[ https://issues.apache.org/jira/browse/QPID-7264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lorenz Quack resolved QPID-7264.
--------------------------------
Resolution: Fixed

changes look good to me

> Model attributes that are derived and secure (such as AutoGeneratedSelfSignedKeyStore) do not get stored encrypted causing Broker to fail on restart
> ----------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: QPID-7264
> URL: https://issues.apache.org/jira/browse/QPID-7264
> Project: Qpid
> Issue Type: Bug
> Components: Java Broker
> Affects Versions: qpid-java-6.0, qpid-java-6.0.1, qpid-java-6.0.2
> Reporter: Keith Wall
> Assignee: Lorenz Quack
> Priority: Minor
>
> Model Attributes that are derived/secure do not get encrypted by the configuration encryptor. If you add an {{AutoGeneratedSelfSignedCert}} then turn on encryption, the Broker continues to work until it is restarted, at which point it fails as it tries to read the secure value (which was stored without encryption) as if it were AES ciphered data.
> The only feature that currently has such an attribute is AutoGeneratedSelfSignedCert. This problem means that AutoGeneratedSelfSignedCert cannot be used at all if configuration encryption is also in use.
> The workaround is to create the self-signed keystore externally (keytool/openssl etc.), and import it into Qpid as a Java or Non-Java Keystore.
> {noformat} > 12:12:27.170 [main] INFO qpid.message.keystore.create - [Broker] KST-1001 : > Create "myks" > 12:12:27.595 [main] ERROR org.apache.qpid.server.Broker - Exception during > startup > java.lang.IllegalArgumentException: Unable to encrypt secret > at > org.apache.qpid.server.security.encryption.AESKeyFileEncrypter.decrypt(AESKeyFileEncrypter.java:106) > ~[classes/:na] > at > org.apache.qpid.server.model.AbstractConfiguredObject.decryptSecrets(AbstractConfiguredObject.java:2788) > ~[classes/:na] > at > org.apache.qpid.server.store.GenericRecoverer.resolveObjects(GenericRecoverer.java:187) > ~[classes/:na] > at > org.apache.qpid.server.store.GenericRecoverer.performRecover(GenericRecoverer.java:91) > ~[classes/:na] > at > org.apache.qpid.server.store.GenericRecoverer.access$000(GenericRecoverer.java:41) > ~[classes/:na] > at > org.apache.qpid.server.store.GenericRecoverer$1.execute(GenericRecoverer.java:59) > ~[classes/:na] > at > org.apache.qpid.server.store.GenericRecoverer$1.execute(GenericRecoverer.java:55) > ~[classes/:na] > at > org.apache.qpid.server.configuration.updater.TaskExecutorImpl$TaskLoggingWrapper.execute(TaskExecutorImpl.java:270) > ~[classes/:na] > at > org.apache.qpid.server.configuration.updater.TaskExecutorImpl.submitWrappedTask(TaskExecutorImpl.java:154) > ~[classes/:na] > at > org.apache.qpid.server.configuration.updater.TaskExecutorImpl.run(TaskExecutorImpl.java:182) > ~[classes/:na] > at > org.apache.qpid.server.store.GenericRecoverer.recover(GenericRecoverer.java:54) > ~[classes/:na] > at > org.apache.qpid.server.store.BrokerStoreUpgraderAndRecoverer.perform(BrokerStoreUpgraderAndRecoverer.java:846) > ~[classes/:na] > at > org.apache.qpid.server.model.AbstractSystemConfig.activate(AbstractSystemConfig.java:232) > ~[classes/:na] > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > ~[na:1.8.0_66] > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > ~[na:1.8.0_66] > at > 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > ~[na:1.8.0_66] > at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_66] > at > org.apache.qpid.server.model.AbstractConfiguredObject.attainState(AbstractConfiguredObject.java:1309) > ~[classes/:na] > at > org.apache.qpid.server.model.AbstractConfiguredObject.attainState(AbstractConfiguredObject.java:1288) > ~[classes/:na] > at > org.apache.qpid.server.model.AbstractConfiguredObject$8.onSuccess(AbstractConfiguredObject.java:909) > ~[classes/:na] > at > org.apache.qpid.server.model.AbstractConfiguredObject$8.onSuccess(AbstractConfiguredObject.java:903) > ~[classes/:na] > at com.google.common.util.concurrent.Futures$6.run(Futures.java:1319) > ~[guava-18.0.jar:na] > at > com.google.common.util.concurrent.MoreExecutors$DirectExecutor.execute(MoreExecutors.java:457) > ~[guava-18.0.jar:na] > at > com.google.common.util.concurrent.ExecutionList.executeListener(ExecutionList.java:156) > ~[guava-18.0.jar:na] > at > com.google.common.util.concurrent.ExecutionList.add(ExecutionList.java:101) > ~[guava-18.0.jar:na] > at > com.google.common.util.concurrent.AbstractFuture.addListener(AbstractFuture.java:170) > ~[guava-18.0.jar:na] > at > com.google.common.util.concurrent.Futures.addCallback(Futures.java:1322) > ~[guava-18.0.jar:na] > at > com.google.common.util.concurrent.Futures.addCallback(Futures.java:1258) > ~[guava-18.0.jar:na] > at > org.apache.qpid.server.model.AbstractConfiguredObject.doAttainState(AbstractConfiguredObject.java:902) > ~[classes/:na] > at > org.apache.qpid.server.model.AbstractConfiguredObject.access$300(AbstractConfiguredObject.java:81) > ~[classes/:na] > at > org.apache.qpid.server.model.AbstractConfiguredObject$1.execute(AbstractConfiguredObject.java:514) > ~[classes/:na] > at > org.apache.qpid.server.model.AbstractConfiguredObject$1.execute(AbstractConfiguredObject.java:501) > ~[classes/:na] > at > 
org.apache.qpid.server.model.AbstractConfiguredObject$2.execute(AbstractConfiguredObject.java:562) > ~[classes/:na] > at > org.apache.qpid.server.model.AbstractConfiguredObject$2.execute(AbstractConfiguredObject.java:555) > ~[classes/:na] > at > org.apache.qpid.server.configuration.updater.TaskExecutorImpl$TaskLoggingWrapper.execute(TaskExecutorImpl.java:270) > ~[classes/:na] > at > org.apache.qpid.server.configuration.updater.TaskExecutorImpl$CallableWrapper$1.run(TaskExecutorImpl.java:342) > ~[classes/:na] > at java.security.AccessController.doPrivileged(Native Method) > ~[na:1.8.0_66] > at javax.security.auth.Subject.doAs(Subject.java:360) ~[na:1.8.0_66] > at > org.apache.qpid.server.configuration.updater.TaskExecutorImpl$CallableWrapper.call(TaskExecutorImpl.java:335) > ~[classes/:na] > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > ~[na:1.8.0_66] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > ~[na:1.8.0_66] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > ~[na:1.8.0_66] > at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_66] > Caused by: java.io.IOException: javax.crypto.IllegalBlockSizeException: Input > length must be multiple of 16 when decrypting with padded cipher > at > javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:121) > ~[na:1.8.0_60] > at javax.crypto.CipherInputStream.read(CipherInputStream.java:239) > ~[na:1.8.0_60] > at > org.apache.qpid.server.security.encryption.AESKeyFileEncrypter.readFromCipherStream(AESKeyFileEncrypter.java:132) > ~[classes/:na] > at > org.apache.qpid.server.security.encryption.AESKeyFileEncrypter.decrypt(AESKeyFileEncrypter.java:99) > ~[classes/:na] > ... 
42 common frames omitted > Caused by: javax.crypto.IllegalBlockSizeException: Input length must be > multiple of 16 when decrypting with padded cipher > at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:913) > ~[sunjce_provider.jar:1.8.0_60] > at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:824) > ~[sunjce_provider.jar:1.8.0_60] > at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:436) > ~[sunjce_provider.jar:1.8.0_60] > at javax.crypto.Cipher.doFinal(Cipher.java:2048) ~[na:1.8.0_60] > at > javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:118) > ~[na:1.8.0_60] > ... 45 common frames omitted > {noformat}