
Configuring the SpiffeProvider in java.security is not adding the Provider #80

Open
alwaysastudent opened this issue Aug 24, 2021 · 6 comments

Comments

@alwaysastudent

alwaysastudent commented Aug 24, 2021

I am trying to plug in the SpiffeProvider using just the java.security properties file, but this is not working for some reason. Can you please help me figure this out? I have to also mention that I don't rely on the SpiffeProvider.install().

The java.security content

# The provider sequence, 11 is accurate 
security.provider.11=io.spiffe.provider.SpiffeProvider
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=Spiffe
ssl.TrustManagerFactory.algorithm=Spiffe

# list of accepted SPIFFE IDs
ssl.spiffe.accept=spiffe://example.org/myservice

Please see this commit on my fork alwaysastudent/java-spiffe-examples@805a56d where I am trying to test a spring boot application jar.

The way I am running this example is by

java-spiffe-examples/spring-boot-x509-demo]$ java -Djava.security.debug=properties -Djava.security.policy=java.policy -Djava.security.properties=java.security -jar ./backend/build/libs/backend-0.1.jar


properties: reading security properties file: /Users/alwaysastudent/.sdkman/candidates/java/8.0.272.hs-adpt/jre/lib/security/java.security
properties: reading security properties file: file:/Users/alwaysastudent/dev/temp-projects/fork/java-spiffe-examples/spring-boot-x509-demo/java.security

But I am getting the following error

java.security.KeyStoreException: Spiffe not found
        at java.security.KeyStore.getInstance(KeyStore.java:851) ~[na:1.8.0_272]
        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:184) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:282) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1227) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:592) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1064) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.catalina.core.StandardService.addConnector(StandardService.java:227) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:282) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:213) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:43) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:182) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.DefaultLifecycleProcessor.access$200(DefaultLifecycleProcessor.java:53) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:360) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:158) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:122) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:895) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:554) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:143) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:758) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:750) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1237) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at com.example.BackendApp.main(BackendApp.java:14) [classes!/:na]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_272]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_272]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_272]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_272]
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) [backend-0.1.jar:na]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:109) [backend-0.1.jar:na]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:58) [backend-0.1.jar:na]
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88) [backend-0.1.jar:na]
Caused by: java.security.NoSuchAlgorithmException: Spiffe KeyStore not available
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:159) ~[na:1.8.0_272]
        at java.security.Security.getImpl(Security.java:695) ~[na:1.8.0_272]
        at java.security.KeyStore.getInstance(KeyStore.java:848) ~[na:1.8.0_272]
        ... 39 common frames omitted

I tried with and without the java.policy file and it does not work in both cases. If I run the program from intellij it works, but when I run this as an executable jar it does not. Kindly help understand the problem.

@maxlambrecht
Member

Hey @alwaysastudent, thanks for reporting it. Can you check whether this issue is also happening with later versions of Java, i.e., Java 9+?

@alwaysastudent
Author

Yes I tried on java 8 and java 11. It is the same behavior.

@maxlambrecht
Member

I was looking into it; unfortunately I couldn't figure it out. I suspect that the embedded Tomcat used by Spring Boot is not loading the Spiffe provider classes, thus the need to install the provider through SpiffeProvider.install() besides configuring it through the java.security file.

@alwaysastudent
Author

> I was looking into it; unfortunately I couldn't figure it out. I suspect that the embedded Tomcat used by Spring Boot is not loading the Spiffe provider classes, thus the need to install the provider through SpiffeProvider.install() besides configuring it through the java.security file.

Do you think this has something to do with having the right java.policy? If we drop the spiffe provider jar in the $java_home/jre/lib/ext it works. I tried fiddling with the java policy and could not figure it out; I wonder if it is because of the uber jar Spring Boot class loading mechanism.

@maxlambrecht
Member

Dropping the provider jar in $java_home/jre/lib/ext works in Java 8, but that mechanism was removed in Java 9. I tried adding the jar through -classpath, without luck. I guess it has to do with Spring Boot's embedded Tomcat bootstrap classloader.
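The two hypotheses in this thread (the provider class is not visible to the class loader that JCA uses when it reads `security.provider.N` entries, and the fat-jar class loader is the reason) can be checked directly rather than guessed at. The following diagnostic is an added example, not code from java-spiffe or from the reporter's fork. It lists the providers that are actually registered, checks whether the configured provider class is loadable from the system (application) class loader versus the thread context class loader, and then requests the `Spiffe` KeyStore, KeyManagerFactory and TrustManagerFactory the way Tomcat does in the stack trace above. The default class name `io.spiffe.provider.SpiffeProvider` and algorithm name `Spiffe` come from the issue; both can be overridden on the command line.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Diagnostic for "provider configured in java.security, but algorithm not found".
 * Added example, not part of java-spiffe. Run it with the same -Djava.security.properties
 * (and, for a Spring Boot fat jar, from inside the application) to see what the JCA sees.
 */
public class ProviderDiagnostic {

    /** True if the named class can be resolved through the given loader. */
    static boolean visibleFrom(String className, ClassLoader loader) {
        if (loader == null) {
            return false;
        }
        try {
            Class.forName(className, false, loader);
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    /** True if a provider of exactly this class is registered with the JCA. */
    static boolean providerRegistered(String className) {
        for (Provider p : Security.getProviders()) {
            if (p.getClass().getName().equals(className)) {
                return true;
            }
        }
        return false;
    }

    /** Requests the services that the stack trace shows Tomcat asking for, and reports each outcome. */
    static String serviceReport(String algorithm) {
        StringBuilder sb = new StringBuilder();
        try {
            KeyStore.getInstance(algorithm);
            sb.append("KeyStore ").append(algorithm).append(": available\n");
        } catch (KeyStoreException e) {
            sb.append("KeyStore ").append(algorithm).append(": ").append(e.getMessage()).append('\n');
        }
        try {
            KeyManagerFactory.getInstance(algorithm);
            sb.append("KeyManagerFactory ").append(algorithm).append(": available\n");
        } catch (NoSuchAlgorithmException e) {
            sb.append("KeyManagerFactory ").append(algorithm).append(": ").append(e.getMessage()).append('\n');
        }
        try {
            TrustManagerFactory.getInstance(algorithm);
            sb.append("TrustManagerFactory ").append(algorithm).append(": available\n");
        } catch (NoSuchAlgorithmException e) {
            sb.append("TrustManagerFactory ").append(algorithm).append(": ").append(e.getMessage()).append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Defaults taken from the issue; override with: ProviderDiagnostic <providerClass> <algorithm>
        String providerClass = args.length > 0 ? args[0] : "io.spiffe.provider.SpiffeProvider";
        String algorithm = args.length > 1 ? args[1] : "Spiffe";

        System.out.println("Registered providers (position: name / class):");
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("  %2d: %s / %s%n", i + 1, providers[i].getName(), providers[i].getClass().getName());
        }

        // The default algorithm names are read from the ssl.*.algorithm security properties,
        // which is what the java.security file in the issue sets to "Spiffe".
        System.out.println("ssl.KeyManagerFactory.algorithm   = " + Security.getProperty("ssl.KeyManagerFactory.algorithm"));
        System.out.println("KeyManagerFactory default          = " + KeyManagerFactory.getDefaultAlgorithm());
        System.out.println("ssl.TrustManagerFactory.algorithm = " + Security.getProperty("ssl.TrustManagerFactory.algorithm"));
        System.out.println("TrustManagerFactory default        = " + TrustManagerFactory.getDefaultAlgorithm());

        // Static java.security entries are resolved by the JCA through the system class loader.
        // If the class is only visible to the context loader (Spring Boot's LaunchedURLClassLoader
        // for nested BOOT-INF/lib jars), the static entry cannot take effect.
        System.out.println("Provider class " + providerClass + ":");
        System.out.println("  registered with JCA:           " + providerRegistered(providerClass));
        System.out.println("  visible to system loader:      " + visibleFrom(providerClass, ClassLoader.getSystemClassLoader()));
        System.out.println("  visible to context loader:     " + visibleFrom(providerClass, Thread.currentThread().getContextClassLoader()));

        System.out.print(serviceReport(algorithm));
    }
}
```

Compile and run it with the same flags used for the application, for example `java -Djava.security.properties=java.security -cp <provider-jar>:. ProviderDiagnostic`, and then again from inside the Spring Boot application (a `CommandLineRunner` or a main-method call) so that it executes under the fat-jar class loader. If the class is reported as visible to the context loader but not to the system loader, the `security.provider.11` entry cannot be honoured from static configuration on that launch path, which is the situation a runtime `SpiffeProvider.install()` works around; if it is visible to the system loader and still not registered, the problem lies in the properties file itself (a gap or duplicate in the `security.provider.N` sequence, or the file not being the one read).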

@alwaysastudent
Author

alwaysastudent commented Aug 31, 2021

Ok, thank you for checking. Meanwhile, I think we should be creating an issue with the spring boot project.
