Micronaut - SSL with BouncyCastle Keystore - BCFKS not found

Question

I'm enabling SSL in a Micronaut application and specifically I need to use a BouncyCastle BCFKS type keystore. But the application doesn't run with the config provided.

ssl:
  enabled: true
  key-store:
      path: file:usersDataKeyStore.keystore
      password: 123456
      type: BCFKS
      provider: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

The error I get is

18:02:19.187 [default-nioEventLoopGroup-1-1] WARN  io.netty.channel.ChannelInitializer - Failed to initialize a channel. Closing: [id: 0x68615a0a]
io.micronaut.http.ssl.SslConfigurationException: An error occurred configuring SSL
	at io.micronaut.http.ssl.SslBuilder.getKeyManagerFactory(SslBuilder.java:111)
	at io.micronaut.http.server.netty.ssl.CertificateProvidedSslBuilder.build(CertificateProvidedSslBuilder.java:98)
	at io.micronaut.http.server.netty.ssl.CertificateProvidedSslBuilder.build(CertificateProvidedSslBuilder.java:92)
	at io.micronaut.http.server.netty.ssl.CertificateProvidedSslBuilder.build(CertificateProvidedSslBuilder.java:85)
	at io.micronaut.http.server.netty.HttpPipelineBuilder.<init>(HttpPipelineBuilder.java:117)
	at io.micronaut.http.server.netty.NettyHttpServer.createPipelineBuilder(NettyHttpServer.java:723)
	at io.micronaut.http.server.netty.NettyHttpServer.access$100(NettyHttpServer.java:109)
	at io.micronaut.http.server.netty.NettyHttpServer$Listener.refresh(NettyHttpServer.java:762)
	at io.micronaut.http.server.netty.NettyHttpServer$Listener.setServerChannel(NettyHttpServer.java:771)
	at io.micronaut.http.server.netty.NettyHttpServer$1.initChannel(NettyHttpServer.java:501)
	at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
	at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
	at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1114)
	at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609)
	at io.netty.channel.DefaultChannelPipeline.addLast(DefaultChannelPipeline.java:223)
	at io.netty.channel.DefaultChannelPipeline.addLast(DefaultChannelPipeline.java:381)
	at io.netty.channel.DefaultChannelPipeline.addLast(DefaultChannelPipeline.java:370)
	at io.netty.bootstrap.ServerBootstrap$1.initChannel(ServerBootstrap.java:148)
	at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
	at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
	at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1114)
	at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609)
	at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:46)
	at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1463)
	at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1115)
	at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:650)
	at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:514)
	at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:429)
	at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:486)
	at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:174)
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:167)
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:470)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.KeyStoreException: BCFKS not found
	at java.base/java.security.KeyStore.getInstance(KeyStore.java:878)
	at io.micronaut.http.ssl.SslBuilder.load(SslBuilder.java:142)
	at io.micronaut.http.ssl.SslBuilder.getKeyStore(SslBuilder.java:126)
	at io.micronaut.http.server.netty.ssl.CertificateProvidedSslBuilder.getKeyStore(CertificateProvidedSslBuilder.java:152)
	at io.micronaut.http.ssl.SslBuilder.getKeyManagerFactory(SslBuilder.java:100)
	... 36 common frames omitted
Caused by: java.security.NoSuchAlgorithmException: BCFKS KeyStore not available
	at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
	at java.base/java.security.Security.getImpl(Security.java:702)
	at java.base/java.security.KeyStore.getInstance(KeyStore.java:875)
	... 40 common frames omitted
18:02:19.193 [main] ERROR i.m.h.server.netty.NettyHttpServer - Error starting Micronaut server: null
io.netty.channel.StacklessClosedChannelException: null
	at io.netty.channel.AbstractChannel$AbstractUnsafe.ensureOpen(ChannelPromise)(Unknown Source)
18:02:19.225 [main] ERROR io.micronaut.runtime.Micronaut - Error starting Micronaut server: Unable to start Micronaut server on *:9090
io.micronaut.http.server.exceptions.ServerStartupException: Unable to start Micronaut server on *:9090
	at io.micronaut.http.server.netty.NettyHttpServer.bind(NettyHttpServer.java:541)
	at io.micronaut.http.server.netty.NettyHttpServer.start(NettyHttpServer.java:281)
	at io.micronaut.http.server.netty.NettyHttpServer.start(NettyHttpServer.java:104)
	at io.micronaut.runtime.Micronaut.lambda$start$2(Micronaut.java:81)
	at java.base/java.util.Optional.ifPresent(Optional.java:183)
	at io.micronaut.runtime.Micronaut.start(Micronaut.java:79)
	at io.micronaut.runtime.Micronaut.run(Micronaut.java:323)
	at io.micronaut.runtime.Micronaut.run(Micronaut.java:309)
Caused by: io.netty.channel.StacklessClosedChannelException: null
	at io.netty.channel.AbstractChannel$AbstractUnsafe.ensureOpen(ChannelPromise)(Unknown Source)

I tried to change the provider into various options, but I'm getting the same error all the time.
Need to know if I'm correctly passing on the information like Keystore type and provider.
I have seen in various forums that people have been using JKS and PKCS12, but never BCFKS. Any suggestions would be helpful.

Micronaut version : 3.8.7
Open-JDK : 11 (zulu)
Using the below dependencies:
implementation("org.bouncycastle:bc-fips:1.0.2.3")
implementation("org.bouncycastle:bcpkix-fips:1.0.7")
implementation("org.bouncycastle:bcpkix-jdk15on:1.47")

Answer 1

Score: 1

From what I can see in the micronaut-core source code, nothing ever refers to the "provider" setting in the SslConfiguration. In particular, SslBuilder.getKeyStore does not refer to it. (I am also not clear on whether the "provider" setting should even be a class name, or instead the name of the provider i.e. "BCFIPS" in this case).

If we assume that you have not registered BouncyCastleFipsProvider in the java.security list of providers, this then explains why KeyStore.getInstance can not find an implementation for "BCFKS".

Registering BouncyCastleFipsProvider in java.security should get things working for you, but I would also suggest raising an issue with micronaut regarding the ignored property.

Answer 2

Score: 0

Another solution: If we do not want to add our provider to java.security, since it's the JDK's config file, we can add the below line of code in the main function before Micronaut.run(...).
That does the trick!

Security.addProvider(new BouncyCastleFipsProvider());
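Putting the two answers together, the following is an added Java example, not code from the question, the answers, Micronaut or Bouncy Castle. It does what Micronaut's SslBuilder does at startup: it asks for the keystore by type alone (the "provider" property is ignored, as answer 1 notes), so it first checks whether any installed provider offers BCFKS, registers BouncyCastleFipsProvider once under its provider name BCFIPS if none does (answer 2's line, made idempotent), and then loads the keystore. The class name BcfksPreflight and the command-line path and password arguments are assumptions; the default file name follows the question's config. Only the bc-fips artifact is needed on the classpath.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

/**
 * Preflight check for a BCFKS keystore, run before Micronaut.run(...).
 * Hypothetical helper written for this page; not part of Micronaut or Bouncy Castle.
 */
public final class BcfksPreflight {

    /** Provider name under which BouncyCastleFipsProvider registers itself. */
    static final String PROVIDER_NAME = "BCFIPS";
    static final String KEYSTORE_TYPE = "BCFKS";

    private BcfksPreflight() {}

    /** True if some provider on the java.security list implements the given KeyStore type. */
    static boolean keyStoreTypeAvailable(String type) {
        try {
            KeyStore.getInstance(type);
            return true;
        } catch (KeyStoreException e) {
            // "BCFKS not found" in the question's stack trace is exactly this path:
            // no registered provider implements the type, whatever the config says.
            return false;
        }
    }

    /**
     * Registers the BC FIPS provider at most once. Security.addProvider returns -1
     * when a provider with the same name is already installed, so calling this from
     * tests or a restarted context is harmless.
     */
    static Provider ensureBcFipsRegistered() {
        Provider existing = Security.getProvider(PROVIDER_NAME);
        if (existing != null) {
            return existing;
        }
        Provider fips = new BouncyCastleFipsProvider();
        int position = Security.addProvider(fips);
        if (position == -1) {
            // Another thread registered it between the lookup and the add; use that one.
            return Security.getProvider(PROVIDER_NAME);
        }
        return fips;
    }

    /**
     * Loads the keystore the same way Micronaut's SslBuilder does: by type only,
     * with no provider argument, so a failure here reproduces the startup error.
     */
    static KeyStore loadBcfks(String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Assumed invocation: java BcfksPreflight <keystore path> <password>.
        // The default path matches the question's application config.
        if (args.length < 2) {
            System.err.println("usage: BcfksPreflight <keystore path> <password>");
            System.exit(2);
        }
        String path = args[0];
        char[] password = args[1].toCharArray();

        System.out.println("BCFKS available before registration: " + keyStoreTypeAvailable(KEYSTORE_TYPE));
        Provider p = ensureBcFipsRegistered();
        System.out.println("Registered provider " + p.getName() + " " + p.getVersionStr());
        System.out.println("BCFKS available after registration:  " + keyStoreTypeAvailable(KEYSTORE_TYPE));

        KeyStore ks = loadBcfks(path, password);
        // A server keystore must hold at least one private-key entry; otherwise the
        // KeyManagerFactory that SslBuilder builds has no certificate to serve.
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("alias " + alias + " keyEntry=" + ks.isKeyEntry(alias));
        }
        // From here Micronaut.run(...) would resolve the BCFKS type, as in answer 2.
    }
}
```

Registering the provider in code, as here, applies to this JVM only, whereas the java.security entry from answer 1 applies to every application on that JDK installation; either way the check at the top shows whether the type is resolvable before Netty tries to build the pipeline, which turns the buried "Caused by" in the question into a direct message.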

Posted by huangapple on 2023-07-12 22:06:33
Please keep this link when reposting: https://go.coder-hub.com/76671473.html