Ricardo Martin Camarero created WFCORE-5064:
-----------------------------------------------
Summary: Incorrect use of KeyManagerFactory.getDefaultAlgorithm instead of TrustManagerFactory
Key: WFCORE-5064
URL: https://issues.redhat.com/browse/WFCORE-5064
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 13.0.0.Beta2
Reporter: Ricardo Martin Camarero
Assignee: Ricardo Martin Camarero
When configuring https using the old security-realm, the trust-manager factory is selected using [the line|https://github.com/wildfly/wildfly-core/blob/12.0.3.Final/domain-man...]:
{code:java}
trustManagerFactory = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
{code}
This is incorrect: the algorithm should come from {{TrustManagerFactory.getDefaultAlgorithm()}}. As a result, on OpenJDK we end up using the {{SunX509}} trust manager factory by default instead of the default {{PKIX}} implementation. The default values for both factories are defined in the {{java.security}} file shipped with the JDK:
{code:java}
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX
{code}
Using an exotic configuration can lead to an error if the KeyManagerFactory is configured to an algorithm that is not valid for the TrustManagerFactory ({{NewSunX509}}, for example).
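The following stand-alone class, added here and not part of the WildFly Core code base, puts the buggy selection beside the corrected one and reproduces the failure mode described above. Setting {{ssl.KeyManagerFactory.algorithm}} through {{Security.setProperty}} in-process is a constructed stand-in for editing {{java.security}}; the class and method names are illustrative.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Illustrates WFCORE-5064: choosing the TrustManagerFactory algorithm from
 * KeyManagerFactory.getDefaultAlgorithm() instead of its own default.
 */
public class TrustManagerDefaultDemo {

    // Buggy selection, as in the issue: the key manager side's default algorithm
    // is handed to the trust manager side. On stock OpenJDK this yields SunX509.
    static TrustManagerFactory buggySelection() throws NoSuchAlgorithmException {
        return TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    }

    // Corrected selection: each factory consults its own java.security property
    // (ssl.TrustManagerFactory.algorithm, PKIX on stock OpenJDK).
    static TrustManagerFactory fixedSelection() throws NoSuchAlgorithmException {
        return TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        System.out.println("KeyManagerFactory default:   " + KeyManagerFactory.getDefaultAlgorithm());
        System.out.println("TrustManagerFactory default: " + TrustManagerFactory.getDefaultAlgorithm());
        System.out.println("buggy picks: " + buggySelection().getAlgorithm());
        System.out.println("fixed picks: " + fixedSelection().getAlgorithm());

        // Constructed reproduction of the failure mode: NewSunX509 is a valid
        // KeyManagerFactory algorithm in SunJSSE but not a TrustManagerFactory one.
        // The issue describes this being set in java.security; here it is set
        // in-process so the demo is self-contained.
        Security.setProperty("ssl.KeyManagerFactory.algorithm", "NewSunX509");
        System.out.println("fixed still picks: " + fixedSelection().getAlgorithm());
        try {
            buggySelection();
            System.out.println("buggy unexpectedly succeeded");
        } catch (NoSuchAlgorithmException e) {
            // Expected: no TrustManagerFactory provider for "NewSunX509".
            System.out.println("buggy fails: " + e.getMessage());
        }
    }
}
```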
--
This message was sent by Atlassian Jira (v7.13.8#713008)