Update Liberty code to call Java API KeyManager.chooseEngineClientAlias() per each key type #30203

Open
una-tapa opened this issue Nov 15, 2024 · 0 comments · May be fixed by #30278
Labels
release bug This bug is present in a released version of Open Liberty

una-tapa commented Nov 15, 2024

Describe the bug
In the WSX509KeyManager class, Liberty only tries the first keyType: keyType[0].

Steps to Reproduce
The user updated Java from 17.0.9 to 17.0.11. It is suspected that in the user's environment, the keyType array in 17.0.9 coincidentally started with a keyType matching the certificate, whereas this is not the case in 17.0.11.

Expected behavior
Liberty locates and sends an SSL client certificate correctly to the SSL server during SSLHandshake.

Diagnostic information:

  • OpenLiberty version: This issue is not related to the OpenLiberty version
  • Affected feature(s): transportSecurity-1.0, ssl-1.0
  • Java Version: Java 17 (Currently investigating)
  • server.xml configuration: This issue is not related to a certain configuration

For the GOOD log, WSX509KeyManager.chooseEngineClientAlias() finds a matching alias for RSA.

[10/16/24, 12:24:38:899 CEST] 0000007f WSX509KeyMana >  chooseEngineClientAlias Entry
                                 RSA
                                 C=US, ST=California, L=San Francisco, O=ExampleCorp, OU=Engineering, CN=www.example.com, [email protected]
                                 SSLEngine[engine]
[10/16/24, 12:24:38:899 CEST] 0000007f WSX509KeyMana >  chooseClientAlias Entry  
                                 RSA
                                 C=US, ST=California, L=San Francisco, O=ExampleCorp, OU=Engineering, CN=www.example.com, [email protected]
[10/16/24, 12:24:38:899 CEST] 0000007f JSSEHelper    >  getOutboundConnectionInfo Entry 
[10/16/24, 12:24:38:899 CEST] 0000007f ThreadContext 3   getOutboundConnectionInfo
[10/16/24, 12:24:38:899 CEST] 0000007f JSSEHelper    <  getOutboundConnectionInfo Exit  
                                 null
[10/16/24, 12:24:38:899 CEST] 0000007f SystemErr     R   javax.net.ssl|DEBUG|F7|HttpClient-1-Worker-0|2024-10-16 12:24:38.899 CEST|SunX509KeyManagerImpl.java:397|matching alias: exampleAlias

For the ERROR log, WSX509KeyManager.chooseEngineClientAlias() finds no matching alias for [EC, EdDSA, RSASSA-PSS, RSA, DSA] when passed all at once.

[10/16/24, 12:18:17:909 CEST] 0000007f WSX509KeyMana >  chooseEngineClientAlias Entry
                                 EC
                                 EdDSA
                                 RSASSA-PSS
                                 RSA
                                 DSA
                                 C=US, ST=California, L=San Francisco, O=ExampleCorp, OU=Engineering, CN=www.example.com, [email protected]
                                 SSLEngine[engine]

[10/16/24, 12:18:17:909 CEST] 0000007f WSX509KeyMana >  chooseClientAlias Entry  
                                 EC
                                 C=US, ST=California, L=San Francisco, O=ExampleCorp, OU=Engineering, CN=www.example.com, [email protected]
                                 SSLEngine[engine]

[10/16/24, 12:18:17:909 CEST] 0000007f JSSEHelper    >  getOutboundConnectionInfo Entry 
[10/16/24, 12:18:17:909 CEST] 0000007f ThreadContext 3   getOutboundConnectionInfo
[10/16/24, 12:18:17:909 CEST] 0000007f JSSEHelper    <  getOutboundConnectionInfo Exit  
                                 null
[10/16/24, 12:18:17:910 CEST] 0000007f WSX509KeyMana <  chooseClientAlias (from JSSE) Exit  
                                 null
[10/16/24, 12:18:17:910 CEST] 0000007f WSX509KeyMana <  chooseEngineClientAlias Exit 
[10/16/24, 12:18:17:910 CEST] 0000007f SystemErr     R   javax.net.ssl|ALL|F7|HttpClient-1-Worker-0|2024-10-16 12:18:17.910 CEST|X509Authentication.java:278|No X.509 cert selected for [EC, EdDSA, RSASSA-PSS, RSA, DSA]

Additional context

@una-tapa una-tapa added the release bug This bug is present in a released version of Open Liberty label Nov 15, 2024
@una-tapa una-tapa self-assigned this Nov 15, 2024
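As an added illustration (not Liberty's own code and not the fix in the linked PR), here is a delegating X509ExtendedKeyManager that shows the behaviour the issue describes next to the behaviour it asks for: offering the wrapped JSSE key manager one key type at a time, in the order the server listed them, instead of only keyTypes[0]. The class name and the delegate wiring are assumptions.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

/** Hypothetical wrapper, not Liberty's WSX509KeyManager; the delegate is the JSSE key manager. */
public final class PerKeyTypeClientAliasKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;

    public PerKeyTypeClientAliasKeyManager(X509ExtendedKeyManager delegate) {
        this.delegate = delegate;
    }

    /** Shape of the bug in the issue: only keyTypes[0] (e.g. "EC") is ever offered to the delegate. */
    public String chooseEngineClientAliasFirstTypeOnly(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        if (keyTypes == null || keyTypes.length == 0) return null;
        return delegate.chooseEngineClientAlias(new String[] { keyTypes[0] }, issuers, engine);
    }

    /** Requested behaviour: try each key type in the server's order; the first usable certificate wins. */
    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        if (keyTypes == null) return null;
        for (String keyType : keyTypes) {   // e.g. [EC, EdDSA, RSASSA-PSS, RSA, DSA] reaches the RSA alias
            String alias = delegate.chooseEngineClientAlias(new String[] { keyType }, issuers, engine);
            if (alias != null) return alias;
        }
        return null;   // nothing matched: JSSE then logs "No X.509 cert selected for [...]"
    }

    // Remaining X509KeyManager methods simply pass through to the delegate.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyTypes, issuers, socket); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) { return delegate.chooseEngineServerAlias(keyType, issuers, engine); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

With a keystore holding only an RSA certificate, the first-type-only method returns null for the ERROR log's key type list while the per-type loop returns the RSA alias, which is the difference the two traces above show.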