Can you share the mod + xml's that shibboleth uses? Is it this one? https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/2936012848/Jetty10#Supporting-SOAP-Endpoints
Perhaps we can make this error more clear/meaningful? Like pointing out the paths of the KeyStore that failed to load as a WARN level logging?

Joakim Erdfelt / joa...@webtide.com

On Thu, Jun 29, 2023 at 3:26 PM Timo Brunn <t...@timo-brunn.de> wrote:
> Hi,
>
> I just found the problem.
>
> While taking apart the whole servlet I found the following:
>
> One of Shibboleth's mod files was loading another PKCS12 (idp-backchannel for SOAP support).
> And the password for that one was not set correctly.
>
> So the error message was correct the whole time.
>
> Thanks for all the help, and Joakim, if I can get you a coffee or something let me know :)
>
> Best Regards
> Timo Brunn
>
> Website: timo-brunn.de
>
> To prove its authenticity, this e-mail has been digitally signed.
>
> On 29/06/2023 20:36, Timo Brunn wrote:
>
> Thanks for your quick responses!
>
> I just ran the code you provided and it does print the keystore contents. Since the code was already correct for the self-signed keystore, I didn't change anything.
> The file permissions are pretty open right now with rw-rw-r--, with the p12 file owner being the jetty user.
>
> administrator@ffm-idp-01:~/test$ java LoadKeyStore.java
> KeyStore.size = 1
> Certificate: [
> [
>   Version: V3
>   Subject: CN=idp.xxx.de
>   Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
>
>   Key:  Sun RSA public key, 2048 bits
>   params: null
>   modulus:
>   public exponent: 65537
>   Validity: [From: Thu Jun 29 17:00:21 UTC 2023,
>                To: Sun Jun 29 17:00:21 UTC 2223]
>   Issuer: CN=idp.xxx.de
>   SerialNumber: [    649db8a5]
>
> ]
>   Algorithm: [SHA256withRSA]
>   Signature:
> ]
>
> On 29/06/2023 19:57, Joakim Erdfelt wrote:
>
> There is something wrong with either your KeyStore or Password.
>
> Do this.
> In Java, create this class and execute it.
> It uses only core Java classes, no Jetty involved.
> Let's verify that your KeyStore can be loaded by the same version of Java as you are running Jetty with.
>
> package security;
>
> import java.io.IOException;
> import java.io.InputStream;
> import java.nio.file.Files;
> import java.nio.file.Path;
> import java.nio.file.Paths;
> import java.security.KeyStore;
> import java.security.KeyStoreException;
> import java.security.NoSuchAlgorithmException;
> import java.security.cert.Certificate;
> import java.security.cert.CertificateException;
> import java.util.Enumeration;
>
> public class LoadKeyStore
> {
>     public static void main(String[] args) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException
>     {
>         KeyStore keyStore = KeyStore.getInstance("PKCS12");
>         char[] password = "changeit".toCharArray();
>         Path keyStorePath = Paths.get("/opt/shibboleth-idp/jetty.p12");
>         try (InputStream input = Files.newInputStream(keyStorePath))
>         {
>             keyStore.load(input, password);
>         }
>         System.out.println("KeyStore.size = " + keyStore.size());
>         Enumeration<String> aliases = keyStore.aliases();
>         while (aliases.hasMoreElements())
>         {
>             String alias = aliases.nextElement();
>             Certificate cert = keyStore.getCertificate(alias);
>             System.out.println("Certificate: " + cert);
>         }
>     }
> }
>
> Obviously change the password and keystorePath to suit your needs.
> If it works, then you likely have a proper KeyStore and password combination.
> If it doesn't work, then you have something wrong and have to address it with the KeyStore file itself.
> Also, pay attention to file permissions.
>
> Joakim Erdfelt / joa...@webtide.com
>
>
> On Thu, Jun 29, 2023 at 12:40 PM Timo Brunn <t...@timo-brunn.de> wrote:
>
>> I've just checked a couple more things.
>>
>> If I don't supply jetty.sslContext.keyManagerPassword, or if the KeyManagerPassword and the key password do not match, I get the following stacktrace.
>> Which seems appropriate.
>>
>> Once the password actually matches I get thrown the "keystore password was incorrect" stacktrace as before.
>>
>> java.lang.reflect.InvocationTargetException
>>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>>         at org.eclipse.jetty.start.Main.invokeMain(Main.java:229)
>>         at org.eclipse.jetty.start.Main.start(Main.java:528)
>>         at org.eclipse.jetty.start.Main.main(Main.java:76)
>> Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
>>         at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446)
>>         at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
>>         at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
>>         at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
>>         at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:76)
>>         at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
>>         at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1167)
>>         at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2289)
>>         at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:342)
>>         at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
>>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
>>         at org.eclipse.jetty.server.Server.start(Server.java:470)
>>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
>>         at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:89)
>>         at org.eclipse.jetty.server.Server.doStart(Server.java:415)
>>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>>         at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
>>         ... 7 more
>>
>> On 29/06/2023 01:07, Timo Brunn wrote:
>>
>> So I just changed it to the following (quote from --list-config).
>> Truststore config is removed.
>>
>> jetty.sslContext.keyManagerPassword = changeit
>> jetty.sslContext.keyStorePassword = changeit
>> jetty.sslContext.keyStorePath = /opt/shibboleth-idp/jetty.p12
>> jetty.sslContext.keyStoreType = PKCS12
>>
>> But it sadly still throws the same stacktrace:
>>
>> Exception in thread "main" java.io.IOException: keystore password was incorrect
>>         at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
>>         at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
>>         at java.base/java.security.KeyStore.load(KeyStore.java:1473)
>>         at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49)
>>         at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1121)
>>         at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:291)
>>         at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
>>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
>>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
>>         at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:112)
>>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
>>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
>>         at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:367)
>>         at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:75)
>>         at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:228)
>>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>>         at org.eclipse.jetty.server.Server.doStart(Server.java:428)
>>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
>>         at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
>> Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
>>         ... 21 more
>>
>> On 29/06/2023 00:55, Joakim Erdfelt wrote:
>>
>> Also, eliminate the trustStore configurations (temporarily).
>>
>> Joakim Erdfelt / joa...@webtide.com
>>
>>
>> On Wed, Jun 28, 2023 at 5:55 PM Joakim Erdfelt <joa...@webtide.com> wrote:
>>
>>> Inline ...
>>>
>>> On Wed, Jun 28, 2023 at 4:15 PM Timo Brunn <t...@timo-brunn.de> wrote:
>>>
>>>> I just checked.
>>>>
>>>> Running --debug gave me 23 command line entries with one being a temporary "start_XXX.properties" file.
>>>> I checked that file while the JVM was running and it does contain the correct password/settings.
>>>>
>>>> Running --list-config showed the following system properties:
>>>>
>>>> System Properties:
>>>> ------------------
>>>>  java.io.tmpdir = tmp (/opt/shibboleth-idp/start.d/start.ini)
>>>>  java.security.egd = file:/dev/urandom (/opt/shibboleth-idp/start.d/start.ini)
>>>>
>>>> Disabling those obviously removed the need for jetty to fork the JVM.
>>>> --list-config also showed the correct keystore configuration with no extra whitespace or similar.
>>>>
>>>> jetty.sslContext.keyManagerPassword = changeit
>>>> jetty.sslContext.keyStorePassword = changeit
>>>> jetty.sslContext.keyStorePath = jetty.p12
>>>> jetty.sslContext.keyStoreType = PKCS12
>>>> jetty.sslContext.trustStorePassword = changeit
>>>> jetty.sslContext.trustStorePath = jetty.p12
>>>> jetty.sslContext.trustStoreType = PKCS12
>>>>
>>>
>>> Make your values for `jetty.sslContext.keyStorePath` and `jetty.sslContext.trustStorePath` absolute path references and try again.
>>>
>>> - Joakim
_______________________________________________ jetty-users mailing list jetty-users@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
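The thread ends with a second keystore (the idp-backchannel one) being the store whose password was wrong, and Joakim's suggestion that the failing path should be named. The following diagnostic is an added example written for this page, not code from the thread, Jetty or Shibboleth: it extends the LoadKeyStore check to every keystore Jetty will open and reports, per path, whether the store password (jetty.sslContext.keyStorePassword) fails at load() or the key password (jetty.sslContext.keyManagerPassword) fails at getKey(), the two distinct stacktraces seen above. The class name, argument layout and labels are my own; the paths and passwords are supplied on the command line.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Enumeration;
public class CheckKeyStores {
    // Arguments come in groups of four: label path storePw keyPw, where storePw is
    // jetty.sslContext.keyStorePassword and keyPw is jetty.sslContext.keyManagerPassword.
    // Every store is tried and named, so a second keystore (e.g. the IdP back-channel
    // one) is reported by path instead of a bare "keystore password was incorrect".
    public static void main(String[] args) {
        if (args.length == 0 || args.length % 4 != 0) { System.err.println("usage: java CheckKeyStores.java <label> <path> <storePw> <keyPw> ..."); System.exit(2); }
        boolean allOk = true;
        for (int i = 0; i < args.length; i += 4)
            allOk &= check(args[i], Paths.get(args[i + 1]),
                           args[i + 2].toCharArray(), args[i + 3].toCharArray());
        System.exit(allOk ? 0 : 1);
    }
    // True only if the store opens with storePw AND every private key in it can be
    // recovered with keyPw; prints which of the two steps failed and why.
    static boolean check(String label, Path path, char[] storePw, char[] keyPw) {
        KeyStore ks;
        try (InputStream in = Files.newInputStream(path)) {
            ks = KeyStore.getInstance("PKCS12");
            ks.load(in, storePw); // wrong storePw: IOException "keystore password was incorrect"
        } catch (IOException | GeneralSecurityException ex) {
            // Also reports a missing file or one the Jetty user is not allowed to read.
            System.out.println("FAIL " + label + " " + path + ": cannot load store: " + ex);
            return false;
        }
        try {
            int keys = 0;
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
                String alias = e.nextElement();
                // wrong keyPw: UnrecoverableKeyException "Get Key failed: ... not properly padded"
                if (ks.isKeyEntry(alias) && ks.getKey(alias, keyPw) != null) keys++;
            }
            System.out.println("OK   " + label + " " + path + ": " + keys + " private key entries");
            return keys > 0;
        } catch (GeneralSecurityException ex) {
            String why = ex instanceof UnrecoverableKeyException ? "store opens but key password is wrong" : "cannot read keys";
            System.out.println("FAIL " + label + " " + path + ": " + why + ": " + ex.getMessage());
            return false;
        }
    }
}
```

Run it with the same JDK that runs Jetty, e.g. `java CheckKeyStores.java ssl /opt/shibboleth-idp/jetty.p12 <storePw> <keyPw> backchannel <path-to-idp-backchannel.p12> <storePw> <keyPw>` (the back-channel path is a placeholder; take it from the mod/XML that loads it). A non-zero exit code means at least one store or key password is wrong, and the output names which one.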