Description of problem:
The customer used the Bouncy Castle jar in an application, but met two different errors with the code below:

~~~
try {
    this.rc4Cipher = Cipher.getInstance("RC4", "BC");
    this.generateKey();
    isInitialized = true;
} catch (NoSuchAlgorithmException e) {
    e.printStackTrace();
} catch (NoSuchPaddingException e) {
    e.printStackTrace();
} catch (NoSuchProviderException e) {
    e.printStackTrace();
}
~~~

1. Using other algorithms instead of RC4 due to security recommendations of EAP 6.4 in the above code:

error stack:
~~~
11:23:28,468 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/depositnow].[ProcessController]] (http-/127.0.0.1:8080-1) JBWEB000235: Allocate exception for servlet ProcessController: java.util.zip.ZipException: zip file is empty
    at java.util.zip.ZipFile.open(Native Method) [rt.jar:1.7.0_76]
    at java.util.zip.ZipFile.<init>(ZipFile.java:215) [rt.jar:1.7.0_76]
    at java.util.zip.ZipFile.<init>(ZipFile.java:145) [rt.jar:1.7.0_76]
    at java.util.jar.JarFile.<init>(JarFile.java:154) [rt.jar:1.7.0_76]
    at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:88) [rt.jar:1.7.0_76]
    at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:221) [rt.jar:1.7.0_76]
    at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:216) [rt.jar:1.7.0_76]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_76]
    at sun.net.www.protocol.jar.URLJarFile.retrieve(URLJarFile.java:215) [rt.jar:1.7.0_76]
    at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:71) [rt.jar:1.7.0_76]
    at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:109) [rt.jar:1.7.0_76]
    at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122) [rt.jar:1.7.0_76]
    at sun.net.www.protocol.jar.JarURLConnection.getJarFile(JarURLConnection.java:89) [rt.jar:1.7.0_76]
    at javax.crypto.JarVerifier$2.run(JarVerifier.java:399) [jce.jar:1.7.0_71]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_76]
    at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:384) [jce.jar:1.7.0_71]
    at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:322) [jce.jar:1.7.0_71]
    at javax.crypto.JarVerifier.verify(JarVerifier.java:250) [jce.jar:1.7.0_71]
    at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:161) [jce.jar:1.7.0_71]
    at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:187) [jce.jar:1.7.0_71]
    at javax.crypto.Cipher.getInstance(Cipher.java:638) [jce.jar:1.7.0_71]
    at javax.crypto.Cipher.getInstance(Cipher.java:580) [jce.jar:1.7.0_71]
    at com.bs.depositnow.ocr.OcrServerAccessManager.initilize(OcrServerAccessManager.java:132) [classes:]
~~~

2. Using the code below instead:

~~~
this.rc4Cipher = Cipher.getInstance("OTHER ALGORITHMS");
~~~

error stack:
~~~
08:29:27,347 ERROR [stderr] (ServerService Thread Pool -- 54) java.security.NoSuchAlgorithmException: No such algorithm: Signature.MD5WITHRSA
    at javax.crypto.Cipher.getInstance(Cipher.java:673)
    at javax.crypto.Cipher.getInstance(Cipher.java:580)
    at com.bs.depositnow.ocr.OcrServerAccessManager.initilize(OcrServerAccessManager.java:129)
    at com.bs.depositnow.controller.Startup.start(Startup.java:53)
    at com.bs.depositnow.controller.ProcessController.init(ProcessController.java:471)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1194)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1100)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802)
    at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163)
    at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
    at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:122)
~~~

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Do the preparation based on "https://access.redhat.com/solutions/162993".
2. Start EAP 6.4 and deploy "cipherpilot.war" in it.
3. Visit http://localhost:8080/cipherpilot and click on the "Submit" button.
4. Two different error messages will be printed in the server log.

Actual results:
~~~
15:57:30,326 ERROR [stderr] (http-/127.0.0.1:8080-1) java.lang.SecurityException: JCE cannot authenticate the provider BC
15:57:30,326 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.crypto.Cipher.getInstance(Cipher.java:642)
15:57:30,326 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.crypto.Cipher.getInstance(Cipher.java:580)
15:57:30,327 ERROR [stderr] (http-/127.0.0.1:8080-1) at cipher.pilot.CipherPilotServlet.doPost(CipherPilotServlet.java:91)
15:57:30,327 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
15:57:30,327 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
15:57:30,328 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
15:57:30,328 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
15:57:30,328 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
15:57:30,329 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
15:57:30,329 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
15:57:30,329 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
15:57:30,330 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
15:57:30,330 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
15:57:30,330 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
15:57:30,331 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
15:57:30,331 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
15:57:30,331 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
15:57:30,332 ERROR [stderr] (http-/127.0.0.1:8080-1) at java.lang.Thread.run(Thread.java:745)
15:57:30,332 ERROR [stderr] (http-/127.0.0.1:8080-1) Caused by: java.lang.SecurityException: Cannot verify jar:vfs:/content/cipherpilot.war/WEB-INF/lib/bcprov-jdk15on-153.jar!/
15:57:30,332 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:406)
15:57:30,333 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:322)
15:57:30,333 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.crypto.JarVerifier.verify(JarVerifier.java:250)
15:57:30,333 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:161)
15:57:30,334 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:187)
15:57:30,334 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.crypto.Cipher.getInstance(Cipher.java:638)
15:57:30,334 ERROR [stderr] (http-/127.0.0.1:8080-1) ... 17 more
15:57:30,335 ERROR [stderr] (http-/127.0.0.1:8080-1) Caused by: java.security.PrivilegedActionException: java.util.zip.ZipException: zip file is empty
15:57:30,335 ERROR [stderr] (http-/127.0.0.1:8080-1) at java.security.AccessController.doPrivileged(Native Method)
15:57:30,335 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:384)
15:57:30,336 ERROR [stderr] (http-/127.0.0.1:8080-1) ... 22 more
15:57:30,336 ERROR [stderr] (http-/127.0.0.1:8080-1) Caused by: java.util.zip.ZipException: zip file is empty
15:57:30,336 ERROR [stderr] (http-/127.0.0.1:8080-1) at java.util.zip.ZipFile.open(Native Method)
15:57:30,337 ERROR [stderr] (http-/127.0.0.1:8080-1) at java.util.zip.ZipFile.<init>(ZipFile.java:215)
15:57:30,337 ERROR [stderr] (http-/127.0.0.1:8080-1) at java.util.zip.ZipFile.<init>(ZipFile.java:145)
15:57:30,337 ERROR [stderr] (http-/127.0.0.1:8080-1) at java.util.jar.JarFile.<init>(JarFile.java:154)
15:57:30,337 ERROR [stderr] (http-/127.0.0.1:8080-1) at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:88)
15:57:30,338 ERROR [stderr] (http-/127.0.0.1:8080-1) at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:221)
15:57:30,338 ERROR [stderr] (http-/127.0.0.1:8080-1) at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:216)
15:57:30,341 ERROR [stderr] (http-/127.0.0.1:8080-1) at java.security.AccessController.doPrivileged(Native Method)
15:57:30,341 ERROR [stderr] (http-/127.0.0.1:8080-1) at sun.net.www.protocol.jar.URLJarFile.retrieve(URLJarFile.java:215)
15:57:30,342 ERROR [stderr] (http-/127.0.0.1:8080-1) at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:71)
15:57:30,342 ERROR [stderr] (http-/127.0.0.1:8080-1) at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99)
15:57:30,343 ERROR [stderr] (http-/127.0.0.1:8080-1) at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
15:57:30,343 ERROR [stderr] (http-/127.0.0.1:8080-1) at sun.net.www.protocol.jar.JarURLConnection.getJarFile(JarURLConnection.java:89)
15:57:30,343 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.crypto.JarVerifier$2.run(JarVerifier.java:399)
15:57:30,344 ERROR [stderr] (http-/127.0.0.1:8080-1) ... 24 more
15:57:30,344 ERROR [stderr] (http-/127.0.0.1:8080-1) Suppressed: java.nio.file.NoSuchFileException: /tmp/jar_cache6363102412784908678.tmp
15:57:30,345 ERROR [stderr] (http-/127.0.0.1:8080-1) at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
15:57:30,346 ERROR [stderr] (http-/127.0.0.1:8080-1) at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
15:57:30,346 ERROR [stderr] (http-/127.0.0.1:8080-1) at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
15:57:30,346 ERROR [stderr] (http-/127.0.0.1:8080-1) at sun.nio.fs.UnixFileSystemProvider.implDelete(UnixFileSystemProvider.java:244)
15:57:30,347 ERROR [stderr] (http-/127.0.0.1:8080-1) at sun.nio.fs.AbstractFileSystemProvider.delete(AbstractFileSystemProvider.java:103)
15:57:30,348 ERROR [stderr] (http-/127.0.0.1:8080-1) at java.nio.file.Files.delete(Files.java:1079)
15:57:30,348 ERROR [stderr] (http-/127.0.0.1:8080-1) at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:226)
15:57:30,348 ERROR [stderr] (http-/127.0.0.1:8080-1) ... 32 more
15:57:30,349 INFO [stdout] (http-/127.0.0.1:8080-1) -------------------------------------------------------------
15:57:30,349 ERROR [stderr] (http-/127.0.0.1:8080-1) java.security.NoSuchAlgorithmException: No such algorithm: 3DES
15:57:30,350 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.crypto.Cipher.getInstance(Cipher.java:673)
15:57:30,350 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.crypto.Cipher.getInstance(Cipher.java:580)
15:57:30,350 ERROR [stderr] (http-/127.0.0.1:8080-1) at cipher.pilot.CipherPilotServlet.doPost(CipherPilotServlet.java:110)
15:57:30,350 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
15:57:30,350 ERROR [stderr] (http-/127.0.0.1:8080-1) at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
15:57:30,351 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
15:57:30,351 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
15:57:30,351 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
15:57:30,351 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
15:57:30,351 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
15:57:30,352 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
15:57:30,352 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
15:57:30,352 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
15:57:30,352 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
15:57:30,352 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
15:57:30,353 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
15:57:30,353 ERROR [stderr] (http-/127.0.0.1:8080-1) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
15:57:30,353 ERROR [stderr] (http-/127.0.0.1:8080-1) at java.lang.Thread.run(Thread.java:745)
~~~

Expected results:
No errors.

Additional info:
Project is attached.
Created attachment 1087169: project to reproduce this issue. volume 1
Created attachment 1087170: project to reproduce this issue. volume 2
Created attachment 1087915: Example War that uses BouncyCastle
The 1st error is due to a configuration issue. The provided WAR is not correctly defined; see the attached exampleWar.tar.gz file for an example of a working war file based upon the original reproducer. The important parts are that a dependency on org.bouncycastle is declared in "jboss-deployment-structure.xml" in the WAR's WEB-INF folder.

Furthermore, it is also possible that the customer's EAP configuration may be causing an issue. I tried following the guidelines stated at [1], which I believe was forwarded to the customer, however the suggested module.xml content would not work for me. Instead I set my module.xml, in $JBOSS_HOME/modules/system/layers/base/org/bouncycastle/main, as follows:

~~~
<module name="org.bouncycastle" xmlns="urn:jboss:module:1.3">
    <resources>
        <artifact name="org.bouncycastle:bcprov-jdk15on:1.53"/>
    </resources>
    <dependencies>
        <module name="javax.api"/>
        <module name="javax.mail.api" optional="true"/>
        <module name="javax.activation.api" optional="true"/>
    </dependencies>
</module>
~~~

I believe the second error occurs because the algorithm "3DES" does not exist in BouncyCastle-1.53. As you can see in [2], the algorithm is not listed.

[1] https://access.redhat.com/solutions/162993
[2] https://github.com/bcgit/bc-java/blob/r1rv53/prov/src/main/java/org/bouncycastle/jce/provider/BouncyCastleProvider.java#L70-L76
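
Added example (not part of the bug report or its attachments): a small Java diagnostic for the two failures discussed above. It prints where each JCE provider class was loaded from, which is the location `JarVerifier` has to read in the first trace, and whether the cipher names from the report resolve. The class name `JceProviderCheck` is hypothetical; `DESede` is the JCA standard name for Triple DES and is included for comparison.

```java
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;

public class JceProviderCheck {

    // "RC4" and "3DES" come from the report; "DESede" is the JCA standard
    // name for Triple DES, added here for comparison.
    static final String[] NAMES = { "RC4", "3DES", "DESede" };

    /** True if the provider registers a Cipher under this name or under an alias. */
    static boolean hasCipher(Provider p, String name) {
        // Provider.getService resolves primary names and aliases.
        return p.getService("Cipher", name) != null;
    }

    /** URL the provider class was loaded from, or a marker if none is recorded. */
    static String location(Provider p) {
        CodeSource cs = p.getClass().getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null)
                ? "(no code source recorded)"
                : cs.getLocation().toString();
    }

    public static void main(String[] args) {
        // Optional argument: one provider name such as "BC".
        // With no argument, every installed provider is listed.
        Provider[] providers = Security.getProviders();
        if (args.length > 0) {
            Provider p = Security.getProvider(args[0]);
            if (p == null) {
                System.out.println("Provider " + args[0] + " is not registered");
                return;
            }
            providers = new Provider[] { p };
        }
        for (Provider p : providers) {
            System.out.println(p.getName() + " loaded from " + location(p));
            for (String name : NAMES) {
                System.out.println("  Cipher " + name + ": "
                        + (hasCipher(p, name) ? "available" : "not registered"));
            }
        }
    }
}
```

Run stand-alone it reports only the JDK's own providers; to see what the deployment sees, call the same two helpers from code inside the WAR. A location under the WAR's `WEB-INF/lib` rather than the `org.bouncycastle` module corresponds to the `Cannot verify jar:vfs:/content/...` failure in the trace.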