puppetlabs / puppetlabs-java_ks Goto Github PK

Describe the Bug

When obtaining the array of fingerprints from a pkcs12 keystore, the list includes multiple certificates' fingerprints - each of the CAs in the chain is also in the fingerprint array returned. When this is compared to the "latest" in the insync function, the current is a large list of fingerprints which will never match the fingerprint being matched as latest.

This behavior of printing the corresponding CA certs seems to be for at least pkcs12 formatted keystores on java 17. We have multiple java 17 instances where there is an existing JKS keystore where the listing of the CA certs doesn't happen. This also only happens on a "leaf" cert.

Expected Behavior

Certificate is repeatedly deleted then re-imported as the comparison is the reverse of what it should be. Here is what happens when we print the fingerprint values being compared by the insync method:

Info: current has value:'["14:5A:5E:B0:18:E1:00:C3:C0:25:DD:32:91:3D:04:BE:E2:21:B0:A2:B3:23:92:CB:CF:AF:10:8D:7A:01:80:68", "25:CD:2D:9A:12:96:F9:3E:05:A6:0A:A3:62:B9:31:59:6A:83:43:8F:91:A6:47:25:C1:1A:3E:84:A4:C5:CD:D5", "2E:E8:86:28:AD:4D:71:87:19:34:CB:2C:EE:C4:F6:70:19:C7:78:B7", "8E:A0:FF:5D:3B:24:12:F7:D1:C5:E8:23:63:E0:E2:96:83:8E:7F:F6", "B8:B2:CE:01:17:65:78:9F:8E:8B:BC:CF:7C:22:35:BF:9D:37:D2:2F:7B:92:3E:8E:57:FA:24:EC:2B:A1:F3:4C", "BA:05:B0:A6:89:B8:2D:D6:7B:6E:6B:60:2B:1E:4A:9E:75:28:0F:4B"]'
Info: latest has  value:'["14:5A:5E:B0:18:E1:00:C3:C0:25:DD:32:91:3D:04:BE:E2:21:B0:A2:B3:23:92:CB:CF:AF:10:8D:7A:01:80:68", "BA:05:B0:A6:89:B8:2D:D6:7B:6E:6B:60:2B:1E:4A:9E:75:28:0F:4B"]'

Steps to Reproduce

Steps to reproduce the behavior:

1. create a pkcs12 type keystore with this tool on JDK v17
2. add ca and intermediate certs relevant to the leaf cert to be added later
3. try adding the cert and observe that it will be repeatedly added during every puppet run.

Environment

• Version puppet 6.28
• Platform RHEL8
• Java v17 (java version "17.0.3.1" 2022-04-22 LTS)

Describe the Bug

When using the puppet-openssl and puppetlabs-java_ks modules the passwords for the private key and the Java keystore files cannot be different. If they are different, it results in an error message invalid curve name error

Expected Behavior

The curve name is valid and the code works when both passwords are the same. The error message is elusive to what the issue is.

Steps to Reproduce

Install the puppet-openssl and puppetlabs-java_ks modules.

  x509_cert { certificate:
   ...
    password  => $private_key_pw,
   ...
  }

  java_ks { keystore_location:
   ...
    password  => $keystore_pw,
   ...
  }

When running puppet the error occurs on the line for the java_ks resource

Error: Could not set 'latest' on ensure: invalid curve name 
Wrapped exception:
invalid curve name

Environment

• Version 4.3.0

I have a production problem with java_ks, when "target" parameter is constants:

target       => '/usr/lib/jvm/java-7-oracle/jre/lib/security/cacerts'

but when Java 1.7 was updated I need changed puppet manifest to:

target       => '/usr/lib/jvm/java-7-oracle-25/jre/lib/security/cacerts'

It is not solution and I need autodiscovering JAVA HOME and concating with "/jre/lib/security/cacerts" internal in "java_ks" extension.

Problem with $JAVA_HOME - it is not right way to discovering "java".

Extract JAVA path example:

$ update-alternatives --get-selections | grep "java\s" | awk '{FS=" ";print $3}' | sed 's/jre\/bin\/java//g'
/usr/lib/jvm/java-7-oracle/

$ update-alternatives --get-selections | grep "java\s" | awk '{FS=" ";print $3}' | sed 's/jre\/bin\/java//g'
/usr/lib/jvm/java-7-oracle-25/bin/java

What do you think about auto discovering java path in this puppet extension in Ubuntu ?

Observe random errors in java_ks provider in PE2021.7.2 (puppet 7) environment, Amsazon Linux 2 agent, RHEL8 server

change from 'present' to 'latest' failed: Execution of 'keytool -v -printcert -file /tmp/certificate20230313-11787-1fogisx' returned 1: keytool error: java.io.FileNotFoundException: /tmp/certificate20230313-11787-1fogisx (No such file or directory)
java.io.FileNotFoundException: /tmp/certificate20230313-11787-1fogisx (No such file or directory)

The temp file is created by provider itself, so there seems to be some race condition

java_ks { "sat.example.com:${cacerts}":
    ensure              => 'latest',
    certificate_content => file("${module_name}/sat.example.com.pem"),
    password            => 'changeit',
    storetype           => 'jks',
  }

It doesn't happen each puppet run, I didn't find any pattern

Describe the Bug

Consider

java_ks { "$cert_alias:$truststore_path":
ensure => latest,
certificate => $cert_path_unique,
trustcacerts => true,
password => $truststore_passwd
}

If $cert_path_unique is a pem file which contains an intermediate and a leaf certificate then puppet outputs the following every run
Java_ks[jREDACTED]/ensure: ensure changed 'present' to 'latest'

Expected Behavior

Puppet should be idempotent

Environment

• Version [e.g. 5.0.0]
• Platform [e.g. puppet 8 rhel 8]

Use Case

Needing to add SAN extension, validity name, and distinguished name when generating the keystore

Describe the Solution You Would Like

Add SAN support

Describe Alternatives You've Considered

Managing keystores manually

During the test setup jdk8 is being installed, however the wrong command is being used when this happen, update rather than upgrade. This is causing an error to be thrown.

TS files require a password of at least 6 characters. If you provide a password of under 6 chars, your puppet run succeeds, but the keytool command fails silently and no .ts file is created.

java_ks { 'truststore':
    ensure       => latest,
    certificate  => '/path/to/cert/cert.pem',
    target       => '/foo.ts',
    password     => 'test',
    trustcacerts => true,
  }    

The above code should be sufficient to reproduce this issue, assuming you can provide a .pem file.

Just tried out the module, with the password coming from an ENC (Foreman)

when changing the password in he ENC, puppet does not regenerate the keystore, but tries to update it with the new password which naturally fails and leaves the system in an inconsistent state

debug: Executing 'keytool -importcert -noprompt -alias puppetca -file /var/lib/puppet/ssl/certs/ca.pem -keystore /etc/pki/testvm02.localdomain.ks -trustcacerts'
err: /Stage[main]/Java_ks::Host/Java_ks[puppetca:keystore]/ensure: change from absent to latest failed: Execution of 'keytool -importcert -noprompt -alias puppetca -file /var/lib/puppet/ssl/certs/ca.pem -keystore /etc/pki/testvm02.localdomain.ks -trustcacerts' returned 1: Enter keystore password: keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

Describe the Bug

Whenever a new store is created, a command is executed to create a new store. If you specify, JKS as storetype, you still get PKCS12 as type.

Expected Behavior

The store type is JKS.

Steps to Reproduce

1, Create the following configuration:

java_ks { 'some_alias':
        ensure              => latest,
        target              => '/some_path',
        password            => 'some_password',
        certificate_content => '...'
        storetype           => 'jks'
      }

2. Run puppet and make sure the store does not exist yet.

Environment

• Java_ks version 4.3.1
• Puppet version 6.27.0
• Linux RHEL 7

Additional Context

I found the issue in the code. See keytool.rb function def create. Based on the storetype different code is executed. The else case is done when storetype is jks, but no storetype is set in this command. Adding it would solve the issue.

In the create method of the keytool provider, the password_file resource property is ignored.

I'm not sure what's the reasoning behind forcing the password parameter to be present (and to be of a certain length). I'm trying to use this to provision a trustedca pem for sending email from java, i.e. adding it to the system-wide /etc/pki/java/cacerts, which doesn't have (or need a password).

As it is, the password restriction prevents me from using it for that. Is there something I'm missing? Isn't a password-less store common (e.g. if all it contains are public keys).

If users have their certificates in an NSS Database, the java_ks module should be able to directly import from that database without manual intervention.

Describe the Bug

ensure => absent requires parameter certificate or certificate_content set

Expected Behavior

The certificate or certificate_content parameter should not be required when removing entries from Keystores

Steps to Reproduce

Steps to reproduce the behavior:

1. Create java_ks resource with parameter
   ensure => absent
   but do not set the certificate or certificate_content parameter

Puppet will fail with:

Error: Failed to apply catalog: Validation of Java_ks[name_goes_here] failed: You must pass one of 'certificate' or 'certificate_content'

Environment

• Version v4.3.0

Use Case

By default the java_ks module create the target file with owner root group root (on linux systems), while this can be "fixed" with a post ACL change it would be cleaner if the module supported user and group parameters and created the target file as that user/group.

Describe the Solution You Would Like

java_ks accept user and groups parameters and creates/updates the target keystore as that user/group

Many users will have CA certificates that are managed in a directory structure. It would be ideal to be able to read each CA certificate in the directory and import them without having to list each file individually or combine them artificially.

Use Case

If keytool does not exist, sensitive Password is not “redacted” in Error-Message:

Error: /Stage[main]/Myprofilemodule/Java_ks[myRootCA]/ensure: change from 'absent' to 'latest' failed:  
Execution of 'keytool -importcert -noprompt -alias myrootca -file /etc/pki/tls/certs/myCA_root.pem -keystore /path/to/mykeystore -srcstorepass MyPassword -deststorepass MyPassword' returned 1:  
Error: Could not execute posix command: No such file or directory - keytool

Describe the Solution You Would Like

• check, if keytool exists, before trying to execute it
• prevent Password-Leak in other Error-Situations

Just updated to the latest version and get following error when trying to use
an environment specific path in the puppet URI

(/Stage[main]/Jumio::Role::Platform/Java_ks::Keystore[platform]/Java_ks[myks:keystore]/ensure) change from absent to latest failed: Could not set 'latest on ensure: undefined method `environment' for #Puppet::Resource::Catalog:0x7f2ca4f0fa78 at /etc/puppet/environments/test/modules/java_ks/manifests/keystore.pp:51

the implementation is the following

java_ks { "${title}:keystore":
ensure => $ensure,
certificate => "puppet:///ssl/${environment}/${certificate}",
private_key => "puppet:///ssl/${environment}/${private_key}",
target => "${path}/${title}.jks",
password => $password,
trustcacerts => $trustcacerts,
}