Using bouncy castle v1.58, Tomcat 8.5, java 1.8.
I have the unlimited security policy files installed, the BC jars in
my WEB-INF/lib directory and in order to register the BC provider, I
do
static {
Security.addProvider(new BouncyCastleProvider());
}
in a utility class that handles the keyring
setup/encryption/decryption methods for me. This works great until I
update the jar that contains my utility class and reload the webapp.
Then I get an exception thrown from it being unable to locate the BC
provider.
mypackage.crypto.CryptoException:
org.bouncycastle.openpgp.PGPException: exception on setup:
java.security.NoSuchAlgorithmException: class configured for
MessageDigest (provider: BC) cannot be found.
at mypackage.crypto.PGPUtils.decrypt(PGPUtils.java:304) ~[mypackage.jar:na]
at mypackage.web.action.user.priv.settings.View.view(View.java:139)
~[classes/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
~[na:1.8.0_141]
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
~[na:1.8.0_141]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[na:1.8.0_141]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_141]
at
net.sourceforge.stripes.controller.DispatcherHelper$6.intercept(DispatcherHelper.java:456)
[stripes-1.6.0.jar:1.6.0]
at
net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:176)
[stripes-1.6.0.jar:1.6.0]
at
mypackage.web.interceptors.AuthenticateInterceptor.intercept(AuthenticateInterceptor.java:41)
[classes/:na]
at
net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:173)
[stripes-1.6.0.jar:1.6.0]
at
net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
[stripes-1.6.0.jar:1.6.0]
at
net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:173)
[stripes-1.6.0.jar:1.6.0]
at
net.sourceforge.stripes.controller.ExecutionContext.wrap(ExecutionContext.java:86)
[stripes-1.6.0.jar:1.6.0]
at
net.sourceforge.stripes.controller.DispatcherHelper.invokeEventHandler(DispatcherHelper.java:454)
[stripes-1.6.0.jar:1.6.0]
at
net.sourceforge.stripes.controller.DispatcherServlet.invokeEventHandler(DispatcherServlet.java:278)
[stripes-1.6.0.jar:1.6.0]
at
net.sourceforge.stripes.controller.DispatcherServlet.service(DispatcherServlet.java:160)
[stripes-1.6.0.jar:1.6.0]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
[servlet-api.jar:na]
at
net.sourceforge.stripes.controller.DynamicMappingFilter$2.doFilter(DynamicMappingFilter.java:464)
[stripes-1.6.0.jar:1.6.0]
at
net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:260)
[stripes-1.6.0.jar:1.6.0]
at
net.sourceforge.stripes.controller.DynamicMappingFilter.doFilter(DynamicMappingFilter.java:451)
[stripes-1.6.0.jar:1.6.0]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[catalina.jar:8.5.23]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[catalina.jar:8.5.23]
at
org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
[urlrewritefilter-4.0.3.jar:4.0.3]
at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
[urlrewritefilter-4.0.3.jar:4.0.3]
at
org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
[urlrewritefilter-4.0.3.jar:4.0.3]
at
org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394)
[urlrewritefilter-4.0.3.jar:4.0.3]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[catalina.jar:8.5.23]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[catalina.jar:8.5.23]
at
org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:108)
[catalina.jar:8.5.23]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[catalina.jar:8.5.23]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[catalina.jar:8.5.23]
at
ch.qos.logback.classic.helpers.MDCInsertingServletFilter.doFilter(MDCInsertingServletFilter.java:51)
[logback-classic-1.0.9.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[catalina.jar:8.5.23]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[catalina.jar:8.5.23]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
[catalina.jar:8.5.23]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
[catalina.jar:8.5.23]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:595)
[catalina.jar:8.5.23]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
[catalina.jar:8.5.23]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
[catalina.jar:8.5.23]
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
[catalina.jar:8.5.23]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
[catalina.jar:8.5.23]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
[catalina.jar:8.5.23]
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:486)
[tomcat-coyote.jar:8.5.23]
at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
[tomcat-coyote.jar:8.5.23]
at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
[tomcat-coyote.jar:8.5.23]
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
[tomcat-coyote.jar:8.5.23]
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
[tomcat-coyote.jar:8.5.23]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[na:1.8.0_141]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[na:1.8.0_141]
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[tomcat-util.jar:8.5.23]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_141]
Caused by: org.bouncycastle.openpgp.PGPException: exception on setup:
java.security.NoSuchAlgorithmException: class configured for
MessageDigest (provider: BC) cannot be found.
at
org.bouncycastle.openpgp.operator.jcajce.JcaPGPDigestCalculatorProviderBuilder$1.get(Unknown
Source) ~[bcpg-jdk15on-157.jar:1.57.0]
at org.bouncycastle.openpgp.operator.PGPUtil.makeKeyFromPassPhrase(Unknown
Source) ~[bcpg-jdk15on-157.jar:1.57.0]
at
org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor.makeKeyFromPassPhrase(Unknown
Source) ~[bcpg-jdk15on-157.jar:1.57.0]
at org.bouncycastle.openpgp.PGPSecretKey.extractKeyData(Unknown
Source) ~[bcpg-jdk15on-157.jar:1.57.0]
at org.bouncycastle.openpgp.PGPSecretKey.extractPrivateKey(Unknown
Source) ~[bcpg-jdk15on-157.jar:1.57.0]
at mypackage.crypto.PGPUtils.extractPrivateKey(PGPUtils.java:347)
~[mypackage.jar:na]
at mypackage.crypto.PGPUtils.decrypt(PGPUtils.java:263) ~[mypackage.jar:na]
... 50 common frames omitted
Caused by: java.security.NoSuchAlgorithmException: class configured
for MessageDigest (provider: BC) cannot be found.
at java.security.Provider$Service.getImplClass(Provider.java:1649)
~[na:1.8.0_141]
at java.security.Provider$Service.newInstance(Provider.java:1592)
~[na:1.8.0_141]
at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
~[na:1.8.0_141]
at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
~[na:1.8.0_141]
at java.security.Security.getImpl(Security.java:698) ~[na:1.8.0_141]
at java.security.MessageDigest.getInstance(MessageDigest.java:227)
~[na:1.8.0_141]
at org.bouncycastle.jcajce.util.NamedJcaJceHelper.createDigest(Unknown
Source) ~[bcprov-jdk15on-157.jar:1.57.0]
at
org.bouncycastle.openpgp.operator.jcajce.OperatorHelper.createDigest(Unknown
Source) ~[bcpg-jdk15on-157.jar:1.57.0]
... 57 common frames omitted
Caused by: java.lang.ClassNotFoundException: Illegal access: this web
application instance has been stopped already. Could not load
[org.bouncycastle.jcajce.provider.digest.SHA256$Digest]. The following
stack trace is thrown for debugging purposes as well as to attempt to
terminate the thread which caused the illegal access.
at
org.apache.catalina.loader.WebappClassLoaderBase.checkStateForClassLoading(WebappClassLoaderBase.java:1301)
~[catalina.jar:8.5.23]
at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1158)
~[catalina.jar:8.5.23]
at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1119)
~[catalina.jar:8.5.23]
at java.security.Provider$Service.getImplClass(Provider.java:1636)
~[na:1.8.0_141]
... 64 common frames omitted
Caused by: java.lang.IllegalStateException: Illegal access: this web
application instance has been stopped already. Could not load
[org.bouncycastle.jcajce.provider.digest.SHA256$Digest]. The following
stack trace is thrown for debugging purposes as well as to attempt to
terminate the thread which caused the illegal access.
at
org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading(WebappClassLoaderBase.java:1311)
~[catalina.jar:8.5.23]
at
org.apache.catalina.loader.WebappClassLoaderBase.checkStateForClassLoading(WebappClassLoaderBase.java:1299)
~[catalina.jar:8.5.23]
... 67 common frames omitted
As soon as I restart Tomcat it's ok. If I reload tomcat after changing
anything else but the jar containing my crypto utility class, it is
also OK. It is only when the jar containing
the crypto stuff is updated (not the BC libraries though) that the
classloader loses the BC provider.
If I move the call
Security.addProvider(new BouncyCastleProvider())
into the contextInitialized() method of a ServletContextListener,
everything works on reloading a webapp, no matter what classes or jars
I update.
Can someone explain why the static initializer breaks down here please?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
