Bug 1217754 - [GSS](6.4.z) JCE jar file inside a deployment fails the signature check
Summary: [GSS](6.4.z) JCE jar file inside a deployment fails the signature check
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: VFS
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Peter Palaga
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-05-01 13:46 UTC by Tom Fonteyne
Modified: 2019-06-13 08:27 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-11-24 10:22:56 UTC
Type: Bug
Embargoed:


Attachments
test case (4.80 MB, application/zip)
2015-05-01 13:46 UTC, Tom Fonteyne


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker WFLY-4576 0 Major Open JCE jar file inside a deployment fails the signature check 2018-11-16 03:13:06 UTC

Description Tom Fonteyne 2015-05-01 13:46:48 UTC
Created attachment 1020870
test case

Description of problem:

Deploy a war file which contains the bouncycastle (or any other JCE) signed jar file. Initialising and trying to use a cipher results in a failure due to VFS not being able to read and verify the file.


Version-Release number of selected component (if applicable):


How reproducible: always


Steps to Reproduce:
1. Install EAP 6.4 out-of-the-box
2. use the CLI to deploy the attached war file (inside the maven project)
3. access: /bouncycastle-2015-01-30/bc

Note that BC is *not* set up in the JDK, but is initialised in the deployment itself:
  row = Security.addProvider(new BouncyCastleProvider());

The code that fails:
  Cipher cipher = Cipher.getInstance("AES", "BC");

Actual results:

14:38:04,415 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1) java.lang.SecurityException: JCE cannot authenticate the provider BC
14:38:04,415 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.Cipher.getInstance(Cipher.java:647)
14:38:04,415 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.Cipher.getInstance(Cipher.java:585)
14:38:04,416 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at com.redhat.gss.tfonteyn.bouncycastle.bc.processRequest(bc.java:60)
14:38:04,416 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at com.redhat.gss.tfonteyn.bouncycastle.bc.doGet(bc.java:87)
14:38:04,416 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
14:38:04,416 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
14:38:04,416 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
14:38:04,416 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
14:38:04,416 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
14:38:04,417 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
14:38:04,417 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
14:38:04,417 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
14:38:04,417 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
14:38:04,417 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
14:38:04,417 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
14:38:04,417 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
14:38:04,418 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
14:38:04,418 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
14:38:04,418 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at java.lang.Thread.run(Thread.java:745)
14:38:04,418 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1) Caused by: java.lang.SecurityException: Cannot verify jar:vfs:/content/bouncycastleEAR.ear/lib/bcprov-jdk15on-151.jar!/
14:38:04,418 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:406)
14:38:04,418 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:322)
14:38:04,418 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.JarVerifier.verify(JarVerifier.java:250)
14:38:04,419 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:161)
14:38:04,419 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:187)
14:38:04,419 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.Cipher.getInstance(Cipher.java:643)
14:38:04,419 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    ... 18 more
14:38:04,419 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1) Caused by: java.security.PrivilegedActionException: java.util.zip.ZipException: zip file is empty
14:38:04,419 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at java.security.AccessController.doPrivileged(Native Method)
14:38:04,419 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:384)
14:38:04,420 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    ... 23 more
14:38:04,420 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1) Caused by: java.util.zip.ZipException: zip file is empty
14:38:04,420 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at java.util.zip.ZipFile.open(Native Method)
14:38:04,420 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at java.util.zip.ZipFile.<init>(ZipFile.java:215)
14:38:04,420 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at java.util.zip.ZipFile.<init>(ZipFile.java:145)
14:38:04,420 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at java.util.jar.JarFile.<init>(JarFile.java:154)
14:38:04,420 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:88)
14:38:04,421 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:221)
14:38:04,421 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:216)
14:38:04,421 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at java.security.AccessController.doPrivileged(Native Method)
14:38:04,421 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.URLJarFile.retrieve(URLJarFile.java:215)
14:38:04,421 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:71)
14:38:04,421 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99)
14:38:04,421 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
14:38:04,422 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at sun.net.www.protocol.jar.JarURLConnection.getJarFile(JarURLConnection.java:89)
14:38:04,422 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    at javax.crypto.JarVerifier$2.run(JarVerifier.java:399)
14:38:04,422 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    ... 25 more
14:38:04,422 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)    Suppressed: java.nio.file.NoSuchFileException: /tmp/jar_cache6912958235559817778.tmp
14:38:04,422 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
14:38:04,422 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
14:38:04,422 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
14:38:04,423 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            at sun.nio.fs.UnixFileSystemProvider.implDelete(UnixFileSystemProvider.java:244)
14:38:04,423 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            at sun.nio.fs.AbstractFileSystemProvider.delete(AbstractFileSystemProvider.java:103)
14:38:04,423 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            at java.nio.file.Files.delete(Files.java:1079)
14:38:04,423 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:226)
14:38:04,423 ERROR [stderr] (http-orac.usersys.redhat.com/10.33.1.27:8080-1)            ... 33 more

Expected results:

that it works

Additional info:

workaround:
- deploy as a module and use a dependency
- register in the JDK as any other JCE library

However: this means extra configuration, while shipping inside the war file requires none at all.

Comment 1 David M. Lloyd 2015-05-01 13:57:30 UTC
I'm guessing that this is VFS-related - maybe the verifier code is using the code source and somehow it isn't lining up with the real physical location of the JAR?

Maybe try adding a deployment-structure descriptor with usePhysicalCodeSource set to true, and see if that makes the verifier happy?

Comment 2 Tom Fonteyne 2015-05-01 13:59:42 UTC
Can you please elaborate?

The intention is to use no modules. Do you have an example of such a descriptor that would use the bc jar file under WEB-INF/lib?

Comment 3 David M. Lloyd 2015-05-01 14:07:53 UTC
I don't recall the exact format offhand and I'm not at my computer, but it's the jboss-deployment-structure.xml descriptor which you would put in the META-INF folder of the root archive (I guess it's a WAR in your case).  It should be pretty easy to find a reference for this file.

This will at least tell us if the code source is the problem, or if something else is happening.

Either way though there's definitely a VFS bug involved.

Comment 4 Tom Fonteyne 2015-05-01 14:27:31 UTC
@David: that got it working!

<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
  <deployment>
    <resources>
      <resource-root path="WEB-INF/lib/bcprov-jdk15on-1.51.jar" use-physical-code-source="true"/>
    </resources>
  </deployment>
</jboss-deployment-structure>

So yes, I agree there is indeed a bug as I logged -> please fix it :)
But the above is a nice workaround indeed, so it might be sufficient to fix it in upstream WFLY-4576 only for now.
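The failure in the description and the effect of the use-physical-code-source workaround above can both be checked from outside the servlet. The following diagnostic is an added example, not code from the bug report, from the attached test case or from EAP: it performs the same three steps JCE performs when it authenticates a provider (take the provider class's CodeSource location, open that location as a JAR through a "jar:<location>!/" URL exactly as javax.crypto.JarVerifier does, read every entry so the signatures are checked) and then calls Cipher.getInstance against the provider. The class name ProviderJarCheck, the command line in the comment and the assumption that the provider jar is on the plain classpath (or that the class is dropped into the deployment and run there) are mine; the provider class is passed as an argument so nothing BouncyCastle-specific is compiled in. A location that is not a real ZIP on disk, such as the vfs: URL in the stack trace, fails at the open step; with the descriptor from Comment 4 the location becomes a file: URL and all steps pass.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.JarURLConnection;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.CodeSigner;
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.crypto.Cipher;

/**
 * ProviderJarCheck (added example, hypothetical class name): mirrors the checks
 * javax.crypto.JarVerifier performs before JCE accepts a provider.
 *
 * Assumed usage (the jar path is an assumption; adjust to your copy of the provider):
 *   java -cp .:bcprov-jdk15on-1.51.jar ProviderJarCheck org.bouncycastle.jce.provider.BouncyCastleProvider
 */
public class ProviderJarCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: ProviderJarCheck <provider-class-name>");
            System.exit(2);
        }
        Class<?> providerClass = Class.forName(args[0]);
        Provider provider = (Provider) providerClass.getDeclaredConstructor().newInstance();

        // Same registration as the reporter's deployment: added at runtime, not listed in java.security.
        Security.addProvider(provider);

        // Step 1: the location JCE will verify is the provider class's CodeSource, not the file on disk.
        CodeSource cs = providerClass.getProtectionDomain().getCodeSource();
        if (cs == null || cs.getLocation() == null) {
            System.out.println("no CodeSource location: JCE cannot verify a provider without one");
            return;
        }
        URL location = cs.getLocation();
        System.out.println("code source : " + location);
        System.out.println("protocol    : " + location.getProtocol()
                + ("file".equals(location.getProtocol()) ? " (physical jar, what use-physical-code-source=\"true\" yields)" : ""));

        // Step 2: open it the way JarVerifier does and read every entry so each digest is checked.
        try (JarFile jar = openAsJar(location)) {
            int entries = 0, signedEntries = 0, signatureFiles = 0;
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> e = jar.entries();
            while (e.hasMoreElements()) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory()) continue;
                String name = entry.getName();
                boolean meta = name.startsWith("META-INF/");
                if (meta && (name.endsWith(".SF") || name.endsWith(".RSA") || name.endsWith(".DSA") || name.endsWith(".EC"))) {
                    signatureFiles++;
                }
                // Code signers are only populated once the entry has been read through the verifying stream.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume so the digest is verified */ }
                }
                if (meta) continue; // manifest and signature files are not themselves signed entries
                entries++;
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers != null && signers.length > 0) signedEntries++;
            }
            System.out.println("entries     : " + entries + ", signed: " + signedEntries + ", signature files: " + signatureFiles);
            if (signatureFiles == 0 || signedEntries != entries) {
                System.out.println("WARNING: jar is not fully signed; JCE will reject the provider");
            }
        } catch (IOException ex) {
            // The branch this bug lands in: "Cannot verify jar:vfs:/..." caused by "zip file is empty".
            System.out.println("cannot open/verify provider jar at " + location + ": " + ex);
        }

        // Step 3: the call from the reporter's servlet; JCE repeats its own verification here.
        try {
            Cipher cipher = Cipher.getInstance("AES", provider.getName());
            System.out.println("Cipher.getInstance OK via " + cipher.getProvider().getName());
        } catch (SecurityException ex) {
            System.out.println("JCE refused the provider: " + ex.getMessage());
        }
    }

    /** Opens the code-source location as a verifying JarFile; non-file URLs go through a jar: URL like JarVerifier. */
    static JarFile openAsJar(URL location) throws IOException {
        if ("file".equals(location.getProtocol())) {
            try {
                return new JarFile(new File(location.toURI()), true);
            } catch (URISyntaxException ex) {
                throw new IOException(ex);
            }
        }
        URL jarUrl = new URL("jar:" + location + "!/");
        JarURLConnection conn = (JarURLConnection) jarUrl.openConnection();
        conn.setUseCaches(false);
        return conn.getJarFile();
    }
}
```

Run inside the deployment (for example from the same servlet that calls Cipher.getInstance) the first line printed tells you immediately whether the code source is a vfs: or a file: URL, which is the single fact that decides whether step 2 can succeed; if step 2 prints the open failure while the jar on disk verifies fine with jarsigner -verify, the problem is the code-source URL and not the signature.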

Comment 6 Peter Palaga 2016-11-24 10:22:56 UTC
Closing as WONTFIX as there is a valid workaround named in Comment #4 and the root issue will be fixed in some later version of EAP.

