Deploying SSL Certificate - Get Key failed: Given final block not properly padded

I have followed the steps here:

https://www.savapage.org/docs/manual/app-tools-ssl-key.html#app-tools-ssl-key-install-keystore

JKS is generated and valid according to keytool.

Keystore explorer can validate it also:

However, restart fails with:

2022-03-03 20:43:38,129  INFO SpInfo:63 - 
+------------------------------------------------------------------------+
| SavaPage 1.4.0-rc (Build 20220127)
| Copyright (c) 2011-2022 by Datraverse B.V.
| GNU Affero General Public License (AGPL)
| OpenJDK 64-Bit Server VM (1.8.0_312)
| Apache Derby 10.14.2.0 - (1828579)
| Running as user [savapage]
+------------------------------------------------------------------------+ [main]
2022-03-03 20:43:38,760  INFO SpInfo:89 - 
+------------------------------------------------------------------------+
| Visiting Guest.
+------------------------------------------------------------------------+ [main]
2022-03-03 20:43:39,378  INFO SpInfo:119 - database.connection.pool.max > hibernate.c3p0.max_size [200] [main]
2022-03-03 20:43:39,378  INFO SpInfo:119 - database.connection.pool.min > hibernate.c3p0.min_size [5] [main]
2022-03-03 20:43:39,378  INFO SpInfo:119 - database.connection.idle-timeout-secs > hibernate.c3p0.timeout [600] [main]
2022-03-03 20:43:39,379  INFO SpInfo:119 - database.connection.idle-timeout-test-secs > hibernate.c3p0.idle_test_period [120] [main]
2022-03-03 20:43:39,379  INFO SpInfo:119 - database.connection.statement-cache > hibernate.c3p0.max_statements [50] [main]
2022-03-03 20:43:39,844  INFO SpInfo:119 - PDF Standard Fonts: [14] substitutes retrieved. [main]
2022-03-03 20:43:39,853  INFO SpInfo:119 - SSL Mail protocols [TLSv1.2] [main]
2022-03-03 20:43:44,239  INFO SpInfo:119 - SOffice converter started with 2 workers. [main]
2022-03-03 20:43:44,478  INFO SpInfo:119 - Print Job Status monitor started. [main]
2022-03-03 20:43:44,894  INFO SpInfo:119 - Database [tbl_sequences] OK. [main]
2022-03-03 20:43:44,958  INFO SpInfo:119 - Jetty 9.4.43.v20210629 [main]
2022-03-03 20:43:44,958  INFO SpInfo:119 - Web Server started on port 8631 and 8632 (SSL) [main]
2022-03-03 20:43:44,958  INFO SpInfo:119 - Web Server acceptor threads [1] and [1] (SSL) [main]
2022-03-03 20:43:44,958  INFO SpInfo:119 - server.threadpool.queue.capacity [3000] [main]
2022-03-03 20:43:44,959  INFO SpInfo:119 - server.threadpool.maxthreads [200] [main]
2022-03-03 20:43:44,960  INFO SpInfo:119 - server.threadpool.minthreads [20] [main]
2022-03-03 20:43:44,960  INFO SpInfo:119 - server.threadpool.idle-timeout-msec [30000] [main]
2022-03-03 20:43:44,960  INFO SpInfo:119 - server.session.scavenge.interval-sec [600] [main]
2022-03-03 20:43:44,961  INFO SpInfo:119 - SSL Cert Issuer  [R3] self-signed. [main]
2022-03-03 20:43:44,961  INFO SpInfo:119 - SSL Cert Subject [printshop.example.com] [main]
2022-03-03 20:43:44,962  INFO SpInfo:119 - SSL Cert Created [March 3, 2022 8:14:06 PM] [main]
2022-03-03 20:43:44,962  INFO SpInfo:119 - SSL Cert Expires [June 1, 2022 5:07:35 PM] [main]
2022-03-03 20:43:45,055  INFO SpInfo:119 - Loaded plugins [0] [main]
2022-03-03 20:43:45,065  INFO SpInfo:119 - IPP Print Server started. [main]
2022-03-03 20:43:45,077  INFO SpInfo:119 - IP Print Server started on port 9100. [Thread-35]
2022-03-03 20:43:45,358 ERROR WebServer:1004 - Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. [main]
java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
	at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:455)
	at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:71)
	at java.security.KeyStore.getKey(KeyStore.java:1023)
	at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
	at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1249)
	at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2363)
	at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:373)
	at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:244)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
	at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
	at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
	at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
	at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
	at org.eclipse.jetty.server.Server.doStart(Server.java:401)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
	at org.savapage.server.WebServer.main(WebServer.java:988)
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
	at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
	at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
	at com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:323)
	at javax.crypto.Cipher.doFinal(Cipher.java:2168)
	at sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:396)
	at sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:285)
	at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:390)
	... 24 more
2022-03-03 20:43:46,070  INFO SpInfo:119 - | Cleaning AccountTrx [4] ... [DefaultQuartzScheduler_Worker-4]
2022-03-03 20:43:46,110  INFO SpInfo:119 - UserHomeClean
+==============================+===========+=========+
| User Home Clean              | Conflicts |       0 |
+====================+=========+===========+=========+
| Scope              |  Before |   Cleaned |   After |
+------------+--- ---+---------+-----------+---------+
| Home       | users |       1 |         0 |         |
| Print-In   | jobs  |       1 |         0 |       1 |
|            | size  |  468 KB |         0 |  468 KB |
| Print-Hold | jobs  |       0 |         0 |       0 |
|            | size  |       0 |         0 |       0 |
+============+=======+=========+===========+=========+
| Completed after 7 msec.                            |
+====================================================+ [DefaultQuartzScheduler_Worker-7]
2022-03-03 20:43:46,180  INFO SpInfo:119 - |          108ms : 0 AccountTrx cleaned. [DefaultQuartzScheduler_Worker-4]
2022-03-03 20:43:46,182  INFO SpInfo:119 - | Cleaning DocLog/AccountTrx [4] ... [DefaultQuartzScheduler_Worker-4]
2022-03-03 20:43:46,283  INFO SpInfo:119 - |          81ms : 0 DocLog/AccountTrx cleaned. [DefaultQuartzScheduler_Worker-4]
2022-03-03 20:43:46,285  INFO SpInfo:119 - | Cleaning DocLog/DocOut [4] ... [DefaultQuartzScheduler_Worker-4]
2022-03-03 20:43:46,369  INFO SpInfo:119 - |          82ms : 0 DocLog/DocOut cleaned. [DefaultQuartzScheduler_Worker-4]
2022-03-03 20:43:46,371  INFO SpInfo:119 - | Cleaning DocLog/DocIn [4] ... [DefaultQuartzScheduler_Worker-4]
2022-03-03 20:43:46,430  INFO SpInfo:119 - |          59ms : 0 DocLog/DocIn cleaned. [DefaultQuartzScheduler_Worker-4]
2022-03-03 20:43:46,439  INFO SpInfo:119 - | Cleaning User [1] ... [DefaultQuartzScheduler_Worker-4]
2022-03-03 20:43:46,453  INFO SpInfo:119 - |          14ms : 0 User cleaned. [DefaultQuartzScheduler_Worker-4]
2022-03-03 20:43:46,463  INFO SpInfo:119 - | Cleaning Printer [2] ... [DefaultQuartzScheduler_Worker-4]
2022-03-03 20:43:46,474  INFO SpInfo:119 - |          10ms : 0 Printer cleaned. [DefaultQuartzScheduler_Worker-4]
2022-03-03 20:43:46,480  INFO SpInfo:119 - | Cleaning IppQueue [7] ... [DefaultQuartzScheduler_Worker-4]
2022-03-03 20:43:46,489  INFO SpInfo:119 - |          8ms : 0 IppQueue cleaned. [DefaultQuartzScheduler_Worker-4]
2022-03-03 20:43:46,498  INFO SpInfo:119 - | Cleaning Account [1] ... [DefaultQuartzScheduler_Worker-4]
2022-03-03 20:43:46,511  INFO SpInfo:119 - |          12ms : 0 Account cleaned. [DefaultQuartzScheduler_Worker-4]

I tried PKCS12 format for the keystore as well, but got a different error about an invalid password, so I reverted back to JKS format.

-Todd
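
An added diagnostic, not part of the original post and not SavaPage's code: the trace above shows the JKS loader delegating to PKCS12KeyStore and failing while decrypting the key entry, so this checks the container type from the file's first bytes and whether each key entry opens with the store password or only with a separate key password. The class name, alias and passwords are assumptions, and the sample keystore is constructed in memory.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.util.*;
import javax.crypto.spec.SecretKeySpec;

public class KeystoreKeyCheck { // hypothetical class name
    // Identify the container from its first bytes, regardless of the file extension.
    static String format(byte[] b) {
        if (b.length < 4) return "unknown";
        int magic = ((b[0] & 0xff) << 24) | ((b[1] & 0xff) << 16) | ((b[2] & 0xff) << 8) | (b[3] & 0xff);
        if (magic == 0xFEEDFEED) return "JKS";
        if (magic == 0xCECECECE) return "JCEKS";
        return b[0] == 0x30 ? "PKCS12 (DER)" : "unknown";
    }

    // Try to recover every key entry with the given key password; report per alias.
    static Map<String, String> check(byte[] data, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // dual-format: also reads PKCS12 while keystore.type.compat=true (the default)
        ks.load(new ByteArrayInputStream(data), storePass);
        Map<String, String> result = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            try { ks.getKey(alias, keyPass); result.put(alias, "OK"); }
            catch (UnrecoverableKeyException e) { result.put(alias, "FAILED: " + e.getMessage()); }
        }
        return result;
    }

    // Constructed sample: a PKCS12 store whose key password differs from the store password.
    static byte[] sample() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry("demo", new SecretKeySpec(new byte[16], "AES"), "key-secret".toCharArray(), null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, "store-secret".toCharArray());
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        boolean file = args.length > 0; // optional argument: path to a keystore file
        byte[] data = file ? Files.readAllBytes(Paths.get(args[0])) : sample();
        char[] sp = file ? System.console().readPassword("Store password: ") : "store-secret".toCharArray();
        char[] kp = file ? System.console().readPassword("Key password: ") : "key-secret".toCharArray();
        System.out.println("container: " + format(data));
        System.out.println("key opened with store password: " + check(data, sp, sp));
        System.out.println("key opened with key password:   " + check(data, sp, kp));
    }
}
```

Run without arguments it uses the constructed sample; with a keystore path it prompts for both passwords on the console, so they never appear on the command line.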

I did start with Java 11 but switched to 8 with same result.

Hi @worraps Welcome to SavaPage! This error has been fixed in the latest SavaPage 1.4.0-rc which you can download from here. Please let me know if this solves your issue.

Wow! Thanks for the quick fix and reply!!!
https://issues.savapage.org/view.php?id=1216

Will test later today!

Confirmed fixed! Keystore is now read as expected. Server comes up with SSL enabled.

Thank You,

Todd