[jboss-jira] [JBoss JIRA] (WFWIP-162) IllegalStateException when TrustManager with SunX509 algorithm and with OCSP

Jan Stourac (Jira) issues at jboss.org
Wed Jun 19 10:41:00 EDT 2019


    [ https://issues.jboss.org/browse/WFWIP-162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13748990#comment-13748990 ] 

Jan Stourac commented on WFWIP-162:
-----------------------------------

Thank you, Martin, for the clarification. AFAIK a PKIX-based TrustManagerFactory should be available on all of our supported platforms, so we can probably just document this requirement in our documentation for OCSP.

Follow-up question, though: does this affect our current customers who would like to utilize OCSP? E.g. in case they use SunX509 now, is the change to PKIX as easy as just changing this value in their configuration? E.g. isn't it necessary to rebuild their key/trust-stores or to perform any other extra steps? If so, we should probably consider mentioning such things in our doc as well.

Hope I'm not missing anything else on this if we restrict to PKIX only.

> IllegalStateException when TrustManager with SunX509 algorithm and with OCSP
> ----------------------------------------------------------------------------
>
>                 Key: WFWIP-162
>                 URL: https://issues.jboss.org/browse/WFWIP-162
>             Project: WildFly WIP
>          Issue Type: Bug
>          Components: Security
>         Environment: WildFly built with following branches in use:
> {code}
> https://github.com/nekdozjam/wildfly-elytron/tree/ELY-1617
> https://github.com/nekdozjam/wildfly-core/tree/WFCORE-3947
> {code}
>            Reporter: Jan Stourac
>            Assignee: Martin Mazanek
>            Priority: Major
>         Attachments: ocsp-truststore.jks
>
>
> I can see an error when I try to create a 'trust-manager' with OCSP enabled and the SunX509 algorithm specified. When I don't specify the SunX509 algorithm, the operation succeeds.
> Here are the error messages I noticed:
> {code}
> {
>     "outcome" => "failed",
>     "failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.trust-manager.tm" => "Failed to start service
>     Caused by: java.lang.IllegalStateException: ELY04026: Could not create trust manager [org.wildfly.security.ssl.X509RevocationTrustManager]
>     Caused by: java.security.InvalidAlgorithmParameterException: SunX509 TrustManagerFactory does not use ManagerFactoryParameters"}},
>     "rolled-back" => true
> }
> {code}
> In server.log, there is following text:
> {code}
> 17:14:48,560 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service org.wildfly.security.trust-manager.tm: org.jboss.msc.service.StartException in service org.wildfly.security.trust-manager.tm: Failed to start service
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1730)
> 	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558)
> 	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> 	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
> 	at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.IllegalStateException: ELY04026: Could not create trust manager [org.wildfly.security.ssl.X509RevocationTrustManager]
> 	at org.wildfly.security.ssl.X509RevocationTrustManager.<init>(X509RevocationTrustManager.java:108)
> 	at org.wildfly.security.ssl.X509RevocationTrustManager.<init>(X509RevocationTrustManager.java:56)
> 	at org.wildfly.security.ssl.X509RevocationTrustManager$Builder.build(X509RevocationTrustManager.java:293)
> 	at org.wildfly.extension.elytron.SSLDefinitions$2.lambda$createX509RevocationExtendedTrustManager$1(SSLDefinitions.java:732)
> 	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700)
> 	... 6 more
> Caused by: java.security.InvalidAlgorithmParameterException: SunX509 TrustManagerFactory does not use ManagerFactoryParameters
> 	at sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory.getInstance(TrustManagerFactoryImpl.java:257)
> 	at sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:90)
> 	at javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:273)
> 	at org.wildfly.security.ssl.X509RevocationTrustManager.<init>(X509RevocationTrustManager.java:98)
> 	... 12 more
> 17:14:48,562 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "elytron"),
>     ("trust-manager" => "tm")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.trust-manager.tm" => "Failed to start service
>     Caused by: java.lang.IllegalStateException: ELY04026: Could not create trust manager [org.wildfly.security.ssl.X509RevocationTrustManager]
>     Caused by: java.security.InvalidAlgorithmParameterException: SunX509 TrustManagerFactory does not use ManagerFactoryParameters"}}
> {code}
> I'm attaching the keystore file that I used for this. The password is 'weneedthatforjava'.
> Note that when I try 'certificate-revocation-list' instead, or if I omit the 'algorithm' attribute altogether, the operation succeeds.
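An added example, not part of this thread or of the WildFly code, that reproduces the JDK behaviour behind the reported exception outside the server: one truststore is loaded once and handed, with OCSP-enabled PKIXBuilderParameters, to both a SunX509 and a PKIX TrustManagerFactory. It assumes the JDK's default cacerts store and its password "changeit" as a stand-in for the attached ocsp-truststore.jks; a store path and password may be passed as arguments instead.

```java
import java.io.FileInputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;

public class OcspTrustManagerFactoryCheck {

    // Wraps an existing truststore in OCSP-enabled PKIX parameters. The store itself is not
    // modified: revocation settings live entirely in the parameters, not in the keystore.
    static CertPathTrustManagerParameters ocspParams(KeyStore trustStore) throws Exception {
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK)); // OCSP only, no CRL fallback
        pkix.addCertPathChecker(checker);
        return new CertPathTrustManagerParameters(pkix);
    }

    // Initialises a TrustManagerFactory of the given algorithm with ManagerFactoryParameters.
    // SunX509 rejects them with InvalidAlgorithmParameterException (the cause seen in the stack
    // trace above); PKIX accepts them and yields a revocation-checking X509TrustManager.
    static String tryInit(String algorithm, KeyStore trustStore) {
        try {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
            tmf.init(ocspParams(trustStore));
            return algorithm + ": OK, " + tmf.getTrustManagers().length + " trust manager(s)";
        } catch (InvalidAlgorithmParameterException e) {
            return algorithm + ": REJECTED - " + e.getMessage();
        } catch (Exception e) {
            return algorithm + ": error - " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the JDK's cacerts store stands in for the issue's ocsp-truststore.jks.
        Path storePath = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(storePath.toFile())) {
            trustStore.load(in, password);
        }
        System.out.println(tryInit("SunX509", trustStore)); // rejected: no ManagerFactoryParameters support
        System.out.println(tryInit("PKIX", trustStore));    // accepted with the very same truststore
    }
}
```

Because both factories consume the same unchanged KeyStore object, the run shows that only the algorithm selection differs between the failing and the working configuration; the truststore contents are not involved.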


