Jul 19, 2018

Spring Boot / SSL and BadPaddingException

Are you working on getting SSL self signed certificates working with Spring Boot and getting a javax.crypto.BadPaddingException? Hopefully this post will save you some time.

I created this post to help remind myself and hopefully spare others the frustration of an issue that my co-worker and I ran into when setting up SSL on a project.

We developed a script that would generate a self signed p12 keystore for the application to use for local development and to test out our process before requesting the private key / certificates we needed from the client to secure the application we were developing.

#!/usr/bin/env sh
 
# passwords for the local generated certs
export KEY_STORE_PASSWORD=keyStorePassword
export KEY_PASSWORD=keyPassword
 
# Pick which OpenSSL to use - system default or one installed with Homebrew
export OPENSSL=openssl
#export OPENSSL=/usr/local/opt/openssl/bin/openssl
 
# Clean any previously-generated keys or certs
rm -rf ./generated
mkdir ./generated
 
# Generate Root CA Certificate
 
$OPENSSL genrsa -aes256 \
                -out ./generated/ca.key.pem -passout env:KEY_PASSWORD \
                4096
 
$OPENSSL req -config openssl.ca.cnf -batch \
             -new -x509 -days 3650 \
             -key ./generated/ca.key.pem -passin env:KEY_PASSWORD \
             -out ./generated/ca.cert.pem -passout env:KEY_PASSWORD
 
# Generate Server Certificate signed by Root CA
 
$OPENSSL genrsa -aes256 \
                -out ./generated/localhost.key.pem -passout env:KEY_PASSWORD \
                4096
 
$OPENSSL req -config openssl.server.cnf -extensions server_cert -batch \
             -new -days 3650 \
             -key ./generated/localhost.key.pem -passin env:KEY_PASSWORD \
             -out ./generated/localhost.cert.csr -passout env:KEY_PASSWORD
 
$OPENSSL x509 -extfile openssl.server.cnf -extensions server_cert \
              -req -sha512 -days 3650 \
              -in ./generated/localhost.cert.csr -passin env:KEY_PASSWORD \
              -CAkey ./generated/ca.key.pem -CA ./generated/ca.cert.pem -set_serial 1000 \
              -out ./generated/localhost.cert.pem
 
# Convert Server Key and Certificate to proper format for java trust store
 
$OPENSSL pkcs12 -export -name localhost -caname "Localhost CA" \
                -inkey ./generated/localhost.key.pem -passin env:KEY_PASSWORD \
                -in ./generated/localhost.cert.pem \
                -certfile ./generated/ca.cert.pem \
                -out ./generated/localhost.p12 -passout env:KEY_STORE_PASSWORD

Once we had created the keystore and verified the certs looked correct, we started up the application with the new keystore referenced in the application configuration.

server:
  port: 8443
  ssl:
    enabled: true
    key-store: ./certs/generated/localhost.p12
    key-store-password: keyStorePassword
    key-store-provider: SunJSSE
    key-store-type: PKCS12
    key-password: keyPassword
    key-alias: localhost

To our surprise we were greeted with the following error.

Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:991) ~[sunjce_provider.jar:1.8.0_171]
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:847) ~[sunjce_provider.jar:1.8.0_171]
        at com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:399) ~[sunjce_provider.jar:1.8.0_171]
        at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:431) ~[sunjce_provider.jar:1.8.0_171]
        at javax.crypto.Cipher.doFinal(Cipher.java:2164) ~[na:1.8.0_171]
        at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:371) ~[na:1.8.0_171]
        ... 34 common frames omitted

Ok, we must have done something wrong when generating the key, certificates, or keystore, right? After following a number of guides trying to recreate the keystore using different methods and a lot of googling what could be causing this error, we changed the key store password and key password to match on a whim, and presto the application started up correctly.

server:
  port: 8443
  ssl:
    enabled: true
    key-store: ./certs/generated/localhost.p12
    key-store-password: keyStorePassword
    key-store-provider: SunJSSE
    key-store-type: PKCS12
    key-password: keyStorePassword
    key-alias: localhost

It turns out that the `passout` variable of the `OPENSSL pkcs12` command changes both the key store password and the key password to the supplied value. This was not readily apparent from the man (linux manual) pages we were examining.

OPENSSL pkcs12 -export -name localhost -caname "Localhost CA" \
                -inkey ./generated/localhost.key.pem -passin env:KEY_PASSWORD \
                -in ./generated/localhost.cert.pem \
                -certfile ./generated/ca.cert.pem \
                -out ./generated/localhost.p12 -passout env:KEY_STORE_PASSWORD

In summary, when using ‘openssl pksc12 -export’, the value supplied to ‘-passout’ will need to be provided to Spring Boot for both the ‘key-store-password’ and ‘key-password’ properties.

I created an example project that demonstrates this which can be found at github.

About the Author

Rob Boler profile.

Rob Boler

Sr. Consultant

Rob has always been interested in computers, and remembers first attempting programming a hangman game on an Apple IIE in grade school. He has over 15 years of software development experience using Java / Spring, primarily in the transportation and defense industries. He prides himself as being able to solve complex software problems, while also being able to lead small teams of developers. Rob has a wide range of project experience ranging from dynamic web applications to high volume message processing, to applying Big Data technologies for data pattern analysis.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Blog Posts
SwiftGen with Image & Color Asset Catalogs
You might remember back in 2015 when iOS 9 was introduced, and we were finally given a way to manage all of our assets in one place with Asset Catalogs. A few years later, support […]
Managing your Helm deployments with Helmfile
As we’ve been using Kubernetes to build software delivery platforms for our clients, we’ve found Helm to be a reasonable solution to templating and managing deployments to Kubernetes.  Although templating alternatives such as Kustomize have […]
AWS CodeBuild Test Reports for Gradle builds
Although AWS documentation has instructions for adding Test Reports for a maven build they currently lack instructions for a gradle build. You can find the maven instructions here: https://aws.amazon.com/blogs/devops/test-reports-with-aws-codebuild/ Assuming you have your gradle wrapper […]
Structuring SwiftUI Previews for API Calls
SwiftUI, together with Combine and Xcode 11+, provide a powerful toolset for quickly creating an app with a native UI. In Xcode 11+, the preview pane was introduced in order to provide live snapshots of […]