5

UPDATE -> Adding Security.addProvider(new BouncyCastleProvider()); fixes this issue

The following error is caused by the addition of ActiveMQ Broker into my configuration. If I remove the JMS configuration, this error goes away.

 java.security.UnrecoverableKeyException: failed to decrypt safe contents entry:
    javax.crypto.BadPaddingException: pad block corrupted  

Spring Boot 2.1.1.RELEASE Embedded Tomcat with SSL ActiveMQ @EnableJMS

UPDATE: I removed my JMSConfiguration.class from the application and everything started to work. @EnableJMS must do something that overrides something. I'm going to systematically comment out beans in that config class until I find the exact culprit. I would have never thought my JMS Active MQ config would clash with my Embedded Tomcat Server's SSL config.

I've narrowed it down to the following JMS related bean that is the cause. If I completely get rid of the JMS config, then I do not get the error with the password. It would seem these things are unrelated, but they are somehow.

@Bean
public BrokerService broker() throws Exception {
    final BrokerService broker = new BrokerService();
    // remaining broker setup as posted was cut off here
    return broker;
}

Using the configuration below, I get an error when starting Spring Boot. If I remove all of my @Configuration classes and just start Spring Boot, this configuration works fine. I've tried PKCS and JKS, I've tried file:, and I've moved the file around, and no joy. I know the password is correct because it will start normally if I remove my configuration classes, and I can hit the server just fine using 443/ssl...

server.contextPath=/my
server.tomcat.additional-tld-skip-patterns=*.jar
server.compression.enabled=true
server.port=443
server.ssl.key-store:classpath:local-keystore.jks
server.ssl.key-store-password:password
server.ssl.keyStoreType:JKS
server.ssl.keyAlias:tomcat

Error Encountered

    org.apache.catalina.LifecycleException: Protocol handler start failed
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1001)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225)
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:259)
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:197)
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer(ServletWebServerApplicationContext.java:311)
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh(ServletWebServerApplicationContext.java:164)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:549)
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:142)
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:775)
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:316)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1260)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1248)
    at com.jjkane.Application.main(Application.java:65)
Caused by: java.lang.IllegalArgumentException: keystore password was incorrect
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1067)
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1149)
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:561)
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:998)
    ... 14 common frames omitted
Caused by: java.io.IOException: keystore password was incorrect
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2108)
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:243)
    at java.base/java.security.KeyStore.load(KeyStore.java:1479)
    at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:179)
    at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:203)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
    ... 20 common frames omitted
 java.security.UnrecoverableKeyException: failed to decrypt safe contents entry:
        javax.crypto.BadPaddingException: pad block corrupted  

UPDATE: Same error after this modification...

server.contextPath=/my
server.tomcat.additional-tld-skip-patterns=*.jar
server.compression.enabled=true
server.port=443
server.ssl.key-store=classpath:local-keystore.p12
server.ssl.key-store-password=tomcat
server.ssl.key-password=tomcat
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat
chrislhardin

5 Answers

4

You might be using a Java version prior to JDK 8u161; in this case this exception can be tackled by adding the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files to the Java installation. The issue generally occurs when encryption/decryption is done with a longer key size. Bouncy Castle is also a solution to this issue. For more detail about the JCE files please refer to the Oracle site https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

Another solution is to upgrade your Java to the mentioned or a higher version.

Sudhir
2

For others coming from Google: while this question has led us to the solution, the accepted answer might not be the one you should be looking for.

We had a pretty similar case. Looking at BrokerService's initialization code, we see that it adds Bouncycastle as a security provider at a pretty high priority:

try {
    ClassLoader loader = BrokerService.class.getClassLoader();
    Class<?> clazz = loader.loadClass("org.bouncycastle.jce.provider.BouncyCastleProvider");
    Provider bouncycastle = (Provider) clazz.newInstance();
    Security.insertProviderAt(bouncycastle, 2);
    LOG.info("Loaded the Bouncy Castle security provider.");
} catch(Throwable e) {
    // No BouncyCastle found so we use the default Java Security Provider
}

It turns out that the default JDK SunJCE provider is able to load the key from our *.p12 keystore while Bouncycastle throws the aforementioned "pad block corrupted" error when trying to do so. The solution for us was to move Bouncycastle after the SunJCE provider like so:

Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
Security.addProvider(new BouncyCastleProvider());

My guess is that the reason the OP's issue was resolved by

Adding Security.addProvider(new BouncyCastleProvider());

... is that doing so before ActiveMQ is loaded keeps Bouncycastle at the end of the provider list. The important thing is that it remains after SunJCE.

netmikey
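The two answers above propose different root causes: a policy-limited JDK (Sudhir) versus Bouncy Castle being registered ahead of SunJCE by ActiveMQ's BrokerService (netmikey). The diagnostic below is an added example written for this thread; it is not code from the question, the answers, Spring Boot or ActiveMQ. It checks both hypotheses on the running JVM: it reports whether AES-256 is permitted (the unlimited-policy check), mimics BrokerService's `insertProviderAt(bc, 2)`, tries to load the keystore in that provider order, then applies netmikey's fix and tries again. It assumes `bcprov` is on the classpath, and it takes the keystore path, password and type from the question's second configuration as defaults (`src/main/resources/local-keystore.p12`, `tomcat`, `PKCS12`), overridable on the command line. One detail from the JCA documentation supports netmikey's guess about the OP's fix: `Security.insertProviderAt` returns -1 and changes nothing when the provider is already installed, so registering Bouncy Castle at the end of the list before ActiveMQ loads leaves it behind SunJCE.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

import javax.crypto.Cipher;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * Checks whether a keystore fails to load because of JCA provider ordering
 * (Bouncy Castle ahead of SunJCE) or because of a key-length policy limit.
 * Hypothetical helper written for this thread; requires bcprov on the classpath.
 */
public final class KeystoreProviderCheck {

    private KeystoreProviderCheck() {}

    /** 1-based position of a provider in the JCA preference list, or -1 if not installed. */
    public static int positionOf(String providerName) {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            if (providers[i].getName().equals(providerName)) {
                return i + 1;
            }
        }
        return -1;
    }

    /**
     * Mirrors what BrokerService does: insert BC at position 2, which on a stock
     * JDK puts it ahead of SunJCE. Returns the position assigned, or -1 if BC was
     * already installed (insertProviderAt is then a no-op).
     */
    public static int simulateActiveMqRegistration() {
        return Security.insertProviderAt(new BouncyCastleProvider(), 2);
    }

    /** The ordering fix from the thread: BC is re-added at the end, after SunJCE. */
    public static void ensureBouncyCastleAfterSunJce() {
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
        Security.addProvider(new BouncyCastleProvider());
    }

    /** True when the unlimited-strength policy is in effect (AES-256 allowed). */
    public static boolean unlimitedPolicyActive() throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** Tries to load the keystore; returns null on success, otherwise a failure description. */
    public static String tryLoad(String path, char[] password, String type) {
        try (InputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            return null;
        } catch (IOException | GeneralSecurityException e) {
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause(); // surface "pad block corrupted" if it is the real cause
            }
            return e.getMessage() + " (root cause: " + root + ")";
        }
    }

    private static String describe(String failure) {
        return failure == null ? "OK" : "FAILED: " + failure;
    }

    public static void main(String[] args) throws Exception {
        // Defaults are assumptions taken from the question's second configuration.
        String path = args.length > 0 ? args[0] : "src/main/resources/local-keystore.p12";
        char[] password = (args.length > 1 ? args[1] : "tomcat").toCharArray();
        String type = args.length > 2 ? args[2] : "PKCS12";

        System.out.println("Unlimited JCE policy active: " + unlimitedPolicyActive());

        int assigned = simulateActiveMqRegistration();
        System.out.println("insertProviderAt(BC, 2) returned " + assigned
                + "; SunJCE at " + positionOf("SunJCE")
                + ", BC at " + positionOf(BouncyCastleProvider.PROVIDER_NAME));
        System.out.println("Load with BC ahead of SunJCE: " + describe(tryLoad(path, password, type)));

        ensureBouncyCastleAfterSunJce();
        System.out.println("After fix: SunJCE at " + positionOf("SunJCE")
                + ", BC at " + positionOf(BouncyCastleProvider.PROVIDER_NAME));
        System.out.println("Load with BC after SunJCE:    " + describe(tryLoad(path, password, type)));
    }
}
```

If the first load fails with "pad block corrupted" and the second succeeds, provider ordering is the cause and calling `ensureBouncyCastleAfterSunJce()` (or simply `Security.addProvider(new BouncyCastleProvider())`) in `main` before `SpringApplication.run` is the targeted fix. If `unlimitedPolicyActive()` is false, the JDK is policy-limited and Sudhir's answer applies instead.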
0

Try with the = operator instead of :.

server.ssl.key-store=classpath:local-keystore.jks    
server.ssl.key-store-password=password
server.ssl.keyStoreType=JKS
server.ssl.keyAlias=tomcat

Refer to this

Alien
-1

server.ssl.key-store:classpath:local-keystore.jks

Try adding the absolute path of the keystore.

server.ssl.key-store=pathofyourfile

A.J.
-1

I had the same issue. I upgraded Spring Boot from 2.2.4 to 2.3.2, the keystore password error was resolved, and Tomcat was able to start up successfully.

Carlos