[#6576] - Static Key Encryption: Error Loading Keystore

Category: Bug report
Priority: High
Status: New
Project:
Severity: Major
Resolution: Open
Component:
Reproducibility: Always
Assigned to:

In order to encrypt the j_password parameter, I've enabled static key encryption.
Unfortunately, it is not possible to load the keystore from either the classpath or an external file due to errors.

When the keystore location in the configuration (jasperserver-pro.war/WEB-INF/classes/esapi/security-config.properties) is set to the classpath:

encryption.on=true
encryption.dynamic.key=false
keystore.location=keystore.jks

I've got an exception:

Caused by: java.lang.IllegalArgumentException: URI scheme is not "file"
at java.io.File.<init>(File.java:421)
at com.jaspersoft.jasperserver.api.security.encryption.EncryptionManager.generateKeys(EncryptionManager.java:124)

When the keystore location in the configuration (jasperserver-pro.war/WEB-INF/classes/esapi/security-config.properties) is set to an external file:

encryption.on=true
encryption.dynamic.key=false
keystore.location=file:///opt/path/to/keystore.jks

I've got an NPE:

Caused by: java.lang.NullPointerException
at com.jaspersoft.jasperserver.api.security.encryption.EncryptionManager.generateKeys(EncryptionManager.java:118)

According to the source code from jasperreports-server-cp-6.1.0-src.zip, com.jaspersoft.jasperserver.api.security.encryption.EncryptionManager#generateKeys:

    File keystoreFile = null;
    final URL keystoreResource = EncryptionManager.class.getClassLoader().getResource(keystoreLocation);
    is = keystoreResource.openStream(); //line 118
    if (is == null) { //if not on the classpath, look for an external file on the system
        keystoreFile = new File(keystoreLocation);
        is = new FileInputStream(keystoreLocation);
    }
    else
        keystoreFile = new File(keystoreResource.toURI()); //line 124

It's a bug in the code, because the javadoc of ClassLoader#getResource(String) http://docs.oracle.com/javase/7/docs/api/java/lang/ClassLoader.html#getR... says:
Returns:
A URL object for reading the resource, or null if the resource could not be found or the invoker doesn't have adequate privileges to get the resource.

So when the resource at the location specified by the keystore.location property can't be found on the classpath, it will return null and line 118 keystoreResource.openStream() will throw an NPE.

When the resource can be found on the classpath, is == null will be false and line 124 new File(keystoreResource.toURI()) will throw IllegalArgumentException: URI scheme is not "file".

v6.2
evgeniy.khist's picture
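
One way to resolve keystore.location without either failure analysed in the report, as an added example that is not Jaspersoft's code or fix: the class KeystoreLocator, its methods and the sample password are hypothetical. It null-checks the classpath lookup, reads through the URL instead of converting it to a File, and fails with a clear error when the keystore is missing.

```java
import java.io.*;
import java.net.URI;
import java.net.URL;
import java.nio.file.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

// Added example: hypothetical helper, not part of JasperReports Server.
public final class KeystoreLocator {

    /** Opens the keystore from the classpath first, then from the file system. */
    static InputStream open(String location) throws IOException {
        URL resource = KeystoreLocator.class.getClassLoader().getResource(location);
        if (resource != null) {
            // Read through the URL: this works for jar:, vfs: and file: URLs alike,
            // so the new File(URI) conversion that rejects non-file schemes is not needed.
            return resource.openStream();
        }
        // getResource returned null: treat the value as a file: URI or a plain path.
        Path path = location.startsWith("file:")
                ? Paths.get(URI.create(location))
                : Paths.get(location);
        if (!Files.isRegularFile(path)) {
            throw new IOException("Keystore not found on classpath or at " + path);
        }
        return Files.newInputStream(path);
    }

    static KeyStore load(String location, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = open(location)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty keystore in a temp file with a made-up password.
        char[] pw = "changeit".toCharArray();
        Path tmp = Files.createTempFile("sample", ".ks");
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, pw);
        try (OutputStream out = Files.newOutputStream(tmp)) { empty.store(out, pw); }
        System.out.println(load(tmp.toUri().toString(), pw).size()); // file: URI form
        System.out.println(load(tmp.toString(), pw).size());         // plain path form
        Files.delete(tmp);
    }
}
```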