[jboss-jira] [JBoss JIRA] (WFCORE-4034) RuntimeException when call key-store=ks:revoke-certificate
Farah Juma (JIRA)
issues at jboss.org
Tue Aug 21 15:55:00 EDT 2018
[ https://issues.jboss.org/browse/WFCORE-4034?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13622280#comment-13622280 ]
Farah Juma commented on WFCORE-4034:
------------------------------------
I've submitted a PR that ensures that we no longer wrap the {{AcmeException}} in a {{RuntimeException}} here.
[~claudio4j] Just FYI, I took a closer look at the steps to reproduce and noticed that there's actually an issue with the alias that's being provided for the {{obtain-certificate}} operation. In particular, the provided {{alias}} and {{key-store}} indicate that if the {{obtain-certificate}} operation succeeds, it should store the obtained signed certificate under the {{alias}} "www.cnn.com" in the {{key-store}} "keyst2". However, the same alias/key-store combination was also used for the {{certificate-authority-account}} key in the previous step. So, even though {{obtain-certificate}} fails and doesn't actually obtain a certificate or update the key-store in any way, when {{revoke-certificate}} is called using the alias "www.cnn.com", this ends up attempting to revoke the certificate that is associated with the account key since this entry does exist in the keystore. This will correctly result in an {{AcmeException}} since this certificate wasn't issued by Let's Encrypt. Using the following commands instead (notice a different alias is used for the account key and the obtain-certificate operation) will correctly result in the following error message:
{code}
/subsystem=elytron/key-store=keyst2:add(credential-reference={clear-text=senha},type=JKS,path=keyst2.jks)
/subsystem=elytron/certificate-authority-account=ca_letsenc2:add(alias=myaccount,key-store=keyst2)
/subsystem=elytron/key-store=keyst2:obtain-certificate(alias=www.cnn.com,certificate-authority-account=ca_letsenc2,domain-names=["www.cnn.com"],agree-to-terms-of-service,algorithm=RSA)
/subsystem=elytron/key-store=keyst2:revoke-certificate(alias=www.cnn.com,certificate-authority-account=ca_letsenc2)
{
"outcome" => "failed",
"failure-description" => "WFLYELY01029: Alias 'www.cnn.com' does not exist in KeyStore",
"rolled-back" => true
}
{code}
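As an added illustration (not part of this ticket or of WildFly's code), a small Python lint over a jboss-cli script that flags the alias collision described above: an obtain-certificate or revoke-certificate call whose alias equals the account-key alias of the certificate-authority-account it names, within that account's key-store. The two embedded scripts are constructed copies of the reporter's commands and of the corrected commands from this comment.

```python
import re

# Constructed copies of the two jboss-cli scripts from this ticket. In the buggy one the
# ACME account key and the certificate to be obtained share alias "www.cnn.com" in keyst2.
BUGGY_SCRIPT = """
/subsystem=elytron/key-store=keyst2:add(credential-reference={clear-text=senha},type=JKS,path=keyst2.jks)
/subsystem=elytron/certificate-authority-account=ca_letsenc2:add(alias=www.cnn.com,key-store=keyst2)
/subsystem=elytron/key-store=keyst2:obtain-certificate(alias=www.cnn.com,certificate-authority-account=ca_letsenc2,domain-names=["www.cnn.com"],agree-to-terms-of-service,algorithm=RSA)
/subsystem=elytron/key-store=keyst2:revoke-certificate(alias=www.cnn.com,certificate-authority-account=ca_letsenc2)
"""
# Corrected variant: the account key gets its own alias, as in the comment above.
FIXED_SCRIPT = BUGGY_SCRIPT.replace("add(alias=www.cnn.com,key-store=keyst2)",
                                    "add(alias=myaccount,key-store=keyst2)")

CA_ACCOUNT_RE = re.compile(
    r"^/subsystem=elytron/certificate-authority-account=(?P<name>[^:]+):add\((?P<args>.*)\)$")
KS_OP_RE = re.compile(
    r"^/subsystem=elytron/key-store=(?P<ks>[^:]+):(?P<op>obtain-certificate|revoke-certificate)\((?P<args>.*)\)$")
# key=value pairs; values may be quoted, [lists] or {objects}; bare keys are flags.
ARG_RE = re.compile(r'([\w-]+)(?:=("[^"]*"|\[[^\]]*\]|\{[^}]*\}|[^,]*))?')


def parse_args(text):
    """Turn 'a=1,flag,b=[x]' into a dict; bare flags map to True."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else True)
            for m in ARG_RE.finditer(text)}


def find_alias_collisions(script):
    """Report obtain-/revoke-certificate calls whose alias is the account-key alias
    of the certificate-authority-account they name, in that account's key-store."""
    accounts = {}   # account name -> (account alias, key-store name)
    findings = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        m = CA_ACCOUNT_RE.match(line)
        if m:
            args = parse_args(m.group("args"))
            accounts[m.group("name")] = (args.get("alias"), args.get("key-store"))
            continue
        m = KS_OP_RE.match(line)
        if not m:
            continue
        args = parse_args(m.group("args"))
        account = args.get("certificate-authority-account")
        if accounts.get(account) == (args.get("alias"), m.group("ks")):
            findings.append({"line": lineno, "op": m.group("op"), "alias": args["alias"],
                             "key_store": m.group("ks"), "account": account})
    return findings


if __name__ == "__main__":
    for f in find_alias_collisions(BUGGY_SCRIPT):
        print(f"line {f['line']}: {f['op']} targets account-key alias "
              f"'{f['alias']}' of {f['account']} in key-store {f['key_store']}")
```

Run against the reporter's script it flags both the obtain-certificate and the revoke-certificate line; against the corrected script it reports nothing.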
> RuntimeException when call key-store=ks:revoke-certificate
> ----------------------------------------------------------
>
> Key: WFCORE-4034
> URL: https://issues.jboss.org/browse/WFCORE-4034
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Claudio Miranda
> Assignee: Farah Juma
>
> There is a RuntimeException when calling key-store=keys:revoke-certificate on an existing alias, but having failed to obtain a certificate from the CA
> Steps to reproduce
> {code}
> /subsystem=elytron/key-store=keyst2:add(credential-reference={clear-text=senha},type=JKS,path=keyst2.jks)
> /subsystem=elytron/certificate-authority-account=ca_letsenc2:add(alias=www.cnn.com,key-store=keyst2)
> /subsystem=elytron/key-store=keyst2:obtain-certificate(alias=www.cnn.com,certificate-authority-account=ca_letsenc2,domain-names=["www.cnn.com"],agree-to-terms-of-service,algorithm=RSA)
> /subsystem=elytron/key-store=keyst2:revoke-certificate(alias=www.cnn.com,certificate-authority-account=ca_letsenc2)
> {code}
> obtain-certificate results in an exception, then call revoke-certificate
> {code}
> /subsystem=elytron/key-store=keyst2:obtain-certificate(alias=www.cnn.com,certificate-authority-account=ca_letsenc2,domain-names=["www.cnn.com"],agree-to-terms-of-service,algorithm=RSA)
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.RuntimeException: org.wildfly.security.x500.cert.acme.AcmeException: ELY10048: Challenge response failed validation by the ACME server",
> "rolled-back" => true
> }
> [standalone at localhost:9990 /] /subsystem=elytron/key-store=keyst2:revoke-certificate(alias=www.cnn.com,certificate-authority-account=ca_letsenc2)
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.RuntimeException: org.wildfly.security.x500.cert.acme.AcmeException: No such certificate",
> "rolled-back" => true
> }
> {code}
> I understand it makes no sense to revoke a certificate that doesn't exist in the CA provider, but it was more an accident to discover it as I was playing with the operations.
> Probably a WARN message would be more appropriate than a RuntimeException.