There is something wrong with either your KeyStore or Password.

Do this.
In Java, create this class and execute it.
It uses only core Java classes, no Jetty involved.
Let's verify that your KeyStore can be loaded by the same version of Java as
you are running Jetty with.

package security;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.Enumeration;

public class LoadKeyStore
{
    public static void main(String[] args) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException
    {
        // Same type, password and path that Jetty is configured with
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        char[] password = "changeit".toCharArray();
        Path keyStorePath = Paths.get("/opt/shibboleth-idp/jetty.p12");
        // A wrong store password fails here with IOException "keystore password was incorrect"
        try (InputStream input = Files.newInputStream(keyStorePath))
        {
            keyStore.load(input, password);
        }
        System.out.println("KeyStore.size = " + keyStore.size());
        // Dump every certificate in the store
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements())
        {
            String alias = aliases.nextElement();
            Certificate cert = keyStore.getCertificate(alias);
            System.out.println("Certificate: " + cert);
        }
    }
}

Obviously change the password and keyStorePath to suit your needs.
If it works, then you likely have a proper KeyStore and password
combination.
If it doesn't work, then you have something wrong and have to address it
with the KeyStore file itself.
Also, pay attention to file permissions.

Joakim Erdfelt / joa...@webtide.com

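The two stack traces in this thread fail at different points: a wrong store password fails inside KeyStore.load() with an IOException, while a wrong key (manager) password passes load() and fails later inside the key manager with UnrecoverableKeyException from KeyStore.getKey(). The following class, an added example that is not Joakim's code and not part of Jetty, separates the two checks and also verifies file readability, so one run tells you which of jetty.sslContext.keyStorePassword, jetty.sslContext.keyManagerPassword or the file permissions is at fault. The default path and passwords are assumptions taken from this thread; pass your own as arguments.

```java
package security;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Usage: java security.CheckKeyStorePasswords [path] [storePassword] [keyPassword]
public class CheckKeyStorePasswords
{
    public static void main(String[] args) throws Exception
    {
        // Assumed defaults (from this thread); override via arguments
        Path keyStorePath = Paths.get(args.length > 0 ? args[0] : "/opt/shibboleth-idp/jetty.p12");
        char[] storePassword = (args.length > 1 ? args[1] : "changeit").toCharArray();
        char[] keyPassword = (args.length > 2 ? args[2] : "changeit").toCharArray();

        System.out.println("Java " + System.getProperty("java.version") + " as user " + System.getProperty("user.name"));

        // Check 1: the JVM user must be able to read the file at all
        if (!Files.isReadable(keyStorePath))
        {
            System.err.println("FAIL: cannot read " + keyStorePath + " (check that the file exists and its permissions)");
            System.exit(2);
        }

        // Check 2: the store password. PKCS12KeyStore.engineLoad reports a bad
        // store password as IOException "keystore password was incorrect".
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(keyStorePath))
        {
            keyStore.load(in, storePassword);
        }
        catch (IOException e)
        {
            System.err.println("FAIL: KeyStore.load() rejected the store password or file: " + e.getMessage());
            System.exit(1);
        }
        System.out.println("OK: loaded " + keyStorePath + " with " + keyStore.size() + " entries");

        // Check 3: the key password, which is what Jetty's keyManagerPassword is used for.
        // This is the call that SunX509KeyManagerImpl makes when the SslContextFactory starts.
        int recoverable = 0;
        for (String alias : Collections.list(keyStore.aliases()))
        {
            if (keyStore.isKeyEntry(alias))
            {
                try
                {
                    Key key = keyStore.getKey(alias, keyPassword);
                    recoverable++;
                    System.out.println("OK: key entry '" + alias + "' (" + key.getAlgorithm() + ") recovered with the key password");
                }
                catch (UnrecoverableKeyException e)
                {
                    System.err.println("FAIL: key entry '" + alias + "' does not accept the key password: " + e.getMessage());
                }
            }
            Certificate cert = keyStore.getCertificate(alias);
            if (cert instanceof X509Certificate)
            {
                X509Certificate x509 = (X509Certificate) cert;
                System.out.println("    cert for '" + alias + "': subject=" + x509.getSubjectX500Principal() + " notAfter=" + x509.getNotAfter());
            }
        }
        if (recoverable == 0)
        {
            System.err.println("FAIL: no private key could be recovered; an SSL connector needs at least one key entry");
            System.exit(3);
        }
    }
}
```

Run it with the same JDK that starts Jetty and as the same OS user, since a keystore that loads for root but is unreadable by the service account produces the same "cannot start" symptom as a wrong password.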

On Thu, Jun 29, 2023 at 12:40 PM Timo Brunn <t...@timo-brunn.de> wrote:

> I've just checked a couple more things.
>
> If I don't supply jetty.sslContext.keyManagerPassword or if the
> KeyManagerPassword and the key password do not match I get the following
> stacktrace.
> Which seems appropriate.
>
> Once the password actually matches I get thrown the keystore password was
> incorrect stacktrace as before.
>
> java.lang.reflect.InvocationTargetException
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>         at org.eclipse.jetty.start.Main.invokeMain(Main.java:229)
>         at org.eclipse.jetty.start.Main.start(Main.java:528)
>         at org.eclipse.jetty.start.Main.main(Main.java:76)
> Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
>         at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446)
>         at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
>         at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
>         at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
>         at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:76)
>         at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1167)
>         at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2289)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:342)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
>         at org.eclipse.jetty.server.Server.start(Server.java:470)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
>         at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:89)
>         at org.eclipse.jetty.server.Server.doStart(Server.java:415)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>         at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
>         ... 7 more
> Mit freundlichen Grüßen/Best Regards
> *Timo Brunn*
>
> Website: timo-brunn.de
>
> *Um ihre Echtheit zu bestätigen, wurde diese E-Mail digital signiert. To
> prove its authenticity, this E-Mail has been digitally signed.*
> On 29/06/2023 01:07, Timo Brunn wrote:
>
> So I just changed it to the following (quote from --list-config).
> Truststore config is removed.
>
>  jetty.sslContext.keyManagerPassword = changeit
>  jetty.sslContext.keyStorePassword = changeit
>  jetty.sslContext.keyStorePath = /opt/shibboleth-idp/jetty.p12
>  jetty.sslContext.keyStoreType = PKCS12
>
>
> But it sadly still throws the same stacktrace:
>
> Exception in thread "main" java.io.IOException: keystore password was incorrect
>         at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
>         at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
>         at java.base/java.security.KeyStore.load(KeyStore.java:1473)
>         at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1121)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:291)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
>         at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:112)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
>         at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:367)
>         at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:75)
>         at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:228)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>         at org.eclipse.jetty.server.Server.doStart(Server.java:428)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>         at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
> Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
>         ... 21 more
> Mit freundlichen Grüßen/Best Regards
> *Timo Brunn*
>
> Website: timo-brunn.de
>
> *Um ihre Echtheit zu bestätigen, wurde diese E-Mail digital signiert. To
> prove its authenticity, this E-Mail has been digitally signed.*
> On 29/06/2023 00:55, Joakim Erdfelt wrote:
>
> Also, eliminate the trustStore configurations (temporarily).
>
> Joakim Erdfelt / joa...@webtide.com
>
>
> On Wed, Jun 28, 2023 at 5:55 PM Joakim Erdfelt <joa...@webtide.com> wrote:
>
>> Inline ...
>>
>> On Wed, Jun 28, 2023 at 4:15 PM Timo Brunn <t...@timo-brunn.de> wrote:
>>
>>> I just checked.
>>>
>>> Running --debug gave me 23 command line entries with one being a
>>> temporary "start_XXX.properties" file.
>>> I checked that file while the JVM was running and it does contain the
>>> correct password/settings.
>>>
>>> Running --list-config showed the following system properties:
>>>
>>> System Properties:
>>> ------------------
>>>  java.io.tmpdir = tmp (/opt/shibboleth-idp/start.d/start.ini)
>>>  java.security.egd = file:/dev/urandom
>>> (/opt/shibboleth-idp/start.d/start.ini)
>>>
>>> Disabling those obviously removed the need for jetty to fork the JVM.
>>> --list-config also showed the correct keystore configuration with no
>>> extra whitespace or similar.
>>>
>>>  jetty.sslContext.keyManagerPassword = changeit
>>>  jetty.sslContext.keyStorePassword = changeit
>>>  jetty.sslContext.keyStorePath = jetty.p12
>>>  jetty.sslContext.keyStoreType = PKCS12
>>>  jetty.sslContext.trustStorePassword = changeit
>>>  jetty.sslContext.trustStorePath = jetty.p12
>>>  jetty.sslContext.trustStoreType = PKCS12
>>>
>>
>> Make your values for `jetty.sslContext.keyStorePath` and
>> `jetty.sslContext.trustStorePath` absolute path references and try again.
>>
>> - Joakim
>>
>> _______________________________________________
> jetty-users mailing list
> jetty-users@eclipse.org
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
>