Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/776
  
    @markap14 Everything built successfully, but I ran into an issue when I created a keystore with a different key and keystore password and attempted to use it in an `SSLContextService`. I'll explain the steps to recreate below:
    
    I added an `InvokeHTTP` processor to the canvas and added a new 
`SSLContextService` to the processor. 
    
    I then created a new keystore with a private key entry that has a different password than the keystore using the command below:
    
    ```
    hw12203:/Users/alopresto/Workspace/certificates (master) alopresto
    🔓 581487s @ 09:38:33 $ keytool -genkeypair -alias diffpass -keyalg RSA -keysize 2048 -keypass thisIsABadKeyPassword -validity 365 -storetype JKS -keystore diffpass.keystore -storepass thisIsABadKeystorePassword -v
    What is your first and last name?
      [Unknown]:  localhost
    What is the name of your organizational unit?
      [Unknown]:  Apache NiFi
    What is the name of your organization?
      [Unknown]:  Apache
    What is the name of your City or Locality?
      [Unknown]:  Santa Monica
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US correct?
      [no]:  yes
    
    Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 365 days
        for: CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US
    [Storing diffpass.keystore]
    hw12203:/Users/alopresto/Workspace/certificates (master) alopresto
    🔓 146s @ 09:41:01 $ keytool -list -keystore diffpass.keystore -v -storepass thisIsABadKeystorePassword
    
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    Alias name: diffpass
    Creation date: Aug 3, 2016
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US
    Issuer: CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US
    Serial number: 5d3ed7f7
    Valid from: Wed Aug 03 09:40:59 PDT 2016 until: Thu Aug 03 09:40:59 PDT 2017
    Certificate fingerprints:
         MD5:  63:EF:7B:A7:E4:24:E7:20:FA:DB:45:25:67:5E:CA:B4
         SHA1: 65:6C:71:CB:5D:B9:3E:BF:1D:19:0C:86:73:4E:F6:8D:6F:BD:82:21
         SHA256: AA:A2:FA:DA:85:27:B8:91:C2:CF:8D:77:DE:19:39:D6:46:D7:63:3E:6C:68:29:CA:AF:14:90:1C:3F:9E:09:9B
         Signature algorithm name: SHA256withRSA
         Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 28 02 D3 94 60 4A 1B F5   FD A6 EF 5C EB 2A 4B 03  (...`J.....\.*K.
    0010: 48 E5 F3 2A                                        H..*
    ]
    ]
    
    
    
    *******************************************
    *******************************************
    
    
    hw12203:/Users/alopresto/Workspace/certificates (master) alopresto
    🔓 339s @ 09:48:48 $ 
    ```
    
    You can see that the keystore password is *thisIsABadKeystorePassword* while the key password is *thisIsABadKeyPassword*. I verified this by attempting to change the key password. If it is correct, it will change successfully with no output and return status code 0. If it is incorrect, it will return an `UnrecoverableKeyException`. In this case, the first attempt to change the password works, the next attempt fails because it is not using the new password, and the third attempt (changing back to the original) works when provided with the new password.
    
    ```
    hw12203:/Users/alopresto/Workspace/certificates (master) alopresto
    🔓 339s @ 09:48:48 $ keytool -keypasswd -new newBadKeyPassword -keystore diffpass.keystore -storepass thisIsABadKeystorePassword -alias diffpass -keypass thisIsABadKeyPassword
    hw12203:/Users/alopresto/Workspace/certificates (master) alopresto
    🔓 81s @ 09:50:10 $ keytool -keypasswd -new newBadKeyPassword -keystore diffpass.keystore -storepass thisIsABadKeystorePassword -alias diffpass -keypass thisIsABadKeyPassword
    keytool error: java.security.UnrecoverableKeyException: Cannot recover key
    hw12203:/Users/alopresto/Workspace/certificates (master) alopresto
    🔓 12s @ 09:50:23 $ keytool -keypasswd -new thisIsABadKeyPassword -keystore diffpass.keystore -storepass thisIsABadKeystorePassword -alias diffpass -keypass newBadKeyPassword
    hw12203:/Users/alopresto/Workspace/certificates (master) alopresto
    🔓 22s @ 09:50:46 $
    ```
    
    The `SSLContextService` is throwing an `UnrecoverableKeyException` when attempting to validate the service properties, so somewhere it is attempting to use the incorrect password to access the key.
    
    ![screen shot 2016-08-03 at 9 52 04 am](https://cloud.githubusercontent.com/assets/798465/17374299/cb2ad13c-5960-11e6-8dbe-fdf149203f6b.png)
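As an added check (example code written for this page, not part of the NiFi project and not from the comment above), the following Java program reproduces the failure outside NiFi: it loads the keystore created in the session above, tries to recover the `diffpass` private key first with the keystore password and then with the key password, and finally initializes a `KeyManagerFactory` with the key password, which is the value any `SSLContextService`-style component must hand to the JCE when the two passwords differ. It assumes `diffpass.keystore` sits in the working directory and reuses the test-only passwords from the session; the class name and helper methods are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class KeyPasswordCheck {

    /** Loads a keystore of the given type; the store password only unlocks the container. */
    static KeyStore load(String path, String type, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /**
     * Attempts to recover the private key under alias with the supplied password.
     * Returns false when the JCE reports UnrecoverableKeyException, i.e. the
     * password is not the key password (the same error keytool printed above).
     */
    static boolean canRecoverKey(KeyStore ks, String alias, char[] password) throws Exception {
        try {
            return ks.getKey(alias, password) != null;
        } catch (UnrecoverableKeyException e) {
            return false;
        }
    }

    /** Builds an SSLContext from the keystore using an explicit key password. */
    static SSLContext buildContext(KeyStore ks, char[] keyPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Passing the keystore password here instead of keyPass is exactly the mistake
        // that surfaces as UnrecoverableKeyException during validation.
        kmf.init(ks, keyPass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: the keystore from the keytool session above, in the working directory.
        String path = "diffpass.keystore";
        String alias = "diffpass";
        char[] storePass = "thisIsABadKeystorePassword".toCharArray();
        char[] keyPass = "thisIsABadKeyPassword".toCharArray();

        KeyStore ks = load(path, "JKS", storePass);

        System.out.println("recover key with keystore password: " + canRecoverKey(ks, alias, storePass));
        System.out.println("recover key with key password:      " + canRecoverKey(ks, alias, keyPass));

        SSLContext ctx = buildContext(ks, keyPass);
        System.out.println("SSLContext initialized with protocol " + ctx.getProtocol());
    }
}
```

Run it with `javac KeyPasswordCheck.java && java KeyPasswordCheck` from the directory holding the keystore. The two `canRecoverKey` lines make the distinction visible: the store password opens the file but does not unlock the entry, so a service that has separate keystore and key password properties must pass the key password, not the keystore password, to `KeyManagerFactory.init`. Swapping `keyPass` for `storePass` in `buildContext` reproduces the exception the service reports.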
     

