  1. EJBCA
  2. ECA-5416

SoftCryptoToken used for database protection always debug logs stacktrace about PKCS12 keystore password

    Details

    • Issue discovered during:
      Another issue
    • Sprint:
      EJBCA Sprint 13

      Description

      Using the sample databaseprotection.properties.sample file and enabling signing and verification gives an error for the sample keystore:

      12:04:38,036 DEBUG [org.cesecore.keys.token.SoftCryptoToken] (ServerService Thread Pool – 77) Error: : java.io.IOException: PKCS12 key store mac invalid - wrong password or corrupted file.
      at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown Source) [bcprov-jdk15on-1.53.jar:1.53.0]
      at java.security.KeyStore.load(KeyStore.java:1445) [rt.jar:1.8.0_102]
      at org.cesecore.keys.token.SoftCryptoToken.checkSoftKeystorePassword(SoftCryptoToken.java:270) [cesecore-common-6.4.1.jar:]
      at org.cesecore.keys.token.SoftCryptoToken.init(SoftCryptoToken.java:96) [cesecore-common-6.4.1.jar:]
      at org.cesecore.keys.token.CryptoTokenFactory.createCryptoToken(CryptoTokenFactory.java:177) [cesecore-common-6.4.1.jar:]
      at org.cesecore.keys.token.CryptoTokenFactory.createCryptoToken(CryptoTokenFactory.java:149) [cesecore-common-6.4.1.jar:]
      at org.cesecore.dbprotection.ProtectedDataConfiguration.fillKeyIdsAndCryptoTokens(ProtectedDataConfiguration.java:211) [cesecore-entity-6.4.1.jar:]
      at org.cesecore.dbprotection.ProtectedDataConfiguration.instance(ProtectedDataConfiguration.java:85) [cesecore-entity-6.4.1.jar:]
      at org.cesecore.dbprotection.ProtectedDataIntegrityImpl.protectData(ProtectedDataIntegrityImpl.java:54) [cesecore-entity-6.4.1.jar:]
      at org.cesecore.dbprotection.ProtectedData.protectData(ProtectedData.java:152) [cesecore-entity-6.4.1.jar:]
      at org.cesecore.audit.impl.integrityprotected.AuditRecordData.protectData(AuditRecordData.java:308) [cesecore-entity-6.4.1.jar:]
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_102]
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_102]
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_102]
      at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_102]
      at org.hibernate.ejb.event.BeanCallback.invoke(BeanCallback.java:39) [hibernate-entitymanager-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
      at org.hibernate.ejb.event.EntityCallbackHandler.callback(EntityCallbackHandler.java:110) [hibernate-entitymanager-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
      at org.hibernate.ejb.event.EntityCallbackHandler.preCreate(EntityCallbackHandler.java:79) [hibernate-entitymanager-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
      at org.hibernate.ejb.event.EJB3PersistEventListener.saveWithGeneratedId(EJB3PersistEventListener.java:77) [hibernate-entitymanager-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
      at org.hibernate.event.internal.DefaultPersistEventListener.entityIsTransient(DefaultPersistEventListener.java:208) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
      at org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:151) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
      at org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:78) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
      at org.hibernate.internal.SessionImpl.firePersist(SessionImpl.java:772) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
      at org.hibernate.internal.SessionImpl.persist(SessionImpl.java:746) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
      at org.hibernate.internal.SessionImpl.persist(SessionImpl.java:750) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
      at org.hibernate.ejb.AbstractEntityManagerImpl.persist(AbstractEntityManagerImpl.java:875) [hibernate-entitymanager-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
      at org.jboss.as.jpa.container.AbstractEntityManager.persist(AbstractEntityManager.java:563) [jboss-as-jpa-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
      at org.cesecore.audit.impl.integrityprotected.IntegrityProtectedLoggerSessionBean.log(IntegrityProtectedLoggerSessionBean.java:71) [cesecore-ejb-6.4.1.jar:]
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_102]
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_102]
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_102]

      It seems that during the initialization of the crypto token an attempt is made to auto-activate it with the default CA crypto token password. If this differs from the correct password for the databaseprotection keystore, a stacktrace is logged at DEBUG level.

      Note that database protection will work after this; it is only auto-activation that fails at this point. Presumably the database protection code later calls activate, since signing works later on.
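      As an added example (not EJBCA's own code), this shows how a password probe like the one in SoftCryptoToken.checkSoftKeystorePassword can treat a PKCS12 MAC failure as an expected outcome of trying a default password and log a single line instead of a stacktrace. Class and method names are assumptions; the keystore is built in memory with the JDK PKCS12 provider, which stores secret keys from JDK 8 on, and java.util.logging FINE stands in for DEBUG.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
/** Added example, not EJBCA code: probe a PKCS12 password without logging a stack trace. */
public class KeystorePasswordProbe {
    private static final Logger LOG = Logger.getLogger(KeystorePasswordProbe.class.getName());
    /**
     * Returns true if the PKCS12 blob opens with the candidate password.
     * A MAC failure (wrong password or corrupted file) is an expected outcome when
     * auto-activation tries a default password, so it is reported as one DEBUG-level
     * line carrying only the exception message: no stack trace, and never the password.
     */
    public static boolean passwordOpensKeystore(byte[] p12, char[] candidate) {
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new ByteArrayInputStream(p12), candidate);
            return true;
        } catch (IOException e) {
            LOG.log(Level.FINE, "Keystore did not open with candidate password: {0}", e.getMessage());
            return false;
        } catch (GeneralSecurityException e) {
            LOG.log(Level.FINE, "Keystore could not be parsed: {0}", e.getMessage());
            return false;
        }
    }
    /** Builds a constructed in-memory PKCS12 keystore holding one AES key (JDK 8+). */
    public static byte[] buildKeystore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start from an empty keystore
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry("dbprotkey", new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: a wrong candidate password, then the real one.
        byte[] p12 = buildKeystore("constructed-dbprot-pw".toCharArray());
        System.out.println(passwordOpensKeystore(p12, "wrong-candidate-pw".toCharArray()));
        System.out.println(passwordOpensKeystore(p12, "constructed-dbprot-pw".toCharArray()));
    }
}
```

      Run with a FINE-level handler on the logger to see that the failed probe produces one message line and no trace.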

              People

              • Assignee: Tomas Gustavsson
              • Reporter: Markus Kilås
              • Verified by: Tarmo Raudsep