[KNOX-1801] Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.3.0
Fix Version/s: 1.3.0
Component/s: Server
Labels:
None

Description

Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled.

Steps to reproduce

Create custom TLS keystore for Knox with a custom keystore password (not the master secret)
Specify the custom TLS keystore details in gateway-site.xml
- gateway.tls.keystore.password.alias
- gateway.tls.keystore.path
- gateway.tls.keystore.type
- gateway.tls.key.alias
- gateway.tls.key.passphrase.alias (optional)
Turn on client-auth
- gateway.client.auth.needed : true
Create password alias for the custom keystore using Knox CLI
- bin/knoxcli.sh create-alias gateway-identity-keystore-password --value <password>
(Re)Start the Gateway

The Gateway will fail to start with the following error in the gateway.log:

2019-03-04 11:03:15,921 FATAL knox.gateway (GatewayServer.java:main(168)) - Failed to start gateway: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at org.apache.knox.gateway.services.security.impl.JettySSLService.loadKeyStore(JettySSLService.java:257)
        at org.apache.knox.gateway.services.security.impl.JettySSLService.buildSslContextFactory(JettySSLService.java:222)
        at org.apache.knox.gateway.GatewayServer.createConnector(GatewayServer.java:373)
        at org.apache.knox.gateway.GatewayServer.start(GatewayServer.java:520)
        at org.apache.knox.gateway.GatewayServer.startGateway(GatewayServer.java:308)
        at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:161)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
        at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
        at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
        at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
        at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 17 more

Solution
Lookup password for the truststore using the appropriate alias name, falling back to the master secret if an alias is not configured or not set.

Attachments

Issue Links

is caused by

KNOX-1756 Knox Gateway TLS Keystore and Alias Should be Configurable

Closed

links to

GitHub Pull Request #63

Activity

People

Assignee:: Robert Levas

Reporter:: Robert Levas

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 04/Mar/19 16:17

Updated:: 21/Oct/19 14:25

Resolved:: 05/Mar/19 20:17

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1h 50m