Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Resteasy Rest Client: Fix truststore password issue with Vert.x #27925

Merged
merged 1 commit into from
Sep 14, 2022

Conversation

Sgitario
Copy link
Contributor

The truststore password was being sent as empty ("") in the JksOptions. This caused the following exception:

Caused by: io.vertx.core.VertxException: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. 
[09:59:27.352] [INFO] [client]  at io.vertx.core.net.impl.SSLHelper.getContext(SSLHelper.java:480) 
[09:59:27.353] [INFO] [client]  at io.vertx.core.net.impl.SSLHelper.getContext(SSLHelper.java:469) 
[09:59:27.353] [INFO] [client]  at io.vertx.core.net.impl.SSLHelper.validate(SSLHelper.java:507) 
[09:59:27.353] [INFO] [client]  at io.vertx.core.net.impl.NetClientImpl.<init>(NetClientImpl.java:95) 
[09:59:27.353] [INFO] [client]  at io.vertx.core.http.impl.HttpClientImpl.<init>(HttpClientImpl.java:155) 
[09:59:27.354] [INFO] [client]  at io.vertx.core.impl.VertxImpl.createHttpClient(VertxImpl.java:338) 
[09:59:27.354] [INFO] [client]  at io.vertx.core.impl.VertxImpl.createHttpClient(VertxImpl.java:350) 
[09:59:27.354] [INFO] [client]  at org.jboss.resteasy.reactive.client.impl.ClientImpl.<init>(ClientImpl.java:170) 
[09:59:27.354] [INFO] [client]  at org.jboss.resteasy.reactive.client.impl.ClientBuilderImpl.build(ClientBuilderImpl.java:244) 
[09:59:27.354] [INFO] [client]  at io.quarkus.rest.client.reactive.runtime.RestClientBuilderImpl.build(RestClientBuilderImpl.java:332) 
[09:59:27.355] [INFO] [client]  at io.quarkus.rest.client.reactive.runtime.RestClientCDIDelegateBuilder.build(RestClientCDIDelegateBuilder.java:64) 
[09:59:27.355] [INFO] [client]  at io.quarkus.rest.client.reactive.runtime.RestClientCDIDelegateBuilder.createDelegate(RestClientCDIDelegateBuilder.java:42) 
[09:59:27.355] [INFO] [client]  at io.quarkus.rest.client.reactive.runtime.RestClientReactiveCDIWrapperBase.<init>(RestClientReactiveCDIWrapperBase.java:20) 
[09:59:27.355] [INFO] [client]  at io.jester.examples.quarkus.greetings.Client$$CDIWrapper.<init>(Unknown Source) 
[09:59:27.356] [INFO] [client]  at io.jester.examples.quarkus.greetings.Client$$CDIWrapper_ClientProxy.<init>(Unknown Source) 
[09:59:27.356] [INFO] [client]  at io.jester.examples.quarkus.greetings.Client$$CDIWrapper_Bean.proxy(Unknown Source) 
[09:59:27.356] [INFO] [client]  at io.jester.examples.quarkus.greetings.Client$$CDIWrapper_Bean.get(Unknown Source) 
[09:59:27.356] [INFO] [client]  at io.jester.examples.quarkus.greetings.Client$$CDIWrapper_Bean.get(Unknown Source) 
[09:59:27.357] [INFO] [client]  ... 26 more 
[09:59:27.357] [INFO] [client] Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. 
[09:59:27.357] [INFO] [client]  at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446) 
[09:59:27.357] [INFO] [client]  at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90) 
[09:59:27.357] [INFO] [client]  at java.base/java.security.KeyStore.getKey(KeyStore.java:1057) 
[09:59:27.357] [INFO] [client]  at io.vertx.core.net.impl.KeyStoreHelper.<init>(KeyStoreHelper.java:109) 
[09:59:27.358] [INFO] [client]  at io.vertx.core.net.KeyStoreOptionsBase.getHelper(KeyStoreOptionsBase.java:187) 
[09:59:27.358] [INFO] [client]  at io.vertx.core.net.KeyStoreOptionsBase.getTrustManagerFactory(KeyStoreOptionsBase.java:217) 
[09:59:27.358] [INFO] [client]  at io.vertx.core.net.impl.SSLHelper.getTrustMgrFactory(SSLHelper.java:327) 
[09:59:27.358] [INFO] [client]  at io.vertx.core.net.impl.SSLHelper.getContext(SSLHelper.java:478) 
[09:59:27.358] [INFO] [client]  ... 43 more 
[09:59:27.359] [INFO] [client] Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. 
[09:59:27.359] [INFO] [client]  at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975) 
[09:59:27.359] [INFO] [client]  at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056) 
[09:59:27.359] [INFO] [client]  at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853) 
[09:59:27.359] [INFO] [client]  at java.base/com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:408) 
[09:59:27.360] [INFO] [client]  at java.base/com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:440) 
[09:59:27.360] [INFO] [client]  at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202) 
[09:59:27.360] [INFO] [client]  at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:387) 
[09:59:27.360] [INFO] [client]  at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:283) 
[09:59:27.360] [INFO] [client]  at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:381) 
[09:59:27.361] [INFO] [client]  ... 50 more 

@geoand geoand added triage/backport-2.12? triage/backport-2.13 triage/waiting-for-ci Ready to merge when CI successfully finishes labels Sep 14, 2022
@quarkus-bot

This comment has been minimized.

The truststore password was being sent as empty ("") in the JksOptions. This caused the following exception:

```
Caused by: io.vertx.core.VertxException: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. 
[09:59:27.352] [INFO] [client]  at io.vertx.core.net.impl.SSLHelper.getContext(SSLHelper.java:480) 
[09:59:27.353] [INFO] [client]  at io.vertx.core.net.impl.SSLHelper.getContext(SSLHelper.java:469) 
[09:59:27.353] [INFO] [client]  at io.vertx.core.net.impl.SSLHelper.validate(SSLHelper.java:507) 
[09:59:27.353] [INFO] [client]  at io.vertx.core.net.impl.NetClientImpl.<init>(NetClientImpl.java:95) 
[09:59:27.353] [INFO] [client]  at io.vertx.core.http.impl.HttpClientImpl.<init>(HttpClientImpl.java:155) 
[09:59:27.354] [INFO] [client]  at io.vertx.core.impl.VertxImpl.createHttpClient(VertxImpl.java:338) 
[09:59:27.354] [INFO] [client]  at io.vertx.core.impl.VertxImpl.createHttpClient(VertxImpl.java:350) 
[09:59:27.354] [INFO] [client]  at org.jboss.resteasy.reactive.client.impl.ClientImpl.<init>(ClientImpl.java:170) 
[09:59:27.354] [INFO] [client]  at org.jboss.resteasy.reactive.client.impl.ClientBuilderImpl.build(ClientBuilderImpl.java:244) 
[09:59:27.354] [INFO] [client]  at io.quarkus.rest.client.reactive.runtime.RestClientBuilderImpl.build(RestClientBuilderImpl.java:332) 
[09:59:27.355] [INFO] [client]  at io.quarkus.rest.client.reactive.runtime.RestClientCDIDelegateBuilder.build(RestClientCDIDelegateBuilder.java:64) 
[09:59:27.355] [INFO] [client]  at io.quarkus.rest.client.reactive.runtime.RestClientCDIDelegateBuilder.createDelegate(RestClientCDIDelegateBuilder.java:42) 
[09:59:27.355] [INFO] [client]  at io.quarkus.rest.client.reactive.runtime.RestClientReactiveCDIWrapperBase.<init>(RestClientReactiveCDIWrapperBase.java:20) 
[09:59:27.355] [INFO] [client]  at io.jester.examples.quarkus.greetings.Client$$CDIWrapper.<init>(Unknown Source) 
[09:59:27.356] [INFO] [client]  at io.jester.examples.quarkus.greetings.Client$$CDIWrapper_ClientProxy.<init>(Unknown Source) 
[09:59:27.356] [INFO] [client]  at io.jester.examples.quarkus.greetings.Client$$CDIWrapper_Bean.proxy(Unknown Source) 
[09:59:27.356] [INFO] [client]  at io.jester.examples.quarkus.greetings.Client$$CDIWrapper_Bean.get(Unknown Source) 
[09:59:27.356] [INFO] [client]  at io.jester.examples.quarkus.greetings.Client$$CDIWrapper_Bean.get(Unknown Source) 
[09:59:27.357] [INFO] [client]  ... 26 more 
[09:59:27.357] [INFO] [client] Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. 
[09:59:27.357] [INFO] [client]  at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446) 
[09:59:27.357] [INFO] [client]  at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90) 
[09:59:27.357] [INFO] [client]  at java.base/java.security.KeyStore.getKey(KeyStore.java:1057) 
[09:59:27.357] [INFO] [client]  at io.vertx.core.net.impl.KeyStoreHelper.<init>(KeyStoreHelper.java:109) 
[09:59:27.358] [INFO] [client]  at io.vertx.core.net.KeyStoreOptionsBase.getHelper(KeyStoreOptionsBase.java:187) 
[09:59:27.358] [INFO] [client]  at io.vertx.core.net.KeyStoreOptionsBase.getTrustManagerFactory(KeyStoreOptionsBase.java:217) 
[09:59:27.358] [INFO] [client]  at io.vertx.core.net.impl.SSLHelper.getTrustMgrFactory(SSLHelper.java:327) 
[09:59:27.358] [INFO] [client]  at io.vertx.core.net.impl.SSLHelper.getContext(SSLHelper.java:478) 
[09:59:27.358] [INFO] [client]  ... 43 more 
[09:59:27.359] [INFO] [client] Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. 
[09:59:27.359] [INFO] [client]  at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975) 
[09:59:27.359] [INFO] [client]  at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056) 
[09:59:27.359] [INFO] [client]  at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853) 
[09:59:27.359] [INFO] [client]  at java.base/com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:408) 
[09:59:27.360] [INFO] [client]  at java.base/com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:440) 
[09:59:27.360] [INFO] [client]  at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202) 
[09:59:27.360] [INFO] [client]  at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:387) 
[09:59:27.360] [INFO] [client]  at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:283) 
[09:59:27.360] [INFO] [client]  at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:381) 
[09:59:27.361] [INFO] [client]  ... 50 more 
```
@geoand geoand merged commit 7a932c6 into quarkusio:main Sep 14, 2022
@quarkus-bot quarkus-bot bot added this to the 2.14 - main milestone Sep 14, 2022
@quarkus-bot quarkus-bot bot removed the triage/waiting-for-ci Ready to merge when CI successfully finishes label Sep 14, 2022
@Sgitario Sgitario deleted the rr_ssl branch September 15, 2022 04:52
@gsmet gsmet modified the milestones: 2.14 - main, 2.13.0.Final Sep 20, 2022
@kulasekp
Copy link

kulasekp commented Mar 16, 2023

Hi
I do not want to open new ticket before we confirm the issue is really there, so I will put my question here first:
Proposed fix introduced another issue: now it is not possible to configure RestClientBuilder programmatically with trustStore without password (or actually to provide any):

  • Microprofile's {{RestClientBuilder}} basically only provides trustStore(KeyStore trustStore);
  • and underlying implementation: io.quarkus.rest.client.reactive.runtime.RestClientBuilderImpl and further org.jboss.resteasy.reactive.client.impl.ClientBuilderImpl will basically fail (JavaKeyStore, "password can't be null") on Buffer trustStore = asBuffer(this.trustStore, this.trustStorePassword); as null password will be provided to build method.

So the following code won't work anymore:

        if (trustStore != null) {
           restClientBuilder.trustStore(trustStore);
        }
        TargetNotificationService service = restClientBuilder.build(TargetNotificationService.class);

As a workaround I am just casting RestClientBuilder as follows:
((RestClientBuilderImpl) restClientBuilder).trustStore(trustStore, "");
so things are working correctly.

Could you please take a look at this and let me know if there is any other way or we have an issue in Quarkus indeed?

PS
I use Quarkus 2.16.3

@geoand
Copy link
Contributor

geoand commented Mar 16, 2023

@Sgitario mind taking a look at ^ please?

@Sgitario
Copy link
Contributor Author

#31891 should fix this issue. Thanks for spotting!

gsmet pushed a commit to gsmet/quarkus that referenced this pull request Mar 16, 2023
gsmet pushed a commit to gsmet/quarkus that referenced this pull request Mar 20, 2023
gsmet pushed a commit to gsmet/quarkus that referenced this pull request May 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants