Jan Stourac commented on WFWIP-162:
-----------------------------------
Thank you, Martin, for the clarification. AFAIK a PKIX-based TrustManagerFactory should be
available on all of our supported platforms, so we can probably just document this
requirement in our documentation for OCSP.
Follow-up question, though: does this affect our current customers who would like to
utilize OCSP? E.g. in case they use SunX509 now, is the change to PKIX as easy as just changing
this value in their configurations? E.g. isn't it necessary to rebuild their
key/trust-stores or to perform any other extra steps? If so, we should probably consider
mentioning such things in our docs as well.
Hope I'm not missing anything else on this if we restrict to PKIX only.
IllegalStateException when TrustManager with SunX509 algorithm and with OCSP
----------------------------------------------------------------------------
Key: WFWIP-162
URL: https://issues.jboss.org/browse/WFWIP-162
Project: WildFly WIP
Issue Type: Bug
Components: Security
Environment: WildFly built with following branches in use:
{code}
https://github.com/nekdozjam/wildfly-elytron/tree/ELY-1617
https://github.com/nekdozjam/wildfly-core/tree/WFCORE-3947
{code}
Reporter: Jan Stourac
Assignee: Martin Mazanek
Priority: Major
Attachments: ocsp-truststore.jks
I can see an error when I try to create a 'trust-manager' with OCSP enabled and
the SunX509 algorithm specified. When I don't specify the SunX509 algorithm, the operation
succeeds.
Here are the error messages I noticed:
{code}
{
    "outcome" => "failed",
    "failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.trust-manager.tm" => "Failed to start service
Caused by: java.lang.IllegalStateException: ELY04026: Could not create trust manager [org.wildfly.security.ssl.X509RevocationTrustManager]
Caused by: java.security.InvalidAlgorithmParameterException: SunX509 TrustManagerFactory does not use ManagerFactoryParameters"}},
    "rolled-back" => true
}
{code}
In server.log, there is the following text:
{code}
17:14:48,560 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service org.wildfly.security.trust-manager.tm: org.jboss.msc.service.StartException in service org.wildfly.security.trust-manager.tm: Failed to start service
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1730)
    at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalStateException: ELY04026: Could not create trust manager [org.wildfly.security.ssl.X509RevocationTrustManager]
    at org.wildfly.security.ssl.X509RevocationTrustManager.<init>(X509RevocationTrustManager.java:108)
    at org.wildfly.security.ssl.X509RevocationTrustManager.<init>(X509RevocationTrustManager.java:56)
    at org.wildfly.security.ssl.X509RevocationTrustManager$Builder.build(X509RevocationTrustManager.java:293)
    at org.wildfly.extension.elytron.SSLDefinitions$2.lambda$createX509RevocationExtendedTrustManager$1(SSLDefinitions.java:732)
    at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700)
    ... 6 more
Caused by: java.security.InvalidAlgorithmParameterException: SunX509 TrustManagerFactory does not use ManagerFactoryParameters
    at sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory.getInstance(TrustManagerFactoryImpl.java:257)
    at sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:90)
    at javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:273)
    at org.wildfly.security.ssl.X509RevocationTrustManager.<init>(X509RevocationTrustManager.java:98)
    ... 12 more
17:14:48,562 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "elytron"),
    ("trust-manager" => "tm")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.trust-manager.tm" => "Failed to start service
Caused by: java.lang.IllegalStateException: ELY04026: Could not create trust manager [org.wildfly.security.ssl.X509RevocationTrustManager]
Caused by: java.security.InvalidAlgorithmParameterException: SunX509 TrustManagerFactory does not use ManagerFactoryParameters"}}
{code}
I'm attaching the keystore file that I used for this. The password is
'weneedthatforjava'.
Note that when I try 'certificate-revocation-list' instead, or if I omit the
'algorithm' attribute altogether, the operation succeeds.
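The trace shows the failure happens at TrustManagerFactory.init(ManagerFactoryParameters): the JDK's SunX509 factory only accepts a KeyStore, while the PKIX factory accepts CertPathTrustManagerParameters, which is what carries the revocation (OCSP) configuration. The following is an added stand-alone reproduction, not code from the issue or from WildFly/Elytron; it assumes the attached ocsp-truststore.jks (password as stated above) is in the working directory and the class name is arbitrary.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class OcspTrustManagerCheck {

    // Builds trust managers that validate peer chains against the trust store and
    // check revocation with the JDK's PKIXRevocationChecker (OCSP preferred by default).
    static TrustManager[] build(String algorithm, KeyStore trustStore) throws Exception {
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        // NO_FALLBACK: fail closed instead of silently falling back to CRLs when OCSP is unavailable.
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        pkix.addCertPathChecker(checker);
        ManagerFactoryParameters params = new CertPathTrustManagerParameters(pkix);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        // This is the call that throws InvalidAlgorithmParameterException for SunX509.
        tmf.init(params);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "ocsp-truststore.jks"; // attachment from the issue
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ts.load(in, "weneedthatforjava".toCharArray());            // password from the issue
        }
        for (String alg : new String[] {"PKIX", "SunX509"}) {
            try {
                TrustManager[] tms = build(alg, ts);
                System.out.println(alg + ": ok, " + tms.length + " trust manager(s)");
            } catch (InvalidAlgorithmParameterException e) {
                System.out.println(alg + ": " + e.getMessage());
            }
        }
    }
}
```

The same trust store file is loaded for both algorithms; the only difference is whether the factory accepts ManagerFactoryParameters, so switching the algorithm value to PKIX does not by itself require a different keystore format.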