[jboss-jira] [JBoss JIRA] (WFCORE-3070) Found multiple secret keys sharing same CKA_LABEL

Peter Skopek (JIRA) issues at jboss.org
Tue Aug 8 08:13:00 EDT 2017 

     [ https://issues.jboss.org/browse/WFCORE-3070?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Skopek reopened WFCORE-3070:
----------------------------------


Reopening as error still occures in ER3 [1]

Looking into fix, synchronization is addressed in ProviderKeyManagerService.java and ProviderTrustManagerService.java, which fix legacy configuration (SSLMasterSlaveTwoWayTestCase). I can confirm I don't see failing SSLMasterSlaveTwoWayTestCase in ER3.

But same error occures also in Elytron configuration (SSLMasterSlaveTwoWayElytronTestCase). IMHO, similar synchronization should be added into org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:137), which occures in reported error stacktrace.

[1] https://jenkins.hosts.mwqe.eng.bos.redhat.com/hudson/view/EAP7/view/EAP7-Security/view/EAP-7.x-FIPS-mode/job/eap-7x-security-fips-matrix/164/jdk=java18_default,label=solaris10%20&&%20x86_64%20&&%20eap-sustaining/testReport/com.redhat.eap.qe.fips.domain.elytron/SSLMasterSlaveTwoWayElytronTestCase/com_redhat_eap_qe_fips_domain_elytron_SSLMasterSlaveTwoWayElytronTestCase/


> Found multiple secret keys sharing same CKA_LABEL
> -------------------------------------------------
>
>                 Key: WFCORE-3070
>                 URL: https://issues.jboss.org/browse/WFCORE-3070
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>            Reporter: Peter Skopek
>            Assignee: Peter Skopek
>            Priority: Blocker
>              Labels: eap7.1-rfe-failure
>             Fix For: 3.0.0.Beta29
>
>
> When multiple PKCS11 keystores are configured in domain [1][2]. And PKCS11 store contains secret key. Then this exception is thrown on startup intermittently (but very often, cca 50%). 
> {code:server.log}
> [Host Controller] 10:15:05,526 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.security.key-store.oneWayKS: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.oneWayKS: WFLYELY00004: Unable to start the service.
> [Host Controller] 	at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:146)
> [Host Controller] 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
> [Host Controller] 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
> [Host Controller] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> [Host Controller] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> [Host Controller] 	at java.lang.Thread.run(Thread.java:745)
> [Host Controller] Caused by: java.io.IOException: load failed
> [Host Controller] 	at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:763)
> [Host Controller] 	at java.security.KeyStore.load(KeyStore.java:1445)
> [Host Controller] 	at org.wildfly.security.keystore.AtomicLoadKeyStoreSpi.engineLoad(AtomicLoadKeyStoreSpi.java:55)
> [Host Controller] 	at java.security.KeyStore.load(KeyStore.java:1445)
> [Host Controller] 	at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:137)
> [Host Controller] 	... 5 more
> [Host Controller] Caused by: java.security.KeyStoreException: invalid KeyStore state: found multiple secret keys sharing same CKA_LABEL [my-key]
> [Host Controller] 	at sun.security.pkcs11.P11KeyStore.mapLabels(P11KeyStore.java:2408)
> [Host Controller] 	at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:755)
> [Host Controller] 	... 9 more
> {code}
> Storing secret key into PKCS11 store is necessary for FIPS Credential store implementation.
> {code:java|title=sun.security.pkcs11.P11KeyStore.java}
>            for (long handle : handles) {
>                 attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_LABEL) };
>                 token.p11.C_GetAttributeValue(session.id(), handle, attrs);
>                 if (attrs[0].pValue != null) {
>                     // there is a CKA_LABEL
>                     String cka_label = new String(attrs[0].getCharArray());
>                     if (sKeyMap.get(cka_label) == null) {
>                         sKeyMap.put(cka_label, new AliasInfo(cka_label));
>                     } else {
>                         throw new KeyStoreException("invalid KeyStore state: " +
>                                 "found multiple secret keys sharing same " +
>                                 "CKA_LABEL [" +
>                                 cka_label +
>                                 "]");
>                     }
>                 }
>             }
> {code}
> It seems to me problem will be PKCS11 store (system wide) is loaded concurrently multiple times and therefore sometimes JDK check triggers false positive alarm [3].
> [1] https://gitlab.mw.lab.eng.bos.redhat.com/jbossqe-eap/tests-security/blob/7.x/fips/src/test/resources/host-configs/elytron/host-master-ssl-2way.xml
> [2] https://gitlab.mw.lab.eng.bos.redhat.com/jbossqe-eap/tests-security/blob/7.x/fips/src/test/resources/host-configs/elytron/host-slave-ssl-2way.xml
> [3] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/pkcs11/P11KeyStore.java#2408



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list