Bug 1569958 - [GSS] (6.4.z) Invalid Secret Key when using a vault and JDK 1.8.0_171
Summary: [GSS] (6.4.z) Invalid Secret Key when using a vault and JDK 1.8.0_171
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.19
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR1
: EAP 6.4.21
Assignee: Radovan STANCEL
QA Contact: Peter Mackay
Depends On: CVE-2018-2794
Blocks: 1570837 eap6421-payload 1570200
Reported: 2018-04-20 11:28 UTC by Ricardo Martin
Modified: 2019-08-19 12:44 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-08-19 12:44:06 UTC
Type: Bug


External trackers:

System                             | ID          | Priority | Status | Summary                                                                  | Last Updated
Red Hat Knowledge Base (Solution)  | 3419621     | None     | None   | None                                                                     | 2018-04-20 14:25:46 UTC
JBoss Issue Tracker                | JBEAP-14660 | Major    | Closed | [GSS](7.0.z) Invalid Secret Key when using a vault and JDK 1.8.0_171     | 2019-07-15 08:07:26 UTC
JBoss Issue Tracker                | JBEAP-14661 | Major    | Closed | [GSS](7.1.z) Invalid Secret Key when using a vault and JDK 1.8.0_171     | 2019-07-15 08:07:26 UTC

Description Ricardo Martin 2018-04-20 11:28:10 UTC
Description of problem:

The following exception is thrown when using a vault and JDK 1.8.0_171+ (on EAP startup and from the "vault.sh" script):

java.lang.Exception: WFLYSEC0045: Exception encountered:
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:192)
    at org.jboss.as.security.vault.VaultSession.startVaultSession(VaultSession.java:210)
    at org.jboss.as.security.vault.VaultTool.execute(VaultTool.java:193)
    at org.jboss.as.security.vault.VaultTool.main(VaultTool.java:83)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.modules.Module.run(Module.java:335)
    at org.jboss.modules.Main.main(Main.java:505)
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:210)
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:189)
    ... 9 more
Caused by: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:691)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:205)
    ... 10 more
Caused by: java.io.IOException: Invalid secret key format
    at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:856)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:201)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:151)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:688)
    ... 11 more

Version-Release number of selected component (if applicable):

6.4.x and JDK 1.8.0_171.

How reproducible:

Just create/configure a vault and use JDK 1.8.0_171+, for example by running the following vault command:

./vault.sh -keystore ${JBOSS_HOME}/vault/vault.keystore --keystore-password XXXXX -alias vault --vault-block vb --attribute password --sec-attr YYYYY --enc-dir ${JBOSS_HOME}/vault --iteration 120 --salt 1234abcd

Additional info:

The info seems to be produced by a change in openjdk. See:


Comment 1 Ricardo Martin 2018-04-20 11:32:51 UTC
It seems that now the picketbox module has no access to the "sun.jdk" module, so it cannot check if the class is wrapped using a "com.sun.crypto.provider.SealedObjectForKeyProtector", as the JDK now checks. So for me it was resolved just by adding this dependency line:

<module name="sun.jdk"/>

to the "org/picketbox/main/module.xml" file in the correct CP.
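An added diagnostic (not code from this bug report, PicketBox or EAP) that exercises the same JCEKS path as the stack trace above (KeyStore.load -> JceKeyStore.engineLoad), but on the plain JDK classpath instead of inside the JBoss Modules classloader. If this loads the vault keystore fine on the same JDK while EAP or vault.sh fails, the file itself is readable and the module dependency described above is the likely cause; if this also fails, the keystore is unreadable by that JDK. It assumes the keystore path and password are passed as arguments; with no arguments it builds a throwaway JCEKS keystore holding one sealed AES key under the constructed alias "vault".

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class JceksVaultCheck {

    /** Load a JCEKS keystore and return the aliases holding secret-key entries. */
    static List<String> secretKeyAliases(File keystore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(keystore)) {
            ks.load(in, password); // this is the call that raises "Invalid secret key format"
        }
        List<String> aliases = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
                ks.getKey(alias, password); // unseals the entry, so it must be readable too
                aliases.add(alias);
            }
        }
        return aliases;
    }

    /** Constructed sample input: a temporary JCEKS keystore with one AES secret key. */
    static File createSampleVaultKeystore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        ks.setEntry("vault", new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(password));
        File f = File.createTempFile("vault", ".keystore");
        f.deleteOnExit();
        try (FileOutputStream out = new FileOutputStream(f)) {
            ks.store(out, password);
        }
        return f;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = args.length > 1 ? args[1].toCharArray() : "changeit".toCharArray();
        File f = args.length > 0 ? new File(args[0]) : createSampleVaultKeystore(pw);
        try {
            System.out.println("Secret-key aliases in " + f + ": " + secretKeyAliases(f, pw));
        } catch (IOException e) {
            System.out.println("JCEKS load failed on JDK " + System.getProperty("java.version") + ": " + e.getMessage());
        }
    }
}
```

Run it as `java JceksVaultCheck /path/to/vault/vault.keystore <password>` with the same JDK that EAP uses, so the comparison is between classloaders and not between JDK builds.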
