[OPENIDM-14287] cli.sh keytool export and import causes IDM startup failure with 'Invalid AES key length' error - ForgeRock JIRA

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 7.0.0, 6.0.0.5, 6.5.0.2
Fix Version/s: 7.0.0, 6.0.0.6, 6.5.0.4
Component/s: Module - Command line
Labels:
- CLARK
- release-notes

Target Version/s:

7.0.0, 6.0.0.6, 6.5.0.4
Verified Version/s:

7.0.0, 6.0.0.6, 6.5.0.4
Story Points:
1
Sprint:
2020.01 - IDM
Support Ticket IDs:

Description

Problem

Using the IDM cli.sh with the keytool option to export a secret key from one IDM instance and then importing this into a second IDM instance causes the second IDM to fail to start with the following error:

Caused by: java.security.InvalidKeyException: Invalid AES key length: 17 bytes

The cli.sh keytool documentation: https://backstage.forgerock.com/docs/idm/6.5/integrators-guide/#cli-keytool

To reproduce

1). Unzip IDM 7.0 (or 6.x)

2). Start IDM

3). Export the default openidm-sym-default SecretKeyEntry using cli.sh:

./cli.sh keytool --export openidm-sym-default

[OK] Secret key entry with algorithm AES
 AES:b7b37f6fdb15f28f94e78ca43c2ce0aa

4). Unzip a second instance of IDM (but do not start it)

5). Import the exported SecretKeyEntry from instance 1 using cli.sh (use a different alias):

./cli.sh keytool --import openidm-sym-default-new

6). List the contents of the keystone on instance 2:

keytool -list -keystore security/keystore.jceks -storepass changeit -storetype JCEKS -v

…note that this includes the new key:

Alias name: openidm-sym-default-new
Creation date: 17-Jan-2020
Entry type: SecretKeyEntry

7). Update conf/secrets.json with new key alias in the case of 7.0/6.5 (or in the case of 6.0 boot.properties and managed.json) and check all conf files to ensure no passwords have been encrypted (this shouldn't be the case as IDM instance 2 has not been started yet).

8). Start IDM instance 2 for the first time and the error is seen:

 org.forgerock.openidm.config.enhanced.InternalErrorException: Failure during encryption of configuration org.forgerock.openidm.felix.webconsole-null for property /password : java.security.InvalidKeyException: Invalid AES key length: 17 bytes
 at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:202)
 at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:152)
 at org.forgerock.openidm.config.installer.JSONConfigInstaller.setConfig(JSONConfigInstaller.java:338)
 at org.forgerock.openidm.config.installer.JSONConfigInstaller.setConfig(JSONConfigInstaller.java:323)
 at org.forgerock.openidm.config.installer.JSONConfigInstaller.install(JSONConfigInstaller.java:130)
 at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:937)
 at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:871)
 at org.apache.felix.fileinstall.internal.DirectoryWatcher.doProcess(DirectoryWatcher.java:485)
 at org.apache.felix.fileinstall.internal.DirectoryWatcher.process(DirectoryWatcher.java:361)
 at org.apache.felix.fileinstall.internal.DirectoryWatcher.start(DirectoryWatcher.java:243)
 at org.apache.felix.fileinstall.internal.FileInstall.updated(FileInstall.java:253)
 at org.apache.felix.fileinstall.internal.FileInstall$ConfigAdminSupport$Tracker.updated(FileInstall.java:377)
 at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.updated(ManagedServiceFactoryTracker.java:159)
 at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.provideConfiguration(ManagedServiceFactoryTracker.java:93)
 at org.apache.felix.cm.impl.ConfigurationManager$UpdateConfiguration.run(ConfigurationManager.java:1400)
 at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:138)
 at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
 at java.lang.Thread.run(Thread.java:745)
Caused by: org.forgerock.json.crypto.JsonCryptoException: java.security.InvalidKeyException: Invalid AES key length: 17 bytes
 at org.forgerock.openidm.crypto.AbstractJsonEncryptor.encrypt(AbstractJsonEncryptor.java:168)
 at org.forgerock.openidm.crypto.PurposeBasedJsonEncryptor.encrypt(PurposeBasedJsonEncryptor.java:27)
 at org.forgerock.openidm.crypto.impl.CryptoServiceImpl.encrypt(CryptoServiceImpl.java:177)
 at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:196)
 ... 17 more
Caused by: java.security.InvalidKeyException: Invalid AES key length: 17 bytes
 at com.sun.crypto.provider.AESCrypt.init(AESCrypt.java:87)
 at com.sun.crypto.provider.CipherBlockChaining.init(CipherBlockChaining.java:91)
 at com.sun.crypto.provider.CipherCore.init(CipherCore.java:582)
 at com.sun.crypto.provider.CipherCore.init(CipherCore.java:458)
 at com.sun.crypto.provider.AESCipher.engineInit(AESCipher.java:307)
 at javax.crypto.Cipher.implInit(Cipher.java:802)
 at javax.crypto.Cipher.chooseProvider(Cipher.java:864)
 at javax.crypto.Cipher.init(Cipher.java:1249)
 at javax.crypto.Cipher.init(Cipher.java:1186)
 at org.forgerock.openidm.crypto.AbstractJsonEncryptor.symmetric(AbstractJsonEncryptor.java:101)
 at org.forgerock.openidm.crypto.AbstractJsonEncryptor.encrypt(AbstractJsonEncryptor.java:166)
 ... 20 more
[129] Jan 17, 2020 10:09:41.804 AM org.forgerock.openidm.config.installer.JSONConfigInstaller setConfig
WARNING: Loading configuration file /home/forgerock/openidm7_2/conf/authentication.json failed 
org.forgerock.openidm.config.enhanced.InternalErrorException: Failure during encryption of configuration org.forgerock.openidm.authentication-null for property /serverAuthContext/authModules/0/properties/password : java.security.InvalidKeyException: Invalid AES key length: 17 bytes
 at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:202)
 at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:152)
 at org.forgerock.openidm.config.installer.JSONConfigInstaller.setConfig(JSONConfigInstaller.java:338)
 at org.forgerock.openidm.config.installer.JSONConfigInstaller.setConfig(JSONConfigInstaller.java:323)
 at org.forgerock.openidm.config.installer.JSONConfigInstaller.install(JSONConfigInstaller.java:130)
 at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:937)
 at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:871)
 at org.apache.felix.fileinstall.internal.DirectoryWatcher.doProcess(DirectoryWatcher.java:485)
 at org.apache.felix.fileinstall.internal.DirectoryWatcher.process(DirectoryWatcher.java:361)
 at org.apache.felix.fileinstall.internal.DirectoryWatcher.start(DirectoryWatcher.java:243)
 at org.apache.felix.fileinstall.internal.FileInstall.updated(FileInstall.java:253)
 at org.apache.felix.fileinstall.internal.FileInstall$ConfigAdminSupport$Tracker.updated(FileInstall.java:377)
 at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.updated(ManagedServiceFactoryTracker.java:159)
 at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.provideConfiguration(ManagedServiceFactoryTracker.java:93)
 at org.apache.felix.cm.impl.ConfigurationManager$UpdateConfiguration.run(ConfigurationManager.java:1400)
 at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:138)
 at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
 at java.lang.Thread.run(Thread.java:745)
Caused by: org.forgerock.json.crypto.JsonCryptoException: java.security.InvalidKeyException: Invalid AES key length: 17 bytes
 at org.forgerock.openidm.crypto.AbstractJsonEncryptor.encrypt(AbstractJsonEncryptor.java:168)
 at org.forgerock.openidm.crypto.PurposeBasedJsonEncryptor.encrypt(PurposeBasedJsonEncryptor.java:27)
 at org.forgerock.openidm.crypto.impl.CryptoServiceImpl.encrypt(CryptoServiceImpl.java:177)
 at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:196)
 ... 17 more
Caused by: java.security.InvalidKeyException: Invalid AES key length: 17 bytes
 at com.sun.crypto.provider.AESCrypt.init(AESCrypt.java:87)
 at com.sun.crypto.provider.CipherBlockChaining.init(CipherBlockChaining.java:91)
 at com.sun.crypto.provider.CipherCore.init(CipherCore.java:582)
 at com.sun.crypto.provider.CipherCore.init(CipherCore.java:458)
 at com.sun.crypto.provider.AESCipher.engineInit(AESCipher.java:307)
 at javax.crypto.Cipher.implInit(Cipher.java:802)
 at javax.crypto.Cipher.chooseProvider(Cipher.java:864)
 at javax.crypto.Cipher.init(Cipher.java:1249)
 at javax.crypto.Cipher.init(Cipher.java:1186)
 at org.forgerock.openidm.crypto.AbstractJsonEncryptor.symmetric(AbstractJsonEncryptor.java:101)
 at org.forgerock.openidm.crypto.AbstractJsonEncryptor.encrypt(AbstractJsonEncryptor.java:166)
 ... 20 more

Note the error:

Caused by: java.security.InvalidKeyException: Invalid AES key length: 17 bytes

Attachments

Activity

People

Assignee:

Chris Drake

Reporter:

Andy Itter

QA Assignee:

Ladislav Folta

Votes:

0 Vote for this issue

Watchers:

6 Start watching this issue

Dates

Created:

17/Jan/20 11:42 AM

Updated:

23/Jul/20 12:41 PM

Resolved:

23/Jul/20 12:41 PM