keystore password decryption failure


Michael B Allen

May 15, 2024, 9:10:22 AM
to WildFly
Hi,

I'm trying to set up TLS in WF31.

The following is the tls section in standalone.xml:

  <tls>
    <key-stores>
      <key-store name="applicationKS">
        <credential-reference clear-text="rhel8as2"/>
        <implementation type="pkcs12"/>
        <file path="rhel8as2.p12" relative-to="jboss.server.config.dir"/>
      </key-store>
    </key-stores>
    <key-managers>
      <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
        <credential-reference clear-text="password"/>
      </key-manager>
    </key-managers>
    <server-ssl-contexts>
      <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
    </server-ssl-contexts>
  </tls>

results in a failure to decrypt the p12 file when running bin/standalone.sh:

Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:861)
    at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:941)
    at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:734)
    at java.base/com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:203)
    at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2252)
    at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:370)
    at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257)
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:361)
    ... 20 more

I know the password is correct because I used the same exact file and password in Jetty an hour ago and it worked fine.

Ideas?

Mike

PS: Where is the documentation for these XML directives?

Prarthona Paul

May 16, 2024, 10:17:07 AM
to WildFly
Hello there,

BadPaddingException can arise from a few different issues. Here are some things you can try:

1. Incorrect padding: If the padding used to encrypt and decrypt some piece of information differs, then you can get a BadPaddingException. Please make sure that if you are using Cipher, both the encryption and decryption ones are using the same padding, i.e. PKCS5Padding.
2. Sometimes an InvalidKeyException can present itself as a BadPaddingException. This is when you are encrypting and decrypting with different keys and the Cipher objects are initialised with different keys.
3. Incorrect algorithm when instantiating the Cipher: you may use an invalid algorithm.
4. Another reason for this could be that you are migrating your keystore from JKS to PKCS12. JKS uses a keystore password and a key password, which can be different. When you migrate to PKCS12, we need to be a bit more careful. PKCS12 usually uses a keystore password for the whole keystore. So, if there are mismatches between the passwords, you can face a BadPaddingException when decrypting.
You can change the key password of a JKS:

  keytool -storepasswd -keystore yourKeystore.jks

You'll be prompted to enter the current keystore password. After entering the current password, press Enter.
Next, keytool will ask you to enter the new keystore password. Type the new password and press Enter.
You'll be asked to re-enter the new password for confirmation. Type it again and press Enter.

I hope this helps! Please feel free to follow up with any questions you may have.

Best,
Prarthona

Michael B Allen

May 17, 2024, 4:37:13 PM
to WildFly
Solved.

Apparently you must put the keystore password in both the key-store
AND key-managers credential-reference elements like so:

  <tls>
    <key-stores>
      <key-store name="applicationKS">
        <credential-reference clear-text="rhel8as2"/>
        <implementation type="pkcs12"/>
        <file path="rhel8as2.p12" relative-to="jboss.server.config.dir"/>
      </key-store>
    </key-stores>
    <key-managers>
      <key-manager name="applicationKM" key-store="applicationKS">
        <credential-reference clear-text="rhel8as2"/>
      </key-manager>
    </key-managers>
    <server-ssl-contexts>
      <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
    </server-ssl-contexts>
  </tls>

Now it works.

Mike

--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
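The following is an added example, not code from the thread or from WildFly, that reproduces the failure mode Mike hit using only the JDK KeyStore API. The key-store credential-reference is the password passed to KeyStore.load (which only verifies the PKCS12 integrity MAC), while the key-manager credential-reference is the key password the server hands to KeyManagerFactory.init, which unlocks each key entry with KeyStore.getKey. A .p12 written by keytool or openssl protects the key entries with the store password, so leaving the placeholder "password" in the key-manager element means the store opens but the entry cannot be decrypted, surfacing as UnrecoverableKeyException with the BadPaddingException from the stack trace as its root cause. Assumptions: the store is built in memory with one AES secret-key entry under the constructed alias "demo" (a private key would need a certificate chain, which the JDK cannot generate without extra libraries, and the decryption path in PKCS12KeyStore.engineGetKey is the same for both entry types); the passwords are the two values from the thread.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class Pkcs12PasswordCheck {

    // Constructed sample values: the store password from the thread and the
    // placeholder that was left in the key-manager credential-reference.
    static final char[] STORE_PASSWORD = "rhel8as2".toCharArray();
    static final char[] WRONG_KEY_PASSWORD = "password".toCharArray();
    static final String ALIAS = "demo"; // hypothetical alias

    // Build an in-memory PKCS12 store with one key entry. As keytool and openssl
    // do, the entry is protected with the same password as the store itself.
    static byte[] buildPkcs12() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(STORE_PASSWORD));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PASSWORD);
        return out.toByteArray();
    }

    // Mirrors the two credentials in standalone.xml: open the store with the
    // key-store password, then unlock the entry with the key-manager password.
    static String tryUnlock(byte[] p12, char[] keyPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        // Only the MAC is checked here, so this succeeds regardless of keyPassword.
        ks.load(new ByteArrayInputStream(p12), STORE_PASSWORD);
        try {
            ks.getKey(ALIAS, keyPassword); // PBES2 decryption of the key entry
            return "OK";
        } catch (UnrecoverableKeyException e) {
            // The JDK wraps the cipher failure; with a wrong password the root
            // cause is normally the BadPaddingException seen in the thread.
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            return "FAILED: " + e.getMessage()
                    + " (root cause: " + root.getClass().getName() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] p12 = buildPkcs12();
        System.out.println("key-manager password \"password\": "
                + tryUnlock(p12, WRONG_KEY_PASSWORD));
        System.out.println("key-manager password \"rhel8as2\": "
                + tryUnlock(p12, STORE_PASSWORD));
    }
}
```

Compile and run with `javac Pkcs12PasswordCheck.java && java Pkcs12PasswordCheck`. When checking a real .p12 before editing standalone.xml, note that `keytool -list -keystore rhel8as2.p12 -storepass ...` only verifies the store MAC, exactly as KeyStore.load does above; `openssl pkcs12 -in rhel8as2.p12 -nocerts -noout -passin pass:...` actually decrypts the key bag, so it fails on the same mismatch the server would.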