt/jbossas/jboss-eap-7.0/modules/system/layers/base/org/picketbox/main/module.xml

After apply Patch (jboss-eap-7.0.9-patch.zip) if jboss EAP server did not come up then add dependency <module name="sun.jdk"/> in below file


/opt/jbossas/jboss-eap-7.0/modules/system/layers/base/.overlays/layer-base-jboss-eap-7.0.9.CP/org/picketbox/main/module.xml

The above solution I have tested at my end and its working fine.

Please let me know if any other solution is also available fo jboss EAP 7.0

Thanks,
Rajveer Singh Shakya


Note You need to log in before you can comment on or make changes to this bug.