[jboss-jira] [JBoss JIRA] (WFCORE-5064) Incorrect use of KeyManagerFactory.getDefaultAlgorithm instead of TrustManagerFactory

Ricardo Martin Camarero (Jira) issues at jboss.org
Mon Jul 27 06:19:00 EDT 2020


Ricardo Martin Camarero created WFCORE-5064:
-----------------------------------------------

             Summary: Incorrect use of KeyManagerFactory.getDefaultAlgorithm instead of TrustManagerFactory
                 Key: WFCORE-5064
                 URL: https://issues.redhat.com/browse/WFCORE-5064
             Project: WildFly Core
          Issue Type: Bug
          Components: Security
    Affects Versions: 13.0.0.Beta2
            Reporter: Ricardo Martin Camarero
            Assignee: Ricardo Martin Camarero


When configuring https using the old security-realm the trust-manager factory is selected using [the line|https://github.com/wildfly/wildfly-core/blob/12.0.3.Final/domain-management/src/main/java/org/jboss/as/domain/management/security/FileTrustManagerService.java#L111]:

{code:java}
            trustManagerFactory = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
{code}

This is incorrect and should use the TrustManagerFactory. Therefore, by default in OpenJDK we are using the {{SunX509}} factory instead of the default {{PKIX}} implementation. The default values for both factories are defined in the {{java.security}} file from the JDK:

{code:java}
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX
{code}

Using an exotic configuration can lead to an error if the KeyManagerFactory is configured to an algorithm that is not valid for the TrustManagerFactory (NewSunX509 for example).
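A stand-alone reproduction of the mismatch, added here as an example and not part of the issue text or of WildFly Core. The class name and the runtime override via {{Security.setProperty}} are my own choices; the override has the same effect as editing {{ssl.KeyManagerFactory.algorithm}} in {{java.security}}.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

public class TrustManagerFactoryDefaults {

    // Buggy selection (the pattern reported in WFCORE-5064):
    // asks the *key* manager side for its default algorithm.
    static TrustManagerFactory buggy() throws NoSuchAlgorithmException {
        return TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    }

    // Corrected selection: each factory type consults its own ssl.*.algorithm property.
    static TrustManagerFactory fixed() throws NoSuchAlgorithmException {
        return TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        // Stock OpenJDK: java.security sets SunX509 for key managers and PKIX for trust managers.
        System.out.println("KeyManagerFactory default   : " + KeyManagerFactory.getDefaultAlgorithm());
        System.out.println("TrustManagerFactory default : " + TrustManagerFactory.getDefaultAlgorithm());
        System.out.println("buggy() selects : " + buggy().getAlgorithm()); // SunX509 on stock OpenJDK
        System.out.println("fixed() selects : " + fixed().getAlgorithm()); // PKIX on stock OpenJDK

        // Reproduce the "exotic configuration" failure without editing java.security:
        // NewSunX509 exists only as a KeyManagerFactory algorithm in SunJSSE.
        Security.setProperty("ssl.KeyManagerFactory.algorithm", "NewSunX509");
        System.out.println("fixed() still selects : " + fixed().getAlgorithm());
        try {
            buggy();
            System.out.println("unexpected: buggy() succeeded");
        } catch (NoSuchAlgorithmException e) {
            // No TrustManagerFactory is registered under the name NewSunX509.
            System.out.println("buggy() failed as expected: " + e.getMessage());
        }
    }
}
```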
