Resteasy Rest Client: Fix truststore password issue with Vert.x #27925

Merged
merged 1 commit into from Sep 14, 2022

Sgitario
Contributor

The truststore password was being sent as empty ("") in the JksOptions. This caused the following exception:

```
Caused by: io.vertx.core.VertxException: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
[09:59:27.352] [INFO] [client]  at io.vertx.core.net.impl.SSLHelper.getContext(SSLHelper.java:480)
[09:59:27.353] [INFO] [client]  at io.vertx.core.net.impl.SSLHelper.getContext(SSLHelper.java:469)
[09:59:27.353] [INFO] [client]  at io.vertx.core.net.impl.SSLHelper.validate(SSLHelper.java:507)
[09:59:27.353] [INFO] [client]  at io.vertx.core.net.impl.NetClientImpl.<init>(NetClientImpl.java:95)
[09:59:27.353] [INFO] [client]  at io.vertx.core.http.impl.HttpClientImpl.<init>(HttpClientImpl.java:155)
[09:59:27.354] [INFO] [client]  at io.vertx.core.impl.VertxImpl.createHttpClient(VertxImpl.java:338)
[09:59:27.354] [INFO] [client]  at io.vertx.core.impl.VertxImpl.createHttpClient(VertxImpl.java:350)
[09:59:27.354] [INFO] [client]  at org.jboss.resteasy.reactive.client.impl.ClientImpl.<init>(ClientImpl.java:170)
[09:59:27.354] [INFO] [client]  at org.jboss.resteasy.reactive.client.impl.ClientBuilderImpl.build(ClientBuilderImpl.java:244)
[09:59:27.354] [INFO] [client]  at io.quarkus.rest.client.reactive.runtime.RestClientBuilderImpl.build(RestClientBuilderImpl.java:332)
[09:59:27.355] [INFO] [client]  at io.quarkus.rest.client.reactive.runtime.RestClientCDIDelegateBuilder.build(RestClientCDIDelegateBuilder.java:64)
[09:59:27.355] [INFO] [client]  at io.quarkus.rest.client.reactive.runtime.RestClientCDIDelegateBuilder.createDelegate(RestClientCDIDelegateBuilder.java:42)
[09:59:27.355] [INFO] [client]  at io.quarkus.rest.client.reactive.runtime.RestClientReactiveCDIWrapperBase.<init>(RestClientReactiveCDIWrapperBase.java:20)
[09:59:27.355] [INFO] [client]  at io.jester.examples.quarkus.greetings.Client$$CDIWrapper.<init>(Unknown Source)
[09:59:27.356] [INFO] [client]  at io.jester.examples.quarkus.greetings.Client$$CDIWrapper_ClientProxy.<init>(Unknown Source)
[09:59:27.356] [INFO] [client]  at io.jester.examples.quarkus.greetings.Client$$CDIWrapper_Bean.proxy(Unknown Source)
[09:59:27.356] [INFO] [client]  at io.jester.examples.quarkus.greetings.Client$$CDIWrapper_Bean.get(Unknown Source)
[09:59:27.356] [INFO] [client]  at io.jester.examples.quarkus.greetings.Client$$CDIWrapper_Bean.get(Unknown Source)
[09:59:27.357] [INFO] [client]  ... 26 more
[09:59:27.357] [INFO] [client] Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
[09:59:27.357] [INFO] [client]  at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446)
[09:59:27.357] [INFO] [client]  at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
[09:59:27.357] [INFO] [client]  at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
[09:59:27.357] [INFO] [client]  at io.vertx.core.net.impl.KeyStoreHelper.<init>(KeyStoreHelper.java:109)
[09:59:27.358] [INFO] [client]  at io.vertx.core.net.KeyStoreOptionsBase.getHelper(KeyStoreOptionsBase.java:187)
[09:59:27.358] [INFO] [client]  at io.vertx.core.net.KeyStoreOptionsBase.getTrustManagerFactory(KeyStoreOptionsBase.java:217)
[09:59:27.358] [INFO] [client]  at io.vertx.core.net.impl.SSLHelper.getTrustMgrFactory(SSLHelper.java:327)
[09:59:27.358] [INFO] [client]  at io.vertx.core.net.impl.SSLHelper.getContext(SSLHelper.java:478)
[09:59:27.358] [INFO] [client]  ... 43 more
[09:59:27.359] [INFO] [client] Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
[09:59:27.359] [INFO] [client]  at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
[09:59:27.359] [INFO] [client]  at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
[09:59:27.359] [INFO] [client]  at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
[09:59:27.359] [INFO] [client]  at java.base/com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:408)
[09:59:27.360] [INFO] [client]  at java.base/com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:440)
[09:59:27.360] [INFO] [client]  at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
[09:59:27.360] [INFO] [client]  at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:387)
[09:59:27.360] [INFO] [client]  at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:283)
[09:59:27.360] [INFO] [client]  at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:381)
[09:59:27.361] [INFO] [client]  ... 50 more
```

@geoand geoand added triage/backport-2.12? triage/backport-2.13 triage/waiting-for-ci Ready to merge when CI successfully finishes labels Sep 14, 2022
@geoand geoand merged commit 7a932c6 into quarkusio:main Sep 14, 2022
@quarkus-bot quarkus-bot bot added this to the 2.14 - main milestone Sep 14, 2022
@quarkus-bot quarkus-bot bot removed the triage/waiting-for-ci Ready to merge when CI successfully finishes label Sep 14, 2022
@Sgitario Sgitario deleted the rr_ssl branch September 15, 2022 04:52
@gsmet gsmet modified the milestones: 2.14 - main, 2.13.0.Final Sep 20, 2022

kulasekp commented Mar 16, 2023

Hi,
I do not want to open a new ticket before we confirm the issue is really there, so I will put my question here first:
The proposed fix introduced another issue: now it is not possible to configure RestClientBuilder programmatically with a trustStore without a password (or actually to provide any):

  • MicroProfile's `RestClientBuilder` basically only provides `trustStore(KeyStore trustStore)`;
  • and the underlying implementation, `io.quarkus.rest.client.reactive.runtime.RestClientBuilderImpl` and further `org.jboss.resteasy.reactive.client.impl.ClientBuilderImpl`, will basically fail (JavaKeyStore, "password can't be null") on `Buffer trustStore = asBuffer(this.trustStore, this.trustStorePassword);` as a null password will be provided to the build method.

So the following code won't work anymore:

```java
if (trustStore != null) {
    restClientBuilder.trustStore(trustStore);
}
TargetNotificationService service = restClientBuilder.build(TargetNotificationService.class);
```

As a workaround I am just casting RestClientBuilder as follows:
`((RestClientBuilderImpl) restClientBuilder).trustStore(trustStore, "");`
so things are working correctly.

Could you please take a look at this and let me know if there is any other way, or whether we have an issue in Quarkus indeed?

PS
I use Quarkus 2.16.3
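
The two failure modes discussed in this thread (a null password rejected when an in-memory trust store is serialized, and a buffer reloaded with a different password than it was written with) can be reproduced with the JDK alone. This is an added example, not code from the pull request or from Quarkus; the `serialize` and `reload` helpers are hypothetical names, and it assumes an empty JKS trust store constructed in memory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;

public class TrustStorePasswordDemo {

    // Hypothetical helper (not the Quarkus asBuffer): serialize an in-memory
    // trust store, treating a missing password as the empty password.
    static byte[] serialize(KeyStore ks, char[] password) throws Exception {
        char[] effective = (password != null) ? password : new char[0];
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, effective);
        return out.toByteArray();
    }

    // Reload the bytes the way a consumer of the buffer would and report the outcome.
    static String reload(byte[] bytes, String password) {
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new ByteArrayInputStream(bytes), password.toCharArray());
            return "ok";
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(null, null); // constructed, empty in-memory trust store

        // 1. Passing null straight to store() is rejected by the JKS provider.
        try {
            trustStore.store(new ByteArrayOutputStream(), null);
        } catch (IllegalArgumentException e) {
            System.out.println("store(null): " + e.getMessage());
        }

        // 2. Written with one password, reloaded with "": the integrity check fails.
        byte[] protectedBytes = serialize(trustStore, "changeit".toCharArray());
        System.out.println("mismatch:    " + reload(protectedBytes, ""));

        // 3. No password supplied: writer and reader both fall back to "".
        byte[] unprotected = serialize(trustStore, null);
        System.out.println("consistent:  " + reload(unprotected, ""));
    }
}
```

Whatever password the serializing side ends up using, including the fallback for null, has to be the same value handed to the component that later loads the buffer.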


geoand commented Mar 16, 2023

@Sgitario mind taking a look at ^ please?

@Sgitario
Contributor Author

#31891 should fix this issue. Thanks for spotting!

gsmet pushed a commit to gsmet/quarkus that referenced this pull request Mar 16, 2023
gsmet pushed a commit to gsmet/quarkus that referenced this pull request Mar 20, 2023
gsmet pushed a commit to gsmet/quarkus that referenced this pull request May 9, 2023