Bug 1217754

Summary: [GSS](6.4.z) JCE jar file inside a deployment fails the signature check
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Tom Fonteyne <tfonteyn>
Component: VFS
Assignee: Peter Palaga <ppalaga>
Status: CLOSED WONTFIX
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: 6.4.0
CC: bmaxwell, chaowan, david.lloyd, msochure, ppalaga
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-24 10:22:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  test case (flags: none)

Description Tom Fonteyne 2015-05-01 13:46:48 UTC
Created attachment 1020870 [details]
test case

Description of problem:

Deploy a war file which contains the bouncycastle (or any other JCE) signed jar file. Initialising and trying to use a cipher results in a failure due to VFS not being able to read and verify the file.


Version-Release number of selected component (if applicable):


How reproducible: always


Steps to Reproduce:
1. Install EAP 6.4 out-of-the-box
2. use the CLI to deploy the attached war file (inside the maven project)
3. access: /bouncycastle-2015-01-30/bc

Note that BC is *not* set up in the JDK, but is initialised in the deployment itself:
  row = Security.addProvider(new BouncyCastleProvider());

The code that fails:
  Cipher cipher = Cipher.getInstance("AES", "BC");

Actual results:

14:38:04,415 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1) java.lang.SecurityException: JCE cannot authenticate the provider BC
14:38:04,415 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.Cipher.getInstance(Cipher.java:647)
14:38:04,415 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.Cipher.getInstance(Cipher.java:585)
14:38:04,416 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at com.redhat.gss.tfonteyn.bouncycastle.bc.processRequest(bc.java:60)
14:38:04,416 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at com.redhat.gss.tfonteyn.bouncycastle.bc.doGet(bc.java:87)
14:38:04,416 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
14:38:04,416 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
14:38:04,416 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
14:38:04,416 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
14:38:04,416 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
14:38:04,417 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
14:38:04,417 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
14:38:04,417 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
14:38:04,417 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
14:38:04,417 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
14:38:04,417 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
14:38:04,417 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
14:38:04,418 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
14:38:04,418 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
14:38:04,418 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at java.lang.Thread.run(Thread.java:745)
14:38:04,418 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1) Caused by: java.lang.SecurityException: Cannot verify jar:vfs:/content/bouncycastleEAR.ear/lib/bcprov-jdk15on-151.jar!/
14:38:04,418 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:406)
14:38:04,418 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:322)
14:38:04,418 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.JarVerifier.verify(JarVerifier.java:250)
14:38:04,419 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:161)
14:38:04,419 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:187)
14:38:04,419 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.Cipher.getInstance(Cipher.java:643)
14:38:04,419 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    ... 18 more
14:38:04,419 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1) Caused by: java.security.PrivilegedActionException: java.util.zip.ZipException: zip file is empty
14:38:04,419 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at java.security.AccessController.doPrivileged(Native Method)
14:38:04,419 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:384)
14:38:04,420 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    ... 23 more
14:38:04,420 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1) Caused by: java.util.zip.ZipException: zip file is empty
14:38:04,420 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at java.util.zip.ZipFile.open(Native Method)
14:38:04,420 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at java.util.zip.ZipFile.<init>(ZipFile.java:215)
14:38:04,420 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at java.util.zip.ZipFile.<init>(ZipFile.java:145)
14:38:04,420 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at java.util.jar.JarFile.<init>(JarFile.java:154)
14:38:04,420 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:88)
14:38:04,421 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:221)
14:38:04,421 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:216)
14:38:04,421 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at java.security.AccessController.doPrivileged(Native Method)
14:38:04,421 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.URLJarFile.retrieve(URLJarFile.java:215)
14:38:04,421 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:71)
14:38:04,421 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99)
14:38:04,421 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
14:38:04,422 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.JarURLConnection.getJarFile(JarURLConnection.java:89)
14:38:04,422 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.JarVerifier$2.run(JarVerifier.java:399)
14:38:04,422 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    ... 25 more
14:38:04,422 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    Suppressed: java.nio.file.NoSuchFileException: /tmp/jar_cache6912958235559817778.tmp
14:38:04,422 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
14:38:04,422 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
14:38:04,422 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
14:38:04,423 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            at sun.nio.fs.UnixFileSystemProvider.implDelete(UnixFileSystemProvider.java:244)
14:38:04,423 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            at sun.nio.fs.AbstractFileSystemProvider.delete(AbstractFileSystemProvider.java:103)
14:38:04,423 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            at java.nio.file.Files.delete(Files.java:1079)
14:38:04,423 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:226)
14:38:04,423 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            ... 33 more

Expected results:

that it works

Additional info:

workaround:
- deploy as a module and use a dependency
- register in the JDK as any other JCE library

However: this means extra configuration, while shipping inside the war file requires none at all.

Comment 1 David M. Lloyd 2015-05-01 13:57:30 UTC
I'm guessing that this is VFS-related - maybe the verifier code is using the code source and somehow it isn't lining up with the real physical location of the JAR?

Maybe try adding a deployment-structure descriptor with usePhysicalCodeSource set to true, and see if that makes the verifier happy?

Comment 2 Tom Fonteyne 2015-05-01 13:59:42 UTC
Can you please elaborate?

The intention is to use no modules. Do you have an example of such a descriptor that would use the bc jar file under WEB-INF/lib ?

Comment 3 David M. Lloyd 2015-05-01 14:07:53 UTC
I don't recall the exact format offhand and I'm not at my computer, but it's the jboss-deployment-structure.xml descriptor which you would put in the META-INF folder of the root archive (I guess it's a WAR in your case).  It should be pretty easy to find a reference for this file.

This will at least tell us if the code source is the problem, or if something else is happening.

Either way though there's definitely a VFS bug involved.

Comment 4 Tom Fonteyne 2015-05-01 14:27:31 UTC
@David: that got it working!

<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
    <deployment>
        <resources>
            <resource-root path="WEB-INF/lib/bcprov-jdk15on-1.51.jar" use-physical-code-source="true"/>
        </resources>
    </deployment>
</jboss-deployment-structure>

So yes, I agree there is indeed a bug as I logged -> please fix it :)
But the above is a nice workaround indeed, so it might be sufficient to fix in upstream WFLY-4576 only for now.
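Added example, not code from this bug report, from EAP or from BouncyCastle: a small stand-alone Java check that runs the same Security.addProvider + Cipher.getInstance("AES", "BC") sequence as the description and, when the JCE verifier rejects the provider with a SecurityException like the one in the stack trace above, reports the URL of the provider's code source. The JCE JarVerifier opens that URL as a jar, so a "vfs:" location is the signal that the provider jar is being reached through JBoss VFS rather than a physical file, which is the case the use-physical-code-source workaround in Comment 4 addresses. The class name JceProviderCheck, the substring test for "vfs:" and the chosen AES transformation are assumptions; bcprov must be on the classpath.

```java
import java.security.CodeSource;
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/** Diagnostic for "JCE cannot authenticate the provider BC" (class name is an assumption). */
public class JceProviderCheck {

    /** Registers BC at runtime if it is not already present, as the deployment in the bug does. */
    static Provider ensureBcRegistered() {
        Provider bc = Security.getProvider("BC");
        if (bc == null) {
            bc = new BouncyCastleProvider();
            Security.addProvider(bc);
        }
        return bc;
    }

    /** Returns the code-source location the JCE verifier will try to open as a signed jar. */
    static String codeSourceOf(Provider p) {
        CodeSource cs = p.getClass().getProtectionDomain().getCodeSource();
        if (cs == null || cs.getLocation() == null) {
            return "(no code source)";
        }
        return cs.getLocation().toString();
    }

    /** Returns a one-line diagnosis: OK, or the verifier failure plus a hint derived from the code source. */
    static String checkProvider() {
        Provider bc = ensureBcRegistered();
        String location = codeSourceOf(bc);
        try {
            // Same call as the bug's bc.java, with an explicit mode/padding.
            Cipher.getInstance("AES/CBC/PKCS5Padding", "BC");
            return "OK: JCE verified provider BC loaded from " + location;
        } catch (SecurityException e) {
            // Assumption: a VFS-backed provider jar shows up with a "vfs:" scheme in its code source.
            String hint = location.contains("vfs:")
                ? " [provider reached via JBoss VFS; add use-physical-code-source=\"true\" for this jar"
                  + " in META-INF/jboss-deployment-structure.xml, or deploy it as a module]"
                : "";
            return "FAIL: " + e.getMessage() + "; provider code source = " + location + hint;
        } catch (GeneralSecurityException e) {
            // NoSuchAlgorithm/NoSuchProvider/NoSuchPadding: the provider loaded but lacks the service.
            return "FAIL: " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println(checkProvider());
    }
}
```

Run it once from a plain JVM with bcprov on the classpath (expected: OK, with a file: code source) and once from a servlet inside the war; the second run is what exposes the vfs: code source that the verifier cannot open.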

Comment 6 Peter Palaga 2016-11-24 10:22:56 UTC
Closing as WONTFIX as there is a valid workaround named in Comment#4 and the root issue will be fixed in some later version of EAP.