Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn more

View all

Sign in to view all badges

SOLVED

AEM 6.5 Authentication Cipher issue with BouncyCastle that doesn't appear in 6.3

sdouglasmc
Level 4
Level 4

We are migrating a site in AEM 6.3 to 6.5(6.5.5).  During authentication, there is the use of PKCS7PADDING which is not working in 6.5 but does work in 6.3 with both environments having bcprov-bcprov- 1.66 installed: 
final Cipher decrypterWithPad = Cipher.getInstance("AES/CBC/PKCS7PADDING",
BouncyCastleProvider.PROVIDER_NAME);
--Provider Name being "BC" as seen in the error below---


I've stripped out everything and created a small test package (with only slight changes needed for versions of 2 dependencies in the core pom) that I could quickly test in fresh 6.5 and 6.3 environments - no service packs in either.
-Start up fresh publish instances of 6.3 and 6.5
-Install bcprov-bcprov- 1.66 manually in OSGI
-Install my little package to both 6.3 and 6.5
-Hit my servlet by path which calls the above lines of code (obviously a bit more).
6.3 Works great!  6.5 returns the same below log.  So something has changed fundamentally in 6.5.  I'm wondering if it is something in the sling.properties issue.  Both are using the same Java 8 version.

 

30.07.2020 20:54:55.184 *ERROR* [0:0:0:0:0:0:0:1 [1596153295173] GET /bin/bouncy/cookieTest HTTP/1.1] com.bouncy.service.BouncyAuthCookie Could not decrypt val:t=NAE7xPWDo62oRc5Ly6i_jJo_dzptFgmp2EzIJmVkHmkyOBnYp5RTi1n1bJe9bnCQk9t0RLyDFSg5-ncOxwvw0IhbqVIGdzsVsEPpVIes2XOgGknK1B32wRK0UtychXvPeuR3EZFJa7rRydw2IQY3Mzylth-BH6dEqioD8C0QuTDdIyjSaN2t5J9-MSgWq9jRQfz2XWtrMgryh8rk8kcjonOZx25HtIQRPIU9QSyP69GY4CKiJIH8pmcaau69EP6h4GYs3w2LbZMDFfoLXvy5_ag0TZyLSeV8HqtkYmA8H6quAFpYubONObqNMiR3my7cQtV7RSGfTfTweqWBdsfT_NlRLBxI4rIlmE9QTlfz_KmQsBy1CHiQm8mAqNo1ZmIHVLH2eHf0fKL4cEHZUXxRbNpH4eJiwuTAtaK5N8IiVXsEFLwC84Et56s4fQJHaj22nKh4JLRCK_40lyebpp9k_G6rFloGanZ9htx_YATXusTO7fufpyZ4yFLOkEh5WgeyC6sOFRe_021I_cRZMuJUoj-4MCW5GBd2hFkyatW6IbsLV6QT3cP4F1CLbCIUKVlYwvXPXKUdQzw5aVnd-aWIrQNVLbZFEsWQUjYT6-T9OXgHzE_iiBmiyItsN0hjO5Si9jiLA8fsWhZV92dNLDRAhTOzRMWk_gsPOotordmM-V5htYXSnbJ5z3VvoPoOT8KKU1zYI5yvfsItbdHz965YopwvJGLD3CG7RPt5YEDlHzEQzbkS3pykab00wCLFJeRHDJQ4c-XoQ1PHaQvKHywtfhT8bLdBZ4OLn5xnshqDPB7V8W3sbdRQXVRa6PfiuOMstEQRhBHHGuZeiOUOEWncl3XhAilavZPih7Dcx7yJ6EPhMt9IFjuGDoL6mC0k4BaZpXl7WaPYkZDJXSWYgSl2EYWbX-V_L5Bru74zC5evnaVX3sUjpd_SEzJl3cD8bdG_zLzEeidydNZP2YgI66uBm710qd9ILP8oLl2Khe_Jvwy4bOp-X2t7BWvzb2r7SXkua3leuC4u3b5iueBiHslMMybNyCNK7PRKWigPGaiPkK7sN4_dIIryUXUb1gtJb1vTGkyRYYCvxg57JMylv_dFFehMC6FfdtSImrNJvCp9NR4~
java.lang.SecurityException: JCE cannot authenticate the provider BC

.......
Caused by: java.lang.IllegalStateException: Stream handler unavailable due to: invalid url: inputstream:bcprov-jdk15to18-166.jar!/ (java.net.MalformedURLException: Unknown protocol: inputstream)
at org.apache.felix.framework.URLHandlersStreamHandlerProxy.parseURL(URLHandlersStreamHandlerProxy.java:431)
at java.net.URL.<init>(URL.java:622)
... 139 common frames omitted
Caused by: java.net.MalformedURLException: invalid url: inputstream:bcprov-jdk15to18-166.jar!/ (java.net.MalformedURLException: Unknown protocol: inputstream)
at java.net.URL.<init>(URL.java:627)
at org.apache.felix.framework.util.SecureAction.createURL(SecureAction.java:256)
at org.apache.felix.framework.URLHandlersStreamHandlerProxy.parseURL(URLHandlersStreamHandlerProxy.java:423)
... 140 common frames omitted
Caused by: java.lang.NullPointerException: invalid url: inputstream:bcprov-jdk15to18-166.jar!/ (java.net.MalformedURLException: Unknown protocol: inputstream)
at sun.net.www.protocol.jar.Handler.parseAbsoluteSpec(Handler.java:178)
at sun.net.www.protocol.jar.Handler.parseURL(Handler.java:151)
at java.net.URL.<init>(URL.java:622)
... 142 common frames omitted




AEM 6.5
1 Accepted Solution
sdouglasmc
Correct answer by
Level 4
Level 4

I found the actual issue. The issue is with the updated Felix Framework code. The BundleProtectionDomain has been updated since 6.4 and seems to be breaking in 6.5 because of the ProtectionDomain Code Source returning a different value. In 6.4 and below, it returns a jar input type in the CodeSource and location of:
jar:bundle://546.0:0/!/

Whereas in 6.5, although the Protection Domain is set the same (for the most part- [bcprov [583](R 583.0)]) as in 6.4 [bcprov [546](R 546.0)] - the CodeSource value returns the actual jar name and "bundle install method" which is not compliant with java URL: (inputstream:bcprov-jdk15to18-166.jar)

View solution in original post

9 Replies
sdouglasmc
Level 4
Level 4
Got it working with Java 8 because I can update the included JRE with the bc jar. Since Java 11 doesn't have this, and that's what we are actually using, I'm trying to figure out how to get it working in there.
Shashi_Mulugu
Community Advisor
Community Advisor
@sdouglasmc I think you need to Jlink tool to add modules/jars to classpath https://docs.oracle.com/javase/9/tools/jlink.htm, alternatively try if you can use some maven plugin to copy dependency to classpath at runtime, or atlast try to place this file somewhere in filesystem and use system scope.
sdouglasmc
Level 4
Level 4
my thought was to create a modular jar file from the jar and put it under jdk-11.0.4\jmods. But since I don't have the source it makes it pretty difficult.
sdouglasmc
Level 4
Level 4
This is definitely a bug with 6.5. In 6.3 AND 6.4 you don't have to do anything but install the bouncy castle jar file in OSGI. I didn't even have to add the sling bootleg delegation entries.
sdouglasmc
Correct answer by
Level 4
Level 4

I found the actual issue. The issue is with the updated Felix Framework code. The BundleProtectionDomain has been updated since 6.4 and seems to be breaking in 6.5 because of the ProtectionDomain Code Source returning a different value. In 6.4 and below, it returns a jar input type in the CodeSource and location of:
jar:bundle://546.0:0/!/

Whereas in 6.5, although the Protection Domain is set the same (for the most part- [bcprov [583](R 583.0)]) as in 6.4 [bcprov [546](R 546.0)] - the CodeSource value returns the actual jar name and "bundle install method" which is not compliant with java URL: (inputstream:bcprov-jdk15to18-166.jar)

View solution in original post

sdouglasmc
Level 4
Level 4

The hack for this - for Java 8 and 11, in this case is to place the bouncycastle jar under crx-quickstart\launchpad\ext (you may have to create the directory),

Add the folowing to the sling.properties: 
sling.bootdelegation.class.org.bouncycastle.jce.provider.BouncyCastleProvider=org.bouncycastle.*
sling.bootdelegation.class.com.rsa.jsafe.provider.JsafeJCE=com.rsa.* (not really sure this one is needed)

This is a complete hack as it breaks modularity which is the premise of OSGI.  Versioning/restrictions are not attainable so any updates to the code using the BC package will be open to CNF exceptions.  

Since this didn't have to be done until AEM 6.5 (which it shouldn't), I've created a support ticket as this will blow up in the Cloud as well.

vibhuranjan21
Level 2
Level 2

Following is the working solution for this issue:

 

1. Place the bouncycastle jar under crx-quickstart\launchpad\ext (you may have to create the directory)
2. Add the following to the sling.properties:
sling.bootdelegation.class.org.bouncycastle.jce.provider.BouncyCastleProvider=org.bouncycastle.*
sling.bootdelegation.class.com.rsa.jsafe.provider.JsafeJCE=com.rsa.*

 

 

sdouglasmc
Level 4
Level 4
Right, I'm pretty sure that is what I wrote in my comment on 10-08-2020