View Issue Details

ID: 0018173
Project: CentOS-8
Category: java
View Status: public
Last Update: 2021-04-27 16:57
Reporter: robmv
Assigned To:
Priority: high
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 8.3.2011
Summary: 0018173: Java 1.8.0.292.b10-0.el8_3 update breaks Wildfly based applications using PKCS12 keystores

Description: Java 1.8.0.282.b08-2.el8_3 update breaks Wildfly based applications (running a privately maintained copy of Wildfly 17) when the TLS keystore is located in a PKCS12 file. The exception thrown is:

java.security.KeyStoreException: Key protection algorithm not found: java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede
     at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:677)
     at sun.security.pkcs12.PKCS12KeyStore.engineSetEntry(PKCS12KeyStore.java:1384)
     at java.security.KeyStore.setEntry(KeyStore.java:1557)
     at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:135)
     ... 11 more
 Caused by: java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede
     at sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:921)
     at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:614)
     ... 14 more
 Caused by: java.security.NoSuchAlgorithmException: unrecognized algorithm name: PBEWithSHA1AndDESede
     at sun.security.x509.AlgorithmId.get(AlgorithmId.java:448)
     at sun.security.pkcs12.PKCS12KeyStore.mapPBEAlgorithmToOID(PKCS12KeyStore.java:938)
     at sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:895)
     ... 15 more
Steps To Reproduce:
1- Install Wildfly 17.0.1
2- Configure a TLS PKCS12 keystore
3- Start Wildfly
4- The exception is shown
5- Revert to 1.8.0.282.b08-2.el8_3 and the problem is not triggered anymore

Tried with the LEGACY crypto policy just in case the DEFAULT policy was made stronger, but it didn't fix it for 1.8.0.282.b08-2.el8_3.

Additional Information: Testing with AdoptOpenJDK version jdk8u292-b10 triggers the error too, so it shouldn't be a Red Hat provided patch.

A simple Java example like the following doesn't trigger the problem, so it is something more complex that Wildfly is doing that triggers this backward incompatible change.

This bug should affect Red Hat Enterprise Linux 8 too; is it wise to report it to RH bugzilla?

----------------------------------------------------------------------
import java.io.FileInputStream;
import java.security.KeyStore;

public class Test {
    // args[0] PKCS12 file path, args[1] password. Not validated for simplicity.
    public static void main(String[] args) {
        try {
            KeyStore store = KeyStore.getInstance("PKCS12");
            char[] pwd = args[1].toCharArray();
            // Close the keystore file once it has been read.
            try (FileInputStream in = new FileInputStream(args[0])) {
                store.load(in, pwd);
            }
            KeyStore.PasswordProtection pp = new KeyStore.PasswordProtection(pwd);
            // Read-only path: fetch the entry stored under the alias "alias".
            store.getEntry("alias", pp);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
----------------------------------------------------------------------
Tags: No tags attached.
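
The stack trace above fails on the write path (KeyStore.setEntry -> PKCS12KeyStore.setKeyEntry -> encryptPrivateKey), which the load/getEntry test in the description never reaches. The following is an added example, not part of the original report and not WildFly code, that copies every key entry into a fresh in-memory PKCS12 keystore to exercise that path; the class name SetEntryTest and the use of the store password as the key password are assumptions, and it has not been verified that this alone reproduces the failure.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

// Added example: exercises KeyStore.setEntry on a PKCS12 store,
// the call that appears in the reported stack trace.
public class SetEntryTest {
    // args[0] PKCS12 file path, args[1] password (assumed to protect the keys too).
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: SetEntryTest <file.p12> <password>");
            System.exit(2);
        }
        char[] pwd = args[1].toCharArray();
        KeyStore.PasswordProtection pp = new KeyStore.PasswordProtection(pwd);

        // Read path: same as the test in the description.
        KeyStore source = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            source.load(in, pwd);
        }

        // Fresh, empty in-memory PKCS12 store to copy the entries into.
        KeyStore copy = KeyStore.getInstance("PKCS12");
        copy.load(null, null);

        int failures = 0;
        for (String alias : Collections.list(source.aliases())) {
            if (!source.isKeyEntry(alias)) {
                continue; // certificate-only entries are not re-encrypted
            }
            try {
                KeyStore.Entry entry = source.getEntry(alias, pp);
                // Write path: re-protects the key with the provider's default PBE algorithm.
                copy.setEntry(alias, entry, pp);
                System.out.println("OK   " + alias);
            } catch (Exception e) {
                failures++;
                System.out.println("FAIL " + alias + ": " + e);
            }
        }
        System.out.println("java.version=" + System.getProperty("java.version")
                + " failures=" + failures);
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

Running it under both Java builds named in the report against the same keystore file shows whether the write path alone behaves differently between them.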

Activities

robmv

2021-04-27 16:55

reporter   ~0038424

Tested using a recent version of Wildfly and the problem still happens on version 1.8.0.292.b10-0.el8_3 of the Java package and jdk8u292-b10 from AdoptOpenJDK.

robmv

2021-04-27 16:57

reporter   ~0038425

I should have added that the recent version is 23.0.1.Final

Issue History

Date Modified Username Field Change
2021-04-27 16:05 robmv New Issue
2021-04-27 16:55 robmv Note Added: 0038424
2021-04-27 16:57 robmv Note Added: 0038425