Unable to use password-protected JKS keystore

[mmeytin]

We attempted to use -ssl and -key options to establish SSL communication with the CoreNLP server per the documentation. The application crashes with exception below because it's not possible to pass a password for a password-protected Java keystore file. Is there another recommended method for enabling SSL-protected communication with the CoreNLP server? Thank you!

[main] INFO CoreNLP - — StanfordCoreNLPServer#main() called —
[main] INFO CoreNLP - Server default properties:
                        (Note: unspecified annotator properties are English defaults)
                        inputFormat = text
                        outputFormat = json
                        prettyPrint = false
[main] INFO CoreNLP - Threads: 8
[main] INFO CoreNLP - Starting server...
[main] INFO CoreNLP - Adding SSL context to server; key=/shared/mykeystore.jks
Exception in thread "main" java.lang.RuntimeException: java.io.IOException: Keystore was tampered with, or password was incorrect
        at edu.stanford.nlp.pipeline.StanfordCoreNLPServer.addSSLContext(StanfordCoreNLPServer.java:1435)
        at edu.stanford.nlp.pipeline.StanfordCoreNLPServer.run(StanfordCoreNLPServer.java:1525)
        at edu.stanford.nlp.pipeline.StanfordCoreNLPServer.launchServer(StanfordCoreNLPServer.java:1624)
        at edu.stanford.nlp.pipeline.StanfordCoreNLPServer.main(StanfordCoreNLPServer.java:1631)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:795)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
        at java.base/java.security.KeyStore.load(KeyStore.java:1479)
        at edu.stanford.nlp.pipeline.StanfordCoreNLPServer.addSSLContext(StanfordCoreNLPServer.java:1410)
        ... 3 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:793)
        ... 6 more
[Thread-1] INFO CoreNLP - CoreNLP Server is shutting down.

[AngledLuffa]

Would you back up a bit and explain what you did to run the application?

[Illumin80]

I have the same issue.

I build this dockerfile:

#Use an Ubuntu base image
FROM ubuntu:latest

#Update packages
RUN apt-get update

#Install Java
RUN apt-get install -y default-jre

#Install wget to download files
RUN apt-get install -y wget

#Download Stanford CoreNLP
RUN wget https://nlp.stanford.edu/software/stanford-corenlp-4.5.6.zip

#Unzip Stanford CoreNLP
RUN apt-get install -y unzip
RUN unzip stanford-corenlp-4.5.6.zip

#Set the working directory to the unzipped CoreNLP directory
WORKDIR /stanford-corenlp-4.5.6

#Expose port 9000 for CoreNLP server
EXPOSE 9000

#Start Stanford CoreNLP server
CMD java -cp "*" edu.stanford.nlp.pipeline.StanfordCoreNLPServer -port 9000 -timeout 15000 -ssl -key /tmp/corenlp/corenlp.jks

And run it with:
sudo docker run -i -p 9000:9000 -v /home/path/to/jksfile/directory:/tmp/corenlp corenlp:latest

With a jks-file at the location
/home/path/to/jksfile/directory/corenlp.jks

I beforehand created this jks-file with this command:
keytool -importcert -file "mycertificate.cer" -keystore corenlp.jks -alias "corenlp"
Running this command, I was required to enter a password to secure this .jks file.

Then, when trying to run the docker container, I get the same Error as @mmeytin :

[main] INFO CoreNLP - --- StanfordCoreNLPServer#main() called ---
[main] INFO CoreNLP - Server default properties:
                        (Note: unspecified annotator properties are English defaults)
                        inputFormat = text
                        outputFormat = json
                        prettyPrint = false
[main] INFO CoreNLP - Threads: 2
[main] INFO CoreNLP - Starting server...
[main] INFO CoreNLP - Adding SSL context to server; key=/tmp/corenlp/corenlp.jks
Exception in thread "main" java.lang.RuntimeException: java.io.IOException: keystore password was incorrect
        at edu.stanford.nlp.pipeline.StanfordCoreNLPServer.addSSLContext(StanfordCoreNLPServer.java:1644)
        at edu.stanford.nlp.pipeline.StanfordCoreNLPServer.run(StanfordCoreNLPServer.java:1734)
        at edu.stanford.nlp.pipeline.StanfordCoreNLPServer.launchServer(StanfordCoreNLPServer.java:1834)
        at edu.stanford.nlp.pipeline.StanfordCoreNLPServer.main(StanfordCoreNLPServer.java:1841)
Caused by: java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2097)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:249)
        at java.base/java.security.KeyStore.load(KeyStore.java:1500)
        at edu.stanford.nlp.pipeline.StanfordCoreNLPServer.addSSLContext(StanfordCoreNLPServer.java:1619)
        ... 3 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 7 more
[Thread-0] INFO CoreNLP - CoreNLP Server is shutting down.

[Illumin80]

Update: I found a temporary workaround:

It seems, that the line that throws the exception is trying to open the .jks file with the hard coded password "corenlp"

This means that when you set the password of your .jks file also to "corenlp", it executes correctly.

However, I would propose to either include this information into the documentation of the API or to add a way to provide the password of the .jks file somewhere in the command

I hope this helped