The files im talking about are located on their git. On this page its linked in the blue box at the top: https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/2936012848/Jetty10
jetty-base for jetty 10: https://git.shibboleth.net/view/?p=java-idp-jetty-base.git;a=tree;f=src/main/resources/jetty-base;hb=refs/heads/10 modules/idp-backchannel.mod: https://git.shibboleth.net/view/?p=java-idp-jetty-base.git;a=blob;f=src/main/resources/jetty-base/modules/idp-backchannel.mod;h=248d39fbff322f186519692a7a7cbea6cceff695;hb=refs/heads/10 etc/idp-backchannel.xml: https://git.shibboleth.net/view/?p=java-idp-jetty-base.git;a=blob;f=src/main/resources/jetty-base/etc/idp-backchannel.xml;h=e242ced7cedca9c85b6bd3cb3ef54ba58b61b5bf;hb=refs/heads/10 start.d/idp-backchannel.ini: https://git.shibboleth.net/view/?p=java-idp-jetty-base.git;a=blob;f=src/main/resources/jetty-base/start.d/idp-backchannel.ini;h=fcf7218413de5f5255be4e7929c74ddfe8a099f6;hb=refs/heads/10idp-backchannel.xml line 12 and idp-backchannel.ini both show the default keystore password Shibboleth uses for its SOAP Backend. The idp-backchannel.p12 file gets automatically created during setup (install.sh. its using apache ant to install itself) which also asks you to input a secure password.
Mit freundlichen Grüßen/Best Regards *Timo Brunn* Website: timo-brunn.de <https://timo-brunn.de> /Um ihre Echtheit zu bestätigen, wurde diese E-Mail digital signiert. To prove its authenticity, this E-Mail has been digitally signed./ On 29/06/2023 22:40, Joakim Erdfelt wrote:
Can you share the mod + xml's that shibboleth uses? Is it this one? https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/2936012848/Jetty10#Supporting-SOAP-Endpoints Perhaps we can make this error more clear/meaningful?Like pointing out the paths of the KeyStore that failed to load as a WARN level logging?Joakim Erdfelt / joa...@webtide.com On Thu, Jun 29, 2023 at 3:26 PM Timo Brunn <t...@timo-brunn.de> wrote: Hi, I just found the problem. While taking apart the whole servlet i found the following: One of shibboleths mod files was loading another PKCS12. (idp-backchannel for SOAP Support) And the password for that one was not set correctly. So the error message was correct the whole time. Thanks for all the help and joakim if i can get you a coffee or something let me know :) Mit freundlichen Grüßen/Best Regards *Timo Brunn* Website: timo-brunn.de <https://timo-brunn.de> /Um ihre Echtheit zu bestätigen, wurde diese E-Mail digital signiert. To prove its authenticity, this E-Mail has been digitally signed./ On 29/06/2023 20:36, Timo Brunn wrote:Thanks for your quick responses! I just ran the code you provided and it does print the keystore contents. Since the code was already correct for the self-signed keystore, i didnt change anything. The file permissions are pretty open right now with rw-rw-r-- with the p12 file owner being the jetty user. administrator@ffm-idp-01:~/test$ java LoadKeyStore.java KeyStore.size = 1 Certificate: [ [ Version: V3 Subject: CN=idp.xxx.de <http://idp.xxx.de> Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits params: null modulus: 31324817986779005776590223853928318440472700290023475014482142452462362977819943367530423004662174014864178000053166687295602930314789162830253123327485868501990479214212233860982715789859917240039541551771623851721250353020248898281091763082420524255851604109548822531439107213768381031822106018445358680633787482308232674730181365066191923305128575616374863416692343901559693520315586739370455056012526230965759968993479164184273538037683247975782048560648220822868237841133441722525686180407153618650506730829124425700609218649225906255867016831266031482697973105430866690279570822277051110691508694583394587600401 public exponent: 65537 Validity: [From: Thu Jun 29 17:00:21 UTC 2023, To: Sun Jun 29 17:00:21 UTC 2223] Issuer: CN=idp.xxx.de <http://idp.xxx.de> SerialNumber: [ 649db8a5] ] Algorithm: [SHA256withRSA] Signature: 0000: C6 52 71 BF 65 DA F4 F3 AD 7C F5 D1 0F 17 18 B3 .Rq.e........... 0010: 35 76 AE EF 8B 42 70 1B 0F 93 44 B1 DD 55 3F 9F 5v...Bp...D..U?. 0020: 86 D9 E5 4E 0C 0F 6E 54 10 62 9D 92 44 6E E3 AF ...N..nT.b..Dn.. 0030: 35 06 F3 88 89 63 FC 2A DD BA DB 70 CB 49 B1 AC 5....c.*...p.I.. 0040: 82 A7 F0 47 A0 E0 75 D9 F4 50 1D E1 B4 15 B9 8B ...G..u..P...... 0050: 89 C8 17 7F 8F 61 33 67 1A 6C 05 E8 BC F6 CC A2 .....a3g.l...... 0060: 3D CB 3D 39 B7 39 4B B6 74 90 09 35 06 AB EC 60 =.=9.9K.t..5...` 0070: B6 18 6B 17 1A 6B C8 43 C3 E0 2A C1 DB 7D 43 3E ..k..k.C..*...C> 0080: 5C 3E FA 27 61 EA 51 74 74 47 49 DA 22 C9 91 FB \>.'a.QttGI."... 0090: 77 D4 19 73 4E B4 2A FD 78 50 3F 94 AE 3C 28 A4 w..sN.*.xP?..<(. 00A0: 88 E7 04 B1 CC 91 49 7E EF 7A 2A E6 6C 96 B1 95 ......I..z*.l... 00B0: 83 FA E3 59 53 CA D3 73 04 DE B7 E0 02 91 99 D1 ...YS..s........ 00C0: 65 48 2C A7 2A 69 83 0A E6 2A 76 4D E2 38 C0 35 eH,.*i...*vM.8.5 00D0: AA 60 6C 55 CB 28 AE 6E F7 3F 2C D7 7F C1 A5 7B .`lU.(.n.?,..... 00E0: F0 38 97 1C C3 1F C3 16 A5 95 8F 73 23 F8 96 5B .8.........s#..[ 00F0: 7A 51 DA B2 6A 3E 6B C8 35 44 3A AD 40 A6 7B 08 zQ..j>k.5D:.@... ] Mit freundlichen Grüßen/Best Regards *Timo Brunn* Website: timo-brunn.de <https://timo-brunn.de> /Um ihre Echtheit zu bestätigen, wurde diese E-Mail digital signiert. To prove its authenticity, this E-Mail has been digitally signed./ On 29/06/2023 19:57, Joakim Erdfelt wrote:There is something wrong with either your KeyStore or Password. Do this. In Java, create this class and execute it. It uses only core Java classes, no Jetty involved. Lets verify that your KeyStore can be loaded by the same version of Java as you are running Jetty with. package security; import java.io.IOException; import java.io.InputStream; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.util.Enumeration; public class LoadKeyStore { public static void main(String[] args) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException { KeyStore keyStore = KeyStore.getInstance("PKCS12"); char[] password = "changeit".toCharArray(); Path keyStorePath = Paths.get("/opt/shibboleth-idp/jetty.p12"); try (InputStream input = Files.newInputStream(keyStorePath)) { keyStore.load(input, password); } System.out.println("KeyStore.size = " + keyStore.size()); Enumeration<String> aliases = keyStore.aliases(); while(aliases.hasMoreElements()) { String alias = aliases.nextElement(); Certificate cert = keyStore.getCertificate(alias); System.out.println("Certificate: " + cert); } } } Obviously change the password and keystorePath to suit your needs. If it works, then you likely have a proper KeyStore and password combination. If it doesn't work, then you have something wrong and have to address it with the KeyStore file itself. Also, pay attention to file permissions. Joakim Erdfelt / joa...@webtide.com On Thu, Jun 29, 2023 at 12:40 PM Timo Brunn <t...@timo-brunn.de> wrote: Ive just checked a couple more things. If i don't supply jetty.sslContext.keyManagerPassword or if the KeyManagerPassword and the key password do not match i get the following stacktrace. Which seems appropriate. Once the password actually matches i get thrown the keystore password was incorrect stacktrace as before. java.lang.reflect.InvocationTargetException at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at org.eclipse.jetty.start.Main.invokeMain(Main.java:229) at org.eclipse.jetty.start.Main.start(Main.java:528) at org.eclipse.jetty.start.Main.main(Main.java:76) Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446) at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90) at java.base/java.security.KeyStore.getKey(KeyStore.java:1057) at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145) at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:76) at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271) at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1167) at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2289) at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:342) at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93) at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171) at org.eclipse.jetty.server.Server.start(Server.java:470) at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121) at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:89) at org.eclipse.jetty.server.Server.doStart(Server.java:415) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93) at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875) ... 7 more Mit freundlichen Grüßen/Best Regards *Timo Brunn* Website: timo-brunn.de <https://timo-brunn.de> /Um ihre Echtheit zu bestätigen, wurde diese E-Mail digital signiert. To prove its authenticity, this E-Mail has been digitally signed./ On 29/06/2023 01:07, Timo Brunn wrote:So i just change it to the following (quote from --list-config). Truststore config is removed. jetty.sslContext.keyManagerPassword = changeit jetty.sslContext.keyStorePassword = changeit jetty.sslContext.keyStorePath = /opt/shibboleth-idp/jetty.p12 jetty.sslContext.keyStoreType = PKCS12 But it sadly still throws the same stacktrace: Exception in thread "main" java.io.IOException: keystore password was incorrect at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159) at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221) at java.base/java.security.KeyStore.load(KeyStore.java:1473) at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49) at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1121) at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:291) at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:213) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93) at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171) at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121) at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:112) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93) at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171) at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121) at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:367) at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:75) at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:228) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93) at org.eclipse.jetty.server.Server.doStart(Server.java:428) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93) at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875) Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. ... 21 more Mit freundlichen Grüßen/Best Regards *Timo Brunn* Website: timo-brunn.de <https://timo-brunn.de> /Um ihre Echtheit zu bestätigen, wurde diese E-Mail digital signiert. To prove its authenticity, this E-Mail has been digitally signed./ On 29/06/2023 00:55, Joakim Erdfelt wrote:Also, eliminate the trustStore configurations (temporarily). Joakim Erdfelt / joa...@webtide.com On Wed, Jun 28, 2023 at 5:55 PM Joakim Erdfelt <joa...@webtide.com> wrote: Inline ... On Wed, Jun 28, 2023 at 4:15 PM Timo Brunn <t...@timo-brunn.de> wrote: I just checked. Running --debug gave me 23 command line entries with one being a temporary "start_XXX.properties" file. I checked that file while the JVM was running and it does contain the correct password/settings. Running --list-config showed the following system properties: System Properties: ------------------ java.io.tmpdir = tmp (/opt/shibboleth-idp/start.d/start.ini) java.security.egd = file:/dev/urandom (/opt/shibboleth-idp/start.d/start.ini) Disabling those obviously removed the need for jetty to fork the JVM. --list-config also showed the correct keystore configuration with no extra whitespace or similar. jetty.sslContext.keyManagerPassword = changeit jetty.sslContext.keyStorePassword = changeit jetty.sslContext.keyStorePath = jetty.p12 jetty.sslContext.keyStoreType = PKCS12 jetty.sslContext.trustStorePassword = changeit jetty.sslContext.trustStorePath = jetty.p12 jetty.sslContext.trustStoreType = PKCS12 Make your values for `jetty.sslContext.keyStorePath` and `jetty.sslContext.trustStorePath` absolute path references and try again. - Joakim_______________________________________________ jetty-users mailing list jetty-users@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users _______________________________________________ jetty-users mailing list jetty-users@eclipse.org To unsubscribe from this list, visithttps://www.eclipse.org/mailman/listinfo/jetty-users_______________________________________________ jetty-users mailing list jetty-users@eclipse.org To unsubscribe from this list, visithttps://www.eclipse.org/mailman/listinfo/jetty-users_______________________________________________ jetty-users mailing list jetty-users@eclipse.org To unsubscribe from this list, visithttps://www.eclipse.org/mailman/listinfo/jetty-users
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ jetty-users mailing list jetty-users@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
