Elytron keystore loads PEM CA certificate, but fails to re-load


Jeremy Jackson

Feb 11, 2023, 4:05:07 AM
to WildFly
A CA Cert stored in a PEM file loads fine on server startup, or when adding initially via CLI,

[standalone@localhost:9990 /] /subsystem=elytron/key-store=httpsTS:add(path="keystore/CoplanarTwo.pem",relative-to=jboss.server.config.dir,credential-reference={clear-text="notused"})

but fails to reload using the CLI :load() method.

[standalone@localhost:9990 /] /subsystem=elytron/key-store=httpsTS:load()

2023-02-07 17:22:04,118 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 3) WFLYCTL0013: Operation ("load") failed - address: ([
    ("subsystem" => "elytron"),
    ("key-store" => "httpsTS")
]): java.lang.RuntimeException: WFLYELY00009: Unable to complete operation. 'toDerInputStream rejects tag type 45'
        at org.wildfly.ex...@18.0.4.Final//org.wildfly.extension.elytron.KeyStoreService.load(KeyStoreService.java:297)

This should be possible, since CA certs may need to be added to facilitate CA key/cert rollover, or simply adding additional CAs for client-certificate based authentication.

I did look briefly at the Elytron source code, and server error log, and it seems that while Elytron has a KeyStore implementation, it is using the JVM's "SUN" provider.  I was unable to find any documentation on choosing the provider to be used, what providers exist, what their features might be, etc.

Diana Krepinska

Feb 13, 2023, 10:55:00 AM
to WildFly
Hello Jeremy,

On this page https://docs.wildfly.org/26/wildscribe/subsystem/elytron/key-store/index.html you can see the available operations and attributes that key-store provides. You can specify the name of the provider to use and the type of the keystore. I suspect you meant to use the operation import-certificate to import a PEM file into a keystore file.

Jeremy Jackson

Feb 13, 2023, 11:13:55 AM
to WildFly
Hi,

Thanks for your reply.  I have reviewed the documentation you linked to previously, and seen the various aspects of key-store.  What I don't see however, is a list of all the possible provider names that can be specified, as well as the types that can be specified.  I suspect this would involve an extensive search through the source code, but I was hoping there was some documentation that would summarize them into a list.

The documentation you referenced shows the following operation:

load Load the KeyStore, if the KeyStore is file backed this will involve re-reading the contents of the file.

It is the "re-reading" aspect that I am having difficulty with.  In the configuration I gave, the keystore file *is* a PEM file containing a CA certificate.  It is loaded and functions properly at server startup, but a subsequent load() operation on the same file fails, presumably because it now thinks it is a PKCS12 type file.

As for import-certificate, this is not exactly what I am looking for, but if it can be made to give the same end result, say by import-certificate followed by store() that writes the existing and newly imported certificates back to the PEM file, that is fine.  Is that what you are suggesting I do?  In that case, on server restart the same certificates would be loaded that were in use before restart, both those loaded from the PEM file on initial startup and the ones added by import-certificate.
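The question of which provider names and keystore types can be specified is answerable from the JVM itself: every provider registers the KeyStore types it implements as services, and the names it reports are the strings the Java KeyStore API accepts. The following Java program is an added example, not code from the thread or from WildFly Elytron; it assumes only that it is run on the same JVM that WildFly uses, and it does not confirm that every listed name is accepted by the Elytron key-store attributes (that mapping is not stated in the thread).

```java
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.util.Map;
import java.util.TreeMap;
import java.util.TreeSet;

/**
 * Enumerates the KeyStore types each installed security provider offers,
 * so that the values usable for a keystore "type" and provider name can be
 * read off instead of searched for in source code.
 */
public class ListKeyStoreTypes {

    /** Returns provider name -> sorted set of KeyStore type names it implements. */
    public static Map<String, TreeSet<String>> keyStoreTypesByProvider() {
        Map<String, TreeSet<String>> result = new TreeMap<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                // Service type "KeyStore" covers JKS, PKCS12, PKCS11, ... per provider.
                if ("KeyStore".equals(s.getType())) {
                    result.computeIfAbsent(p.getName(), k -> new TreeSet<>())
                          .add(s.getAlgorithm());
                }
            }
        }
        return result;
    }

    /**
     * Checks whether a given type/provider pair can actually be instantiated,
     * which is the same lookup KeyStore.getInstance performs at load time.
     * providerName may be null to let the JVM pick the first matching provider.
     */
    public static boolean isSupported(String type, String providerName) {
        try {
            if (providerName == null) {
                KeyStore.getInstance(type);
            } else {
                KeyStore.getInstance(type, providerName);
            }
            return true;
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // The default is what an unspecified "type" falls back to (PKCS12 on current JDKs).
        System.out.println("Default KeyStore type: " + KeyStore.getDefaultType());
        keyStoreTypesByProvider().forEach(
            (provider, types) -> System.out.println(provider + ": " + types));
        // Example probe for the provider/type combination discussed in the thread.
        System.out.println("SUN/JKS supported: " + isSupported("JKS", "SUN"));
        System.out.println("PEM (any provider) supported: " + isSupported("PEM", null));
    }
}
```

Running this with the WildFly JDK shows that no stock provider registers a "PEM" KeyStore type, which is consistent with the later observation in the thread that PEM reading is WildFly-specific rather than a Java KeyStore type.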

Jeremy Jackson

Feb 15, 2023, 5:47:46 PM
to WildFly
I managed to find some details of the WildFly key-store in the source code.  For anyone else who is curious like I was, key-store is based on the standard Java KeyStore API.

As such, it doesn't natively support PEM files as key stores, but rather the legacy JKS, a few others, and apparently the default is PKCS12. 

There is also the auto-detection of keystore format if "type" isn't specified, which is implemented by WildFly.

The ability to read PEM files is custom to WildFly Elytron, and as implemented, it doesn't support the CLI load() method to re-load the keystore, at least if the "type" was autodetected.

I will investigate further to see if specifying type=PEM will allow CLI load() to work, and also how import-certificate() works.

One other note: while the PEM loading implementation does support multiple CA certs in a PEM file, any that have the same Subject DN (which maps to the keystore alias) will overwrite each other, so only the last one in the PEM file will be loaded.
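The overwrite behaviour described above is easy to check for before a PEM bundle is handed to the server, because the standard CertificateFactory can parse a concatenated PEM file and the Subject DN of each certificate is available from the parsed X509Certificate. The program below is an added example written for this thread, not WildFly Elytron code; it assumes the bundle path is passed as the first argument and mirrors the alias scheme the post describes (alias derived from the Subject DN), which is an assumption about Elytron's behaviour taken from the post rather than verified against its source. The in-memory PKCS12 builder shows one way to keep every certificate by suffixing colliding aliases.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Reports Subject DN collisions in a PEM CA bundle and builds a collision-free trust store. */
public class PemBundleCheck {

    /** Parses every CERTIFICATE block in a PEM bundle; the X.509 factory accepts concatenated PEM. */
    public static List<X509Certificate> readBundle(InputStream in) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(in)) {
            certs.add((X509Certificate) c);
        }
        return certs;
    }

    /** Groups certificates by Subject DN, the value the post says the alias is derived from. */
    public static Map<String, List<X509Certificate>> groupBySubject(List<X509Certificate> certs) {
        Map<String, List<X509Certificate>> groups = new LinkedHashMap<>();
        for (X509Certificate c : certs) {
            String subject = c.getSubjectX500Principal().getName();
            groups.computeIfAbsent(subject, k -> new ArrayList<>()).add(c);
        }
        return groups;
    }

    /**
     * Builds an in-memory PKCS12 trust store (assumed scheme: alias = Subject DN,
     * with "-2", "-3", ... appended to later certificates sharing a subject) so that
     * rollover pairs with identical subjects are both retained.
     */
    public static KeyStore toTrustStore(List<X509Certificate> certs) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                       // start from an empty store
        Map<String, Integer> seen = new HashMap<>();
        for (X509Certificate c : certs) {
            // KeyStore aliases are case-insensitive, so normalise before counting.
            String base = c.getSubjectX500Principal().getName().toLowerCase();
            int n = seen.merge(base, 1, Integer::sum);
            String alias = (n == 1) ? base : base + "-" + n;
            ks.setCertificateEntry(alias, c);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0])) {
            List<X509Certificate> certs = readBundle(in);
            System.out.println("Certificates in bundle: " + certs.size());
            groupBySubject(certs).forEach((subject, list) -> {
                if (list.size() > 1) {
                    // Under alias = Subject DN only the last of these would survive a load.
                    System.out.println("COLLISION (" + list.size() + " certs): " + subject);
                    for (X509Certificate c : list) {
                        System.out.println("    serial=" + c.getSerialNumber().toString(16)
                            + " notAfter=" + c.getNotAfter());
                    }
                } else {
                    System.out.println("ok: " + subject);
                }
            });
            KeyStore ks = toTrustStore(certs);
            System.out.println("Entries kept in PKCS12 trust store: " + ks.size());
        }
    }
}
```

Run it as `java PemBundleCheck keystore/CoplanarTwo.pem`; a bundle that prints a COLLISION line is one where the PEM-backed key-store would silently drop all but the last certificate for that subject, which matters most during CA rollover, where the old and new CA certificates typically share a Subject DN.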