Bug 1275970 - Problem with initializing Cipher in JBoss EAP 6.4.0.GA
Status: CLOSED NOTABUG
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.0
Hardware: All All
Priority: high, Severity: high
Assigned To: Ryan Emerson
QA Contact: Josef Cacek
Reported: 2015-10-28 04:54 EDT by xuzhan
Modified: 2015-12-02 03:03 EST
Doc Type: Bug Fix
Last Closed: 2015-11-20 09:28:40 EST
Type: Bug

Attachments:
project to reproduce this issue. volume 1 (15.00 MB, application/x-7z-compressed), 2015-10-28 05:02 EDT, xuzhan
project to reproduce this issue. volume 2 (14.53 MB, application/octet-stream), 2015-10-28 05:03 EDT, xuzhan
Example War that uses BouncyCastle (40.19 KB, application/x-gzip), 2015-10-30 07:26 EDT, Ryan Emerson

Description xuzhan 2015-10-28 04:54:33 EDT
Description of problem:

The customer applied the Bouncy Castle jar in the application, but met two different errors with the code below:
~~~
try {
    this.rc4Cipher = Cipher.getInstance("RC4", "BC");
    this.generateKey();
    isInitialized = true;
} catch (NoSuchAlgorithmException e) {
    e.printStackTrace();
} catch (NoSuchPaddingException e) {
    e.printStackTrace();
} catch (NoSuchProviderException e) {
    e.printStackTrace();
}
~~~

1. Using other algorithms instead of RC4 in the above code, due to the security recommendations of EAP 6.4:

error stack:
~~~
11:23:28,468 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/depositnow].[ProcessController]] (http-/127.0.0.1:8080-1) JBWEB000235: Allocate exception for servlet ProcessController:
			java.util.zip.ZipException: zip file is empty
			at java.util.zip.ZipFile.open(Native Method) [rt.jar:1.7.0_76]
			at java.util.zip.ZipFile.<init>(ZipFile.java:215) [rt.jar:1.7.0_76]
			at java.util.zip.ZipFile.<init>(ZipFile.java:145) [rt.jar:1.7.0_76]
			at java.util.jar.JarFile.<init>(JarFile.java:154) [rt.jar:1.7.0_76]
			at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:88) [rt.jar:1.7.0_76]
			at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:221) [rt.jar:1.7.0_76]
			at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:216) [rt.jar:1.7.0_76]
			at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_76]
			at sun.net.www.protocol.jar.URLJarFile.retrieve(URLJarFile.java:215) [rt.jar:1.7.0_76]
			at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:71) [rt.jar:1.7.0_76]
			at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:109) [rt.jar:1.7.0_76]
			at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122) [rt.jar:1.7.0_76]
			at sun.net.www.protocol.jar.JarURLConnection.getJarFile(JarURLConnection.java:89) [rt.jar:1.7.0_76]
			at javax.crypto.JarVerifier$2.run(JarVerifier.java:399) [jce.jar:1.7.0_71]
			at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_76]
			at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:384) [jce.jar:1.7.0_71]
			at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:322) [jce.jar:1.7.0_71]
			at javax.crypto.JarVerifier.verify(JarVerifier.java:250) [jce.jar:1.7.0_71]
			at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:161) [jce.jar:1.7.0_71]
			at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:187) [jce.jar:1.7.0_71]
			at javax.crypto.Cipher.getInstance(Cipher.java:638) [jce.jar:1.7.0_71]
			at javax.crypto.Cipher.getInstance(Cipher.java:580) [jce.jar:1.7.0_71]
			at com.bs.depositnow.ocr.OcrServerAccessManager.initilize(OcrServerAccessManager.java:132) [classes:]
~~~

2. Using the code below instead:
~~~
this.rc4Cipher = Cipher.getInstance("OTHER ALGORITHMS");
~~~

error stack:
~~~
08:29:27,347 ERROR [stderr] (ServerService Thread Pool -- 54) java.security.NoSuchAlgorithmException: No such algorithm: Signature.MD5WITHRSA
				at javax.crypto.Cipher.getInstance(Cipher.java:673)
				at javax.crypto.Cipher.getInstance(Cipher.java:580)
				at com.bs.depositnow.ocr.OcrServerAccessManager.initilize(OcrServerAccessManager.java:129)
				at com.bs.depositnow.controller.Startup.start(Startup.java:53)
				at com.bs.depositnow.controller.ProcessController.init(ProcessController.java:471)
				at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1194)
				at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1100)
				at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593)
				at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802)
				at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163)
				at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
				at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
				at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
				at java.util.concurrent.FutureTask.run(FutureTask.java:262)
				at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
				at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
				at java.lang.Thread.run(Thread.java:745)
				at org.jboss.threads.JBossThread.run(JBossThread.java:122)

~~~

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Do the preparation based on "https://access.redhat.com/solutions/162993".
2. Start EAP 6.4 and deploy "cipherpilot.war" in it.
3. Visit http://localhost:8080/cipherpilot, and click on the "Submit" button.
4. Two different error messages will be printed in the server log.

Actual results:
~~~
15:57:30,326 ERROR [stderr] (http-/127.0.0.1:8080-1) java.lang.SecurityException: JCE cannot authenticate the provider BC
15:57:30,326 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.crypto.Cipher.getInstance(Cipher.java:642)
15:57:30,326 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.crypto.Cipher.getInstance(Cipher.java:580)
15:57:30,327 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at cipher.pilot.CipherPilotServlet.doPost(CipherPilotServlet.java:91)
15:57:30,327 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
15:57:30,327 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
15:57:30,328 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
15:57:30,328 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
15:57:30,328 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
15:57:30,329 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
15:57:30,329 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
15:57:30,329 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
15:57:30,330 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
15:57:30,330 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
15:57:30,330 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
15:57:30,331 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
15:57:30,331 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
15:57:30,331 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
15:57:30,332 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at java.lang.Thread.run(Thread.java:745)
15:57:30,332 ERROR [stderr] (http-/127.0.0.1:8080-1) Caused by: java.lang.SecurityException: Cannot verify jar:vfs:/content/cipherpilot.war/WEB-INF/lib/bcprov-jdk15on-153.jar!/
15:57:30,332 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:406)
15:57:30,333 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:322)
15:57:30,333 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.crypto.JarVerifier.verify(JarVerifier.java:250)
15:57:30,333 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:161)
15:57:30,334 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:187)
15:57:30,334 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.crypto.Cipher.getInstance(Cipher.java:638)
15:57:30,334 ERROR [stderr] (http-/127.0.0.1:8080-1) 	... 17 more
15:57:30,335 ERROR [stderr] (http-/127.0.0.1:8080-1) Caused by: java.security.PrivilegedActionException: java.util.zip.ZipException: zip file is empty
15:57:30,335 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at java.security.AccessController.doPrivileged(Native Method)
15:57:30,335 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:384)
15:57:30,336 ERROR [stderr] (http-/127.0.0.1:8080-1) 	... 22 more
15:57:30,336 ERROR [stderr] (http-/127.0.0.1:8080-1) Caused by: java.util.zip.ZipException: zip file is empty
15:57:30,336 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at java.util.zip.ZipFile.open(Native Method)
15:57:30,337 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at java.util.zip.ZipFile.<init>(ZipFile.java:215)
15:57:30,337 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at java.util.zip.ZipFile.<init>(ZipFile.java:145)
15:57:30,337 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at java.util.jar.JarFile.<init>(JarFile.java:154)
15:57:30,337 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:88)
15:57:30,338 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:221)
15:57:30,338 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:216)
15:57:30,341 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at java.security.AccessController.doPrivileged(Native Method)
15:57:30,341 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at sun.net.www.protocol.jar.URLJarFile.retrieve(URLJarFile.java:215)
15:57:30,342 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:71)
15:57:30,342 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99)
15:57:30,343 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
15:57:30,343 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at sun.net.www.protocol.jar.JarURLConnection.getJarFile(JarURLConnection.java:89)
15:57:30,343 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.crypto.JarVerifier$2.run(JarVerifier.java:399)
15:57:30,344 ERROR [stderr] (http-/127.0.0.1:8080-1) 	... 24 more
15:57:30,344 ERROR [stderr] (http-/127.0.0.1:8080-1) 	Suppressed: java.nio.file.NoSuchFileException: /tmp/jar_cache6363102412784908678.tmp
15:57:30,345 ERROR [stderr] (http-/127.0.0.1:8080-1) 		at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
15:57:30,346 ERROR [stderr] (http-/127.0.0.1:8080-1) 		at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
15:57:30,346 ERROR [stderr] (http-/127.0.0.1:8080-1) 		at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
15:57:30,346 ERROR [stderr] (http-/127.0.0.1:8080-1) 		at sun.nio.fs.UnixFileSystemProvider.implDelete(UnixFileSystemProvider.java:244)
15:57:30,347 ERROR [stderr] (http-/127.0.0.1:8080-1) 		at sun.nio.fs.AbstractFileSystemProvider.delete(AbstractFileSystemProvider.java:103)
15:57:30,348 ERROR [stderr] (http-/127.0.0.1:8080-1) 		at java.nio.file.Files.delete(Files.java:1079)
15:57:30,348 ERROR [stderr] (http-/127.0.0.1:8080-1) 		at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:226)
15:57:30,348 ERROR [stderr] (http-/127.0.0.1:8080-1) 		... 32 more
15:57:30,349 INFO  [stdout] (http-/127.0.0.1:8080-1) -------------------------------------------------------------
15:57:30,349 ERROR [stderr] (http-/127.0.0.1:8080-1) java.security.NoSuchAlgorithmException: No such algorithm: 3DES
15:57:30,350 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.crypto.Cipher.getInstance(Cipher.java:673)
15:57:30,350 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.crypto.Cipher.getInstance(Cipher.java:580)
15:57:30,350 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at cipher.pilot.CipherPilotServlet.doPost(CipherPilotServlet.java:110)
15:57:30,350 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
15:57:30,350 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
15:57:30,351 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
15:57:30,351 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
15:57:30,351 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
15:57:30,351 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
15:57:30,351 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
15:57:30,352 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
15:57:30,352 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
15:57:30,352 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
15:57:30,352 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
15:57:30,352 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
15:57:30,353 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
15:57:30,353 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
15:57:30,353 ERROR [stderr] (http-/127.0.0.1:8080-1) 	at java.lang.Thread.run(Thread.java:745)
~~~

Expected results:
No errors.

Additional info:
Project is attached.
Comment 1 xuzhan 2015-10-28 05:02 EDT
Created attachment 1087169
project to reproduce this issue. volume 1
Comment 2 xuzhan 2015-10-28 05:03 EDT
Created attachment 1087170
project to reproduce this issue. volume 2
Comment 4 Ryan Emerson 2015-10-30 07:26 EDT
Created attachment 1087915
Example War that uses BouncyCastle
Comment 5 Ryan Emerson 2015-10-30 07:26:57 EDT
The 1st error is due to a configuration issue. The provided WAR is not correctly defined; see the attached exampleWar.tar.gz file for an example of a working WAR file based upon the original reproducer. The important part is that a dependency on org.bouncycastle is declared in "jboss-deployment-structure.xml" in the WAR's WEB-INF folder.

Furthermore, it is also possible that the customer's EAP configuration may be causing an issue.  I tried following the guidelines stated at [1], which I believe was forwarded to the customer, however the suggested module.xml content would not work for me. Instead I set my module.xml, in $JBOSS_HOME/modules/system/layers/base/org/bouncycastle/main, as follows:

~~~
<module name="org.bouncycastle" xmlns="urn:jboss:module:1.3">
	<resources>
		<artifact name="org.bouncycastle:bcprov-jdk15on:1.53"/>
	</resources>
	<dependencies>
		<module name="javax.api"/>
		<module name="javax.mail.api" optional="true"/>
		<module name="javax.activation.api" optional="true"/>
	</dependencies>
</module>
~~~

I believe the second error occurs because the algorithm "3DES" does not exist in BouncyCastle-1.53.  As you can see in [2], the algorithm is not listed.

[1] https://access.redhat.com/solutions/162993
[2] https://github.com/bcgit/bc-java/blob/r1rv53/prov/src/main/java/org/bouncycastle/jce/provider/BouncyCastleProvider.java#L70-L76
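
A diagnostic for the two causes named in Comment 5, added here as an example and not part of the bug report, the attached WARs, or JBoss/BouncyCastle code: it reports where each registered JCE provider was loaded from and whether the names from this report are registered as Cipher algorithms or aliases. The class name `CipherNameCheck`, its methods, and the extra names `DESede` (the standard JCA name for triple DES) and `AES` are assumptions for illustration; call `report(...)` from inside the deployment to see what the application's class loader sees.

```java
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import java.util.Set;
import java.util.TreeSet;

// Hypothetical helper class, not from the reproducer project.
public class CipherNameCheck {
    private static final String ALIAS_PREFIX = "Alg.Alias.Cipher.";

    /** All Cipher algorithm names and aliases a provider registers (case-insensitive). */
    static Set<String> cipherNames(Provider p) {
        Set<String> names = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
        for (Provider.Service s : p.getServices()) {
            if ("Cipher".equals(s.getType())) {
                names.add(s.getAlgorithm());
            }
        }
        // Aliases are exposed as "Alg.Alias.Cipher.<alias>" provider properties.
        for (Object k : p.keySet()) {
            String key = String.valueOf(k);
            if (key.startsWith(ALIAS_PREFIX)) {
                names.add(key.substring(ALIAS_PREFIX.length()));
            }
        }
        return names;
    }

    /** Where the provider class came from, e.g. a module jar or WEB-INF/lib. */
    static String location(Provider p) {
        CodeSource cs = p.getClass().getProtectionDomain().getCodeSource();
        return cs == null ? "(JDK runtime)" : String.valueOf(cs.getLocation());
    }

    /** One block per provider that offers ciphers, listing each wanted name. */
    static String report(String... wanted) {
        StringBuilder out = new StringBuilder();
        for (Provider p : Security.getProviders()) {
            Set<String> names = cipherNames(p);
            if (names.isEmpty()) continue;
            out.append(p).append(" loaded from ").append(location(p)).append('\n');
            for (String w : wanted) {
                out.append("  ").append(w).append(": ")
                   .append(names.contains(w) ? "registered" : "not registered").append('\n');
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.print(report("RC4", "3DES", "DESede", "AES"));
    }
}
```

A name shown as registered can still fail in `Cipher.getInstance` if the provider jar does not pass JCE verification, as in the first stack trace above.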
