Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1569958 - [GSS] (6.4.z) Invalid Secret Key when using a vault and JDK 1.8.0_171
[GSS] (6.4.z) Invalid Secret Key when using a vault and JDK 1.8.0_171
Status: VERIFIED
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security (Show other bugs)
6.4.19
Unspecified Unspecified
unspecified Severity unspecified
: CR1
: EAP 6.4.21
Assigned To: Radovan STANCEL
Peter Mackay
:
Depends On: CVE-2018-2794
Blocks: eap6421-payload 1570837 1570200
  Show dependency treegraph
 
Reported: 2018-04-20 07:28 EDT by Ricardo Martin
Modified: 2018-09-06 04:40 EDT (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker JBEAP-14660 Major Closed [GSS](7.0.z) Invalid Secret Key when using a vault and JDK 1.8.0_171 2018-10-26 13:03 EDT
JBoss Issue Tracker JBEAP-14661 Major Closed [GSS](7.1.z) Invalid Secret Key when using a vault and JDK 1.8.0_171 2018-10-26 13:03 EDT
Red Hat Knowledge Base (Solution) 3419621 None None None 2018-04-20 10:25 EDT

  None (edit)
Description Ricardo Martin 2018-04-20 07:28:10 EDT 
Description of problem:

The following exception is thrown when using vault and JDK 1.8.0_171+ (EAP startup and "vault.sh" script):

java.lang.Exception: WFLYSEC0045: Exception encountered:
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:192)
    at org.jboss.as.security.vault.VaultSession.startVaultSession(VaultSession.java:210)
    at org.jboss.as.security.vault.VaultTool.execute(VaultTool.java:193)
    at org.jboss.as.security.vault.VaultTool.main(VaultTool.java:83)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.modules.Module.run(Module.java:335)
    at org.jboss.modules.Main.main(Main.java:505)
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:210)
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:189)
    ... 9 more
Caused by: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:691)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:205)
    ... 10 more
Caused by: java.io.IOException: Invalid secret key format
    at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:856)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:201)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:151)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:688)
    ... 11 more


Version-Release number of selected component (if applicable):

6.4.x and JDK 1.8.0_171.


How reproducible:

Just create/configure a vault and use JDK 1.8.0_171+, for example doing the following vault command:

./vault.sh -keystore ${JBOSS_HOME}/vault/vault.keystore --keystore-password XXXXX -alias vault --vault-block vb --attribute password --sec-attr YYYYY --enc-dir ${JBOSS_HOME}/vault --iteration 120 --salt 1234abcd


Additional info:

The info seems to be produced by a change in openjdk. See:

https://bugzilla.redhat.com/show_bug.cgi?id=1567126
Comment 1 Ricardo Martin 2018-04-20 07:32:51 EDT 
It seems that now the picketbox module has no access to "sun.jdk" module so it cannot check if the class is wrapped using a "com.sun.crypto.provider.SealedObjectForKeyProtector" as now JDK is checking. So for me it was resolved just adding this dependency line:

<module name="sun.jdk"/>

to "org/picketbox/main/module.xml" file in the correct CP.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.