Micronaut - SSL with BouncyCastle Keystore - BCFKS not found
Question
I'm enabling SSL in a Micronaut application and specifically I need to use a BouncyCastle BCFKS type keystore. But the application doesn't run with the config provided.
micronaut:          # Micronaut reads these settings from micronaut.server.ssl.*
  server:
    ssl:
      enabled: true
      key-store:
        path: file:usersDataKeyStore.keystore
        password: 123456
        type: BCFKS
        provider: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
The error I get is
18:02:19.187 [default-nioEventLoopGroup-1-1] WARN io.netty.channel.ChannelInitializer - Failed to initialize a channel. Closing: [id: 0x68615a0a]
io.micronaut.http.ssl.SslConfigurationException: An error occurred configuring SSL
at io.micronaut.http.ssl.SslBuilder.getKeyManagerFactory(SslBuilder.java:111)
at io.micronaut.http.server.netty.ssl.CertificateProvidedSslBuilder.build(CertificateProvidedSslBuilder.java:98)
at io.micronaut.http.server.netty.ssl.CertificateProvidedSslBuilder.build(CertificateProvidedSslBuilder.java:92)
at io.micronaut.http.server.netty.ssl.CertificateProvidedSslBuilder.build(CertificateProvidedSslBuilder.java:85)
at io.micronaut.http.server.netty.HttpPipelineBuilder.<init>(HttpPipelineBuilder.java:117)
at io.micronaut.http.server.netty.NettyHttpServer.createPipelineBuilder(NettyHttpServer.java:723)
at io.micronaut.http.server.netty.NettyHttpServer.access$100(NettyHttpServer.java:109)
at io.micronaut.http.server.netty.NettyHttpServer$Listener.refresh(NettyHttpServer.java:762)
at io.micronaut.http.server.netty.NettyHttpServer$Listener.setServerChannel(NettyHttpServer.java:771)
at io.micronaut.http.server.netty.NettyHttpServer$1.initChannel(NettyHttpServer.java:501)
at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1114)
at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609)
at io.netty.channel.DefaultChannelPipeline.addLast(DefaultChannelPipeline.java:223)
at io.netty.channel.DefaultChannelPipeline.addLast(DefaultChannelPipeline.java:381)
at io.netty.channel.DefaultChannelPipeline.addLast(DefaultChannelPipeline.java:370)
at io.netty.bootstrap.ServerBootstrap$1.initChannel(ServerBootstrap.java:148)
at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1114)
at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609)
at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:46)
at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1463)
at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1115)
at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:650)
at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:514)
at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:429)
at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:486)
at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:174)
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:167)
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:470)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.KeyStoreException: BCFKS not found
at java.base/java.security.KeyStore.getInstance(KeyStore.java:878)
at io.micronaut.http.ssl.SslBuilder.load(SslBuilder.java:142)
at io.micronaut.http.ssl.SslBuilder.getKeyStore(SslBuilder.java:126)
at io.micronaut.http.server.netty.ssl.CertificateProvidedSslBuilder.getKeyStore(CertificateProvidedSslBuilder.java:152)
at io.micronaut.http.ssl.SslBuilder.getKeyManagerFactory(SslBuilder.java:100)
... 36 common frames omitted
Caused by: java.security.NoSuchAlgorithmException: BCFKS KeyStore not available
at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.base/java.security.Security.getImpl(Security.java:702)
at java.base/java.security.KeyStore.getInstance(KeyStore.java:875)
... 40 common frames omitted
18:02:19.193 [main] ERROR i.m.h.server.netty.NettyHttpServer - Error starting Micronaut server: null
io.netty.channel.StacklessClosedChannelException: null
at io.netty.channel.AbstractChannel$AbstractUnsafe.ensureOpen(ChannelPromise)(Unknown Source)
18:02:19.225 [main] ERROR io.micronaut.runtime.Micronaut - Error starting Micronaut server: Unable to start Micronaut server on *:9090
io.micronaut.http.server.exceptions.ServerStartupException: Unable to start Micronaut server on *:9090
at io.micronaut.http.server.netty.NettyHttpServer.bind(NettyHttpServer.java:541)
at io.micronaut.http.server.netty.NettyHttpServer.start(NettyHttpServer.java:281)
at io.micronaut.http.server.netty.NettyHttpServer.start(NettyHttpServer.java:104)
at io.micronaut.runtime.Micronaut.lambda$start$2(Micronaut.java:81)
at java.base/java.util.Optional.ifPresent(Optional.java:183)
at io.micronaut.runtime.Micronaut.start(Micronaut.java:79)
at io.micronaut.runtime.Micronaut.run(Micronaut.java:323)
at io.micronaut.runtime.Micronaut.run(Micronaut.java:309)
Caused by: io.netty.channel.StacklessClosedChannelException: null
at io.netty.channel.AbstractChannel$AbstractUnsafe.ensureOpen(ChannelPromise)(Unknown Source)
I tried changing the provider to various options, but I get the same error every time.
I need to know whether I'm correctly passing the information such as the keystore type and provider.
I have seen in various forums that people have been using JKS and PKCS12, but never BCFKS. Any suggestions would be helpful.
Micronaut version : 3.8.7
Open-JDK : 11 (zulu)
Using the below dependencies
implementation("org.bouncycastle:bc-fips:1.0.2.3")
implementation("org.bouncycastle:bcpkix-fips:1.0.7")
implementation("org.bouncycastle:bcpkix-jdk15on:1.47")
Answer 1
Score: 1
From what I can see in the micronaut-core source code, nothing ever refers to the "provider" setting in the SslConfiguration. In particular, SslBuilder.getKeyStore does not refer to it. (I am also not clear on whether the "provider" setting should even be a class name, or instead the name of the provider, i.e. "BCFIPS" in this case.)
If we assume that you have not registered BouncyCastleFipsProvider in the java.security list of providers, this then explains why KeyStore.getInstance can not find an implementation for "BCFKS".
Registering BouncyCastleFipsProvider in java.security should get things working for you, but I would also suggest raising an issue with micronaut regarding the ignored property.
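To make the two lookup paths this answer distinguishes concrete, here is an added diagnostic (it is not code from the question or from either answer). It needs only the bc-fips jar on the classpath; the class name BcfksProbe is made up. The global KeyStore.getInstance(type) call is the one Micronaut's SslBuilder makes, and it consults only providers registered with java.security.Security, whereas KeyStore.getInstance(type, provider) with an explicit instance works without any registration, which is what a working "provider" property would have to do.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;

import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

/** Added diagnostic: shows why KeyStore.getInstance("BCFKS") fails before BCFIPS is registered. */
public final class BcfksProbe {

    /** Finds which registered provider (if any) implements a KeyStore of this type. */
    static Provider registeredProviderFor(String keyStoreType) {
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyStore", keyStoreType) != null) {
                return p;
            }
        }
        return null;
    }

    /** Global lookup, the path SslBuilder takes: true only if some registered provider supplies the type. */
    static boolean availableGlobally(String keyStoreType) {
        try {
            KeyStore.getInstance(keyStoreType);
            return true;
        } catch (KeyStoreException e) {
            // This is the "BCFKS not found" / "BCFKS KeyStore not available" pair from the stack trace.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. What the JVM actually has registered (java.security file plus anything added at runtime).
        for (Provider p : Security.getProviders()) {
            System.out.println("registered: " + p.getName() + " " + p.getVersionStr());
        }
        System.out.println("BCFKS via global lookup: " + availableGlobally("BCFKS"));

        // 2. An explicit provider instance works without registration; the configured
        //    provider class name would only help if Micronaut used it this way.
        Provider bcfips = new BouncyCastleFipsProvider();   // provider name is "BCFIPS"
        KeyStore direct = KeyStore.getInstance("BCFKS", bcfips);
        System.out.println("BCFKS via explicit provider: " + direct.getType()
                + " from " + direct.getProvider().getName());

        // 3. After registration (what editing java.security or Security.addProvider achieves)
        //    the global lookup succeeds, and the probe reports which provider supplies it.
        if (Security.getProvider(bcfips.getName()) == null) {
            Security.addProvider(bcfips);
        }
        System.out.println("BCFKS via global lookup after registration: " + availableGlobally("BCFKS")
                + " (supplied by " + registeredProviderFor("BCFKS").getName() + ")");
    }
}
```

The same check can be done out of process against the keystore file itself with the JDK's keytool, passing the provider explicitly: keytool -list -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.2.3.jar -keystore usersDataKeyStore.keystore. If that lists the entries but Micronaut still fails, the problem is provider registration in the application JVM, not the file.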
Answer 2
Score: 0
Another solution: if we do not want to add our provider to java.security, since it's the JDK's config file, we can add the line of code below in the main function before Micronaut.run(...).
That does the trick!
Security.addProvider(new BouncyCastleFipsProvider());
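A fuller version of this answer's approach, as an added example rather than the answerer's code. It registers BCFIPS idempotently, then loads the configured keystore once before Micronaut.run so a misconfiguration fails with a readable message instead of Netty's "Failed to initialize a channel". It assumes Micronaut 3.x (Micronaut.run(Class, String...)), the keystore path from the question, and two environment variable names, KEY_STORE_PATH and KEY_STORE_PASSWORD, that are made up for this example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Security;

import io.micronaut.runtime.Micronaut;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

/** Added example: register BCFIPS and pre-check the keystore before the Netty server binds. */
public class Application {

    private static final String KEY_STORE_TYPE = "BCFKS";

    /** Registers BCFIPS once; idempotent, so tests and restarts do not add duplicates. */
    static void registerBcFips() {
        if (Security.getProvider("BCFIPS") == null) {
            // Appending is enough for KeyStore.getInstance("BCFKS") to resolve. Do not use
            // insertProviderAt(..., 1) unless BCFIPS is meant to take over every JCA algorithm
            // ahead of the JDK providers.
            Security.addProvider(new BouncyCastleFipsProvider());
        }
    }

    /** Same global lookup SslBuilder performs, done early so the error is ours, not Netty's. */
    static KeyStore preflightKeyStore(Path path, char[] password) throws Exception {
        if (!Files.isReadable(path)) {
            throw new IllegalStateException("key store not readable: " + path.toAbsolutePath());
        }
        KeyStore ks = KeyStore.getInstance(KEY_STORE_TYPE);
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);   // wrong password or wrong type fails here, with a clear cause
        }
        if (!ks.aliases().hasMoreElements()) {
            throw new IllegalStateException("key store has no entries: " + path);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        registerBcFips();   // must run before Micronaut builds the SSL context

        // Path and password mirror micronaut.server.ssl.key-store.* ; the password is read from
        // the environment here rather than hard-coded (the "123456" in the question is a placeholder).
        Path keyStorePath = Path.of(System.getenv().getOrDefault("KEY_STORE_PATH", "usersDataKeyStore.keystore"));
        String password = System.getenv("KEY_STORE_PASSWORD");   // assumed variable name
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException("KEY_STORE_PASSWORD is not set");
        }
        preflightKeyStore(keyStorePath, password.toCharArray());

        Micronaut.run(Application.class, args);
    }
}
```

Keep application.yml in step with this by referencing the same variable, e.g. password: ${KEY_STORE_PASSWORD}, which Micronaut resolves from the environment, so the secret is not committed with the config. If the JVM will run BC-FIPS in approved-only mode (-Dorg.bouncycastle.fips.approved_only=true), run the preflight under that flag too, since it applies extra restrictions that an unrestricted development run will not surface. Finally, the dependency list in the question mixes bc-fips and bcpkix-fips with bcpkix-jdk15on 1.47, a non-FIPS build of the same org.bouncycastle packages; for a FIPS deployment only the -fips artifacts should be on the classpath, so the provider that is loaded is unambiguous.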