Can you share the mod + XML files that Shibboleth uses?
Is it this one?
https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/2936012848/Jetty10#Supporting-SOAP-Endpoints

Perhaps we can make this error more clear/meaningful?
Like pointing out the paths of the KeyStore that failed to load as WARN-level
logging?

Joakim Erdfelt / joa...@webtide.com


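As an added example (not code from this thread, from Jetty or from Shibboleth), here is the check suggested above done outside Jetty: it walks every PKCS12 file a deployment references and reports, per path, whether it is the store password (the "keystore password was incorrect" trace) or the key password (the "Get Key failed" trace) that fails. That per-path distinction is what was missing when a second module's keystore turned out to be the one with the wrong password. The idp-backchannel path and all passwords are placeholders; take the real values from --list-config.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

/** Core-Java-only audit of every PKCS12 a Jetty instance is configured with; no Jetty classes. */
public class KeyStoreAudit
{
    /** One keystore as Jetty sees it: file, store password, key (manager) password. */
    static final class Entry
    {
        final Path path;
        final char[] storePassword;
        final char[] keyPassword;

        Entry(String path, String storePassword, String keyPassword)
        {
            this.path = Paths.get(path);
            this.storePassword = storePassword.toCharArray();
            this.keyPassword = keyPassword.toCharArray();
        }
    }

    public static void main(String[] args)
    {
        // Constructed sample configuration: the connector keystore from the thread plus a
        // second store standing in for the one the idp-backchannel module loads for SOAP.
        // The backchannel path and every password here are hypothetical placeholders.
        Map<String, Entry> stores = new LinkedHashMap<>();
        stores.put("ssl module (jetty.sslContext.keyStorePath)",
            new Entry("/opt/shibboleth-idp/jetty.p12", "changeit", "changeit"));
        stores.put("idp-backchannel module (hypothetical path)",
            new Entry("/opt/shibboleth-idp/credentials/idp-backchannel.p12", "changeit", "changeit"));

        boolean allOk = true;
        for (Map.Entry<String, Entry> e : stores.entrySet())
            allOk &= check(e.getKey(), e.getValue());
        System.exit(allOk ? 0 : 1);
    }

    /** Returns true only if the store opens and every private key entry in it decrypts. */
    static boolean check(String label, Entry entry)
    {
        Path path = entry.path;
        // Step 1: permissions. A file the Jetty user cannot read is reported as such,
        // not as a password problem.
        if (!Files.isReadable(path))
        {
            warn(label, path, "file missing or not readable by user " + System.getProperty("user.name"));
            return false;
        }
        // Step 2: store password (jetty.sslContext.keyStorePassword). A wrong one surfaces as
        // IOException("keystore password was incorrect") caused by UnrecoverableKeyException.
        KeyStore ks;
        try (InputStream in = Files.newInputStream(path))
        {
            ks = KeyStore.getInstance("PKCS12");
            ks.load(in, entry.storePassword);
        }
        catch (IOException ex)
        {
            warn(label, path, ex.getCause() instanceof UnrecoverableKeyException
                ? "store password is wrong" : "cannot read store: " + ex.getMessage());
            return false;
        }
        catch (GeneralSecurityException ex)
        {
            warn(label, path, "store cannot be parsed: " + ex);
            return false;
        }
        // Step 3: key password (jetty.sslContext.keyManagerPassword). This is the check the
        // KeyManagerFactory performs; a mismatch is the "Get Key failed" UnrecoverableKeyException.
        boolean ok = true;
        try
        {
            Enumeration<String> aliases = ks.aliases();
            while (aliases.hasMoreElements())
            {
                String alias = aliases.nextElement();
                if (!ks.isKeyEntry(alias))
                    continue;
                try
                {
                    Key key = ks.getKey(alias, entry.keyPassword);
                    System.out.printf("INFO  [%s] %s: key entry '%s' (%s) decrypts%n",
                        label, path, alias, key.getAlgorithm());
                }
                catch (UnrecoverableKeyException ex)
                {
                    warn(label, path, "key password is wrong for alias '" + alias + "'");
                    ok = false;
                }
            }
        }
        catch (GeneralSecurityException ex)
        {
            warn(label, path, "cannot enumerate entries: " + ex);
            return false;
        }
        return ok;
    }

    /** The WARN-level message suggested above: the failing path is always named. */
    static void warn(String label, Path path, String why)
    {
        System.out.printf("WARN  [%s] keystore %s: %s%n", label, path, why);
    }
}
```

Run it as the same user and JVM Jetty uses (`java KeyStoreAudit.java`), so that file permissions and the PKCS12 implementation match what the server sees; a non-zero exit means at least one configured store failed, and the WARN line says which path and which of the two passwords.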
On Thu, Jun 29, 2023 at 3:26 PM Timo Brunn <t...@timo-brunn.de> wrote:

> Hi,
>
> I just found the problem.
>
> While taking apart the whole servlet I found the following:
>
> One of Shibboleth's mod files was loading another PKCS12 (idp-backchannel
> for SOAP support).
> And the password for that one was not set correctly.
>
> So the error message was correct the whole time.
>
> Thanks for all the help, and Joakim, if I can get you a coffee or something
> let me know :)
> Best Regards
> *Timo Brunn*
>
> Website: timo-brunn.de
>
> *To prove its authenticity, this e-mail has been digitally signed.*
> On 29/06/2023 20:36, Timo Brunn wrote:
>
> Thanks for your quick responses!
>
> I just ran the code you provided and it does print the keystore contents.
> Since the code was already correct for the self-signed keystore, I didn't
> change anything.
> The file permissions are pretty open right now with rw-rw-r-- with the p12
> file owner being the jetty user.
>
> administrator@ffm-idp-01:~/test$ java LoadKeyStore.java
> KeyStore.size = 1
> Certificate: [
> [
>   Version: V3
>   Subject: CN=idp.xxx.de
>   Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
>
>   Key:  Sun RSA public key, 2048 bits
>   params: null
>   modulus:
> 31324817986779005776590223853928318440472700290023475014482142452462362977819943367530423004662174014864178000053166687295602930314789162830253123327485868501990479214212233860982715789859917240039541551771623851721250353020248898281091763082420524255851604109548822531439107213768381031822106018445358680633787482308232674730181365066191923305128575616374863416692343901559693520315586739370455056012526230965759968993479164184273538037683247975782048560648220822868237841133441722525686180407153618650506730829124425700609218649225906255867016831266031482697973105430866690279570822277051110691508694583394587600401
>   public exponent: 65537
>   Validity: [From: Thu Jun 29 17:00:21 UTC 2023,
>                To: Sun Jun 29 17:00:21 UTC 2223]
>   Issuer: CN=idp.xxx.de
>   SerialNumber: [    649db8a5]
>
> ]
>   Algorithm: [SHA256withRSA]
>   Signature:
> 0000: C6 52 71 BF 65 DA F4 F3   AD 7C F5 D1 0F 17 18 B3  .Rq.e...........
> 0010: 35 76 AE EF 8B 42 70 1B   0F 93 44 B1 DD 55 3F 9F  5v...Bp...D..U?.
> 0020: 86 D9 E5 4E 0C 0F 6E 54   10 62 9D 92 44 6E E3 AF  ...N..nT.b..Dn..
> 0030: 35 06 F3 88 89 63 FC 2A   DD BA DB 70 CB 49 B1 AC  5....c.*...p.I..
> 0040: 82 A7 F0 47 A0 E0 75 D9   F4 50 1D E1 B4 15 B9 8B  ...G..u..P......
> 0050: 89 C8 17 7F 8F 61 33 67   1A 6C 05 E8 BC F6 CC A2  .....a3g.l......
> 0060: 3D CB 3D 39 B7 39 4B B6   74 90 09 35 06 AB EC 60  =.=9.9K.t..5...`
> 0070: B6 18 6B 17 1A 6B C8 43   C3 E0 2A C1 DB 7D 43 3E  ..k..k.C..*...C>
> 0080: 5C 3E FA 27 61 EA 51 74   74 47 49 DA 22 C9 91 FB  \>.'a.QttGI."...
> 0090: 77 D4 19 73 4E B4 2A FD   78 50 3F 94 AE 3C 28 A4  w..sN.*.xP?..<(.
> 00A0: 88 E7 04 B1 CC 91 49 7E   EF 7A 2A E6 6C 96 B1 95  ......I..z*.l...
> 00B0: 83 FA E3 59 53 CA D3 73   04 DE B7 E0 02 91 99 D1  ...YS..s........
> 00C0: 65 48 2C A7 2A 69 83 0A   E6 2A 76 4D E2 38 C0 35  eH,.*i...*vM.8.5
> 00D0: AA 60 6C 55 CB 28 AE 6E   F7 3F 2C D7 7F C1 A5 7B  .`lU.(.n.?,.....
> 00E0: F0 38 97 1C C3 1F C3 16   A5 95 8F 73 23 F8 96 5B  .8.........s#..[
> 00F0: 7A 51 DA B2 6A 3E 6B C8   35 44 3A AD 40 A6 7B 08  zQ..j>k.5D:.@...
>
> ]
> On 29/06/2023 19:57, Joakim Erdfelt wrote:
>
> There is something wrong with either your KeyStore or Password.
>
> Do this.
> In Java, create this class and execute it.
> It uses only core Java classes, no Jetty involved.
> Let's verify that your KeyStore can be loaded by the same version of Java
> as you are running Jetty with.
>
> package security;
>
> import java.io.IOException;
> import java.io.InputStream;
> import java.nio.file.Files;
> import java.nio.file.Path;
> import java.nio.file.Paths;
> import java.security.KeyStore;
> import java.security.KeyStoreException;
> import java.security.NoSuchAlgorithmException;
> import java.security.cert.Certificate;
> import java.security.cert.CertificateException;
> import java.util.Enumeration;
>
> public class LoadKeyStore
> {
>     public static void main(String[] args) throws KeyStoreException,
> IOException, CertificateException, NoSuchAlgorithmException
>     {
>         KeyStore keyStore = KeyStore.getInstance("PKCS12");
>         char[] password = "changeit".toCharArray();
>         Path keyStorePath = Paths.get("/opt/shibboleth-idp/jetty.p12");
>         try (InputStream input = Files.newInputStream(keyStorePath))
>         {
>             keyStore.load(input, password);
>         }
>         System.out.println("KeyStore.size = " + keyStore.size());
>         Enumeration<String> aliases = keyStore.aliases();
>         while(aliases.hasMoreElements())
>         {
>             String alias = aliases.nextElement();
>             Certificate cert = keyStore.getCertificate(alias);
>             System.out.println("Certificate: " + cert);
>         }
>     }
> }
>
> Obviously change the password and keystorePath to suit your needs.
> If it works, then you likely have a proper KeyStore and password
> combination.
> If it doesn't work, then you have something wrong and have to address it
> with the KeyStore file itself.
> Also, pay attention to file permissions.
>
> Joakim Erdfelt / joa...@webtide.com
>
>
> On Thu, Jun 29, 2023 at 12:40 PM Timo Brunn <t...@timo-brunn.de> wrote:
>
>> I've just checked a couple more things.
>>
>> If I don't supply jetty.sslContext.keyManagerPassword, or if the
>> KeyManagerPassword and the key password do not match, I get the following
>> stacktrace.
>> Which seems appropriate.
>>
>> Once the password actually matches I get thrown the "keystore password was
>> incorrect" stacktrace as before.
>>
>> java.lang.reflect.InvocationTargetException
>>         at
>> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
>> Method)
>>         at
>> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>         at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>>         at org.eclipse.jetty.start.Main.invokeMain(Main.java:229)
>>         at org.eclipse.jetty.start.Main.start(Main.java:528)
>>         at org.eclipse.jetty.start.Main.main(Main.java:76)
>> Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given
>> final block not properly padded. Such issues can arise if a bad key is used
>> during decryption.
>>         at
>> java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446)
>>         at
>> java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
>>         at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
>>         at
>> java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
>>         at
>> java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:76)
>>         at
>> java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
>>         at
>> org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1167)
>>         at
>> org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2289)
>>         at
>> org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:342)
>>         at
>> org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
>>         at
>> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>>         at
>> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
>>         at org.eclipse.jetty.server.Server.start(Server.java:470)
>>         at
>> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
>>         at
>> org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:89)
>>         at org.eclipse.jetty.server.Server.doStart(Server.java:415)
>>         at
>> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>>         at
>> org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
>>         ... 7 more
>> On 29/06/2023 01:07, Timo Brunn wrote:
>>
>> So I just changed it to the following (quoted from --list-config).
>> Truststore config is removed.
>>
>>  jetty.sslContext.keyManagerPassword = changeit
>>  jetty.sslContext.keyStorePassword = changeit
>>  jetty.sslContext.keyStorePath = /opt/shibboleth-idp/jetty.p12
>>  jetty.sslContext.keyStoreType = PKCS12
>>
>>
>> But it sadly still throws the same stacktrace:
>>
>> Exception in thread "main" java.io.IOException: keystore password was
>> incorrect
>>         at
>> java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
>>         at
>> java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
>>         at java.base/java.security.KeyStore.load(KeyStore.java:1473)
>>         at
>> org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49)
>>         at
>> org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1121)
>>         at
>> org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:291)
>>         at
>> org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
>>         at
>> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>>         at
>> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
>>         at
>> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
>>         at
>> org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:112)
>>         at
>> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>>         at
>> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
>>         at
>> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
>>         at
>> org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:367)
>>         at
>> org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:75)
>>         at
>> org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:228)
>>         at
>> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>>         at org.eclipse.jetty.server.Server.doStart(Server.java:428)
>>         at
>> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>>         at
>> org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
>> Caused by: java.security.UnrecoverableKeyException: failed to decrypt
>> safe contents entry: javax.crypto.BadPaddingException: Given final block
>> not properly padded. Such issues can arise if a bad key is used during
>> decryption.
>>         ... 21 more
>> On 29/06/2023 00:55, Joakim Erdfelt wrote:
>>
>> Also, eliminate the trustStore configurations (temporarily).
>>
>> Joakim Erdfelt / joa...@webtide.com
>>
>>
>> On Wed, Jun 28, 2023 at 5:55 PM Joakim Erdfelt <joa...@webtide.com>
>> wrote:
>>
>>> Inline ...
>>>
>>> On Wed, Jun 28, 2023 at 4:15 PM Timo Brunn <t...@timo-brunn.de> wrote:
>>>
>>>> I just checked.
>>>>
>>>> Running --debug gave me 23 command line entries with one being a
>>>> temporary "start_XXX.properties" file.
>>>> I checked that file while the JVM was running and it does contain the
>>>> correct password/settings.
>>>>
>>>> Running --list-config showed the following system properties:
>>>>
>>>> System Properties:
>>>> ------------------
>>>>  java.io.tmpdir = tmp (/opt/shibboleth-idp/start.d/start.ini)
>>>>  java.security.egd = file:/dev/urandom
>>>> (/opt/shibboleth-idp/start.d/start.ini)
>>>>
>>>> Disabling those obviously removed the need for Jetty to fork the JVM.
>>>> --list-config also showed the correct keystore configuration with no
>>>> extra whitespace or similar.
>>>>
>>>>  jetty.sslContext.keyManagerPassword = changeit
>>>>  jetty.sslContext.keyStorePassword = changeit
>>>>  jetty.sslContext.keyStorePath = jetty.p12
>>>>  jetty.sslContext.keyStoreType = PKCS12
>>>>  jetty.sslContext.trustStorePassword = changeit
>>>>  jetty.sslContext.trustStorePath = jetty.p12
>>>>  jetty.sslContext.trustStoreType = PKCS12
>>>>
>>>
>>> Make your values for `jetty.sslContext.keyStorePath` and
>>> `jetty.sslContext.trustStorePath` absolute path references and try again.
>>>
>>> - Joakim
>>>
>>> _______________________________________________
>>> jetty-users mailing list
>>> jetty-users@eclipse.org
>>> To unsubscribe from this list, visit
>>> https://www.eclipse.org/mailman/listinfo/jetty-users
>>
>