hi
has anyone out there had any success using the IAIK JCE provider with JBoss AS 7?
When we run the following code:

    import java.io.FileInputStream;
    import iaik.pkcs.pkcs12.PKCS12;
    import iaik.security.provider.IAIK;

    // Register IAIK as the preferred (first) JCA provider
    IAIK.addAsProvider(true);
    FileInputStream in = null;
    try {
        in = new FileInputStream(filename);
        // Parse the PKCS#12 file and decrypt its contents with the supplied password
        PKCS12 p12 = new PKCS12(in);
        p12.decrypt(password.toCharArray());
    } catch (Exception e) {
        logger.error("Error thrown when decrypting pks file.", e);
    } finally {
        if (in != null) {
            try { in.close(); } catch (Exception ignored) { }
        }
    }
When we run the above code using the IAIK version 4 or 5 JAR file packaged within a web application, we get a stack trace like the following:
17:35:53,369 INFO [stdout] (ajp-/10.14.30.139:8009-1) Installed security providers providers:
17:35:53,369 INFO [stdout] (ajp-/10.14.30.139:8009-1)
17:35:53,369 INFO [stdout] (ajp-/10.14.30.139:8009-1) Provider 1: IAIK version: 4.0
17:35:53,369 INFO [stdout] (ajp-/10.14.30.139:8009-1) Provider 2: SUN version: 1.6
17:35:53,370 INFO [stdout] (ajp-/10.14.30.139:8009-1) Provider 3: SunRsaSign version: 1.5
17:35:53,370 INFO [stdout] (ajp-/10.14.30.139:8009-1) Provider 4: SunJSSE version: 1.6
17:35:53,370 INFO [stdout] (ajp-/10.14.30.139:8009-1) Provider 5: SunJCE version: 1.6
17:35:53,370 INFO [stdout] (ajp-/10.14.30.139:8009-1) Provider 6: SunJGSS version: 1.0
17:35:53,370 INFO [stdout] (ajp-/10.14.30.139:8009-1) Provider 7: SunSASL version: 1.5
17:35:53,370 INFO [stdout] (ajp-/10.14.30.139:8009-1) Provider 8: XMLDSig version: 1.0
17:35:53,370 INFO [stdout] (ajp-/10.14.30.139:8009-1) Provider 9: SunPCSC version: 1.6
17:35:53,441 ERROR [org.epo.product.jboss.ref1.web.iaik.PksFileParser] (ajp-/10.14.30.139:8009-1) Error thrown when decrypting pks file.: iaik.pkcs.PKCSException: Unable to decrypt PrivateKey! iaik.pkcs.pkcs8.b: Unable to decrypt private key: javax.crypto.BadPaddingException: Given final block not properly padded
at iaik.pkcs.pkcs12.AuthenticatedSafe.decrypt(Unknown Source) [iaik_jce-signed-4.0.jar:4.0]
at iaik.pkcs.pkcs12.PKCS12.decrypt(Unknown Source) [iaik_jce-signed-4.0.jar:4.0]
at org.epo.product.jboss.ref1.web.iaik.PksFileParser.openPkcs12(PksFileParser.java:57) [classes:]
at org.epo.product.jboss.ref1.web.iaik.PksFileParser$Proxy$_$$_WeldClientProxy.openPkcs12(PksFileParser$Proxy$_$$_WeldClientProxy.java) [classes:]
at org.epo.product.jboss.ref1.web.iaik.upload.PfxFileUploadBean.parseUpload(PfxFileUploadBean.java:74) [classes:]
at org.epo.product.jboss.ref1.web.iaik.upload.PfxFileUploadBean$Proxy$_$$_WeldClientProxy.parseUpload(PfxFileUploadBean$Proxy$_$$_WeldClientProxy.java) [classes:]
at org.epo.product.jboss.ref1.web.iaik.upload.PfxFileUploadServlet.doPost(PfxFileUploadServlet.java:109) [classes:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.jboss.as.web.session.ClusteredSessionValve.handleRequest(ClusteredSessionValve.java:134) [jboss-as-web-7.2.0.Final-redhat-8-bz-970751.jar:7.2.0.Final-redhat-8]
at org.jboss.as.web.session.ClusteredSessionValve.invoke(ClusteredSessionValve.java:99) [jboss-as-web-7.2.0.Final-redhat-8-bz-970751.jar:7.2.0.Final-redhat-8]
at org.jboss.as.web.session.JvmRouteValve.invoke(JvmRouteValve.java:92) [jboss-as-web-7.2.0.Final-redhat-8-bz-970751.jar:7.2.0.Final-redhat-8]
at org.jboss.as.web.session.LockingValve.invoke(LockingValve.java:64) [jboss-as-web-7.2.0.Final-redhat-8-bz-970751.jar:7.2.0.Final-redhat-8]
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.epoline.security.tomcat.SpnegoAuthenticator.invoke(SpnegoAuthenticator.java:130) [epo-spnego-tomcat-1.2.3-EAP6.jar:1.2.3-EAP6]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Final-redhat-8-bz-970751.jar:7.2.0.Final-redhat-8]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:488) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_37]
Has anybody come across similar issues? It does not look like a JBoss AS 7 issue per se, since if we run code like the below it works well.

    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.Provider;
    import java.security.Security;
    import java.util.Enumeration;
    import iaik.security.provider.IAIK;

    // Register IAIK as the preferred (first) JCA provider
    IAIK.addAsProvider(true);
    // Look the provider up by its registered name ("IAIK" in the provider list above)
    Provider provider = Security.getProvider("IAIK");
    try {
        // Load the same PKCS#12 file through the standard KeyStore API, backed by IAIK
        KeyStore store = KeyStore.getInstance("pkcs12", provider);
        store.load(fileInputStream, password.toCharArray());
        // List the entries found in the keystore
        Enumeration<String> aliases = store.aliases();
        while (aliases.hasMoreElements()) {
            logger.info("Alias: " + aliases.nextElement());
        }
    } catch (Exception e) {
        logger.error("Error thrown when decrypting pks file.", e);
    }
However, we need to use IAIK-JCE explicitly, as shown above. Any questions or experiences with IAIK are most welcome.
- Oliver