Open coreone opened 1 year ago
I did some testing: if you change the password for either the keystore or the truststore it fails to open it:
Error 1: Puppet Truststore_certificate resource '/etc/candlepin/certs/truststore:artemis-client' failed. Logs:
/Stage[main]/Certs::Candlepin/Truststore_certificate[/etc/candlepin/certs/truststore:artemis-client]
Adding autorequire relationship with File[/etc/pki/katello/truststore_password-file]
Adding autorequire relationship with File[/etc/foreman/client_cert.pem]
Adding autonotify relationship with File[/etc/candlepin/certs/truststore]
Starting to evaluate the resource (581 of 1413)
Evaluated in 0.46 seconds
/Stage[main]/Certs::Candlepin/Truststore_certificate[/etc/candlepin/certs/truststore:artemis-client]/ensure
change from 'absent' to 'present' failed: Execution of '/bin/keytool -import -v -noprompt -storetype pkcs12 -keystore /etc/candlepin/certs/truststore -alias artemis-client -file /etc/foreman/client_cert.pem -storepass:file /etc/pki/katello/truststore_password-file -J-Dcom.redhat.fips=false' returned 1: keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2089)
at java.security.KeyStore.load(KeyStore.java:1445)
at sun.security.tools.keytool.Main.doCommands(Main.java:839)
at sun.security.tools.keytool.Main.run(Main.java:380)
at sun.security.tools.keytool.Main.main(Main.java:373)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
... 5 more
Error 2: Puppet Truststore_certificate resource '/etc/candlepin/certs/truststore:candlepin-ca' failed. Logs:
/Stage[main]/Certs::Candlepin/Truststore_certificate[/etc/candlepin/certs/truststore:candlepin-ca]
Adding autorequire relationship with File[/etc/pki/katello/truststore_password-file]
Adding autorequire relationship with File[/etc/candlepin/certs/candlepin-ca.crt]
Adding autonotify relationship with File[/etc/candlepin/certs/truststore]
Starting to evaluate the resource (602 of 1413)
Evaluated in 0.36 seconds
/Stage[main]/Certs::Candlepin/Truststore_certificate[/etc/candlepin/certs/truststore:candlepin-ca]/ensure
change from 'absent' to 'present' failed: Execution of '/bin/keytool -import -v -noprompt -storetype pkcs12 -keystore /etc/candlepin/certs/truststore -alias candlepin-ca -file /etc/candlepin/certs/candlepin-ca.crt -storepass:file /etc/pki/katello/truststore_password-file -J-Dcom.redhat.fips=false' returned 1: keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2089)
at java.security.KeyStore.load(KeyStore.java:1445)
at sun.security.tools.keytool.Main.doCommands(Main.java:839)
at sun.security.tools.keytool.Main.run(Main.java:380)
at sun.security.tools.keytool.Main.main(Main.java:373)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
... 5 more
You can delete the file and it will be recreated, but rotating passwords is not supported. I'm not sure what the best solution is to prevent users from this footgun.
@ehelms any thoughts on changing the keystore & truststore types to catch the password error and recreate the file?
Possible to add, I should think -- if a password change is detected we need to trigger a delete of the truststore and then let it rebuild itself.
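The detect-then-delete step proposed in the comment above, written out as an added shell example (this is not puppet-certs code and not the code from the PR). It probes the store with `keytool -list` using the same `-storetype pkcs12`, `-storepass:file` and `-J-Dcom.redhat.fips=false` options that appear in the failing `keytool -import` command, removes the store only when keytool reports the password mismatch quoted in the logs, and leaves it alone on any other failure so the real cause stays visible. The function names and the `KEYTOOL` override are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not puppet-certs code: remove a PKCS12 keystore/truststore
# whose password no longer matches the Puppet-managed password file, so the
# Truststore_certificate resources recreate it on the next run.
KEYTOOL="${KEYTOOL:-/bin/keytool}"   # overridable for testing (assumption)

# Try to open $1 with the password stored in $2. Exit status:
#   0  store opened, password matches
#   1  keytool reported "keystore password was incorrect"
#   2  keytool failed for another reason (missing file, wrong type, ...)
check_store_password() {
  store="$1"; passfile="$2"
  # Same options as the failing import command from the issue, but -list
  # is read-only, so a correct password leaves the store untouched.
  if out=$("$KEYTOOL" -list -storetype pkcs12 -keystore "$store" \
             -storepass:file "$passfile" -J-Dcom.redhat.fips=false 2>&1); then
    return 0
  fi
  case "$out" in
    *"keystore password was incorrect"*) return 1 ;;
    *) printf '%s\n' "$out" >&2; return 2 ;;
  esac
}

# Only a password mismatch justifies throwing the store away; any other
# keytool failure is left for a human, because deleting the file would
# hide what actually went wrong.
rebuild_if_password_changed() {
  store="$1"; passfile="$2"
  if check_store_password "$store" "$passfile"; then rc=0; else rc=$?; fi
  case "$rc" in
    0) echo "$store: password matches, nothing to do"; return 0 ;;
    1) echo "$store: password mismatch, removing it so Puppet recreates it"
       rm -f -- "$store"; return 0 ;;
    *) echo "$store: keytool failed for another reason, not removing" >&2
       return 1 ;;
  esac
}

# Usage: sh fix-store.sh /etc/candlepin/certs/truststore \
#                        /etc/pki/katello/truststore_password-file
if [ "$#" -eq 2 ]; then
  rebuild_if_password_changed "$1" "$2"
fi
```

Run it as root with the truststore and password-file paths from the error, then run the installer or `puppet agent -t` so the `Truststore_certificate` resources re-import `artemis-client` and `candlepin-ca`. The same check applies to the keystore with its own password file. Note that the recreated store only contains what Puppet manages; anything imported by hand is gone after the delete.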
I've opened https://github.com/theforeman/puppet-certs/pull/428 but it doesn't work yet. I'll continue on it tomorrow.
@ekohl circling back around to this after seeing that #428 has been merged.
I think this needs at least two acceptance tests added:
@coreone Any chance you could take a look at the acceptance tests @ehelms asked about?
@ekohl anything else needed on this?