[jboss-jira] [JBoss JIRA] (ELY-1621) BC FIPS with CLI: the trustAnchors parameter must be non-empty
Martin Choma (JIRA)
issues at jboss.org
Thu Aug 2 09:48:00 EDT 2018
[ https://issues.jboss.org/browse/ELY-1621?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13613895#comment-13613895 ]
Martin Choma commented on ELY-1621:
-----------------------------------
Just debugged the server side and it behaves the same. The error hasn't occurred just because the truststore contains another certificate.
And I think BC behaves as documented, because when I look into the keystore it contains only one entry, a PrivateKeyEntry, which contains the certificate. BC ignores this, as documented.
{code}
[mchoma at dhcp-10-40-4-105 bcfips_cli]$ keytool \
> -list\
> -keystore /home/mchoma/task/bcfips_cli/keystore.bcfks\
> -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider\
> -providerpath /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.1/bc-fips-1.0.1.jar\
> -storetype BCFKS\
> -storepass password\
> -v
Keystore type: BCFKS
Keystore provider: BCFIPS
Your keystore contains 1 entry
Alias name: appserver
Creation date: Aug 2, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=appserver, OU=QE, O=Redhat, L=Brno, ST=CR, C=CZ
Issuer: CN=appserver, OU=QE, O=Redhat, L=Brno, ST=CR, C=CZ
Serial number: 76e851f0
Valid from: Thu Aug 02 07:34:51 CEST 2018 until: Sat Aug 01 07:34:51 CEST 2020
Certificate fingerprints:
MD5: 67:16:51:BB:55:A9:53:F1:85:42:63:50:9D:CF:2A:7F
SHA1: 75:11:07:22:5A:F9:AB:F9:70:1A:8E:FD:BC:3B:A3:51:50:19:71:99
SHA256: 8A:B2:4D:88:F2:B6:64:2F:5D:A4:69:FF:6A:2A:64:F6:99:78:8E:80:2B:8E:7F:82:E4:C7:CC:91:9B:DD:02:1E
Signature algorithm name: SHA256WITHRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
*******************************************
*******************************************
{code}
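As an added example (not code from this issue, Elytron or Bouncy Castle), a small Java diagnostic that applies the point in the comment above: it lists the aliases a PKIX trust manager treats as trust anchors, which are trusted certificate entries only, and reports the empty-anchors condition before TrustManagerFactory.init would throw. It assumes the provider for the given store type (BCFIPS for BCFKS) is already registered, and the file path, type and password are hypothetical command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/*
 * Added diagnostic (not Elytron/BC code). A PKIX trust manager, such as BC JSSE's, uses only
 * TrustedCertificateEntry aliases as trust anchors; a store holding nothing but a
 * PrivateKeyEntry, like keystore.bcfks in the listing above, yields zero anchors.
 */
public final class TrustAnchorCheck {

    /** Aliases a PKIX trust manager would accept as trust anchors. */
    public static List<String> trustedCertAliases(KeyStore ks) throws KeyStoreException {
        List<String> anchors = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                anchors.add(alias);            // TrustedCertificateEntry: counts as an anchor
            } else if (ks.isKeyEntry(alias)) {
                // PrivateKeyEntry: carries a certificate chain, but it is not an anchor
                System.out.printf("alias '%s' is a key entry, not a trust anchor%n", alias);
            }
        }
        return anchors;
    }

    /** Loads a store of the given type; assumes its provider (e.g. BCFIPS for BCFKS) is registered. */
    public static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Usage: java TrustAnchorCheck <store-file> <store-type> <store-password> (hypothetical arguments)
    public static void main(String[] args) throws Exception {
        List<String> anchors = trustedCertAliases(load(args[0], args[1], args[2].toCharArray()));
        if (anchors.isEmpty()) {
            System.err.println("no TrustedCertificateEntry: TrustManagerFactory.init would fail with "
                + "'the trustAnchors parameter must be non-empty'; import the peer's CA certificate "
                + "with keytool -importcert, which creates a trusted certificate entry");
            System.exit(1);
        }
        System.out.println("trust anchors: " + anchors);
    }
}
```

The same distinction is visible in the keytool -v listing above: the BC trust manager needs at least one alias whose Entry type is trustedCertEntry, not PrivateKeyEntry.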
> BC FIPS with CLI: the trustAnchors parameter must be non-empty
> --------------------------------------------------------------
>
> Key: ELY-1621
> URL: https://issues.jboss.org/browse/ELY-1621
> Project: WildFly Elytron
> Issue Type: Bug
> Components: SSL
> Affects Versions: 1.5.1.Final
> Reporter: Martin Choma
> Priority: Blocker
> Attachments: cli-test-wildfly-config.xml, jboss-cli.log, keystore.bcfks
>
>
> I am trying to connect from jboss-cli.sh to the EAP server. To reproduce the problem it is enough that BC FIPS is used only on the client side.
> {code:java|title=jboss-cli.log}
> 08:13:18,469 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: java.lang.ExceptionInInitializerError
> at org.wildfly.security.auth.client.AuthenticationContext.lambda$static$0(AuthenticationContext.java:54)
> at org.wildfly.common.context.ContextManager.getPrivileged(ContextManager.java:286)
> at org.wildfly.security.auth.client.AuthenticationContext.captureCurrent(AuthenticationContext.java:86)
> at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:146)
> at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
> at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
> at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
> at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
> at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
> at org.jboss.modules.Module.run(Module.java:352)
> at org.jboss.modules.Module.run(Module.java:320)
> at org.jboss.modules.Main.main(Main.java:593)
> Caused by: org.wildfly.security.auth.client.InvalidAuthenticationConfigurationException: org.wildfly.client.config.ConfigXMLParseException: java.security.KeyStoreException: initialization failed
> at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:40)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.<clinit>(DefaultAuthenticationContextProvider.java:36)
> ... 14 more
> Caused by: org.wildfly.client.config.ConfigXMLParseException: java.security.KeyStoreException: initialization failed
> at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseSslContextType$10(ElytronXmlParser.java:525)
> at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseSslContextRuleType$11(ElytronXmlParser.java:711)
> at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseRulesType$13(ElytronXmlParser.java:749)
> at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:356)
> at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:231)
> at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:192)
> at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:38)
> ... 16 more
> Caused by: java.security.KeyStoreException: initialization failed
> at org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi.engineInit(ProvTrustManagerFactorySpi.java:150)
> at javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:250)
> at org.wildfly.security.auth.client.ElytronXmlParser$TrustManagerBuilder.build(ElytronXmlParser.java:590)
> at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseSslContextType$10(ElytronXmlParser.java:523)
> ... 22 more
> Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
> at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
> at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
> at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
> at org.bouncycastle.jsse.provider.ProvX509TrustManagerImpl.<init>(ProvX509TrustManagerImpl.java:53)
> at org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi.engineInit(ProvTrustManagerFactorySpi.java:146)
> ... 25 more
> {code}
> When I use non-FIPS Java with the CLI I can make it work. It also occurs when connecting to the default unsecured port 9990.
> I have double-checked that the truststore is there, the correct password is used, the server has permission to open the truststore, and the truststore contains the certificate.
> When I use a BCFKS truststore on the server side, e.g. in 2-way HTTP communication, it works.
> So it looks to me like something on the client side is missing? Any hint?