Configuring the SpiffeProvider in java.security is not adding the Provider
alwaysastudent opened this issue · 6 comments
I am trying to plug in the SpiffeProvider using just the java.security properties file, but this is not working for some reason. Can you please help me figure this out? I have to also mention that I don't rely on SpiffeProvider.install().
The java.security content:

```properties
# The provider sequence, 11 is accurate
security.provider.11=io.spiffe.provider.SpiffeProvider
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=Spiffe
ssl.TrustManagerFactory.algorithm=Spiffe
# list of accepted SPIFFE IDs
ssl.spiffe.accept=spiffe://example.org/myservice
```
Please see this commit on my fork alwaysastudent/java-spiffe-examples@805a56d where I am trying to test a spring boot application jar.
The way I am running this example is:

```
java-spiffe-examples/spring-boot-x509-demo]$ java -Djava.security.debug=properties -Djava.security.policy=java.policy -Djava.security.properties=java.security -jar ./backend/build/libs/backend-0.1.jar
properties: reading security properties file: /Users/alwaysastudent/.sdkman/candidates/java/8.0.272.hs-adpt/jre/lib/security/java.security
properties: reading security properties file: file:/Users/alwaysastudent/dev/temp-projects/fork/java-spiffe-examples/spring-boot-x509-demo/java.security
```
But I am getting the following error:

```
java.security.KeyStoreException: Spiffe not found
at java.security.KeyStore.getInstance(KeyStore.java:851) ~[na:1.8.0_272]
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:184) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:282) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1227) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:592) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1064) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.StandardService.addConnector(StandardService.java:227) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:282) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:213) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:43) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:182) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.context.support.DefaultLifecycleProcessor.access$200(DefaultLifecycleProcessor.java:53) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:360) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:158) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:122) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:895) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:554) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:143) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:758) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:750) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1237) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
at com.example.BackendApp.main(BackendApp.java:14) [classes!/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_272]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_272]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_272]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_272]
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) [backend-0.1.jar:na]
at org.springframework.boot.loader.Launcher.launch(Launcher.java:109) [backend-0.1.jar:na]
at org.springframework.boot.loader.Launcher.launch(Launcher.java:58) [backend-0.1.jar:na]
at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88) [backend-0.1.jar:na]
Caused by: java.security.NoSuchAlgorithmException: Spiffe KeyStore not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159) ~[na:1.8.0_272]
at java.security.Security.getImpl(Security.java:695) ~[na:1.8.0_272]
at java.security.KeyStore.getInstance(KeyStore.java:848) ~[na:1.8.0_272]
... 39 common frames omitted
```

I tried with and without the java.policy file and it does not work in either case. If I run the program from IntelliJ it works, but when I run this as an executable jar it does not. Kindly help me understand the problem.
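A small diagnostic that narrows down a "Spiffe not found" of this kind, added here as an example and not code from the issue or from the java-spiffe project. It assumes only what the issue shows: the provider class name io.spiffe.provider.SpiffeProvider and the algorithm name Spiffe from the ssl.*Factory.algorithm properties. The JDK resolves the classes named in security.provider.N entries through the system class loader, not through the loader of the calling application, so the check that matters for an executable jar is whether that loader can see the provider class; an entry that fails to load is skipped without an exception and is only reported under -Djava.security.debug=provider.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;

/**
 * Diagnostic for a JCA provider that is configured in java.security but
 * reported as "not found" at runtime. Run it with the same command line as
 * the application (same -Djava.security.properties, same -jar / -classpath),
 * so that it sees the same class loaders and the same security properties.
 */
public class ProviderDiagnostic {

    // Fully qualified class name from the security.provider.11 line of the issue.
    static final String PROVIDER_CLASS = "io.spiffe.provider.SpiffeProvider";
    // Algorithm name from the ssl.*Factory.algorithm properties of the issue.
    static final String ALGORITHM = "Spiffe";

    /** True if the provider class can be loaded through the given loader (null = bootstrap). */
    static boolean visibleTo(ClassLoader loader) {
        try {
            Class.forName(PROVIDER_CLASS, false, loader);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /** The installed provider whose class name matches, or null if none was registered. */
    static Provider findByClassName() {
        for (Provider p : Security.getProviders()) {
            if (PROVIDER_CLASS.equals(p.getClass().getName())) {
                return p;
            }
        }
        return null;
    }

    /** True if KeyStore.getInstance(ALGORITHM), the call that fails in the stack trace, would succeed. */
    static boolean keyStoreAvailable() {
        try {
            KeyStore.getInstance(ALGORITHM);
            return true;
        } catch (KeyStoreException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Confirm the override file and the algorithm properties were actually read.
        System.out.println("java.security.properties = " + System.getProperty("java.security.properties"));
        System.out.println("ssl.KeyManagerFactory.algorithm = " + Security.getProperty("ssl.KeyManagerFactory.algorithm"));
        System.out.println("ssl.TrustManagerFactory.algorithm = " + Security.getProperty("ssl.TrustManagerFactory.algorithm"));

        // Which security.provider.N entries resolved: a class the system class
        // loader cannot see is skipped without any exception.
        for (Provider p : Security.getProviders()) {
            System.out.println("installed provider: " + p.getName() + " (" + p.getClass().getName() + ")");
        }

        // The JDK loads providers listed in java.security via the system class
        // loader; classes inside a Spring Boot fat jar's BOOT-INF/lib are loaded by
        // a child loader, so the two answers below can differ.
        System.out.println(PROVIDER_CLASS + " visible to system class loader: "
                + visibleTo(ClassLoader.getSystemClassLoader()));
        System.out.println(PROVIDER_CLASS + " visible to this class's loader:  "
                + visibleTo(ProviderDiagnostic.class.getClassLoader()));

        Provider spiffe = findByClassName();
        if (spiffe == null) {
            System.out.println("provider not registered from java.security");
        } else {
            // List the services the provider exposes, so ALGORITHM can be checked
            // against the KeyStore / KeyManagerFactory / TrustManagerFactory names
            // it actually registers.
            for (Provider.Service s : spiffe.getServices()) {
                System.out.println("service: " + s.getType() + "." + s.getAlgorithm());
            }
        }
        System.out.println("KeyStore \"" + ALGORITHM + "\" available: " + keyStoreAvailable());
    }
}
```

On a flat classpath (as when an IDE launches the main class) the system class loader and the application class loader are the same, so both visibility lines agree. To reproduce the executable-jar case the class has to run from inside that jar, for example from a startup hook of the application, because only then is the provider jar a nested dependency rather than an entry on the system class path.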
Hey @alwaysastudent, thanks for reporting it. Can you check whether this issue is also happening with later versions of Java, i.e., Java 9+?
Yes I tried on java 8 and java 11. It is the same behavior.
I was looking into it, unfortunately I couldn't figure it out. I suspect that the embedded Tomcat used by Spring Boot is not loading the Spiffe provider classes, thus the need to install the provider through SpiffeProvider.install() besides configuring it through the java.security file.
Do you think this has something to do with having the right java.policy? If we drop the spiffe provider jar in $java_home/jre/lib/ext it works. I tried fiddling with the java policy and could not figure it out. I wonder if it is because of the uber jar Spring Boot class loading mechanism.
Dropping the provider jar in $java_home/jre/lib/ext works in Java 8, but that mechanism was removed in Java 9. I tried adding the jar through -classpath, without luck. I guess it has to do with Spring Boot's embedded Tomcat bootstrap classloader.
Ok, thank you for checking. Meanwhile, I think we should be creating an issue with the spring boot project.