Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-4576

JCE jar file inside a deployment fails the signature check

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 9.0.0.Beta2
    • Fix Version/s: None
    • Component/s: VFS
    • Labels:
      None
    • Environment:

      Wildfly build from master on April 22, 2015

    • Steps to Reproduce:
      Hide

      1. Install WildFly (22-apr-2015 snapshot) out-of-the-box
      2. use the CLI to deploy the attached war file (inside the maven project)
      3. access: /bouncycastle-2015-01-30/bc

      Note that BC is not setup in the JDK, but is initialised in the deployment itself:
      row = Security.addProvider(new BouncyCastleProvider());

      The code that fails:
      Cipher cipher = Cipher.getInstance("AES", "BC");

      14:49:13,582 ERROR [stderr] (default task-1) java.lang.SecurityException: JCE cannot authenticate the provider BC
      14:49:13,583 ERROR [stderr] (default task-1)    at javax.crypto.Cipher.getInstance(Cipher.java:647)
      14:49:13,583 ERROR [stderr] (default task-1)    at javax.crypto.Cipher.getInstance(Cipher.java:585)
      14:49:13,583 ERROR [stderr] (default task-1)    at com.redhat.gss.tfonteyn.bouncycastle.bc.processRequest(bc.java:60)
      14:49:13,583 ERROR [stderr] (default task-1)    at com.redhat.gss.tfonteyn.bouncycastle.bc.doGet(bc.java:87)
      14:49:13,584 ERROR [stderr] (default task-1)    at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
      14:49:13,584 ERROR [stderr] (default task-1)    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      14:49:13,584 ERROR [stderr] (default task-1)    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
      14:49:13,584 ERROR [stderr] (default task-1)    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
      14:49:13,584 ERROR [stderr] (default task-1)    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
      14:49:13,585 ERROR [stderr] (default task-1)    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
      14:49:13,585 ERROR [stderr] (default task-1)    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      14:49:13,585 ERROR [stderr] (default task-1)    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
      14:49:13,585 ERROR [stderr] (default task-1)    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
      14:49:13,585 ERROR [stderr] (default task-1)    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      14:49:13,586 ERROR [stderr] (default task-1)    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      14:49:13,586 ERROR [stderr] (default task-1)    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      14:49:13,586 ERROR [stderr] (default task-1)    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
      14:49:13,586 ERROR [stderr] (default task-1)    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
      14:49:13,587 ERROR [stderr] (default task-1)    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
      14:49:13,587 ERROR [stderr] (default task-1)    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
      14:49:13,587 ERROR [stderr] (default task-1)    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      14:49:13,587 ERROR [stderr] (default task-1)    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      14:49:13,587 ERROR [stderr] (default task-1)    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      14:49:13,588 ERROR [stderr] (default task-1)    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      14:49:13,588 ERROR [stderr] (default task-1)    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:278)
      14:49:13,588 ERROR [stderr] (default task-1)    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
      14:49:13,588 ERROR [stderr] (default task-1)    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
      14:49:13,588 ERROR [stderr] (default task-1)    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
      14:49:13,589 ERROR [stderr] (default task-1)    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
      14:49:13,589 ERROR [stderr] (default task-1)    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
      14:49:13,589 ERROR [stderr] (default task-1)    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      14:49:13,589 ERROR [stderr] (default task-1)    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      14:49:13,590 ERROR [stderr] (default task-1)    at java.lang.Thread.run(Thread.java:745)
      14:49:13,590 ERROR [stderr] (default task-1) Caused by: java.lang.SecurityException: Cannot verify jar:vfs:/content/bouncycastle-2015-01-30.war/WEB-INF/lib/bcprov-jdk15on-1.51.jar!/
      14:49:13,590 ERROR [stderr] (default task-1)    at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:406)
      14:49:13,590 ERROR [stderr] (default task-1)    at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:322)
      14:49:13,590 ERROR [stderr] (default task-1)    at javax.crypto.JarVerifier.verify(JarVerifier.java:250)
      14:49:13,591 ERROR [stderr] (default task-1)    at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:161)
      14:49:13,591 ERROR [stderr] (default task-1)    at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:187)
      14:49:13,591 ERROR [stderr] (default task-1)    at javax.crypto.Cipher.getInstance(Cipher.java:643)
      14:49:13,591 ERROR [stderr] (default task-1)    ... 32 more
      14:49:13,591 ERROR [stderr] (default task-1) Caused by: java.security.PrivilegedActionException: java.util.zip.ZipException: zip file is empty
      14:49:13,592 ERROR [stderr] (default task-1)    at java.security.AccessController.doPrivileged(Native Method)
      14:49:13,592 ERROR [stderr] (default task-1)    at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:384)
      14:49:13,592 ERROR [stderr] (default task-1)    ... 37 more
      14:49:13,592 ERROR [stderr] (default task-1) Caused by: java.util.zip.ZipException: zip file is empty
      14:49:13,592 ERROR [stderr] (default task-1)    at java.util.zip.ZipFile.open(Native Method)
      14:49:13,593 ERROR [stderr] (default task-1)    at java.util.zip.ZipFile.<init>(ZipFile.java:215)
      14:49:13,593 ERROR [stderr] (default task-1)    at java.util.zip.ZipFile.<init>(ZipFile.java:145)
      14:49:13,593 ERROR [stderr] (default task-1)    at java.util.jar.JarFile.<init>(JarFile.java:154)
      14:49:13,593 ERROR [stderr] (default task-1)    at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:88)
      14:49:13,593 ERROR [stderr] (default task-1)    at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:221)
      14:49:13,593 ERROR [stderr] (default task-1)    at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:216)
      14:49:13,594 ERROR [stderr] (default task-1)    at java.security.AccessController.doPrivileged(Native Method)
      14:49:13,594 ERROR [stderr] (default task-1)    at sun.net.www.protocol.jar.URLJarFile.retrieve(URLJarFile.java:215)
      14:49:13,594 ERROR [stderr] (default task-1)    at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:71)
      14:49:13,594 ERROR [stderr] (default task-1)    at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99)
      14:49:13,594 ERROR [stderr] (default task-1)    at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
      14:49:13,594 ERROR [stderr] (default task-1)    at sun.net.www.protocol.jar.JarURLConnection.getJarFile(JarURLConnection.java:89)
      14:49:13,595 ERROR [stderr] (default task-1)    at javax.crypto.JarVerifier$2.run(JarVerifier.java:399)
      14:49:13,595 ERROR [stderr] (default task-1)    ... 39 more
      14:49:13,595 ERROR [stderr] (default task-1)    Suppressed: java.nio.file.NoSuchFileException: /tmp/jar_cache5134542653689112775.tmp
      14:49:13,595 ERROR [stderr] (default task-1)            at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
      14:49:13,595 ERROR [stderr] (default task-1)            at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
      14:49:13,596 ERROR [stderr] (default task-1)            at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
      14:49:13,596 ERROR [stderr] (default task-1)            at sun.nio.fs.UnixFileSystemProvider.implDelete(UnixFileSystemProvider.java:244)
      14:49:13,596 ERROR [stderr] (default task-1)            at sun.nio.fs.AbstractFileSystemProvider.delete(AbstractFileSystemProvider.java:103)
      14:49:13,596 ERROR [stderr] (default task-1)            at java.nio.file.Files.delete(Files.java:1079)
      14:49:13,596 ERROR [stderr] (default task-1)            at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:226)
      14:49:13,596 ERROR [stderr] (default task-1)            ... 47 more
      

      Show
      1. Install WildFly (22-apr-2015 snapshot) out-of-the-box 2. use the CLI to deploy the attached war file (inside the maven project) 3. access: /bouncycastle-2015-01-30/bc Note that BC is not setup in the JDK, but is initialised in the deployment itself: row = Security.addProvider(new BouncyCastleProvider()); The code that fails: Cipher cipher = Cipher.getInstance("AES", "BC"); 14:49:13,582 ERROR [stderr] (default task-1) java.lang.SecurityException: JCE cannot authenticate the provider BC 14:49:13,583 ERROR [stderr] (default task-1) at javax.crypto.Cipher.getInstance(Cipher.java:647) 14:49:13,583 ERROR [stderr] (default task-1) at javax.crypto.Cipher.getInstance(Cipher.java:585) 14:49:13,583 ERROR [stderr] (default task-1) at com.redhat.gss.tfonteyn.bouncycastle.bc.processRequest(bc.java:60) 14:49:13,583 ERROR [stderr] (default task-1) at com.redhat.gss.tfonteyn.bouncycastle.bc.doGet(bc.java:87) 14:49:13,584 ERROR [stderr] (default task-1) at javax.servlet.http.HttpServlet.service(HttpServlet.java:687) 14:49:13,584 ERROR [stderr] (default task-1) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) 14:49:13,584 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) 14:49:13,584 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) 14:49:13,584 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) 14:49:13,585 ERROR [stderr] (default task-1) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) 14:49:13,585 ERROR [stderr] (default task-1) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 14:49:13,585 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) 14:49:13,585 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) 14:49:13,585 ERROR [stderr] (default task-1) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 14:49:13,586 ERROR [stderr] (default task-1) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) 14:49:13,586 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) 14:49:13,586 ERROR [stderr] (default task-1) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) 14:49:13,586 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) 14:49:13,587 ERROR [stderr] (default task-1) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) 14:49:13,587 ERROR [stderr] (default task-1) at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) 14:49:13,587 ERROR [stderr] (default task-1) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 14:49:13,587 ERROR [stderr] (default task-1) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) 14:49:13,587 ERROR [stderr] (default task-1) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 14:49:13,588 ERROR [stderr] (default task-1) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 14:49:13,588 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:278) 14:49:13,588 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255) 14:49:13,588 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) 14:49:13,588 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) 14:49:13,589 ERROR [stderr] (default task-1) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) 14:49:13,589 ERROR [stderr] (default task-1) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) 14:49:13,589 ERROR [stderr] (default task-1) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) 14:49:13,589 ERROR [stderr] (default task-1) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) 14:49:13,590 ERROR [stderr] (default task-1) at java.lang.Thread.run(Thread.java:745) 14:49:13,590 ERROR [stderr] (default task-1) Caused by: java.lang.SecurityException: Cannot verify jar:vfs:/content/bouncycastle-2015-01-30.war/WEB-INF/lib/bcprov-jdk15on-1.51.jar!/ 14:49:13,590 ERROR [stderr] (default task-1) at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:406) 14:49:13,590 ERROR [stderr] (default task-1) at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:322) 14:49:13,590 ERROR [stderr] (default task-1) at javax.crypto.JarVerifier.verify(JarVerifier.java:250) 14:49:13,591 ERROR [stderr] (default task-1) at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:161) 14:49:13,591 ERROR [stderr] (default task-1) at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:187) 14:49:13,591 ERROR [stderr] (default task-1) at javax.crypto.Cipher.getInstance(Cipher.java:643) 14:49:13,591 ERROR [stderr] (default task-1) ... 32 more 14:49:13,591 ERROR [stderr] (default task-1) Caused by: java.security.PrivilegedActionException: java.util.zip.ZipException: zip file is empty 14:49:13,592 ERROR [stderr] (default task-1) at java.security.AccessController.doPrivileged(Native Method) 14:49:13,592 ERROR [stderr] (default task-1) at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:384) 14:49:13,592 ERROR [stderr] (default task-1) ... 37 more 14:49:13,592 ERROR [stderr] (default task-1) Caused by: java.util.zip.ZipException: zip file is empty 14:49:13,592 ERROR [stderr] (default task-1) at java.util.zip.ZipFile.open(Native Method) 14:49:13,593 ERROR [stderr] (default task-1) at java.util.zip.ZipFile.<init>(ZipFile.java:215) 14:49:13,593 ERROR [stderr] (default task-1) at java.util.zip.ZipFile.<init>(ZipFile.java:145) 14:49:13,593 ERROR [stderr] (default task-1) at java.util.jar.JarFile.<init>(JarFile.java:154) 14:49:13,593 ERROR [stderr] (default task-1) at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:88) 14:49:13,593 ERROR [stderr] (default task-1) at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:221) 14:49:13,593 ERROR [stderr] (default task-1) at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:216) 14:49:13,594 ERROR [stderr] (default task-1) at java.security.AccessController.doPrivileged(Native Method) 14:49:13,594 ERROR [stderr] (default task-1) at sun.net.www.protocol.jar.URLJarFile.retrieve(URLJarFile.java:215) 14:49:13,594 ERROR [stderr] (default task-1) at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:71) 14:49:13,594 ERROR [stderr] (default task-1) at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99) 14:49:13,594 ERROR [stderr] (default task-1) at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122) 14:49:13,594 ERROR [stderr] (default task-1) at sun.net.www.protocol.jar.JarURLConnection.getJarFile(JarURLConnection.java:89) 14:49:13,595 ERROR [stderr] (default task-1) at javax.crypto.JarVerifier$2.run(JarVerifier.java:399) 14:49:13,595 ERROR [stderr] (default task-1) ... 39 more 14:49:13,595 ERROR [stderr] (default task-1) Suppressed: java.nio.file.NoSuchFileException: /tmp/jar_cache5134542653689112775.tmp 14:49:13,595 ERROR [stderr] (default task-1) at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86) 14:49:13,595 ERROR [stderr] (default task-1) at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102) 14:49:13,596 ERROR [stderr] (default task-1) at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107) 14:49:13,596 ERROR [stderr] (default task-1) at sun.nio.fs.UnixFileSystemProvider.implDelete(UnixFileSystemProvider.java:244) 14:49:13,596 ERROR [stderr] (default task-1) at sun.nio.fs.AbstractFileSystemProvider.delete(AbstractFileSystemProvider.java:103) 14:49:13,596 ERROR [stderr] (default task-1) at java.nio.file.Files.delete(Files.java:1079) 14:49:13,596 ERROR [stderr] (default task-1) at sun.net.www.protocol.jar.URLJarFile$1.run(URLJarFile.java:226) 14:49:13,596 ERROR [stderr] (default task-1) ... 47 more
    • Workaround Description:
      Hide
      • deploy as a module and use a dependency
      • register in the JDK as any other JCE library

      or add jboss-deployment-structure.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-deployment-structure>
      <deployment>
      <resources>
      <resource-root path="WEB-INF/lib/bcprov-jdk15on-1.51.jar" use-physical-code-source="true"/>
      </resources>
      </deployment>
      </jboss-deployment-structure>
      

      Show
      deploy as a module and use a dependency register in the JDK as any other JCE library or add jboss-deployment-structure.xml <? xml version = "1.0" encoding = "UTF-8" ?> < jboss -deployment-structure> < deployment > < resources > < resource -root path = "WEB-INF/lib/bcprov-jdk15on-1.51.jar" use-physical-code-source = "true" /> </ resources > </ deployment > </ jboss -deployment-structure>
    • Bugzilla Update:
      Perform

      Description

      deploy a war file which contains the bouncycastle (or any other JCE) signed jar file. Initialise and try to use a cipher results in a failure due to VFS not being able to read and verify the file

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                tfonteyn Tom Fonteyne
              • Votes:
                2 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated: