AEM 6.5 Authentication Cipher issue with BouncyCastle that doesn't appear in 6.3

Avatar

Avatar
Validate 1
Level 3
sdouglasmc
Level 3

Likes

22 likes

Total Posts

83 posts

Correct reply

4 solutions
Top badges earned
Validate 1
Give Back
Ignite 1
Boost 5
Boost 3
View profile

Avatar
Validate 1
Level 3
sdouglasmc
Level 3

Likes

22 likes

Total Posts

83 posts

Correct reply

4 solutions
Top badges earned
Validate 1
Give Back
Ignite 1
Boost 5
Boost 3
View profile
sdouglasmc
Level 3

30-07-2020

We are migrating a site in AEM 6.3 to 6.5(6.5.5).  During authentication, there is the use of PKCS7PADDING which is not working in 6.5 but does work in 6.3 with both environments having bcprov-bcprov- 1.66 installed: 
final Cipher decrypterWithPad = Cipher.getInstance("AES/CBC/PKCS7PADDING",
BouncyCastleProvider.PROVIDER_NAME);
--Provider Name being "BC" as seen in the error below---


I've stripped out everything and created a small test package (with only slight changes needed for versions of 2 dependencies in the core pom) that I could quickly test in fresh 6.5 and 6.3 environments - no service packs in either.
-Start up fresh publish instances of 6.3 and 6.5
-Install bcprov-bcprov- 1.66 manually in OSGI
-Install my little package to both 6.3 and 6.5
-Hit my servlet by path which calls the above lines of code (obviously a bit more).
6.3 Works great!  6.5 returns the same below log.  So something has changed fundamentally in 6.5.  I'm wondering if it is something in the sling.properties issue.  Both are using the same Java 8 version.

 

30.07.2020 20:54:55.184 *ERROR* [0:0:0:0:0:0:0:1 [1596153295173] GET /bin/bouncy/cookieTest HTTP/1.1] com.bouncy.service.BouncyAuthCookie Could not decrypt val:t=NAE7xPWDo62oRc5Ly6i_jJo_dzptFgmp2EzIJmVkHmkyOBnYp5RTi1n1bJe9bnCQk9t0RLyDFSg5-ncOxwvw0IhbqVIGdzsVsEPpVIes2XOgGknK1B32wRK0UtychXvPeuR3EZFJa7rRydw2IQY3Mzylth-BH6dEqioD8C0QuTDdIyjSaN2t5J9-MSgWq9jRQfz2XWtrMgryh8rk8kcjonOZx25HtIQRPIU9QSyP69GY4CKiJIH8pmcaau69EP6h4GYs3w2LbZMDFfoLXvy5_ag0TZyLSeV8HqtkYmA8H6quAFpYubONObqNMiR3my7cQtV7RSGfTfTweqWBdsfT_NlRLBxI4rIlmE9QTlfz_KmQsBy1CHiQm8mAqNo1ZmIHVLH2eHf0fKL4cEHZUXxRbNpH4eJiwuTAtaK5N8IiVXsEFLwC84Et56s4fQJHaj22nKh4JLRCK_40lyebpp9k_G6rFloGanZ9htx_YATXusTO7fufpyZ4yFLOkEh5WgeyC6sOFRe_021I_cRZMuJUoj-4MCW5GBd2hFkyatW6IbsLV6QT3cP4F1CLbCIUKVlYwvXPXKUdQzw5aVnd-aWIrQNVLbZFEsWQUjYT6-T9OXgHzE_iiBmiyItsN0hjO5Si9jiLA8fsWhZV92dNLDRAhTOzRMWk_gsPOotordmM-V5htYXSnbJ5z3VvoPoOT8KKU1zYI5yvfsItbdHz965YopwvJGLD3CG7RPt5YEDlHzEQzbkS3pykab00wCLFJeRHDJQ4c-XoQ1PHaQvKHywtfhT8bLdBZ4OLn5xnshqDPB7V8W3sbdRQXVRa6PfiuOMstEQRhBHHGuZeiOUOEWncl3XhAilavZPih7Dcx7yJ6EPhMt9IFjuGDoL6mC0k4BaZpXl7WaPYkZDJXSWYgSl2EYWbX-V_L5Bru74zC5evnaVX3sUjpd_SEzJl3cD8bdG_zLzEeidydNZP2YgI66uBm710qd9ILP8oLl2Khe_Jvwy4bOp-X2t7BWvzb2r7SXkua3leuC4u3b5iueBiHslMMybNyCNK7PRKWigPGaiPkK7sN4_dIIryUXUb1gtJb1vTGkyRYYCvxg57JMylv_dFFehMC6FfdtSImrNJvCp9NR4~
java.lang.SecurityException: JCE cannot authenticate the provider BC

.......
Caused by: java.lang.IllegalStateException: Stream handler unavailable due to: invalid url: inputstream:bcprov-jdk15to18-166.jar!/ (java.net.MalformedURLException: Unknown protocol: inputstream)
at org.apache.felix.framework.URLHandlersStreamHandlerProxy.parseURL(URLHandlersStreamHandlerProxy.java:431)
at java.net.URL.<init>(URL.java:622)
... 139 common frames omitted
Caused by: java.net.MalformedURLException: invalid url: inputstream:bcprov-jdk15to18-166.jar!/ (java.net.MalformedURLException: Unknown protocol: inputstream)
at java.net.URL.<init>(URL.java:627)
at org.apache.felix.framework.util.SecureAction.createURL(SecureAction.java:256)
at org.apache.felix.framework.URLHandlersStreamHandlerProxy.parseURL(URLHandlersStreamHandlerProxy.java:423)
... 140 common frames omitted
Caused by: java.lang.NullPointerException: invalid url: inputstream:bcprov-jdk15to18-166.jar!/ (java.net.MalformedURLException: Unknown protocol: inputstream)
at sun.net.www.protocol.jar.Handler.parseAbsoluteSpec(Handler.java:178)
at sun.net.www.protocol.jar.Handler.parseURL(Handler.java:151)
at java.net.URL.<init>(URL.java:622)
... 142 common frames omitted




Accepted Solutions (1)

Accepted Solutions (1)

Avatar

Avatar
Validate 1
Level 3
sdouglasmc
Level 3

Likes

22 likes

Total Posts

83 posts

Correct reply

4 solutions
Top badges earned
Validate 1
Give Back
Ignite 1
Boost 5
Boost 3
View profile

Avatar
Validate 1
Level 3
sdouglasmc
Level 3

Likes

22 likes

Total Posts

83 posts

Correct reply

4 solutions
Top badges earned
Validate 1
Give Back
Ignite 1
Boost 5
Boost 3
View profile
sdouglasmc
Level 3

09-08-2020

I found the actual issue. The issue is with the updated Felix Framework code. The BundleProtectionDomain has been updated since 6.4 and seems to be breaking in 6.5 because of the ProtectionDomain Code Source returning a different value. In 6.4 and below, it returns a jar input type in the CodeSource and location of:
jar:bundle://546.0:0/!/

Whereas in 6.5, although the Protection Domain is set the same (for the most part- [bcprov [583](R 583.0)]) as in 6.4 [bcprov [546](R 546.0)] - the CodeSource value returns the actual jar name and "bundle install method" which is not compliant with java URL: (inputstream:bcprov-jdk15to18-166.jar)

Answers (3)

Answers (3)

Avatar

Avatar
Validate 1
Level 1
vibhuranjan21
Level 1

Likes

2 likes

Total Posts

8 posts

Correct reply

2 solutions
Top badges earned
Validate 1
Boost 1
Affirm 1
View profile

Avatar
Validate 1
Level 1
vibhuranjan21
Level 1

Likes

2 likes

Total Posts

8 posts

Correct reply

2 solutions
Top badges earned
Validate 1
Boost 1
Affirm 1
View profile
vibhuranjan21
Level 1

05-02-2021

Following is the working solution for this issue:

 

1. Place the bouncycastle jar under crx-quickstart\launchpad\ext (you may have to create the directory)
2. Add the following to the sling.properties:
sling.bootdelegation.class.org.bouncycastle.jce.provider.BouncyCastleProvider=org.bouncycastle.*
sling.bootdelegation.class.com.rsa.jsafe.provider.JsafeJCE=com.rsa.*

 

 

Avatar

Avatar
Validate 1
Level 3
sdouglasmc
Level 3

Likes

22 likes

Total Posts

83 posts

Correct reply

4 solutions
Top badges earned
Validate 1
Give Back
Ignite 1
Boost 5
Boost 3
View profile

Avatar
Validate 1
Level 3
sdouglasmc
Level 3

Likes

22 likes

Total Posts

83 posts

Correct reply

4 solutions
Top badges earned
Validate 1
Give Back
Ignite 1
Boost 5
Boost 3
View profile
sdouglasmc
Level 3

10-08-2020

The hack for this - for Java 8 and 11, in this case is to place the bouncycastle jar under crx-quickstart\launchpad\ext (you may have to create the directory),

Add the folowing to the sling.properties: 
sling.bootdelegation.class.org.bouncycastle.jce.provider.BouncyCastleProvider=org.bouncycastle.*
sling.bootdelegation.class.com.rsa.jsafe.provider.JsafeJCE=com.rsa.* (not really sure this one is needed)

This is a complete hack as it breaks modularity which is the premise of OSGI.  Versioning/restrictions are not attainable so any updates to the code using the BC package will be open to CNF exceptions.  

Since this didn't have to be done until AEM 6.5 (which it shouldn't), I've created a support ticket as this will blow up in the Cloud as well.

Avatar

Avatar
Springboard
MVP
Shashi_Mulugu
MVP

Likes

232 likes

Total Posts

294 posts

Correct reply

67 solutions
Top badges earned
Springboard
Bedrock
Validate 1
Applaud 100
Establish
View profile

Avatar
Springboard
MVP
Shashi_Mulugu
MVP

Likes

232 likes

Total Posts

294 posts

Correct reply

67 solutions
Top badges earned
Springboard
Bedrock
Validate 1
Applaud 100
Establish
View profile
Shashi_Mulugu
MVP

31-07-2020