Is it possible to support jks type keystore?
WalkerWalker opened this issue · 6 comments
As the title says, is it possible to support jks type keystore?
From the documentation I read
Configures a PKCS12 keystore for secure IMAP/SMTP/POP3 TLS certificates (see also -Dgreenmail.tls.keystore.password)
So I assume it cannot be a jks type keystore?
I just checked the source code and tried with jks keystore. The jks type keystore seems to be ok. I hope this can be confirmed.
Yet another related question, do we assume the password to the keystore and the password to the key are the same? I got a keystore with password, but key has no password, and I got
java.security.UnrecoverableKeyException: Cannot recover key
Quickly checking the source code, I think this line uses the keystore password to decrypt the key. I'm not entirely sure, I would guess this is what KeyManagerFactory.init() does.
jks is supported as a legacy fallback over the recommended PKCS12.
Thx for raising the issue. Is it possible for you to provide the full stacktrace?
I will try to look at it this weekend - feel free to raise a PR (reproducing/fixing) the issue.
There you go. The full log and stacktrace with keystore having password "keystore-pwd" and unencrypted key.
Executing 'java -Djava.net.preferIPv4Stack=true -Dgreenmail.setup.test.all -Dgreenmail.hostname=0.0.0.0 -Dgreenmail.auth.enabled -Dgreenmail.verbose -Dgreenmail.users=test1:PASSWORD@yourdomain.com,test2:PASSWORD@yourdomain.com -Dgreenmail.ssl.enable=true -Dgreenmail.tls.keystore.file=/deployments/keystore-generated/keystore.jks -Dgreenmail.tls.keystore.password=keystore-pwd -jar greenmail-standalone.jar' ...
2023-10-25 07:43:38,283 DEBUG util.GreenMail| GreenMail version: 2.0.0
2023-10-25 07:43:38,285 DEBUG util.GreenMail| OpenJDK 64-Bit Server VM Azul Systems, Inc. 1.8.0_362-b09
2023-10-25 07:43:38,285 DEBUG util.GreenMail| file.encoding : UTF-8
2023-10-25 07:43:38,294 INFO GreenMailStandaloneRunner| Starting GreenMail standalone v2.0.0 using [ServerSetup{port=3025, bindAddress='0.0.0.0', protocol='smtp', readTimeout=-1, connectionTimeout=-1, writeTimeout=-1, verbose=true, serverStartupTimeout=2000, mailProperties={}}, ServerSetup{port=3465, bindAddress='0.0.0.0', protocol='smtps', readTimeout=-1, connectionTimeout=-1, writeTimeout=-1, verbose=true, serverStartupTimeout=2000, mailProperties={}}, ServerSetup{port=3110, bindAddress='0.0.0.0', protocol='pop3', readTimeout=-1, connectionTimeout=-1, writeTimeout=-1, verbose=true, serverStartupTimeout=2000, mailProperties={}}, ServerSetup{port=3995, bindAddress='0.0.0.0', protocol='pop3s', readTimeout=-1, connectionTimeout=-1, writeTimeout=-1, verbose=true, serverStartupTimeout=2000, mailProperties={}}, ServerSetup{port=3143, bindAddress='0.0.0.0', protocol='imap', readTimeout=-1, connectionTimeout=-1, writeTimeout=-1, verbose=true, serverStartupTimeout=2000, mailProperties={}}, ServerSetup{port=3993, bindAddress='0.0.0.0', protocol='imaps', readTimeout=-1, connectionTimeout=-1, writeTimeout=-1, verbose=true, serverStartupTimeout=2000, mailProperties={}}]
2023-10-25 07:43:38,378 DEBUG pop3.Pop3Server| Started pop3:0.0.0.0:3110
2023-10-25 07:43:38,378 DEBUG smtp.SmtpServer| Started smtp:0.0.0.0:3025
2023-10-25 07:43:38,379 DEBUG imap.ImapServer| Started imap:0.0.0.0:3143
2023-10-25 07:43:38,587 DEBUG mmySSLServerSocketFactory| Loading keystore from file /deployments/keystore-generated/keystore.jks ...
Exception in thread "pop3s:0.0.0.0:3995" Exception in thread "imaps:0.0.0.0:3993" Exception in thread "smtps:0.0.0.0:3465" java.lang.NoClassDefFoundError: Could not initialize class com.icegreen.greenmail.util.DummySSLServerSocketFactory$Holder
at com.icegreen.greenmail.util.DummySSLServerSocketFactory.getDefault(DummySSLServerSocketFactory.java:149)
at com.icegreen.greenmail.server.AbstractServer.openServerSocket(AbstractServer.java:77)
at com.icegreen.greenmail.server.AbstractServer.initServerSocket(AbstractServer.java:127)
at com.icegreen.greenmail.server.AbstractServer.run(AbstractServer.java:103)
java.lang.ExceptionInInitializerError
at com.icegreen.greenmail.util.DummySSLServerSocketFactory.getDefault(DummySSLServerSocketFactory.java:149)
at com.icegreen.greenmail.server.AbstractServer.openServerSocket(AbstractServer.java:77)
at com.icegreen.greenmail.server.AbstractServer.initServerSocket(AbstractServer.java:127)
at com.icegreen.greenmail.server.AbstractServer.run(AbstractServer.java:103)
Caused by: java.lang.IllegalStateException: Can not create and initialize SSL
at com.icegreen.greenmail.util.DummySSLServerSocketFactory.<init>(DummySSLServerSocketFactory.java:88)
at com.icegreen.greenmail.util.DummySSLServerSocketFactory$Holder.<init>(DummySSLServerSocketFactory.java:145)
at com.icegreen.greenmail.util.DummySSLServerSocketFactory$Holder.<clinit>(DummySSLServerSocketFactory.java:144)
... 4 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:315)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:143)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:57)
at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:71)
at java.security.KeyStore.getKey(KeyStore.java:1023)
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
at com.icegreen.greenmail.util.DummySSLServerSocketFactory.<init>(DummySSLServerSocketFactory.java:81)
... 6 more
java.lang.NoClassDefFoundError: Could not initialize class com.icegreen.greenmail.util.DummySSLServerSocketFactory$Holder
at com.icegreen.greenmail.util.DummySSLServerSocketFactory.getDefault(DummySSLServerSocketFactory.java:149)
at com.icegreen.greenmail.server.AbstractServer.openServerSocket(AbstractServer.java:77)
at com.icegreen.greenmail.server.AbstractServer.initServerSocket(AbstractServer.java:127)
at com.icegreen.greenmail.server.AbstractServer.run(AbstractServer.java:103)
2023-10-25 07:43:38,678 DEBUG util.GreenMail| Started services, performing check if all up
Exception in thread "main" java.lang.IllegalStateException: Could not start mail server smtps:0.0.0.0:3465, try to set server startup timeout > 2000 via ServerSetup.setServerStartupTimeout(timeoutInMs) or -Dgreenmail.startup.timeout
at com.icegreen.greenmail.util.GreenMail.start(GreenMail.java:118)
at com.icegreen.greenmail.standalone.GreenMailStandaloneRunner.doRun(GreenMailStandaloneRunner.java:48)
at com.icegreen.greenmail.standalone.GreenMailStandaloneRunner.main(GreenMailStandaloneRunner.java:137)
Fixing the issue is a bit challenging for me, but I can try. Before doing that, we might need to align the new configuration. Basically the following two configurations are not enough. We need the password for keystore and password for the key. How would you like to add the third one?
-Dgreenmail.tls.keystore.file
-Dgreenmail.tls.keystore.password
What about e.g.
-Dgreenmail.tls.key.alias
-Dgreenmail.tls.key.password
Diving into more details, I think you'd only need
-Dgreenmail.tls.key.password
By default the key password should be the store passphrase (similar to Jetty implementation here).
Let me know if you want to provide the PR.
Created #615 for this feature and provided implementation.
@WalkerWalker, I will roll a release 2.1.0-alpha-3 tomorrow. Let me know if there is still an issue.
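The separation discussed in this thread, as an added example that is not GreenMail's own code or the change made in #615: the store password opens the keystore file, while the password passed to KeyManagerFactory.init() is the one used to recover the private key, falling back to the store password when no key password is given. The class name and the choice of keystore type by file extension are assumptions made for the example; the property names are the ones quoted in the thread.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Hypothetical helper class, written for this example only.
public class KeyPasswordFallback {

    // keyPassword may be null; the store password is then reused for the key.
    static SSLContext build(String file, char[] storePassword, char[] keyPassword)
            throws Exception {
        // Assumption for the example: pick the keystore type from the extension.
        KeyStore ks = KeyStore.getInstance(file.endsWith(".jks") ? "JKS" : "PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            ks.load(in, storePassword); // store password: opens and checks the file
        }
        char[] effective = keyPassword != null ? keyPassword : storePassword;
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        try {
            kmf.init(ks, effective); // key password: recovers each private key entry
        } catch (UnrecoverableKeyException e) {
            // Same root cause as the stack trace in this thread.
            throw new IllegalStateException("Key password does not match a private key in "
                    + file + "; set -Dgreenmail.tls.key.password", e);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String file = System.getProperty("greenmail.tls.keystore.file");
        String storePwd = System.getProperty("greenmail.tls.keystore.password");
        String keyPwd = System.getProperty("greenmail.tls.key.password"); // optional
        if (file == null || storePwd == null) {
            System.err.println("Set -Dgreenmail.tls.keystore.file and "
                    + "-Dgreenmail.tls.keystore.password");
            return;
        }
        SSLContext ctx = build(file, storePwd.toCharArray(),
                keyPwd == null ? null : keyPwd.toCharArray());
        System.out.println("Initialized " + ctx.getProtocol()
                + (keyPwd == null ? " using store password for key" : " using key password"));
    }
}
```

A test keystore with differing passwords can be created with keytool's -storetype JKS, -storepass and -keypass options; for PKCS12 stores keytool ignores -keypass and uses the store password for the key.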