[ 
https://issues.apache.org/jira/browse/QPID-7264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lorenz Quack resolved QPID-7264.
--------------------------------
    Resolution: Fixed

changes look good to me

> Model attributes that are derived and secure (such as 
> AutoGeneratedSelfSignedKeyStore) do not get stored encrypted causing Broker 
> to fail on restart
> ----------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-7264
>                 URL: https://issues.apache.org/jira/browse/QPID-7264
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: qpid-java-6.0, qpid-java-6.0.1, qpid-java-6.0.2
>            Reporter: Keith Wall
>            Assignee: Lorenz Quack
>            Priority: Minor
>
> Model Attributes that are derived/secure do not get encrypted by the 
> configuration encryptor.   If you add an {{AutoGeneratedSelfSignedCert}}  
> then turn on encryption, the Broker continues to work until it is restarted, 
> at which point it fails as it tries to read the secure value as if it were 
> AES ciphered data.
> The only feature that currently has such an attribute is 
> AutoGeneratedSelfSignedCert.  This problem means that 
> AutoGeneratedSelfSignedCert cannot be used at all if configuration encryption is 
> also in use.
> The workaround is to create the self-signed keystore externally 
> (keytool/openssl etc), and import into Qpid as a Java or Non-Java Keystore.
> {noformat}
> 12:12:27.170 [main] INFO  qpid.message.keystore.create - [Broker] KST-1001 : 
> Create "myks"
> 12:12:27.595 [main] ERROR org.apache.qpid.server.Broker - Exception during 
> startup
> java.lang.IllegalArgumentException: Unable to encrypt secret
>       at 
> org.apache.qpid.server.security.encryption.AESKeyFileEncrypter.decrypt(AESKeyFileEncrypter.java:106)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.model.AbstractConfiguredObject.decryptSecrets(AbstractConfiguredObject.java:2788)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.store.GenericRecoverer.resolveObjects(GenericRecoverer.java:187)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.store.GenericRecoverer.performRecover(GenericRecoverer.java:91)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.store.GenericRecoverer.access$000(GenericRecoverer.java:41)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.store.GenericRecoverer$1.execute(GenericRecoverer.java:59)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.store.GenericRecoverer$1.execute(GenericRecoverer.java:55)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.configuration.updater.TaskExecutorImpl$TaskLoggingWrapper.execute(TaskExecutorImpl.java:270)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.configuration.updater.TaskExecutorImpl.submitWrappedTask(TaskExecutorImpl.java:154)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.configuration.updater.TaskExecutorImpl.run(TaskExecutorImpl.java:182)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.store.GenericRecoverer.recover(GenericRecoverer.java:54)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.store.BrokerStoreUpgraderAndRecoverer.perform(BrokerStoreUpgraderAndRecoverer.java:846)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.model.AbstractSystemConfig.activate(AbstractSystemConfig.java:232)
>  ~[classes/:na]
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
> ~[na:1.8.0_66]
>       at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
> ~[na:1.8.0_66]
>       at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  ~[na:1.8.0_66]
>       at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_66]
>       at 
> org.apache.qpid.server.model.AbstractConfiguredObject.attainState(AbstractConfiguredObject.java:1309)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.model.AbstractConfiguredObject.attainState(AbstractConfiguredObject.java:1288)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.model.AbstractConfiguredObject$8.onSuccess(AbstractConfiguredObject.java:909)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.model.AbstractConfiguredObject$8.onSuccess(AbstractConfiguredObject.java:903)
>  ~[classes/:na]
>       at com.google.common.util.concurrent.Futures$6.run(Futures.java:1319) 
> ~[guava-18.0.jar:na]
>       at 
> com.google.common.util.concurrent.MoreExecutors$DirectExecutor.execute(MoreExecutors.java:457)
>  ~[guava-18.0.jar:na]
>       at 
> com.google.common.util.concurrent.ExecutionList.executeListener(ExecutionList.java:156)
>  ~[guava-18.0.jar:na]
>       at 
> com.google.common.util.concurrent.ExecutionList.add(ExecutionList.java:101) 
> ~[guava-18.0.jar:na]
>       at 
> com.google.common.util.concurrent.AbstractFuture.addListener(AbstractFuture.java:170)
>  ~[guava-18.0.jar:na]
>       at 
> com.google.common.util.concurrent.Futures.addCallback(Futures.java:1322) 
> ~[guava-18.0.jar:na]
>       at 
> com.google.common.util.concurrent.Futures.addCallback(Futures.java:1258) 
> ~[guava-18.0.jar:na]
>       at 
> org.apache.qpid.server.model.AbstractConfiguredObject.doAttainState(AbstractConfiguredObject.java:902)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.model.AbstractConfiguredObject.access$300(AbstractConfiguredObject.java:81)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.model.AbstractConfiguredObject$1.execute(AbstractConfiguredObject.java:514)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.model.AbstractConfiguredObject$1.execute(AbstractConfiguredObject.java:501)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.model.AbstractConfiguredObject$2.execute(AbstractConfiguredObject.java:562)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.model.AbstractConfiguredObject$2.execute(AbstractConfiguredObject.java:555)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.configuration.updater.TaskExecutorImpl$TaskLoggingWrapper.execute(TaskExecutorImpl.java:270)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.configuration.updater.TaskExecutorImpl$CallableWrapper$1.run(TaskExecutorImpl.java:342)
>  ~[classes/:na]
>       at java.security.AccessController.doPrivileged(Native Method) 
> ~[na:1.8.0_66]
>       at javax.security.auth.Subject.doAs(Subject.java:360) ~[na:1.8.0_66]
>       at 
> org.apache.qpid.server.configuration.updater.TaskExecutorImpl$CallableWrapper.call(TaskExecutorImpl.java:335)
>  ~[classes/:na]
>       at java.util.concurrent.FutureTask.run(FutureTask.java:266) 
> ~[na:1.8.0_66]
>       at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>  ~[na:1.8.0_66]
>       at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>  ~[na:1.8.0_66]
>       at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_66]
> Caused by: java.io.IOException: javax.crypto.IllegalBlockSizeException: Input 
> length must be multiple of 16 when decrypting with padded cipher
>       at 
> javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:121) 
> ~[na:1.8.0_60]
>       at javax.crypto.CipherInputStream.read(CipherInputStream.java:239) 
> ~[na:1.8.0_60]
>       at 
> org.apache.qpid.server.security.encryption.AESKeyFileEncrypter.readFromCipherStream(AESKeyFileEncrypter.java:132)
>  ~[classes/:na]
>       at 
> org.apache.qpid.server.security.encryption.AESKeyFileEncrypter.decrypt(AESKeyFileEncrypter.java:99)
>  ~[classes/:na]
>       ... 42 common frames omitted
> Caused by: javax.crypto.IllegalBlockSizeException: Input length must be 
> multiple of 16 when decrypting with padded cipher
>       at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:913) 
> ~[sunjce_provider.jar:1.8.0_60]
>       at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:824) 
> ~[sunjce_provider.jar:1.8.0_60]
>       at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:436) 
> ~[sunjce_provider.jar:1.8.0_60]
>       at javax.crypto.Cipher.doFinal(Cipher.java:2048) ~[na:1.8.0_60]
>       at 
> javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:118) 
> ~[na:1.8.0_60]
>       ... 45 common frames omitted
> {noformat}
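
The failure mode in the report, reduced to a stand-alone Java program; this is an added example, not code from Qpid or from the fix. It assumes AES/CBC/PKCS5Padding with the IV prepended and Base64 storage, and the class name, sample bytes and both storage paths are hypothetical. One secure value is stored through the encryptor and one bypasses it, then both are recovered the way a restart would.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class SecureAttributeRoundTrip {
    // Assumed transformation; the trace only shows that a padded block cipher is used.
    private static final String TRANSFORM = "AES/CBC/PKCS5Padding";
    private final SecretKey key;

    SecureAttributeRoundTrip(SecretKey key) { this.key = key; }

    // Store path for a secure attribute: Base64(IV || ciphertext).
    String encrypt(byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Recovery path: every stored secure attribute is treated as ciphertext.
    byte[] decrypt(String stored) throws GeneralSecurityException {
        byte[] raw = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(raw, 0, 16));
        return c.doFinal(raw, 16, raw.length - 16);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecureAttributeRoundTrip enc = new SecureAttributeRoundTrip(kg.generateKey());
        byte[] keyMaterial = new byte[37]; // constructed stand-in for generated keystore bytes
        new SecureRandom().nextBytes(keyMaterial);
        String storedOk = enc.encrypt(keyMaterial);                            // went through the encryptor
        String storedPlain = Base64.getEncoder().encodeToString(keyMaterial); // derived value that bypassed it
        System.out.println("encrypted value recovers: " + Arrays.equals(keyMaterial, enc.decrypt(storedOk)));
        try {
            enc.decrypt(storedPlain); // 21 bytes left after the assumed IV: not a whole AES block
        } catch (GeneralSecurityException e) {
            System.out.println("plaintext value fails recovery: " + e);
        }
    }
}
```

A store-then-recover round trip over every secure attribute, run with encryption enabled, surfaces this mismatch before a restart does.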


