1 Reply Latest reply on May 24, 2006 1:53 PM by Scott Stark

    problem when SSL key password different than keystore passwo

    mazz Master

      Has anyone tried using a keystore where the key password is different than the keystore password?

      I used keytool to create my keystore where the -storepass and -keypass are two different values. I ensure I set the proper attributes on the SSLSocketBuilder (setKeyPassword, setKeyStorePassword). I get this exception:

       java.security.UnrecoverableKeyException: Cannot recover key
       at sun.security.provider.KeyProtector.recover(KeyProtector.java:301)
       at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:103)
       at java.security.KeyStore.getKey(KeyStore.java:289)
       at com.sun.net.ssl.internal.ssl.X509KeyManagerImpl.<init>(DashoA12275)
       at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl.engineInit(DashoA12275)
       at javax.net.ssl.KeyManagerFactory.init(DashoA12275)
       at org.jboss.remoting.security.SSLSocketBuilder.getKeyManagerFactory(SSLSocketBuilder.java:425)
       at org.jboss.remoting.security.SSLSocketBuilder.createCustomServerSocketFactory(SSLSocketBuilder.java:347)
       at org.jboss.remoting.security.SSLSocketBuilder.createSSLServerSocketFactory(SSLSocketBuilder.java:321)
       at org.jboss.remoting.security.SSLServerSocketFactoryService.start(SSLServerSocketFactoryService.java:74)
      


      If I regenerate the keystore using keytool with the two passwords the same and I setup the Builder with the same two passwords, it all works.

        • 1. Re: problem when SSL key password different than keystore pa
          Scott Stark Master

          The logic for handling the key specific password is wrong. It is overwriting a non-empty keyPassword with the keyStorePassword:

          431 private KeyStore getKeyStore(URL storeURL) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException
          432 {
          433 KeyStore keyStore = KeyStore.getInstance(keyStoreType);
          434 if(storeURL == null)
          435 {
          436 throw new IOException("Can not create SSL Server Socket Factory due to the url to the key store not being set.");
          437 }
          438 InputStream is = storeURL.openStream();
          439 keyStore.load(is, keyStorePassword);
          440
          441 // if key password not set, just try the key store password
          442 if(keyPassword == null || keyPassword.length > 0)
          443 {
          444 keyPassword = keyStorePassword;
          445 }
          446
          447 return keyStore;
          448
          449 }
          


          http://jira.jboss.com/jira/browse/JBREM-488