-
1. Re: bouncy castle not registered?
rwelty Oct 1, 2012 4:16 PM (in response to rwelty)
Switched to the latest Oracle/Sun JDK 1.7, same result.
-
2. Re: bouncy castle not registered?
davsclaus Oct 2, 2012 2:20 AM (in response to rwelty)
You would need Fuse ESB Enterprise 7.1 or better for Java 7 to be supported. The 7.1 release is currently in the works.
-
3. Re: bouncy castle not registered?
rwelty Oct 2, 2012 9:36 AM (in response to davsclaus)
Since the behavior is the same, I'm happy to switch back to 1.6. However, Bouncy Castle is still not registering properly. In reviewing the source code for Apache SSHD, in SecurityUtils.java I see the following, which suggests that an exception message/stack trace is being discarded in favor of a generic (and therefore useless) message. Any suggestions on how to figure out why Bouncy Castle won't register?
package org.apache.sshd.common.util;

import java.security.MessageDigest;
import javax.crypto.KeyAgreement;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SecurityUtils {
    // Declarations from the same class that the two methods below depend on.
    public static final String BOUNCY_CASTLE = "BC";
    private static final Logger LOG = LoggerFactory.getLogger(SecurityUtils.class);
    private static String securityProvider = null;
    private static Boolean registerBouncyCastle;   // null: try BC, fall back quietly on failure
    private static boolean registrationDone;

    private static void register() {
        if (!registrationDone) {
            if (securityProvider == null && (registerBouncyCastle == null || registerBouncyCastle)) {
                // Use an inner class to avoid a strong dependency from SshServer on BouncyCastle
                try {
                    new BouncyCastleRegistration().run();
                } catch (Throwable t) {
                    if (registerBouncyCastle == null) {
                        // 't' (the exception and its cause chain) is dropped here; only a generic message is logged
                        LOG.info("BouncyCastle not registered, using the default JCE provider");
                    } else {
                        LOG.error("Failed to register BouncyCastle as the default JCE provider");
                        throw new RuntimeException("Failed to register BouncyCastle as the default JCE provider", t);
                    }
                }
            }
            registrationDone = true;
        }
    }

    private static class BouncyCastleRegistration {
        public void run() throws Exception {
            if (java.security.Security.getProvider(BOUNCY_CASTLE) == null) {
                LOG.info("Trying to register BouncyCastle as a JCE provider");
                java.security.Security.addProvider(new BouncyCastleProvider());
                // Probe two services through the new provider to prove it is usable;
                // the KeyAgreement lookup goes through javax.crypto, which also verifies
                // the provider jar's signature
                MessageDigest.getInstance("MD5", BOUNCY_CASTLE);
                KeyAgreement.getInstance("DH", BOUNCY_CASTLE);
                LOG.info("Registration succeeded");
            } else {
                LOG.info("BouncyCastle already registered as a JCE provider");
            }
            securityProvider = BOUNCY_CASTLE;
        }
    }
}
-
4. Re: bouncy castle not registered?
rwelty Oct 2, 2012 4:37 PM (in response to rwelty)
Still not solved yet, but I have new information.
I built a copy of Apache SSHD 0.5.0 and altered the SecurityUtils class slightly, so that it put the exception and stack trace into the log instead of simply discarding it, and inserted the resulting class files into the appropriate bundle.jar. The result was the following, which suggests that the Oracle/Sun JDK is having issues validating the signed Bouncy Castle JCE provider jar (OpenJDK 1.6 and 1.7 ignore the signatures on the JCE providers, which is why I didn't see a problem with them). I haven't found much on the subject with respect to Fuse ESB, but apparently JBoss has similar issues.
The traces:
- sshd-core - 0.5.0 | BouncyCastle not registered, using the default JCE provider
java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
at javax.crypto.JceSecurity.getInstance(JceSecurity.java:101)
at javax.crypto.KeyAgreement.getInstance(KeyAgreement.java:223)
at org.apache.sshd.common.util.SecurityUtils$BouncyCastleRegistration.run(SecurityUtils.java:97)[27:sshd-core:0.5.0]
...
Caused by: java.lang.SecurityException: Invalid signature file digest for Manifest main attributes
at sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:240)[:1.7.0]
at sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:193)[:1.7.0]
at java.util.jar.JarVerifier.processEntry(JarVerifier.java:262)[:1.7.0]
at java.util.jar.JarVerifier.update(JarVerifier.java:216)[:1.7.0]
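A stand-alone way to get at the exception that SecurityUtils swallows, without rebuilding sshd-core, added here as an example (it is not code from this thread, from Apache SSHD or from Fuse ESB): it performs the same two lookups as BouncyCastleRegistration, prints which jar BouncyCastleProvider was loaded from, and prints the complete cause chain of any failure. The class name BcRegistrationCheck and the output format are this example's own choices; it assumes the Bouncy Castle provider jar is on the classpath and is meant to be run with the same JRE the container starts, because the provider jar signature check is done by that JRE's javax.crypto classes.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import javax.crypto.KeyAgreement;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

/*
 * Added diagnostic, not part of the thread or of Apache SSHD. It repeats the
 * registration steps of SecurityUtils.BouncyCastleRegistration but prints the
 * full cause chain of any failure instead of a generic log message.
 * Assumptions: the class name is this example's own; the BC provider jar is on
 * the classpath (or in the JRE's lib/ext); Java 6 syntax is used on purpose.
 */
public class BcRegistrationCheck {

    private static final String BC = "BC";

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // Providers registered statically in lib/security/java.security are already here.
        listProviders("Providers before registration");

        if (Security.getProvider(BC) == null) {
            BouncyCastleProvider bc = new BouncyCastleProvider();
            int position = Security.addProvider(bc);
            System.out.println("Security.addProvider(BC) returned position " + position);
            // The jar the provider class came from is the jar whose signature
            // javax.crypto verifies on the first KeyAgreement lookup below.
            System.out.println("BouncyCastleProvider loaded from "
                    + bc.getClass().getProtectionDomain().getCodeSource());
        } else {
            System.out.println("BC already registered as a JCE provider");
        }

        // MessageDigest is a java.security service: no JCE provider authentication.
        boolean mdOk = probeMessageDigest();
        // KeyAgreement is a javax.crypto service: JceSecurity verifies the provider
        // jar's signature here, which is where "JCE cannot authenticate the provider BC"
        // and its nested SecurityException come from.
        boolean kaOk = probeKeyAgreement();

        listProviders("Providers after registration");
        System.out.println("MD5 via BC: " + (mdOk ? "OK" : "FAILED")
                + ", DH via BC: " + (kaOk ? "OK" : "FAILED"));
    }

    static boolean probeMessageDigest() {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5", BC);
            System.out.println("MessageDigest MD5 served by " + md.getProvider().getName());
            return true;
        } catch (Exception e) {
            report("MessageDigest.getInstance(\"MD5\", \"BC\")", e);
            return false;
        }
    }

    static boolean probeKeyAgreement() {
        try {
            KeyAgreement ka = KeyAgreement.getInstance("DH", BC);
            System.out.println("KeyAgreement DH served by " + ka.getProvider().getName());
            return true;
        } catch (Exception e) {
            report("KeyAgreement.getInstance(\"DH\", \"BC\")", e);
            return false;
        }
    }

    // Print every link of the cause chain, then the full trace: the useful part
    // (e.g. "Invalid signature file digest ...") is usually a nested cause.
    static void report(String what, Throwable t) {
        System.out.println(what + " failed:");
        int depth = 0;
        for (Throwable c = t; c != null; c = c.getCause()) {
            System.out.println("  cause[" + depth++ + "] " + c.getClass().getName()
                    + ": " + c.getMessage());
        }
        t.printStackTrace(System.out);
    }

    static void listProviders(String title) {
        System.out.println(title + ":");
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("  " + (i + 1) + ". " + providers[i].getName()
                    + " " + providers[i].getVersion()
                    + " (" + providers[i].getClass().getName() + ")");
        }
    }
}
```

Compile and run it with the Bouncy Castle provider jar on the classpath and compare the printed java.home with the JAVA_HOME the container starts with. If the DH probe succeeds under one JDK and fails with an "Invalid signature file digest" cause under another, the problem lies in that JRE's verification of the provider jar, not in sshd-core or the container; if the probe succeeds outside the container but fails inside it, check that both are loading the same provider jar.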
-
5. Re: bouncy castle not registered?
rwelty Oct 4, 2012 9:48 AM (in response to rwelty)
I finally got the Bouncy Castle provider to show up. I had to register it statically with the JRE by editing $JAVA_HOME/lib/security/java.security:
security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider
and adding the Bouncy Castle jar to the classpath.
Now I'm back to the "javax.net.ssl.SSLKeyException: RSA premaster secret error" issue, which is more of a Java crypto/httpclient thing than a Fuse ESB thing, I think. I have already installed the unlimited strength JCE policy files, so that's not it.
richard
-
6. Re: bouncy castle not registered?
davsclaus Oct 4, 2012 11:29 AM (in response to rwelty)
Thanks for keeping us posted on your journey with Bouncy Castle.
-
7. Re: bouncy castle not registered?
ffang Oct 8, 2012 12:35 AM (in response to rwelty)
Hi,
To deploy a specific security provider, you need to follow the instructions here [1], in the "Deploying security providers" chapter. Basically the steps are:
Put your provider jar in FUSE_ESB/lib/ext.
Modify the FUSE_ESB/etc/config.properties configuration file to add the following property:
org.apache.karaf.security.providers = xxx,yyy
The value of this property is a comma-separated list of the provider class names to register.
For example:
org.apache.karaf.security.providers = org.bouncycastle.jce.provider.BouncyCastleProvider
In addition, you may want to provide access to the classes from those providers from the system bundle so that all bundles can access them. It can be done by modifying the org.osgi.framework.bootdelegation property in the same configuration file:
org.osgi.framework.bootdelegation = ...,org.bouncycastle*
[1] http://karaf.apache.org/manual/latest-2.2.x/users-guide/security.html
Freeman
Edited by: ffang on Oct 8, 2012 4:35 AM
-
8. Re: bouncy castle not registered?
rwelty Oct 9, 2012 9:23 AM (in response to ffang)
OK, thanks. But another document calls for this:
org.apache.felix.karaf.security.providers = org.bouncycastle.jce.provider.BouncyCastleProvider
rather than this:
org.apache.karaf.security.providers = org.bouncycastle.jce.provider.BouncyCastleProvider
in config.properties. Which is correct?
Thanks,
richard
-
9. Re: bouncy castle not registered?
ffang Oct 9, 2012 9:35 AM (in response to rwelty)
Hi,
Given the Fuse ESB version you're using, it should be
org.apache.karaf.security.providers = org.bouncycastle.jce.provider.BouncyCastleProvider
Freeman
-
10. Re: bouncy castle not registered?
rwelty Oct 9, 2012 9:46 AM (in response to ffang)
OK, trying it now.
Note, though, that the procedure I used that worked (static installation in the JRE) is technically correct too; the procedure you pointed out is just narrower in scope, which has some obvious advantages.
richard
-
11. Re: bouncy castle not registered?
ffang Oct 9, 2012 10:02 AM (in response to rwelty)
Hi,
Yeah, your approach works; it just has a global effect, and it may affect other processes which don't want that configuration.
Freeman
-
12. Re: bouncy castle not registered?
lees_efstech Dec 5, 2013 11:50 AM (in response to ffang)
I was using Fabric, so I had to add the configuration to FUSE_ESB/instances/CONTAINER_NAME/etc/config.properties to get it working.