[ https://issues.apache.org/jira/browse/NIFI-11086?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anders updated NIFI-11086:
--------------------------
    Description: 
After upgrading NiFi Registry from 1.17.0 to 1.19.1, it stopped working with 
the following logged stacktrace:

{code:title=nifi-registry-app.log}
2023-01-20 09:09:50,530 WARN [main] o.apache.nifi.registry.jetty.JettyServer Failed to start web server... shutting down.
org.apache.nifi.security.ssl.BuilderConfigurationException: Key Manager initialization failed
        at org.apache.nifi.security.ssl.StandardSslContextBuilder.getKeyManagers(StandardSslContextBuilder.java:120)
        at org.apache.nifi.security.ssl.StandardSslContextBuilder.build(StandardSslContextBuilder.java:55)
        at org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.buildSslContext(ApplicationServerConnectorFactory.java:147)
        at org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.<init>(ApplicationServerConnectorFactory.java:74)
        at org.apache.nifi.registry.jetty.JettyServer.configureConnectors(JettyServer.java:150)
        at org.apache.nifi.registry.jetty.JettyServer.<init>(JettyServer.java:101)
        at org.apache.nifi.registry.NiFiRegistry.<init>(NiFiRegistry.java:114)
        at org.apache.nifi.registry.NiFiRegistry.main(NiFiRegistry.java:168)
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446)
        at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
        at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
        at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
        at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
        at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
        at org.apache.nifi.security.ssl.StandardSslContextBuilder.getKeyManagers(StandardSslContextBuilder.java:118)
        ... 7 common frames omitted
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
        at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
        at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
        at java.base/com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:408)
        at java.base/com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:440)
        at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:387)
        at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:283)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:381)
        ... 13 common frames omitted
{code}

The problem is that we had an empty value for nifi.registry.security.keyPasswd 
in nifi-registry.properties:
{code:title=nifi-registry.properties}
nifi.registry.security.keystore=./ssl/foo1.p12
nifi.registry.security.keystoreType=PKCS12
nifi.registry.security.keystorePasswd=foobar
nifi.registry.security.keyPasswd=
{code}

Adding nifi.registry.security.keyPasswd (same as keystorePasswd), the 
application starts:
{code:title=nifi-registry.properties}
nifi.registry.security.keystore=./ssl/foo1.p12
nifi.registry.security.keystoreType=PKCS12
nifi.registry.security.keystorePasswd=foobar
nifi.registry.security.keyPasswd=foobar
{code}

See link to Slack thread below.

NiFi itself has no problem with _nifi.registry.security.keyPasswd_ being empty, 
so there is a difference in behavior between the two applications.

  was:
After upgrading NiFi Registry from 1.17.0 to 1.19.1, it stopped working with 
the following logged stacktrace:

{code:title=nifi-registry-app.log}
2023-01-20 09:09:50,530 WARN [main] o.apache.nifi.registry.jetty.JettyServer Failed to start web server... shutting down.
org.apache.nifi.security.ssl.BuilderConfigurationException: Key Manager initialization failed
        at org.apache.nifi.security.ssl.StandardSslContextBuilder.getKeyManagers(StandardSslContextBuilder.java:120)
        at org.apache.nifi.security.ssl.StandardSslContextBuilder.build(StandardSslContextBuilder.java:55)
        at org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.buildSslContext(ApplicationServerConnectorFactory.java:147)
        at org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.<init>(ApplicationServerConnectorFactory.java:74)
        at org.apache.nifi.registry.jetty.JettyServer.configureConnectors(JettyServer.java:150)
        at org.apache.nifi.registry.jetty.JettyServer.<init>(JettyServer.java:101)
        at org.apache.nifi.registry.NiFiRegistry.<init>(NiFiRegistry.java:114)
        at org.apache.nifi.registry.NiFiRegistry.main(NiFiRegistry.java:168)
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446)
        at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
        at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
        at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
        at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
        at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
        at org.apache.nifi.security.ssl.StandardSslContextBuilder.getKeyManagers(StandardSslContextBuilder.java:118)
        ... 7 common frames omitted
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
        at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
        at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
        at java.base/com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:408)
        at java.base/com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:440)
        at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:387)
        at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:283)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:381)
        ... 13 common frames omitted
{code}

The problem is that we had an empty value for nifi.registry.security.keyPasswd 
in nifi-registry.properties:
{code:title=nifi-registry.properties}
nifi.registry.security.keystore=./ssl/foo1.p12
nifi.registry.security.keystoreType=PKCS12
nifi.registry.security.keystorePasswd=foobar
nifi.registry.security.keyPasswd=
{code}

Adding nifi.registry.security.keyPasswd (same as keystorePasswd), the 
application starts:
{code:title=nifi-registry.properties}
nifi.registry.security.keystore=./ssl/foo1.p12
nifi.registry.security.keystoreType=PKCS12
nifi.registry.security.keystorePasswd=foobar
nifi.registry.security.keyPasswd=foobar
{code}


> NiFi Registry keystore passwd change
> ------------------------------------
>
>                 Key: NIFI-11086
>                 URL: https://issues.apache.org/jira/browse/NIFI-11086
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: NiFi Registry
>    Affects Versions: 1.19.1
>            Reporter: Anders
>            Priority: Minor



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
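
A preflight check for the failure reported in this issue, added here as an example; it is not code from the report or from NiFi Registry. It shows `KeyStore.getKey` rejecting an empty key password on a PKCS12 store and succeeding once the blank value falls back to the keystore password. Assumptions: the class name `KeyPasswdPreflight`, the fallback rule itself, and the constructed in-memory keystore, in which an AES key stands in for the TLS private key.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;
import java.util.Properties;
import javax.crypto.KeyGenerator;

public class KeyPasswdPreflight {
    // Assumed rule for this example: a blank key password falls back to the keystore password.
    static char[] effectiveKeyPassword(Properties p) {
        String keyPw = p.getProperty("nifi.registry.security.keyPasswd", "");
        String storePw = p.getProperty("nifi.registry.security.keystorePasswd", "");
        return (keyPw.trim().isEmpty() ? storePw : keyPw).toCharArray();
    }

    // True when every key entry can be recovered with keyPw, as KeyManagerFactory.init requires.
    static boolean keysRecoverable(KeyStore ks, char[] keyPw) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            try {
                ks.getKey(alias, keyPw);
            } catch (UnrecoverableKeyException e) {
                System.out.println("  " + alias + ": " + e.getMessage());
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        char[] storePw = "foobar".toCharArray();
        // Constructed sample: in-memory PKCS12 store; an AES key stands in for the TLS private key.
        KeyStore out = KeyStore.getInstance("PKCS12");
        out.load(null, null);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        out.setEntry("sample", new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(storePw));
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        out.store(buf, storePw);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(buf.toByteArray()), storePw);
        Properties props = new Properties(); // the failing settings from the report
        props.setProperty("nifi.registry.security.keystorePasswd", "foobar");
        props.setProperty("nifi.registry.security.keyPasswd", "");
        System.out.println("empty keyPasswd as-is: " + keysRecoverable(ks, new char[0]));
        System.out.println("with fallback: " + keysRecoverable(ks, effectiveKeyPassword(props)));
    }
}
```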
