1 Reply Latest reply on May 24, 2006 1:53 PM by starksm64

    problem when SSL key password different than keystore passwo

    mazz
    mazz May 24, 2006 1:41 AM

      Has anyone tried using a keystore where the key password is different than the keystore password?

      I used keytool to create my keystore where the -storepass and -keypass are two different values. I ensure I set the proper attributes on the SSLSocketBuilder (setKeyPassword, setKeyStorePassword). I get this exception:

       java.security.UnrecoverableKeyException: Cannot recover key
 at sun.security.provider.KeyProtector.recover(KeyProtector.java:301)
 at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:103)
 at java.security.KeyStore.getKey(KeyStore.java:289)
 at com.sun.net.ssl.internal.ssl.X509KeyManagerImpl.<init>(DashoA12275)
 at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl.engineInit(DashoA12275)
 at javax.net.ssl.KeyManagerFactory.init(DashoA12275)
 at org.jboss.remoting.security.SSLSocketBuilder.getKeyManagerFactory(SSLSocketBuilder.java:425)
 at org.jboss.remoting.security.SSLSocketBuilder.createCustomServerSocketFactory(SSLSocketBuilder.java:347)
 at org.jboss.remoting.security.SSLSocketBuilder.createSSLServerSocketFactory(SSLSocketBuilder.java:321)
 at org.jboss.remoting.security.SSLServerSocketFactoryService.start(SSLServerSocketFactoryService.java:74)


      If I regenerate the keystore using keytool with the two passwords the same and I setup the Builder with the same two passwords, it all works.

      • 19923 Views
      • Tags:
        • 1. Re: problem when SSL key password different than keystore pa
          starksm64
          starksm64 May 24, 2006 1:53 PM (in response to mazz)

          The logic for handling the key specific password is wrong. It is overwriting a non-empty keyPassword with the keyStorePassword:

          431 private KeyStore getKeyStore(URL storeURL) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException
432 {
433 KeyStore keyStore = KeyStore.getInstance(keyStoreType);
434 if(storeURL == null)
435 {
436 throw new IOException("Can not create SSL Server Socket Factory due to the url to the key store not being set.");
437 }
438 InputStream is = storeURL.openStream();
439 keyStore.load(is, keyStorePassword);
440
441 // if key password not set, just try the key store password
442 if(keyPassword == null || keyPassword.length > 0)
443 {
444 keyPassword = keyStorePassword;
445 }
446
447 return keyStore;
448
449 }


          http://jira.jboss.com/jira/browse/JBREM-488


            • Actions