[JBoss JIRA] (WFLY-10138) TLS using PKCS11 and JDK9+ does not work by default
- First Post
- Replies
- Stats
-
Go to
- ----- 2025 -----
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
[
https://issues.jboss.org/browse/WFLY-10138?page=com.atlassian.jira.plugin...
]
Martin Choma commented on WFLY-10138:
-------------------------------------
Interesting. I see the issue also on jdk8, but just on solaris sparc. Rhel and windows
are OK
{code}
ERROR [org.xnio.listener] (XNIO-1 I/O-1) XNIO001007: A channel event listener threw an
exception: java.lang.RuntimeException: java.security.InvalidAlgorithmParameterException:
Key format must be RAW
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1527)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at
org.wildfly.security.ssl.AbstractDelegatingSSLEngine.wrap(AbstractDelegatingSSLEngine.java:48)
at org.xnio.ssl.JsseSslConduitEngine.engineWrap(JsseSslConduitEngine.java:353)
at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:310)
at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:204)
at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:98)
at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:72)
at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:150)
at
org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:385)
at
org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:372)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at
org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
Caused by: java.security.ProviderException:
java.security.InvalidAlgorithmParameterException: Key format must be RAW
at sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1273)
at sun.security.ssl.Handshaker.calculateKeys(Handshaker.java:1183)
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1122)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:543)
at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:314)
... 10 more
Caused by: java.security.InvalidAlgorithmParameterException: Key format must be RAW
at
com.sun.crypto.provider.TlsMasterSecretGenerator.engineInit(TlsMasterSecretGenerator.java:67)
at javax.crypto.KeyGenerator.init(KeyGenerator.java:454)
at javax.crypto.KeyGenerator.init(KeyGenerator.java:430)
at sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1261)
... 20 more
{code}
TLS using PKCS11 and JDK9+ does not work by default
---------------------------------------------------
Key: WFLY-10138
URL: https://issues.jboss.org/browse/WFLY-10138
Project: WildFly
Issue Type: Bug
Components: Documentation, Security
Affects Versions: 12.0.0.Final
Environment: java version "9.0.4"
Java(TM) SE Runtime Environment (build 9.0.4+11)
Java HotSpot(TM) 64-Bit Server VM (build 9.0.4+11, mixed mode)
Reporter: Martin Choma
Priority: Critical
Attachments: TLS_with_ExtendedMasterSecret, TLS_wo_ExtendedMAsterSecret
Since JDK 9.0.4 default behaviour changed and extended master secret extension is turned
on by default [1].
This fails on java using sun.security.pkcs11.SunPKCS11 provider. (FIPS compliant java)
{code}
17:32:48,377 INFO [stdout] (default task-1) SESSION KEYGEN:
17:32:48,378 INFO [stdout] (default task-1) PreMaster Secret:
17:32:48,378 INFO [stdout] (default task-1) (key bytes not available)
17:32:48,378 INFO [stdout] (default task-1) RSA master secret generation error:
17:32:48,378 INFO [stdout] (default task-1)
java.security.InvalidAlgorithmParameterException: Key format must be RAW
17:32:48,378 INFO [stdout] (default task-1) at
java.base/com.sun.crypto.provider.TlsMasterSecretGenerator.engineInit(TlsMasterSecretGenerator.java:69)
17:32:48,378 INFO [stdout] (default task-1) at
java.base/javax.crypto.KeyGenerator.init(KeyGenerator.java:477)
17:32:48,378 INFO [stdout] (default task-1) at
java.base/javax.crypto.KeyGenerator.init(KeyGenerator.java:453)
17:32:48,378 INFO [stdout] (default task-1) at
java.base/sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1334)
17:32:48,378 INFO [stdout] (default task-1) at
java.base/sun.security.ssl.Handshaker.calculateKeys(Handshaker.java:1235)
17:32:48,378 INFO [stdout] (default task-1) at
java.base/sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:318)
17:32:48,378 INFO [stdout] (default task-1) at
java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1092)
17:32:48,379 INFO [stdout] (default task-1) at
java.base/sun.security.ssl.Handshaker$1.run(Handshaker.java:1031)
17:32:48,379 INFO [stdout] (default task-1) at
java.base/sun.security.ssl.Handshaker$1.run(Handshaker.java:1028)
17:32:48,379 INFO [stdout] (default task-1) at
java.base/java.security.AccessController.doPrivileged(Native Method)
17:32:48,379 INFO [stdout] (default task-1) at
java.base/sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1534)
17:32:48,379 INFO [stdout] (default task-1) at
io.undertow.core@2.0.0.SP1-redhat-1//io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1047)
17:32:48,379 INFO [stdout] (default task-1) at
org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
17:32:48,379 INFO [stdout] (default task-1) at
org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
17:32:48,379 INFO [stdout] (default task-1) at
org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
17:32:48,379 INFO [stdout] (default task-1) at
org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
17:32:48,379 INFO [stdout] (default task-1) at
java.base/java.lang.Thread.run(Thread.java:844)
17:32:48,379 INFO [stdout] (default I/O-7) default I/O-7, fatal error: 80: problem
unwrapping net record
17:32:48,379 INFO [stdout] (default I/O-7) java.lang.RuntimeException:
java.security.InvalidAlgorithmParameterException: Key format must be RAW
{code}
This default extension behaviour can be switched off by system property
{{-Djdk.tls.useExtendedMasterSecret=false}} on client or on server side.
[1] https://bugs.java.com/view_bug.do?bug_id=JDK-8148421
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
2559
days inactive
2559
days old
0 comments
1 participants
tags (0)
participants (1)
-
Martin Choma (JIRA)