[jboss-jira] [JBoss JIRA] (WFCORE-3458) External CS, PKCS11 can't be configured with externalPath

Ilia Vassilev (JIRA) issues at jboss.org
Wed Dec 13 11:26:00 EST 2017


    [ https://issues.jboss.org/browse/WFCORE-3458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13505087#comment-13505087 ] 

Ilia Vassilev commented on WFCORE-3458:
---------------------------------------

In the Elytron subsystem, remove the requirement: "if location is not set in CLI, default credential-store name is used as location"


> External CS, PKCS11 can't be configured with externalPath 
> ----------------------------------------------------------
>
>                 Key: WFCORE-3458
>                 URL: https://issues.jboss.org/browse/WFCORE-3458
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 4.0.0.Alpha4
>            Reporter: Ilia Vassilev
>            Assignee: Ilia Vassilev
>            Priority: Critical
>
> To specify the external secret file location, externalPath is intended. However, in the case of PKCS11 it can't be achieved.
> {code}
> 10:53:03,403 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.security.credential-store.fips-credential-store: org.jboss.msc.service.StartException in service org.wildfly.security.credential-store.fips-credential-store: WFLYELY00004: Unable to start the service.
> 	at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:134)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> 	at java.lang.Thread.run(Thread.java:745)
> Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
> 	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:954)
> 	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:828)
> 	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:214)
> 	at org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:159)
> 	at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:126)
> 	... 5 more
> Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/git-repositories/tests-security/fips/fips-credential-store
> 	at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
> 	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
> 	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
> 	at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
> 	at java.nio.file.Files.newByteChannel(Files.java:361)
> 	at java.nio.file.Files.newByteChannel(Files.java:407)
> 	at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384)
> 	at java.nio.file.Files.newInputStream(Files.java:152)
> 	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:943)
> 	... 9 more
> 10:53:03,409 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "elytron"),
>     ("credential-store" => "fips-credential-store")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.credential-store.fips-credential-store" => "WFLYELY00004: Unable to start the service.
>     Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
>     Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/git-repositories/tests-security/fips/fips-credential-store"}}
> {code}
> Problem seems to be in method
> {code:java|title=KeyStoreCredentialStore.java}
>     private void setupExternalStorage(final String keyContainingKeyStoreType, final Path keyContainingKeyStoreLocation) throws CredentialStoreException {
>         KeyStore keyContainingKeyStore = getKeyStoreInstance(keyContainingKeyStoreType);
>         keyStore = getKeyStoreInstance("JCEKS");
>         externalStorage = new ExternalStorage();
>         try {
>             final char[] storePassword = getStorePassword(protectionParameter);
>             if (keyContainingKeyStoreLocation != null) {
>                 try (InputStream is = Files.newInputStream(keyContainingKeyStoreLocation)) {
>                     keyContainingKeyStore.load(is, storePassword);
>                 }
>             } else {
>                 // keystore without file (e.g. PKCS11)
>                 synchronized (EmptyProvider.getInstance()) {
>                     keyContainingKeyStore.load(null, storePassword);
>                 }
>             }
>             externalStorage.init(cryptographicAlgorithm, encryptionKeyAlias, keyContainingKeyStore, storePassword, keyStore);
>         } catch(IOException | GeneralSecurityException e) {
>             throw log.cannotInitializeCredentialStore(e);
>         }
>     }
> {code}
> Although location is not specified in the CLI command, keyContainingKeyStoreLocation is not null, because once location is not specified it becomes the name of the CS, in this case fips-credential-store (this default is in the Elytron subsystem).



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
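The failure mode in the quoted setupExternalStorage() and the proposed fix, as an added illustration that is not Elytron or WildFly code: the resolve* helpers, the class name and the use of a JCEKS store in place of an offline-unavailable PKCS11 provider are assumptions made for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

// Added illustration, not Elytron code: models how defaulting the location to the
// credential-store name bypasses the file-less (PKCS11) branch of setupExternalStorage().
public class ExternalStorageLocationDemo {
    // Hypothetical helper mirroring the subsystem default the comment asks to remove.
    static Path resolveLocationWithDefault(String csName, String location) {
        return Paths.get(location != null ? location : csName);
    }
    // Without the default an unset location stays null and reaches load(null, password).
    static Path resolveLocationWithoutDefault(String location) {
        return location == null ? null : Paths.get(location);
    }
    // Same branching as the quoted method: a non-null location means "read a file".
    static KeyStore loadKeyContainingKeyStore(String type, Path location, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        if (location != null) {
            try (InputStream is = Files.newInputStream(location)) {
                ks.load(is, password);
            }
        } else {
            ks.load(null, password); // provider-backed store (e.g. PKCS11), no file involved
        }
        return ks;
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "secret".toCharArray();
        // Defaulted: the store name is treated as a file path, which does not exist.
        Path defaulted = resolveLocationWithDefault("fips-credential-store", null);
        try {
            loadKeyContainingKeyStore("JCEKS", defaulted, pw); // JCEKS stands in for PKCS11 offline
        } catch (NoSuchFileException e) {
            System.out.println("defaulted location fails: " + e.getMessage());
        }
        // Unset: the file-less branch is taken and the store initializes.
        KeyStore ks = loadKeyContainingKeyStore("JCEKS", resolveLocationWithoutDefault(null), pw);
        System.out.println("file-less load ok, entries: " + ks.size());
    }
}
```

Run from a directory that contains no file named fips-credential-store to reproduce the NoSuchFileException path before seeing the file-less load succeed.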

