[jboss-jira] [JBoss JIRA] (WFCORE-3046) FileKeystore is hard to use with non-file-based keystores

Darran Lofthouse (Jira) issues at jboss.org
Fri Feb 15 12:21:00 EST 2019


    [ https://issues.jboss.org/browse/WFCORE-3046?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13696152#comment-13696152 ] 

Darran Lofthouse commented on WFCORE-3046:
------------------------------------------

FYI WildFly Elytron has been available since WildFly 11 and JBoss EAP 7.1

> FileKeystore is hard to use with non-file-based keystores
> ---------------------------------------------------------
>
>                 Key: WFCORE-3046
>                 URL: https://issues.jboss.org/browse/WFCORE-3046
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>            Reporter: Jan Pazdziora
>            Assignee: Darran Lofthouse
>            Priority: Major
>
> We are implementing a JCA KeyStore provider to get certificates and keys via an external process over the network:
> https://github.com/latchset/custodia-jca-provider
> However, the code in https://github.com/wildfly/wildfly-core/blob/master/domain-management/src/main/java/org/jboss/as/domain/management/security/FileKeystore.java makes using such a provider hard.
> It seems that FileKeystore has two modes of operation -- either an alias is specified and then the KeyStore is treated as a file (isKeyStore = true) which has to exist and has to be able to list aliases, or the file is not required to exist (isKeyStore = false) but then an alias cannot be specified (and if it is specified as the alias attribute of the <keystore> element, it is ignored).
> In case we'd like to be able to use our provider without additional configuration in java.security, we'd like to be able to specify an alias to retrieve the specified entry, especially since getting the list of aliases might be either slow (for large sets) or not possible. For that, however, we need to go the isKeyStore = true route with a path specified and the file existing. Alas, when we try
>     <ssl>
>       <keystore provider="custodia-cli" path="/dev/null" alias="wildfly/server-ssl" keystore-password="thepassword" />
>     </ssl>
> then due to the extra check in WildFly's code, startup fails with
> Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0083: The KeyStore /dev/null does not contain any keys.
>         at org.jboss.as.domain.management.security.FileKeystore.assertContainsKey(FileKeystore.java:169)
>         at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:120)
>         at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:189)
> Please consider removing the
>             if (isKeyStore) {
>                 assertContainsKey(loadedKeystore);
>             }
> code from https://github.com/wildfly/wildfly-core/blob/master/domain-management/src/main/java/org/jboss/as/domain/management/security/FileKeystore.java#L119 since the existence of the keystore file does not guarantee that the keys will be stored in it and that the provider will be able to loop through them. The file might be just /dev/null or some config file of the provider.
> Ideally, though, it should be possible to specify an alias even for a keystore which has no path specified.
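The report contrasts two startup checks: one that enumerates every alias to prove the store "contains any keys", and one that validates only the configured alias. The following added example (not WildFly or custodia-jca-provider code) makes that difference concrete. `LookupOnlySpi` and `LookupOnlyProvider` are hypothetical stand-ins for a network-backed KeyStore that can answer for a named alias but cannot list aliases; the AES key bytes and the `wildfly/server-ssl` alias are constructed values taken from the report's configuration, not real material. Against such a store the alias-specific check passes while the enumeration-based check fails, which is why checking the configured alias is the more robust startup validation.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.KeyStoreSpi;
import java.security.Provider;
import java.security.cert.Certificate;
import java.util.Date;
import java.util.Enumeration;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class AliasCheckDemo {

    /** Hypothetical read-only KeyStoreSpi: fetches a single known alias but cannot enumerate. */
    public static final class LookupOnlySpi extends KeyStoreSpi {
        private static final String KNOWN_ALIAS = "wildfly/server-ssl";
        // Constructed placeholder key material for the demo; not a real key.
        private static final SecretKey KEY = new SecretKeySpec(new byte[16], "AES");

        @Override public Key engineGetKey(String alias, char[] password) {
            return KNOWN_ALIAS.equals(alias) ? KEY : null;
        }
        @Override public Certificate[] engineGetCertificateChain(String alias) { return null; }
        @Override public Certificate engineGetCertificate(String alias) { return null; }
        @Override public Date engineGetCreationDate(String alias) {
            return KNOWN_ALIAS.equals(alias) ? new Date() : null;
        }
        @Override public void engineSetKeyEntry(String a, Key k, char[] p, Certificate[] c) throws KeyStoreException {
            throw new KeyStoreException("read-only backend");
        }
        @Override public void engineSetKeyEntry(String a, byte[] k, Certificate[] c) throws KeyStoreException {
            throw new KeyStoreException("read-only backend");
        }
        @Override public void engineSetCertificateEntry(String a, Certificate c) throws KeyStoreException {
            throw new KeyStoreException("read-only backend");
        }
        @Override public void engineDeleteEntry(String a) throws KeyStoreException {
            throw new KeyStoreException("read-only backend");
        }
        // The backend in the report may be slow or unable to list entries; model "unable" here.
        @Override public Enumeration<String> engineAliases() {
            throw new UnsupportedOperationException("backend cannot list aliases");
        }
        @Override public int engineSize() {
            throw new UnsupportedOperationException("backend cannot list aliases");
        }
        @Override public boolean engineContainsAlias(String alias) { return KNOWN_ALIAS.equals(alias); }
        @Override public boolean engineIsKeyEntry(String alias) { return KNOWN_ALIAS.equals(alias); }
        @Override public boolean engineIsCertificateEntry(String alias) { return false; }
        @Override public String engineGetCertificateAlias(Certificate c) { return null; }
        @Override public void engineStore(OutputStream s, char[] p) { /* nothing persisted locally */ }
        @Override public void engineLoad(InputStream s, char[] p) { /* entries live in the backend, no file to read */ }
    }

    /** Hypothetical provider registering the SPI under KeyStore type "LookupOnly". */
    public static final class LookupOnlyProvider extends Provider {
        LookupOnlyProvider() {
            super("LookupOnlyDemo", 1.0, "hypothetical lookup-only KeyStore provider (example)");
            put("KeyStore.LookupOnly", LookupOnlySpi.class.getName());
        }
    }

    /** Enumeration-based check in the spirit of the report: fail unless some alias is a key entry. */
    static void assertContainsAnyKey(KeyStore ks) throws KeyStoreException {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            if (ks.isKeyEntry(e.nextElement())) return;
        }
        throw new IllegalStateException("keystore does not contain any keys");
    }

    /** Alias-specific check: validates exactly the configured entry, without listing the store. */
    static void assertContainsKey(KeyStore ks, String alias) throws KeyStoreException {
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("keystore has no key entry for alias '" + alias + "'");
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "thepassword".toCharArray();
        KeyStore ks = KeyStore.getInstance("LookupOnly", new LookupOnlyProvider());
        ks.load(null, password); // no backing file, the analogue of path="/dev/null" in the report

        assertContainsKey(ks, "wildfly/server-ssl");
        System.out.println("alias-specific check: ok");

        try {
            assertContainsAnyKey(ks);
            System.out.println("enumeration-based check: ok");
        } catch (UnsupportedOperationException ex) {
            System.out.println("enumeration-based check failed: " + ex.getMessage());
        }
    }
}
```

The same alias-specific check also covers the failure mode that the "any key" loop hides: a store that does hold keys but not the one the `<keystore alias="...">` element names will fail at startup with a message that points at the missing alias, rather than passing validation and failing later during the TLS handshake.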



--
This message was sent by Atlassian Jira
(v7.12.1#712002)