
Configuring the SpiffeProvider in java.security is not adding the Provider

Open alwaysastudent opened this issue 4 years ago • 6 comments

I am trying to plug in the SpiffeProvider using just the java.security properties file, but this is not working for some reason. Can you please help me figure this out? I should also mention that I don't rely on SpiffeProvider.install().

The java.security content

# The provider sequence, 11 is accurate 
security.provider.11=io.spiffe.provider.SpiffeProvider
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=Spiffe
ssl.TrustManagerFactory.algorithm=Spiffe

# list of accepted SPIFFE IDs
ssl.spiffe.accept=spiffe://example.org/myservice

Please see this commit on my fork https://github.com/alwaysastudent/java-spiffe-examples/commit/805a56d768489733d643bbcc01ac01fd6f9b4ebf where I am trying to test a spring boot application jar.

The way I am running this example is by

java-spiffe-examples/spring-boot-x509-demo]$ java -Djava.security.debug=properties -Djava.security.policy=java.policy -Djava.security.properties=java.security -jar ./backend/build/libs/backend-0.1.jar


properties: reading security properties file: /Users/alwaysastudent/.sdkman/candidates/java/8.0.272.hs-adpt/jre/lib/security/java.security
properties: reading security properties file: file:/Users/alwaysastudent/dev/temp-projects/fork/java-spiffe-examples/spring-boot-x509-demo/java.security

But I am getting the following error

java.security.KeyStoreException: Spiffe not found
        at java.security.KeyStore.getInstance(KeyStore.java:851) ~[na:1.8.0_272]
        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:184) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:282) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1227) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:592) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1064) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.catalina.core.StandardService.addConnector(StandardService.java:227) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:282) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:213) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:43) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:182) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.DefaultLifecycleProcessor.access$200(DefaultLifecycleProcessor.java:53) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:360) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:158) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:122) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:895) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:554) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:143) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:758) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:750) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1237) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at com.example.BackendApp.main(BackendApp.java:14) [classes!/:na]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_272]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_272]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_272]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_272]
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) [backend-0.1.jar:na]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:109) [backend-0.1.jar:na]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:58) [backend-0.1.jar:na]
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88) [backend-0.1.jar:na]
Caused by: java.security.NoSuchAlgorithmException: Spiffe KeyStore not available
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:159) ~[na:1.8.0_272]
        at java.security.Security.getImpl(Security.java:695) ~[na:1.8.0_272]
        at java.security.KeyStore.getInstance(KeyStore.java:848) ~[na:1.8.0_272]
        ... 39 common frames omitted

I tried with and without the java.policy file and it does not work in either case. If I run the program from IntelliJ it works, but when I run it as an executable jar it does not. Kindly help me understand the problem.

alwaysastudent avatar Aug 24 '21 06:08 alwaysastudent

Hey @alwaysastudent, thanks for reporting it. Can you check whether this issue is also happening with later versions of Java, i.e., Java 9+?

maxlambrecht avatar Aug 25 '21 16:08 maxlambrecht

Yes, I tried on Java 8 and Java 11. It is the same behavior.

alwaysastudent avatar Aug 27 '21 03:08 alwaysastudent

I was looking into it; unfortunately I couldn't figure it out. I suspect that the embedded Tomcat used by Spring Boot is not loading the Spiffe provider classes, thus the need to install the provider through SpiffeProvider.install() besides configuring it through the java.security file.

maxlambrecht avatar Aug 30 '21 15:08 maxlambrecht

> I was looking into it; unfortunately I couldn't figure it out. I suspect that the embedded Tomcat used by Spring Boot is not loading the Spiffe provider classes, thus the need to install the provider through SpiffeProvider.install() besides configuring it through the java.security file.

Do you think this has something to do with having the right java.policy? If we drop the spiffe provider jar in $java_home/jre/lib/ext it works. I tried fiddling with the java.policy and could not figure it out. I wonder if it is because of the uber jar Spring Boot class loading mechanism.

alwaysastudent avatar Aug 30 '21 17:08 alwaysastudent

Dropping the provider jar in $java_home/jre/lib/ext works in Java 8, but that mechanism was removed in Java 9. I tried adding the jar through -classpath, without luck. I guess it has to do with Spring Boot's embedded Tomcat bootstrap classloader.

maxlambrecht avatar Aug 30 '21 17:08 maxlambrecht
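The reporter's first post configures the provider only through `security.provider.11=io.spiffe.provider.SpiffeProvider` in `java.security`, and the last two comments suspect that the Spring Boot fat jar's class loading keeps that class from being found. A quick way to test that hypothesis is to ask the JVM which providers it actually registered and which class loaders can see the provider class, instead of waiting for Tomcat to fail at `KeyStore.getInstance("Spiffe")`. The following diagnostic is an added example written for this page; it is not code from the java-spiffe project or from the issue thread. It assumes only the class name and the algorithm/KeyStore name `Spiffe` that appear in the reporter's configuration and stack trace; the class name `ProviderDiagnostics` and the helper `canLoad` are hypothetical names chosen here.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added diagnostic (not part of java-spiffe): reports what the JCA registered
 * from java.security and whether the provider class is visible to the loaders
 * that matter. Run it both from a plain classpath and from inside the fat jar
 * to see where the two differ.
 */
public class ProviderDiagnostics {

    // Taken from the java.security entry quoted in the issue.
    static final String PROVIDER_CLASS = "io.spiffe.provider.SpiffeProvider";
    // Provider / algorithm / KeyStore name used by the ssl.* properties and the stack trace.
    static final String PROVIDER_NAME = "Spiffe";

    public static void main(String[] args) {
        // 1. Every provider the JVM registered, in precedence order. If "Spiffe" is
        //    missing here, the security.provider.N line was read but the class could
        //    not be loaded (the JVM silently skips providers it cannot instantiate).
        int i = 1;
        for (Provider p : Security.getProviders()) {
            System.out.printf("%2d %-12s %s%n", i++, p.getName(), p.getClass().getName());
        }
        System.out.println("Security.getProvider(\"" + PROVIDER_NAME + "\") = "
                + Security.getProvider(PROVIDER_NAME));

        // 2. Which class loader can see the provider class? Providers named in
        //    java.security are resolved through the system (application) class
        //    loader, so a jar that is only reachable through a nested/fat-jar
        //    loader shows up as visible to the context loader but not the system one.
        ClassLoader system = ClassLoader.getSystemClassLoader();
        ClassLoader context = Thread.currentThread().getContextClassLoader();
        System.out.println("system  loader: " + system);
        System.out.println("context loader: " + context);
        System.out.println("provider class visible to system  loader: " + canLoad(system, PROVIDER_CLASS));
        System.out.println("provider class visible to context loader: " + canLoad(context, PROVIDER_CLASS));

        // 3. The three lookups that the reporter's ssl.* properties and Tomcat rely on.
        System.out.println("KeyStore." + PROVIDER_NAME + ":           " + keyStoreStatus());
        System.out.println("KeyManagerFactory." + PROVIDER_NAME + ":   " + kmfStatus());
        System.out.println("TrustManagerFactory." + PROVIDER_NAME + ": " + tmfStatus());
    }

    /** True when the named class can be resolved (without initialising it) via the given loader. */
    static boolean canLoad(ClassLoader loader, String className) {
        try {
            Class.forName(className, false, loader);
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    static String keyStoreStatus() {
        try {
            KeyStore ks = KeyStore.getInstance(PROVIDER_NAME);
            return "OK (provider " + ks.getProvider().getName() + ")";
        } catch (KeyStoreException e) {
            // This is the exception Tomcat surfaced in the issue.
            return "FAILED: " + e.getMessage();
        }
    }

    static String kmfStatus() {
        try {
            return "OK (provider " + KeyManagerFactory.getInstance(PROVIDER_NAME).getProvider().getName() + ")";
        } catch (NoSuchAlgorithmException e) {
            return "FAILED: " + e.getMessage();
        }
    }

    static String tmfStatus() {
        try {
            return "OK (provider " + TrustManagerFactory.getInstance(PROVIDER_NAME).getProvider().getName() + ")";
        } catch (NoSuchAlgorithmException e) {
            return "FAILED: " + e.getMessage();
        }
    }
}
```

Run it with the same `-Djava.security.properties=java.security` flag the reporter uses, once with the provider jar on a plain `-cp` and once packaged inside the Spring Boot jar. If the first run lists `Spiffe` and the second does not, while the class is still visible to the context loader, the failure is class-loader placement rather than the `java.security` syntax or `java.policy`, which matches what the thread suspects. Adding `-Djava.security.debug=provider` to the JVM flags also logs each `security.provider.N` class the JVM tries to load, which is more informative than the `properties` debug channel shown in the issue.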

OK, thank you for checking. Meanwhile, I think we should create an issue with the Spring Boot project.

alwaysastudent avatar Aug 31 '21 19:08 alwaysastudent