Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid NPE for unspecified keystore key #977

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Avoid NPE for unspecified keystore key #977

wants to merge 1 commit into from

Conversation

findinpath
Copy link
Contributor

Fixes #976

@findinpath
Copy link
Contributor Author

findinpath commented Jan 14, 2022
edited

After testing this change with Trino, the error occuring is way more misleading.

Caused by: RuntimeException: UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
	at HttpServerProvider.get(HttpServerProvider.java:173)
	at HttpServerProvider.get(HttpServerProvider.java:46)
	at ProviderInternalFactory.provision(ProviderInternalFactory.java:86)
	at BoundProviderFactory.provision(BoundProviderFactory.java:72)
	at ProviderInternalFactory$1.call(ProviderInternalFactory.java:67)

Loading a password protected keystore with a NULL password does not throw an exception:

        String keystorePassword = null;
        try (InputStream in = new FileInputStream(new File("presto-master.jks"))) {
            KeyStore keystore = KeyStore.getInstance("JKS");
            keystore.load(in, Optional.ofNullable(keystorePassword).map(String::toCharArray).orElse(null));
        }

Detailed reasoning behind this choice:

https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#L2044-L2051

https://github.com/openjdk/jdk17/blob/master/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#L2065-L2087

NOTE that in case of providing an invalid password we'll receive here

Exception in thread "main" java.io.IOException: keystore password was incorrect
	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)

A possibility to go around this is to have a special handling in case of NULL keystore password by going over the aliases and check whether the certificates can be retrieved

            Enumeration<String> enumeration = keystore.aliases();
            while(enumeration.hasMoreElements()) {
                String alias = enumeration.nextElement();
                Certificate certificate = keystore.getCertificate(alias);
                 if (certificate == null){
                       // we're dealing with an invalid password
                 }
            }

@electrum
Copy link
Member

Your suggested code sounds better. In the case where we need a password but one isn't provided, it seems better to fail up front with a good error message.

@findinpath
Copy link
Contributor Author

I'll refresh the PR and come up with a better version of this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

NPE when the keystore password is NULL in ReloadableSslContextFactoryProvider
2 participants
@findinpath @electrum