AEM 6.5 Authentication Cipher issue with BouncyCastle that doesn't appear in 6.3

Avatar

Avatar

sdouglasmc

Avatar

sdouglasmc

sdouglasmc

30-07-2020

We are migrating a site in AEM 6.3 to 6.5(6.5.5).  During authentication, there is the use of PKCS7PADDING which is not working in 6.5 but does work in 6.3 with both environments having bcprov-bcprov- 1.66 installed: 
final Cipher decrypterWithPad = Cipher.getInstance("AES/CBC/PKCS7PADDING",
BouncyCastleProvider.PROVIDER_NAME);
--Provider Name being "BC" as seen in the error below---


I've stripped out everything and created a small test package (with only slight changes needed for versions of 2 dependencies in the core pom) that I could quickly test in fresh 6.5 and 6.3 environments - no service packs in either.
-Start up fresh publish instances of 6.3 and 6.5
-Install bcprov-bcprov- 1.66 manually in OSGI
-Install my little package to both 6.3 and 6.5
-Hit my servlet by path which calls the above lines of code (obviously a bit more).
6.3 Works great!  6.5 returns the same below log.  So something has changed fundamentally in 6.5.  I'm wondering if it is something in the sling.properties issue.  Both are using the same Java 8 version.

 

30.07.2020 20:54:55.184 *ERROR* [0:0:0:0:0:0:0:1 [1596153295173] GET /bin/bouncy/cookieTest HTTP/1.1] com.bouncy.service.BouncyAuthCookie Could not decrypt val:t=NAE7xPWDo62oRc5Ly6i_jJo_dzptFgmp2EzIJmVkHmkyOBnYp5RTi1n1bJe9bnCQk9t0RLyDFSg5-ncOxwvw0IhbqVIGdzsVsEPpVIes2XOgGknK1B32wRK0UtychXvPeuR3EZFJa7rRydw2IQY3Mzylth-BH6dEqioD8C0QuTDdIyjSaN2t5J9-MSgWq9jRQfz2XWtrMgryh8rk8kcjonOZx25HtIQRPIU9QSyP69GY4CKiJIH8pmcaau69EP6h4GYs3w2LbZMDFfoLXvy5_ag0TZyLSeV8HqtkYmA8H6quAFpYubONObqNMiR3my7cQtV7RSGfTfTweqWBdsfT_NlRLBxI4rIlmE9QTlfz_KmQsBy1CHiQm8mAqNo1ZmIHVLH2eHf0fKL4cEHZUXxRbNpH4eJiwuTAtaK5N8IiVXsEFLwC84Et56s4fQJHaj22nKh4JLRCK_40lyebpp9k_G6rFloGanZ9htx_YATXusTO7fufpyZ4yFLOkEh5WgeyC6sOFRe_021I_cRZMuJUoj-4MCW5GBd2hFkyatW6IbsLV6QT3cP4F1CLbCIUKVlYwvXPXKUdQzw5aVnd-aWIrQNVLbZFEsWQUjYT6-T9OXgHzE_iiBmiyItsN0hjO5Si9jiLA8fsWhZV92dNLDRAhTOzRMWk_gsPOotordmM-V5htYXSnbJ5z3VvoPoOT8KKU1zYI5yvfsItbdHz965YopwvJGLD3CG7RPt5YEDlHzEQzbkS3pykab00wCLFJeRHDJQ4c-XoQ1PHaQvKHywtfhT8bLdBZ4OLn5xnshqDPB7V8W3sbdRQXVRa6PfiuOMstEQRhBHHGuZeiOUOEWncl3XhAilavZPih7Dcx7yJ6EPhMt9IFjuGDoL6mC0k4BaZpXl7WaPYkZDJXSWYgSl2EYWbX-V_L5Bru74zC5evnaVX3sUjpd_SEzJl3cD8bdG_zLzEeidydNZP2YgI66uBm710qd9ILP8oLl2Khe_Jvwy4bOp-X2t7BWvzb2r7SXkua3leuC4u3b5iueBiHslMMybNyCNK7PRKWigPGaiPkK7sN4_dIIryUXUb1gtJb1vTGkyRYYCvxg57JMylv_dFFehMC6FfdtSImrNJvCp9NR4~
java.lang.SecurityException: JCE cannot authenticate the provider BC

.......
Caused by: java.lang.IllegalStateException: Stream handler unavailable due to: invalid url: inputstream:bcprov-jdk15to18-166.jar!/ (java.net.MalformedURLException: Unknown protocol: inputstream)
at org.apache.felix.framework.URLHandlersStreamHandlerProxy.parseURL(URLHandlersStreamHandlerProxy.java:431)
at java.net.URL.<init>(URL.java:622)
... 139 common frames omitted
Caused by: java.net.MalformedURLException: invalid url: inputstream:bcprov-jdk15to18-166.jar!/ (java.net.MalformedURLException: Unknown protocol: inputstream)
at java.net.URL.<init>(URL.java:627)
at org.apache.felix.framework.util.SecureAction.createURL(SecureAction.java:256)
at org.apache.felix.framework.URLHandlersStreamHandlerProxy.parseURL(URLHandlersStreamHandlerProxy.java:423)
... 140 common frames omitted
Caused by: java.lang.NullPointerException: invalid url: inputstream:bcprov-jdk15to18-166.jar!/ (java.net.MalformedURLException: Unknown protocol: inputstream)
at sun.net.www.protocol.jar.Handler.parseAbsoluteSpec(Handler.java:178)
at sun.net.www.protocol.jar.Handler.parseURL(Handler.java:151)
at java.net.URL.<init>(URL.java:622)
... 142 common frames omitted




AEM 6.5

Accepted Solutions (1)

Accepted Solutions (1)

Avatar

Avatar

sdouglasmc

Avatar

sdouglasmc

sdouglasmc

09-08-2020

I found the actual issue. The issue is with the updated Felix Framework code. The BundleProtectionDomain has been updated since 6.4 and seems to be breaking in 6.5 because of the ProtectionDomain Code Source returning a different value. In 6.4 and below, it returns a jar input type in the CodeSource and location of:
jar:bundle://546.0:0/!/

Whereas in 6.5, although the Protection Domain is set the same (for the most part- [bcprov [583](R 583.0)]) as in 6.4 [bcprov [546](R 546.0)] - the CodeSource value returns the actual jar name and "bundle install method" which is not compliant with java URL: (inputstream:bcprov-jdk15to18-166.jar)

Answers (2)

Answers (2)

Avatar

Avatar

Shashi_Mulugu

MVP

Avatar

Shashi_Mulugu

MVP

Shashi_Mulugu
MVP

31-07-2020

Avatar

Avatar

sdouglasmc

Avatar

sdouglasmc

sdouglasmc

10-08-2020

The hack for this - for Java 8 and 11, in this case is to place the bouncycastle jar under crx-quickstart\launchpad\ext (you may have to create the directory),

Add the folowing to the sling.properties: 
sling.bootdelegation.class.org.bouncycastle.jce.provider.BouncyCastleProvider=org.bouncycastle.*
sling.bootdelegation.class.com.rsa.jsafe.provider.JsafeJCE=com.rsa.* (not really sure this one is needed)

This is a complete hack as it breaks modularity which is the premise of OSGI.  Versioning/restrictions are not attainable so any updates to the code using the BC package will be open to CNF exceptions.  

Since this didn't have to be done until AEM 6.5 (which it shouldn't), I've created a support ticket as this will blow up in the Cloud as well.