expert

Reputation: 30135

How can I make Jetty 9 ignore keypass while accessing keystore?

Here is what I did:

My jetty-ssl.xml contains this

<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.keystore" default="etc/keystore"/></Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1u2u1wml1z7s1z7a1wnl1u2g"/></Set>
  <Set name="TrustStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.truststore" default="etc/keystore"/></Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    </Array>
  </Set>

  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>
</Configure>

Now when I launch all this beauty, Jetty crashes with the following error:

2013-07-11 21:34:01.984:WARN:oejuc.AbstractLifeCycle:main: FAILED SslContextFactory@e45a028(/opt/jetty/etc/keystore,/opt/jetty/etc/keystore): java.security.UnrecoverableKeyException: Cannot recover key
java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
    at java.security.KeyStore.getKey(KeyStore.java:792)
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:131)
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:68)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:259)

Which is apparently a password mismatch, because it expects/passes the keypass keypwd from the default keystore that comes with Jetty.

Here is my certificate(s): http://pastebin.com/raw.php?i=p8LhT50P It's the output from keytool -list -keystore /opt/jetty/etc/keystore -storepass storepwd -storetype JKS -v

Where is it set? How can I fix this error?

Thanks!

Upvotes: 2

Views: 3629

Answers (1)

Bruno

Reputation: 122669

There are two passwords involved: the keystore password (KeyStorePassword) and the key password (KeyManagerPassword). For a PKCS#12 store, they are the same.

Since you've imported the key from the PKCS#12 store into the JKS store using the keystore's password, that doesn't mean that the password of the key itself was changed, and it's probably not "keypwd" (Jetty's default). Try to replace the value of KeyManagerPassword with your PKCS#12 store's password.

(Note that in general, you don't need to convert the keystore, you could have used PKCS12 as the KeyStoreType.)

Upvotes: 7
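As an added diagnostic that is not part of the answer, of Jetty, or of the question's keystore, the following Java program (hypothetical class name KeyPasswordCheck) separates the two failures Bruno describes: it first opens the store with the candidate KeyStorePassword, then tries to recover each private-key entry with the candidate KeyManagerPassword, so a "Cannot recover key" is attributed to the right password instead of being guessed at. Store path, store type and both passwords are taken from the command line; the alias names it prints come from whatever keystore you point it at.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

/**
 * Added example (hypothetical class, not Jetty code): tells a wrong
 * KeyStorePassword apart from a wrong KeyManagerPassword.
 *
 * Usage: java KeyPasswordCheck <keystore-path> <JKS|PKCS12> <storepass> <keypass>
 * Exit code 0 if every key entry is recoverable with <keypass>, 1 otherwise.
 */
public class KeyPasswordCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeyPasswordCheck <keystore> <JKS|PKCS12> <storepass> <keypass>");
            System.exit(2);
        }
        String path = args[0];
        String type = args[1];
        char[] storePass = args[2].toCharArray();
        char[] keyPass = args[3].toCharArray();

        // Step 1: the store password. This is what Jetty's KeyStorePassword is used for.
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        } catch (IOException e) {
            // A wrong store password surfaces here as an IOException
            // (for JKS: "Keystore was tampered with, or password was incorrect").
            System.out.println("keystore password rejected: " + e.getMessage());
            System.exit(1);
        }
        System.out.println("keystore password OK (" + ks.size() + " entries)");

        // Step 2: the key password, one entry at a time. This is what Jetty's
        // KeyManagerPassword is used for when the KeyManagerFactory is initialised.
        int failures = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": trusted certificate entry, no key password involved");
                continue;
            }
            try {
                Key key = ks.getKey(alias, keyPass);
                System.out.println(alias + ": key password OK (" + key.getAlgorithm() + ")");
            } catch (UnrecoverableKeyException e) {
                // This is the exception behind Jetty's "Cannot recover key": the store
                // opened fine, but this entry was protected with a different password.
                failures++;
                System.out.println(alias + ": key password rejected; KeyManagerPassword must be "
                        + "the password this key was imported with");
            }
        }
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

Run it against the same file Jetty loads, for example java KeyPasswordCheck /opt/jetty/etc/keystore JKS storepwd <candidate-key-password>, where the path and storepwd are the values from the keytool command in the question and the candidate is the password of the original PKCS#12 store. The password that makes every key entry print "key password OK" is the one to put (obfuscated, as in jetty-ssl.xml) into KeyManagerPassword. With a PKCS12 store loaded as type PKCS12 the same value satisfies both steps, which is the reason behind the note that the store never needed converting.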
