[jboss-jira] [JBoss JIRA] (WFWIP-162) IllegalStateException when TrustManager with SunX509 algorithm and with OCSP

Martin Mazanek (Jira) issues at jboss.org
Wed May 29 09:39:00 EDT 2019


    [ https://issues.jboss.org/browse/WFWIP-162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13740044#comment-13740044 ] 

Martin Mazanek commented on WFWIP-162:
--------------------------------------

Actually, this behavior is correct. Revocation requires a PKIX-compatible TrustManagerFactory, and SunX509 isn't one. It is mostly a backward-compatibility algorithm, and PKIX should be used instead. But I will add a better description for the exception, as this is obviously very confusing.

> IllegalStateException when TrustManager with SunX509 algorithm and with OCSP
> ----------------------------------------------------------------------------
>
>                 Key: WFWIP-162
>                 URL: https://issues.jboss.org/browse/WFWIP-162
>             Project: WildFly WIP
>          Issue Type: Bug
>          Components: Security
>         Environment: WildFly built with following branches in use:
> {code}
> https://github.com/nekdozjam/wildfly-elytron/tree/ELY-1617
> https://github.com/nekdozjam/wildfly-core/tree/WFCORE-3947
> {code}
>            Reporter: Jan Stourac
>            Assignee: Martin Mazanek
>            Priority: Major
>         Attachments: ocsp-truststore.jks
>
>
> I can see an error when I try to create 'trust-manager' with OCSP enabled and SunX509 algorithm specified. When I don't specify SunX509 algorithm, operation succeeds.
> Here are noticed error messages:
> {code}
> {
>     "outcome" => "failed",
>     "failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.trust-manager.tm" => "Failed to start service
>     Caused by: java.lang.IllegalStateException: ELY04026: Could not create trust manager [org.wildfly.security.ssl.X509RevocationTrustManager]
>     Caused by: java.security.InvalidAlgorithmParameterException: SunX509 TrustManagerFactory does not use ManagerFactoryParameters"}},
>     "rolled-back" => true
> }
> {code}
> In server.log, there is following text:
> {code}
> 17:14:48,560 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service org.wildfly.security.trust-manager.tm: org.jboss.msc.service.StartException in service org.wildfly.security.trust-manager.tm: Failed to start service
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1730)
> 	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558)
> 	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> 	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
> 	at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.IllegalStateException: ELY04026: Could not create trust manager [org.wildfly.security.ssl.X509RevocationTrustManager]
> 	at org.wildfly.security.ssl.X509RevocationTrustManager.<init>(X509RevocationTrustManager.java:108)
> 	at org.wildfly.security.ssl.X509RevocationTrustManager.<init>(X509RevocationTrustManager.java:56)
> 	at org.wildfly.security.ssl.X509RevocationTrustManager$Builder.build(X509RevocationTrustManager.java:293)
> 	at org.wildfly.extension.elytron.SSLDefinitions$2.lambda$createX509RevocationExtendedTrustManager$1(SSLDefinitions.java:732)
> 	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700)
> 	... 6 more
> Caused by: java.security.InvalidAlgorithmParameterException: SunX509 TrustManagerFactory does not use ManagerFactoryParameters
> 	at sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory.getInstance(TrustManagerFactoryImpl.java:257)
> 	at sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:90)
> 	at javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:273)
> 	at org.wildfly.security.ssl.X509RevocationTrustManager.<init>(X509RevocationTrustManager.java:98)
> 	... 12 more
> 17:14:48,562 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "elytron"),
>     ("trust-manager" => "tm")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.trust-manager.tm" => "Failed to start service
>     Caused by: java.lang.IllegalStateException: ELY04026: Could not create trust manager [org.wildfly.security.ssl.X509RevocationTrustManager]
>     Caused by: java.security.InvalidAlgorithmParameterException: SunX509 TrustManagerFactory does not use ManagerFactoryParameters"}}
> {code}
> I'm attaching the keystore file that I used for this. Password is 'weneedthatforjava'.
> Note that when I try 'certificate-revocation-list' instead or if I omit 'algorithm' attribute at all, the operation succeeds.



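As an added illustration of the point made in the comment above (example code written for this page, not code from WildFly Elytron or from the ticket): a PKIX TrustManagerFactory accepts CertPathTrustManagerParameters carrying a PKIXRevocationChecker, while a SunX509 factory rejects any ManagerFactoryParameters with the same InvalidAlgorithmParameterException message that appears in the server.log above. The trust anchor is a constructed placeholder built from a fresh key pair and a dummy DN, not a real CA; a real configuration would take its anchors from the configured truststore.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.util.Collections;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.x500.X500Principal;

public class RevocationTrustManagerDemo {

    // PKIX parameters with an OCSP-capable revocation checker attached.
    // The trust anchor is a constructed placeholder (fresh RSA key + dummy DN), not a real CA.
    static CertPathTrustManagerParameters ocspParameters() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        TrustAnchor anchor = new TrustAnchor(
                new X500Principal("CN=Constructed Demo CA"), kpg.generateKeyPair().getPublic(), null);
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(Collections.singleton(anchor), new X509CertSelector());
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        // Default order already prefers OCSP; NO_FALLBACK stops the checker from falling back to CRLs.
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(checker);
        return new CertPathTrustManagerParameters(params);
    }

    // true if the named TrustManagerFactory algorithm accepts ManagerFactoryParameters,
    // false if it rejects them (the SunX509 case from the ticket).
    static boolean acceptsRevocationParameters(String algorithm) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        try {
            tmf.init(ocspParameters());
            return true;
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println(algorithm + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("PKIX accepts revocation parameters: " + acceptsRevocationParameters("PKIX"));
        System.out.println("SunX509 accepts revocation parameters: " + acceptsRevocationParameters("SunX509"));
    }
}
```

Running it prints the "SunX509 TrustManagerFactory does not use ManagerFactoryParameters" message for SunX509 and true for PKIX, which is why a trust-manager with OCSP or CRL checking has to leave the algorithm at PKIX.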
--
This message was sent by Atlassian Jira
(v7.12.1#712002)

