Check the "Signature algorithm" for your certificates and ensure that they
are still valid for your JVM.
(e.g., on recent Java 8 JVMs, DES and SHA1 are no longer supported, along
with a long list of other restrictions based on hash size, key size, bit
length, etc.)

Also, try with Java 11 (I can see from your stacktrace that you seem to be
using Java 8 still)

Joakim Erdfelt / joa...@webtide.com


On Thu, Aug 19, 2021 at 10:07 AM Joakim Erdfelt <joa...@webtide.com> wrote:

> Something is likely wrong with your keystore itself, as it happens
> during PKCS12KeyStore.engineGetKey.
>
> Try using the command line keytool to dump the various keys (public and
> private), see which one it fails on.
>
> You could also use a tool like Java KeyStore Explorer (a nice UI for
> keystores) - https://keystore-explorer.org/
>
> Joakim Erdfelt / joa...@webtide.com
>
>
> On Thu, Aug 19, 2021 at 9:25 AM Daniel Wilkins <daniel.wilk...@genesys.com>
> wrote:
>
>> Hi, I’ve been trying to track down a failure in using a TLS key on top of
>> Jetty. I had weird behavior on the app above so I downloaded standalone
>> jetty and tried it. This config seems to be minimal enough for me to see
>> what’s happening:
>>
>> --module=https
>> jetty.https.port=8443
>> jetty.secure.port=8443
>> jetty.keystore=etc/keystore
>> jetty.keystore.password=[secret value]
>> jetty.keystore.format=jks
>>
>> Everything else is the default settings in the start.ini file. I
>> initially tried using a truststore as well but it doesn’t get that far when
>> it fails to load the keystore. The key itself is just a password-protected
>> 2048 bit rsa key. I also tried converting the key to the pkcs12 format and
>> jetty started saying that the password was wrong, but that was just an
>> aside; I’m more than happy to get it to work with JKS.
>>
>> When I try to run it on the latest jetty 9.43 I get a trail of exceptions
>> which bottom out at this:
>> Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
>> at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
>> at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
>> at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
>> at com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:405)
>> at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:437)
>> at javax.crypto.Cipher.doFinal(Cipher.java:2168)
>> at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:371)
>> ... 33 more
>>
>> The error message hints at this being caused by a bad key, but I’m able
>> to view/manipulate the key in key tool as well as Keystore Explorer. This
>> key is also used without any problems in other services of ours which don’t
>> use Jetty.
>>
>> Does anyone have a clue what might be going on here? I know that the
>> errors don’t appear to come from jetty itself, but I feel like it has to be
>> involved somewhere considering how keytools, keystore explorer, and other
>> java services seem to be able to load it.
>>
>> Thanks.
>> _______________________________________________
>> jetty-users mailing list
>> jetty-users@eclipse.org
>> To unsubscribe from this list, visit
>> https://www.eclipse.org/mailman/listinfo/jetty-users
>>
>
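
The per-entry check suggested in the replies, as an added example that is not part of the original thread or of Jetty: a small Java program (the class name `KeyStoreProbe` and its arguments are hypothetical) that loads the keystore through the same `KeyStore` API seen in the stack trace, calls `getKey` on each key entry, and prints each certificate's signature algorithm and key size. It assumes an interactive terminal and should be run with the same JVM that runs Jetty.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;

// Added example (hypothetical class): probes every entry of a keystore.
public class KeyStoreProbe {
    public static void main(String[] args) throws Exception {
        Console con = System.console();
        if (args.length < 2 || con == null) {
            System.err.println("usage (interactive): java KeyStoreProbe <keystore> <jks|pkcs12>");
            System.exit(2);
        }
        // Prompt for passwords so they do not show up in the process list.
        char[] storePass = con.readPassword("Store password: ");
        char[] keyPass = con.readPassword("Key password (Enter = same as store): ");
        if (keyPass.length == 0) keyPass = storePass;

        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass); // store password only; keys are decrypted in getKey()
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                try {
                    Key k = ks.getKey(alias, keyPass); // the call that fails in the trace
                    System.out.printf("%s: key OK (%s)%n", alias, k.getAlgorithm());
                } catch (Exception e) {
                    Throwable root = e;
                    while (root.getCause() != null) root = root.getCause();
                    System.out.printf("%s: key FAILED: %s (root cause: %s)%n", alias, e, root);
                }
            }
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                String size = (x.getPublicKey() instanceof RSAPublicKey)
                    ? ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength() + "-bit RSA"
                    : x.getPublicKey().getAlgorithm();
                System.out.printf("%s: cert sigAlg=%s, key=%s, notAfter=%s%n",
                    alias, x.getSigAlgName(), size, x.getNotAfter());
            }
        }
    }
}
```

Running it once with the key password left blank and once with a separately entered key password shows whether a failing alias depends on the key password differing from the store password.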