
SOLVED

AEM 6.5 Authentication Cipher issue with BouncyCastle that doesn't appear in 6.3


Level 5

We are migrating a site from AEM 6.3 to 6.5 (6.5.5). During authentication we use PKCS7PADDING, which works in 6.3 but not in 6.5, with bcprov 1.66 installed in both environments:
final Cipher decrypterWithPad = Cipher.getInstance("AES/CBC/PKCS7PADDING", BouncyCastleProvider.PROVIDER_NAME);
(the provider name being "BC", as seen in the error below)


I've stripped out everything and created a small test package (with only slight changes needed for the versions of two dependencies in the core pom) that I could quickly test in fresh 6.5 and 6.3 environments, no service packs in either:
- Start up fresh publish instances of 6.3 and 6.5
- Install bcprov 1.66 manually in OSGi
- Install my little package on both 6.3 and 6.5
- Hit my servlet by path, which calls the lines of code above (obviously a bit more)
6.3 works great! 6.5 returns the log below. So something has changed fundamentally in 6.5. I'm wondering if it is something in sling.properties. Both are using the same Java 8 version.


30.07.2020 20:54:55.184 *ERROR* [0:0:0:0:0:0:0:1 [1596153295173] GET /bin/bouncy/cookieTest HTTP/1.1] com.bouncy.service.BouncyAuthCookie Could not decrypt val:t=NAE7xPWDo62oRc5Ly6i_jJo_dzptFgmp2EzIJmVkHmkyOBnYp5RTi1n1bJe9bnCQk9t0RLyDFSg5-ncOxwvw0IhbqVIGdzsVsEPpVIes2XOgGknK1B32wRK0UtychXvPeuR3EZFJa7rRydw2IQY3Mzylth-BH6dEqioD8C0QuTDdIyjSaN2t5J9-MSgWq9jRQfz2XWtrMgryh8rk8kcjonOZx25HtIQRPIU9QSyP69GY4CKiJIH8pmcaau69EP6h4GYs3w2LbZMDFfoLXvy5_ag0TZyLSeV8HqtkYmA8H6quAFpYubONObqNMiR3my7cQtV7RSGfTfTweqWBdsfT_NlRLBxI4rIlmE9QTlfz_KmQsBy1CHiQm8mAqNo1ZmIHVLH2eHf0fKL4cEHZUXxRbNpH4eJiwuTAtaK5N8IiVXsEFLwC84Et56s4fQJHaj22nKh4JLRCK_40lyebpp9k_G6rFloGanZ9htx_YATXusTO7fufpyZ4yFLOkEh5WgeyC6sOFRe_021I_cRZMuJUoj-4MCW5GBd2hFkyatW6IbsLV6QT3cP4F1CLbCIUKVlYwvXPXKUdQzw5aVnd-aWIrQNVLbZFEsWQUjYT6-T9OXgHzE_iiBmiyItsN0hjO5Si9jiLA8fsWhZV92dNLDRAhTOzRMWk_gsPOotordmM-V5htYXSnbJ5z3VvoPoOT8KKU1zYI5yvfsItbdHz965YopwvJGLD3CG7RPt5YEDlHzEQzbkS3pykab00wCLFJeRHDJQ4c-XoQ1PHaQvKHywtfhT8bLdBZ4OLn5xnshqDPB7V8W3sbdRQXVRa6PfiuOMstEQRhBHHGuZeiOUOEWncl3XhAilavZPih7Dcx7yJ6EPhMt9IFjuGDoL6mC0k4BaZpXl7WaPYkZDJXSWYgSl2EYWbX-V_L5Bru74zC5evnaVX3sUjpd_SEzJl3cD8bdG_zLzEeidydNZP2YgI66uBm710qd9ILP8oLl2Khe_Jvwy4bOp-X2t7BWvzb2r7SXkua3leuC4u3b5iueBiHslMMybNyCNK7PRKWigPGaiPkK7sN4_dIIryUXUb1gtJb1vTGkyRYYCvxg57JMylv_dFFehMC6FfdtSImrNJvCp9NR4~
java.lang.SecurityException: JCE cannot authenticate the provider BC

.......
Caused by: java.lang.IllegalStateException: Stream handler unavailable due to: invalid url: inputstream:bcprov-jdk15to18-166.jar!/ (java.net.MalformedURLException: Unknown protocol: inputstream)
at org.apache.felix.framework.URLHandlersStreamHandlerProxy.parseURL(URLHandlersStreamHandlerProxy.java:431)
at java.net.URL.<init>(URL.java:622)
... 139 common frames omitted
Caused by: java.net.MalformedURLException: invalid url: inputstream:bcprov-jdk15to18-166.jar!/ (java.net.MalformedURLException: Unknown protocol: inputstream)
at java.net.URL.<init>(URL.java:627)
at org.apache.felix.framework.util.SecureAction.createURL(SecureAction.java:256)
at org.apache.felix.framework.URLHandlersStreamHandlerProxy.parseURL(URLHandlersStreamHandlerProxy.java:423)
... 140 common frames omitted
Caused by: java.lang.NullPointerException: invalid url: inputstream:bcprov-jdk15to18-166.jar!/ (java.net.MalformedURLException: Unknown protocol: inputstream)
at sun.net.www.protocol.jar.Handler.parseAbsoluteSpec(Handler.java:178)
at sun.net.www.protocol.jar.Handler.parseURL(Handler.java:151)
at java.net.URL.<init>(URL.java:622)
... 142 common frames omitted




1 Accepted Solution


Correct answer by
Level 5

I found the actual issue. The issue is with the updated Felix Framework code. The BundleProtectionDomain has been updated since 6.4 and seems to be breaking in 6.5 because of the ProtectionDomain Code Source returning a different value. In 6.4 and below, it returns a jar input type in the CodeSource and location of:
jar:bundle://546.0:0/!/

Whereas in 6.5, although the Protection Domain is set the same (for the most part- [bcprov [583](R 583.0)]) as in 6.4 [bcprov [546](R 546.0)] - the CodeSource value returns the actual jar name and "bundle install method" which is not compliant with java URL: (inputstream:bcprov-jdk15to18-166.jar)
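Added example, not code from this thread or from Adobe, Felix or Bouncy Castle: a small Java class that does two things a practitioner would want at this point. First, it prints the CodeSource location of the BC classes, which is the value the accepted answer describes; JCE provider authentication reopens that location to verify the signed provider jar, so an unresolvable "inputstream:" URL is exactly what surfaces as "JCE cannot authenticate the provider BC". Second, it shows that the question's transformation does not actually require BC: for a 16-byte block cipher the PKCS#5 and PKCS#7 padding schemes produce identical bytes, and the JDK's built-in SunJCE provider implements that padding under the name PKCS5Padding (SunJCE rejects the spelling "PKCS7Padding"), so a ciphertext produced with either can be decrypted with the other. The class name, method names, key, IV and plaintext are all constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.CodeSource;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/** Added diagnostic and fallback example; class and method names are assumptions, not thread code. */
public final class BcCipherProbe {

    /**
     * Location recorded in the CodeSource of the BC classes. JCE provider authentication
     * reopens this URL to verify the jar signature; a value such as
     * "inputstream:bcprov-jdk15to18-166.jar!/" is not a resolvable URL, which is what
     * surfaces as "JCE cannot authenticate the provider BC".
     */
    public static String bcCodeSourceLocation() {
        CodeSource cs = BouncyCastleProvider.class.getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null) ? "(no CodeSource)" : cs.getLocation().toString();
    }

    /** AES-CBC through a named provider, or through default provider order when provider is null. */
    public static byte[] runCbc(int mode, String transformation, String provider,
                                byte[] key, byte[] iv, byte[] input) throws GeneralSecurityException {
        Cipher c = (provider == null) ? Cipher.getInstance(transformation)
                                      : Cipher.getInstance(transformation, provider);
        c.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c.doFinal(input);
    }

    /**
     * Decrypt with the thread's transformation on BC; if the BC provider cannot be authenticated
     * (the SecurityException in the thread), fall back to SunJCE's PKCS5Padding, which for AES
     * pads with the same bytes as PKCS#7 and therefore decrypts the same ciphertexts.
     */
    public static byte[] decryptWithFallback(byte[] key, byte[] iv, byte[] ciphertext)
            throws GeneralSecurityException {
        try {
            if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
                Security.addProvider(new BouncyCastleProvider());
            }
            return runCbc(Cipher.DECRYPT_MODE, "AES/CBC/PKCS7PADDING",
                          BouncyCastleProvider.PROVIDER_NAME, key, iv, ciphertext);
        } catch (SecurityException e) {
            // "JCE cannot authenticate the provider BC": BC is loaded but unusable for JCE.
            return runCbc(Cipher.DECRYPT_MODE, "AES/CBC/PKCS5Padding", null, key, iv, ciphertext);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("BC CodeSource location: " + bcCodeSourceLocation());

        // Constructed sample input: random key and IV, fixed plaintext.
        SecureRandom rnd = new SecureRandom();
        byte[] key = new byte[16], iv = new byte[16];
        rnd.nextBytes(key);
        rnd.nextBytes(iv);
        byte[] plain = "t=session-token-value".getBytes(StandardCharsets.UTF_8);

        // Encrypt with the JDK's PKCS5Padding, decrypt via BC PKCS7PADDING (or the fallback):
        byte[] ct = runCbc(Cipher.ENCRYPT_MODE, "AES/CBC/PKCS5Padding", null, key, iv, plain);
        byte[] back = decryptWithFallback(key, iv, ct);
        System.out.println("cross-provider round trip ok: " + Arrays.equals(plain, back));
    }
}
```

Compile and run it with the bcprov jar on the classpath outside OSGi and the location prints as a normal file: or jar: URL; run the same code from a bundle on an affected instance and the location is the inputstream: value from the stack trace, which confirms the diagnosis without reading Felix source. The fallback removes the dependency on BC for this one transformation only, so it does not replace the boot delegation workaround for anything else that needs the provider. One caveat that is independent of which provider is used: decrypting a client-supplied cookie with CBC and no integrity check is the classic padding-oracle setup if a bad-padding failure is distinguishable to the client from any other failure, so an authenticated mode such as AES/GCM, or encrypt-then-MAC, is the safer design for this cookie regardless of how the provider issue is resolved.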


9 Replies


Level 5
Got it working with Java 8 because I can update the included JRE with the bc jar. Since Java 11 doesn't have this, and that's what we are actually using, I'm trying to figure out how to get it working in there.


Community Advisor
@sdouglasmc I think you need the jlink tool to add modules/jars to the classpath https://docs.oracle.com/javase/9/tools/jlink.htm; alternatively, try whether you can use some Maven plugin to copy the dependency to the classpath at runtime, or lastly try placing the file somewhere on the filesystem and using system scope.


Level 5
my thought was to create a modular jar file from the jar and put it under jdk-11.0.4\jmods. But since I don't have the source it makes it pretty difficult.


Level 5
This is definitely a bug with 6.5. In 6.3 AND 6.4 you don't have to do anything but install the Bouncy Castle jar file in OSGi. I didn't even have to add the sling.bootdelegation entries.



Level 5

The hack for this, for Java 8 and 11 in this case, is to place the bouncycastle jar under crx-quickstart\launchpad\ext (you may have to create the directory).

Add the following to sling.properties:
sling.bootdelegation.class.org.bouncycastle.jce.provider.BouncyCastleProvider=org.bouncycastle.*
sling.bootdelegation.class.com.rsa.jsafe.provider.JsafeJCE=com.rsa.* (not really sure this one is needed)

This is a complete hack as it breaks modularity, which is the premise of OSGi. Versioning/restrictions are not attainable, so any updates to the code using the BC package will be open to CNF exceptions.

Since this didn't have to be done until AEM 6.5 (which it shouldn't), I've created a support ticket as this will blow up in the Cloud as well.


Level 2

Following is the working solution for this issue:


1. Place the bouncycastle jar under crx-quickstart\launchpad\ext (you may have to create the directory).
2. Add the following to sling.properties:
sling.bootdelegation.class.org.bouncycastle.jce.provider.BouncyCastleProvider=org.bouncycastle.*
sling.bootdelegation.class.com.rsa.jsafe.provider.JsafeJCE=com.rsa.*


Level 5
Right, I'm pretty sure that is what I wrote in my comment on 10-08-2020