[jboss-jira] [JBoss JIRA] (ELY-1982) TLS with BCJSSE Provider does not work

Diana Vilkolakova (Jira) issues at jboss.org
Fri Jun 5 10:08:02 EDT 2020 

     [ https://issues.redhat.com/browse/ELY-1982?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Diana Vilkolakova updated ELY-1982:
-----------------------------------
    Steps to Reproduce: 
* drop two bc fips jars into java.home/jre/lib/ext 
** bc-fips-1.0.2.jar 
** bctls-fips-1.0.10.jar
* configure providers in java.security:
{code}
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
{code}
* create BCFKS keystore in standalone/configuration:
keytool -genkeypair -alias appserver -keyalg RSA -keysize 2048 -keypass password -keystore "keystore.bcfks" -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.1.jar -storetype BCFKS -storepass password -dname "CN=testserver,OU=TESTOU,O=TESTO,L=TESTL,ST=TESTCZ,C=TESTCZ" -validity 730 -v
 * configure server-ssl-context:
{code}
/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir,type="BCFKS",credential-reference={clear-text=password})
/subsystem=elytron/key-manager=bcfks_keymanager:add(key-store=bcfks_keystore,credential-reference={clear-text=password},algorithm=X509)
/subsystem=elytron/server-ssl-context=server-ssl-context:add(key-manager=bcfks_keymanager,need-client-auth=false)
{code}

  was:
* drop two bc fips jars into java.home/jre/lib/ext 
** bc-fips-1.0.2.jar 
** bctls-fips-1.0.10.jar
* configure providers in java.security:
{code}
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
{code}
* create BCFKS keystore in standalone/configuration:
keytool -genkeypair -alias appserver -keyalg RSA -keysize 2048 -keypass password -keystore "keystore.bcfks" -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.1.jar -storetype BCFKS -storepass password -dname "CN=testserver,OU=TESTOU,O=TESTO,L=TESTL,ST=TESTCZ,C=TESTCZ" -validity 730 -v
 * configure server-ssl-context:
{code}
/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir,type="BCFKS",credential-reference={clear-text=password})
/subsystem=elytron/key-manager=bcfks_keymanager:add(key-store=bcfks_keystore,credential-reference={clear-text=password},algorithm=SunX509)
/subsystem=elytron/server-ssl-context=server-ssl-context:add(key-manager=bcfks_keymanager,need-client-auth=false)
{code}



> TLS with BCJSSE Provider does not work
> --------------------------------------
>
>                 Key: ELY-1982
>                 URL: https://issues.redhat.com/browse/ELY-1982
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Diana Vilkolakova
>            Priority: Major
>
> Configuration of `server-ssl-context` does not seem to work with BCJSSE Provider. The steps above work for EAP 7.2, however they throw the following error in EAP 7.3:
> ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "elytron"),
>     ("server-ssl-context" => "server-ssl-context")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.ssl-context.server-ssl-context" => "Failed to start service
>     Caused by: java.lang.IllegalStateException: SSLContext has not been initialized."}}
> Stacktrace:
> ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.security.ssl-context.server-ssl-context: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.server-ssl-context: Failed to start service
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1731)
> 	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
> 	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> 	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
> 	at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.IllegalStateException: SSLContext has not been initialized.
> 	at org.bouncycastle.jsse.provider.ProvSSLContextSpi.getContextData(Unknown Source)
> 	at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineGetServerSessionContext(Unknown Source)
> 	at javax.net.ssl.SSLContext.getServerSessionContext(SSLContext.java:386)
> 	at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:340)
> 	at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
> 	at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:1173)
> 	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
> 	... 6 more



--
This message was sent by Atlassian Jira
(v7.13.8#713008)

More information about the jboss-jira mailing list