Opened 4 months ago

Closed 4 months ago

Last modified 4 months ago

#2479 closed defect (fixed)

Router family problems (adding certificate)

Reported by: andersh3
Owned by:
Priority: minor
Milestone: 0.9.40
Component: api/crypto
Version: 0.9.39
Keywords: router family
Cc:
Parent Tickets:
Sensitive: no

Description

Error 500: /configfamily - java.security.ProviderException: java.security.InvalidKeyException: EC parameters error

java.security.ProviderException: java.security.InvalidKeyException: EC parameters error

at sun.security.pkcs11.P11Key$P11ECPrivateKey.getEncodedInternal(P11Key.java:950)
at sun.security.pkcs11.P11Key.getEncoded(P11Key.java:131)
at sun.security.provider.KeyProtector.protect(KeyProtector.java:165)
at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:271)
at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
at java.security.KeyStore.setKeyEntry(KeyStore.java:1076)
at net.i2p.crypto.KeyStoreUtil.storePrivateKey(KeyStoreUtil.java:1168)
at net.i2p.router.web.helpers.ConfigFamilyHandler.processForm(ConfigFamilyHandler.java:69)
at net.i2p.router.web.FormHandler.process(FormHandler.java:274)
at net.i2p.router.web.FormHandler.getAllMessages(FormHandler.java:185)
at net.i2p.router.web.jsp.configfamily_jsp._jspService(configfamily_jsp.java:506)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
at net.i2p.servlet.filters.XSSFilter.doFilter(XSSFilter.java:30)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at net.i2p.router.web.LocaleWebAppHandler.handle(LocaleWebAppHandler.java:104)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:529)
at net.i2p.router.web.HostCheckHandler.handle(HostCheckHandler.java:118)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:258)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.InvalidKeyException: EC parameters error
at sun.security.ec.ECParameters.getAlgorithmParameters(ECParameters.java:284)
at sun.security.ec.ECPrivateKeyImpl.<init>(ECPrivateKeyImpl.java:86)
at sun.security.pkcs11.P11Key$P11ECPrivateKey.getEncodedInternal(P11Key.java:947)
… 41 more
Caused by: java.security.NoSuchProviderException: no such provider: SunEC
at sun.security.jca.GetInstance.getService(GetInstance.java:83)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
at java.security.Security.getImpl(Security.java:697)
at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:199)
at sun.security.ec.ECParameters.getAlgorithmParameters(ECParameters.java:279)
… 43 more


I2P Version and Running Environment

I2P version: 0.9.39-0-1~trusty+1
Java version: Oracle Corporation 1.7.0_201 (OpenJDK Runtime Environment 1.7.0_201-b00)
Wrapper version: 3.5.25
Server version: 9.2.25.v20180606
Servlet version: Jasper JSP 2.3 Engine
Platform: Linux arm 4.1.30.alpine.1
Processor: uninitialized (armcortexa15)
JBigI status: Locally optimized native BigInteger library loaded from file
Encoding: UTF-8
Charset: UTF-8

Change History (3)

comment:1 Changed 4 months ago by zzz

Component: unspecified → api/crypto
Milestone: undecided → 0.9.40

Dup of #2344 which I claimed fixed but was really just worked around. I also claimed the fix would prevent the 500 error but here we are again.

As described in #2344 the root cause is lack of ECDSA support in the JVM or OS. Trusty is really old by now and the Debian 7 (wheezy) in that ticket was also the root cause.

I'll try to catch the exception but I can't fix the underlying lack of ECDSA support.

comment:2 Changed 4 months ago by zzz

Resolution: fixed
Status: new → closed

Catch the exception so you get a regular error message, in d07f9d30619e9d184f0f83dbfdb4fc7514ba322d to be 0.9.39-8. Not a real fix, you'll have to update your Java, OS, or both. I'd start with Java first - Java 7 on ARM is really slow and flaky anyway.

comment:3 Changed 4 months ago by andersh3

Installed bouncycastle and removed Sun:

#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
#security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
#security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
# the NSS security provider was not enabled for this build; it can be enabled
# if NSS (libnss3) is available on the machine. The nss.cfg file may need
# editing to reflect the location of the NSS installation.
security.provider.11=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
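
An added pre-flight check (not I2P's code and not part of the ticket) for the condition discussed in comments 1 to 3: it lists the providers the JVM actually loaded, flags `security.provider.N` entries that sit after a numbering gap (the JDK reads these entries sequentially from 1 and stops at the first missing number), and tests whether EC key generation, ECDSA signing and private-key encoding work. The class name `EcPreflight` and the scan limit of 32 are assumptions.

```java
import java.security.*;
import java.util.*;

public class EcPreflight {
    /** Provider entries numbered past the first gap; the JDK stops reading at the gap. */
    static List<String> entriesAfterGap(int maxIndex) {
        List<String> ignored = new ArrayList<>();
        boolean gapSeen = false;
        for (int i = 1; i <= maxIndex; i++) {
            String entry = Security.getProperty("security.provider." + i);
            if (entry == null) gapSeen = true;
            else if (gapSeen) ignored.add(i + "=" + entry);
        }
        return ignored;
    }

    /** True if the installed providers can generate, sign with and encode an EC key. */
    static boolean ecdsaUsable() {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(256);
            KeyPair kp = kpg.generateKeyPair();
            Signature sig = Signature.getInstance("SHA256withECDSA");
            sig.initSign(kp.getPrivate());
            sig.update(new byte[] {1, 2, 3}); // constructed sample message
            sig.sign();
            // getEncoded() is the call that threw ProviderException in the ticket's trace
            return kp.getPrivate().getEncoded() != null;
        } catch (GeneralSecurityException | ProviderException e) {
            System.err.println("ECDSA not usable: " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        for (Provider p : Security.getProviders())
            System.out.println("loaded: " + p.getName() + " (" + p.getInfo() + ")");
        for (String e : entriesAfterGap(32))
            System.out.println("after a numbering gap, not loaded: security.provider." + e);
        System.out.println(ecdsaUsable()
            ? "EC key generation, signing and encoding work"
            : "No working ECDSA; storing an EC private key would fail as in the trace");
    }
}
```

Run it with the same JVM and `java.security` file the router uses, since the result depends on that provider configuration.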
