The files I'm talking about are located in their git.
On this page it's linked in the blue box at the top:
https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/2936012848/Jetty10

jetty-base for jetty 10:
https://git.shibboleth.net/view/?p=java-idp-jetty-base.git;a=tree;f=src/main/resources/jetty-base;hb=refs/heads/10

modules/idp-backchannel.mod:
https://git.shibboleth.net/view/?p=java-idp-jetty-base.git;a=blob;f=src/main/resources/jetty-base/modules/idp-backchannel.mod;h=248d39fbff322f186519692a7a7cbea6cceff695;hb=refs/heads/10

etc/idp-backchannel.xml:
https://git.shibboleth.net/view/?p=java-idp-jetty-base.git;a=blob;f=src/main/resources/jetty-base/etc/idp-backchannel.xml;h=e242ced7cedca9c85b6bd3cb3ef54ba58b61b5bf;hb=refs/heads/10

start.d/idp-backchannel.ini:
https://git.shibboleth.net/view/?p=java-idp-jetty-base.git;a=blob;f=src/main/resources/jetty-base/start.d/idp-backchannel.ini;h=fcf7218413de5f5255be4e7929c74ddfe8a099f6;hb=refs/heads/10

idp-backchannel.xml line 12 and idp-backchannel.ini both show the default keystore password Shibboleth uses for its SOAP backend. The idp-backchannel.p12 file gets automatically created during setup (install.sh; it uses Apache Ant to install itself), which also asks you to input a secure password.

Best Regards
*Timo Brunn*

Website: timo-brunn.de <https://timo-brunn.de>
/To prove its authenticity, this E-Mail has been digitally signed./
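An added example, not code from this thread nor from the Shibboleth or Jetty projects, that does what the root cause above and Joakim's "point out the failing KeyStore path" suggestion call for: it walks every start.d/*.ini under jetty.base, loads each keystore referenced there, and reports per path whether the keyStorePassword was rejected (the IOException seen in the thread) or the keyManagerPassword does not open a key entry (the UnrecoverableKeyException seen in the thread). It assumes the `<prefix>.keyStorePath`, `.keyStorePassword`, `.keyManagerPassword` and `.keyStoreType` naming of jetty.sslContext.*; the property names used by idp-backchannel.ini are not confirmed here, and `${...}` references in values are not expanded.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Enumeration;
import java.util.Properties;

// Loads every keystore referenced from ${jetty.base}/start.d/*.ini and reports which path and which
// secret (keyStorePassword vs. keyManagerPassword) fails. The "<prefix>.keyStorePath", ".keyStorePassword",
// ".keyManagerPassword" and ".keyStoreType" naming is assumed from jetty.sslContext.*; other modules may differ.
public class CheckJettyKeyStores {
    private static final String PATH_SUFFIX = ".keyStorePath";

    public static void main(String[] args) throws IOException {
        Path jettyBase = Path.of(args.length > 0 ? args[0] : "/opt/shibboleth-idp");
        try (DirectoryStream<Path> inis = Files.newDirectoryStream(jettyBase.resolve("start.d"), "*.ini")) {
            for (Path ini : inis) checkIni(jettyBase, ini);
        }
    }
    static void checkIni(Path jettyBase, Path ini) throws IOException {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(ini)) { props.load(in); }
        for (String key : props.stringPropertyNames()) {
            if (!key.endsWith(PATH_SUFFIX)) continue;
            String prefix = key.substring(0, key.length() - PATH_SUFFIX.length());
            // Relative paths resolve against jetty.base (no ${...} expansion here); absolute paths avoid ambiguity.
            Path ks = jettyBase.resolve(props.getProperty(key).trim());
            String storePw = props.getProperty(prefix + ".keyStorePassword", "");
            String keyPw = props.getProperty(prefix + ".keyManagerPassword", storePw);
            String type = props.getProperty(prefix + ".keyStoreType", "PKCS12");
            System.out.printf("%s: %s -> %s: %s%n", ini.getFileName(), key, ks, verify(ks, type, storePw.toCharArray(), keyPw.toCharArray()));
        }
    }

    // Returns "OK" or a WARN naming the secret that failed, so the failing keystore is identifiable.
    static String verify(Path ks, String type, char[] storePw, char[] keyPw) {
        if (!Files.isReadable(ks)) return "WARN: not readable (check path and file permissions)";
        try {
            KeyStore store = KeyStore.getInstance(type);
            try (InputStream in = Files.newInputStream(ks)) { store.load(in, storePw); }
            for (Enumeration<String> e = store.aliases(); e.hasMoreElements(); ) {
                String alias = e.nextElement();
                if (store.isKeyEntry(alias)) store.getKey(alias, keyPw); // exercises keyManagerPassword
            }
            return "OK (" + store.size() + " entries)";
        } catch (UnrecoverableKeyException e) {
            return "WARN: keyManagerPassword rejected for a key entry: " + e.getMessage();
        } catch (IOException | GeneralSecurityException e) {
            return "WARN: keyStorePassword rejected or keystore unusable: " + e.getMessage();
        }
    }
}
```

Run it as `java CheckJettyKeyStores.java /opt/shibboleth-idp` with the same JDK Jetty uses; a second keystore such as idp-backchannel.p12 then shows up on its own line with its own verdict instead of being hidden behind one "keystore password was incorrect" trace.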
On 29/06/2023 22:40, Joakim Erdfelt wrote:
Can you share the mod + XML files that Shibboleth uses?
Is it this one?
https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/2936012848/Jetty10#Supporting-SOAP-Endpoints

Perhaps we can make this error more clear/meaningful?
Like pointing out the paths of the KeyStore that failed to load as a WARN level logging?

Joakim Erdfelt / joa...@webtide.com


On Thu, Jun 29, 2023 at 3:26 PM Timo Brunn <t...@timo-brunn.de> wrote:

    Hi,

    I just found the problem.

    While taking apart the whole servlet I found the following:

    One of Shibboleth's mod files was loading another PKCS12
    (idp-backchannel for SOAP support),
    and the password for that one was not set correctly.

    So the error message was correct the whole time.

    Thanks for all the help, and Joakim, if I can get you a coffee or
    something let me know :)

    On 29/06/2023 20:36, Timo Brunn wrote:

    Thanks for your quick responses!

    I just ran the code you provided and it does print the keystore
    contents.
    Since the code was already correct for the self-signed keystore,
    I didn't change anything.
    The file permissions are pretty open right now with rw-rw-r--,
    with the p12 file owner being the jetty user.

    administrator@ffm-idp-01:~/test$ java LoadKeyStore.java
    KeyStore.size = 1
    Certificate: [
    [
      Version: V3
      Subject: CN=idp.xxx.de <http://idp.xxx.de>
      Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

      Key:  Sun RSA public key, 2048 bits
      params: null
      modulus: 31324817986779005776590223853928318440472700290023475014482142452462362977819943367530423004662174014864178000053166687295602930314789162830253123327485868501990479214212233860982715789859917240039541551771623851721250353020248898281091763082420524255851604109548822531439107213768381031822106018445358680633787482308232674730181365066191923305128575616374863416692343901559693520315586739370455056012526230965759968993479164184273538037683247975782048560648220822868237841133441722525686180407153618650506730829124425700609218649225906255867016831266031482697973105430866690279570822277051110691508694583394587600401
      public exponent: 65537
      Validity: [From: Thu Jun 29 17:00:21 UTC 2023,
                   To: Sun Jun 29 17:00:21 UTC 2223]
      Issuer: CN=idp.xxx.de <http://idp.xxx.de>
      SerialNumber: [    649db8a5]

    ]
      Algorithm: [SHA256withRSA]
      Signature:

    ]

    On 29/06/2023 19:57, Joakim Erdfelt wrote:
    There is something wrong with either your KeyStore or Password.

    Do this.
    In Java, create this class and execute it.
    It uses only core Java classes, no Jetty involved.
    Let's verify that your KeyStore can be loaded by the same version
    of Java as you are running Jetty with.

    package security;

    import java.io.IOException;
    import java.io.InputStream;
    import java.nio.file.Files;
    import java.nio.file.Path;
    import java.nio.file.Paths;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateException;
    import java.util.Enumeration;

    public class LoadKeyStore
    {
        public static void main(String[] args) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException
        {
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            char[] password = "changeit".toCharArray();
            Path keyStorePath = Paths.get("/opt/shibboleth-idp/jetty.p12");
            try (InputStream input = Files.newInputStream(keyStorePath))
            {
                keyStore.load(input, password);
            }
            System.out.println("KeyStore.size = " + keyStore.size());
            Enumeration<String> aliases = keyStore.aliases();
            while(aliases.hasMoreElements())
            {
                String alias = aliases.nextElement();
                Certificate cert = keyStore.getCertificate(alias);
                System.out.println("Certificate: " + cert);
            }
        }
    }

    Obviously change the password and keyStorePath to suit your needs.
    If it works, then you likely have a proper KeyStore and password
    combination.
    If it doesn't work, then you have something wrong and have to
    address it with the KeyStore file itself.
    Also, pay attention to file permissions.

    Joakim Erdfelt / joa...@webtide.com


    On Thu, Jun 29, 2023 at 12:40 PM Timo Brunn <t...@timo-brunn.de>
    wrote:

        I've just checked a couple more things.

        If I don't supply jetty.sslContext.keyManagerPassword, or if
        the keyManagerPassword and the key password do not match, I
        get the following stack trace,
        which seems appropriate.

        Once the password actually matches I get thrown the "keystore
        password was incorrect" stack trace as before.

        java.lang.reflect.InvocationTargetException
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.base/java.lang.reflect.Method.invoke(Method.java:566)
                at org.eclipse.jetty.start.Main.invokeMain(Main.java:229)
                at org.eclipse.jetty.start.Main.start(Main.java:528)
                at org.eclipse.jetty.start.Main.main(Main.java:76)
        Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
                at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446)
                at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
                at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
                at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
                at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:76)
                at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
                at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1167)
                at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2289)
                at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:342)
                at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
                at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
                at org.eclipse.jetty.server.Server.start(Server.java:470)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
                at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:89)
                at org.eclipse.jetty.server.Server.doStart(Server.java:415)
                at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
                at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
                ... 7 more

        On 29/06/2023 01:07, Timo Brunn wrote:

        So I just changed it to the following (quote from
        --list-config). Truststore config is removed.

         jetty.sslContext.keyManagerPassword = changeit
         jetty.sslContext.keyStorePassword = changeit
         jetty.sslContext.keyStorePath = /opt/shibboleth-idp/jetty.p12
         jetty.sslContext.keyStoreType = PKCS12


        But it sadly still throws the same stack trace:

        Exception in thread "main" java.io.IOException: keystore password was incorrect
                at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
                at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
                at java.base/java.security.KeyStore.load(KeyStore.java:1473)
                at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49)
                at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1121)
                at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:291)
                at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213)
                at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
                at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:112)
                at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
                at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:367)
                at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:75)
                at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:228)
                at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
                at org.eclipse.jetty.server.Server.doStart(Server.java:428)
                at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
                at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875)
        Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
                ... 21 more

        On 29/06/2023 00:55, Joakim Erdfelt wrote:
        Also, eliminate the trustStore configurations (temporarily).

        Joakim Erdfelt / joa...@webtide.com


        On Wed, Jun 28, 2023 at 5:55 PM Joakim Erdfelt
        <joa...@webtide.com> wrote:

            Inline ...

            On Wed, Jun 28, 2023 at 4:15 PM Timo Brunn
            <t...@timo-brunn.de> wrote:

                I just checked.

                Running --debug gave me 23 command line entries
                with one being a temporary "start_XXX.properties"
                file.
                I checked that file while the JVM was running and
                it does contain the correct password/settings.

                Running --list-config showed the following system
                properties:

                System Properties:
                ------------------
                 java.io.tmpdir = tmp (/opt/shibboleth-idp/start.d/start.ini)
                 java.security.egd = file:/dev/urandom (/opt/shibboleth-idp/start.d/start.ini)

                Disabling those obviously removed the need for
                Jetty to fork the JVM.
                --list-config also showed the correct keystore
                configuration with no extra whitespace or similar.

                 jetty.sslContext.keyManagerPassword = changeit
                 jetty.sslContext.keyStorePassword = changeit
                 jetty.sslContext.keyStorePath = jetty.p12
                 jetty.sslContext.keyStoreType = PKCS12
                 jetty.sslContext.trustStorePassword = changeit
                 jetty.sslContext.trustStorePath = jetty.p12
                 jetty.sslContext.trustStoreType = PKCS12


            Make your values for `jetty.sslContext.keyStorePath`
            and `jetty.sslContext.trustStorePath` absolute path
            references and try again.

            - Joakim

        _______________________________________________
        jetty-users mailing list
        jetty-users@eclipse.org
        To unsubscribe from this list, visit
        https://www.eclipse.org/mailman/listinfo/jetty-users

