Actually, I wonder if the following issue is related.

The WSSConfig class insists on inserting the Bouncycastle JCE provider "first" (or second...) in the list of JCE providers, if it can be found on the classpath.

The IBM JDK does not seem terribly appreciative of this fact, as the following test case illustrates.  For me, on AIX, using IBM's 1.4.02 JDK, the following code fails with "java.security.KeyStoreException: jks not found".  If I add the Bouncycastle provider to the end of the list of providers, I don't get the error.

public class Test {

    public static void main(String[] argv) {
        try {
            // Insert the Bouncy Castle provider at position 2 of the JCE provider list.
            java.security.Security.insertProviderAt(
                (java.security.Provider) Class.forName(
                    "org.bouncycastle.jce.provider.BouncyCastleProvider"
                ).newInstance(),
                2
            );

            // Look up the default JKS keystore type and load a keystore file.
            final java.security.KeyStore keystore =
                java.security.KeyStore.getInstance("jks");
            java.io.FileInputStream fis =
                new java.io.FileInputStream("alice.jks");
            keystore.load(fis, "password".toCharArray());

        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Truss on AIX shows some interesting behavior.  It looks like the JVM can't locate org/bouncycastle/jce/provider/JDKMessageDigest$SHA1.class, but it's a bit hard to decipher.

In any event, I think the fact that the WSS4j toolkit is statically injecting a provider into the JVM at runtime is pretty wrong, especially in library code that has to co-exist peacefully in an otherwise potentially hostile environment...

I'll file a bug, and consider what can be done for a patch.

-Fred
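
A diagnostic for the provider-ordering problem described in this message, as an added example that is not part of the original e-mail and not WSS4J code. The class name `ProviderOrderCheck` is hypothetical; it appends the provider with `Security.addProvider` instead of inserting it at position 2, then reports which provider resolves `jks` before and after, and whether the loaded Bouncy Castle build registers a `BKS` keystore type.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

public class ProviderOrderCheck {
    // Same provider class the test case in this message loads reflectively.
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    /** Name of the provider that answers KeyStore.getInstance(type), or null if none does. */
    static String servedBy(String type) {
        try {
            return KeyStore.getInstance(type).getProvider().getName();
        } catch (Exception e) {
            return null; // e.g. KeyStoreException: "<type> not found"
        }
    }

    /** Prints providers in preference order and marks those offering the given KeyStore type. */
    static void dump(String label, String type) {
        System.out.println(label);
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            boolean offers = providers[i].getService("KeyStore", type) != null;
            System.out.println("  " + (i + 1) + ". " + providers[i].getName()
                    + (offers ? "  <- offers KeyStore." + type : ""));
        }
    }

    public static void main(String[] args) throws Exception {
        dump("Providers before registration:", "JKS");
        String before = servedBy("jks");

        Provider bc;
        try {
            bc = (Provider) Class.forName(BC_CLASS).getDeclaredConstructor().newInstance();
        } catch (ClassNotFoundException e) {
            System.out.println("Bouncy Castle is not on the classpath; nothing registered.");
            return;
        }
        // Append at the end of the list instead of insertProviderAt(bc, 2),
        // so the JDK's own providers keep their precedence.
        int position = Security.addProvider(bc); // -1 if already installed
        dump("Providers after addProvider (returned " + position + "):", "JKS");
        String after = servedBy("jks");
        System.out.println("jks resolved by: " + before + " -> " + after);
        System.out.println("BKS offered by " + bc.getName() + ": "
                + (bc.getService("KeyStore", "BKS") != null));
    }
}
```
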

Dittmann, Werner wrote:
IMHO it's quite simple: BC does not support the BKS keystore
type. Also you may define which provider to use and the keystore
type in the security property file.

Regards,
Werner


  
-----Original Message-----
From: vivek srinivasan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 19 September 2006 04:40
To: [EMAIL PROTECTED]; [email protected]
Subject: RE: Bouncy castle +Websphere 6.0 + WSS4j 1.5 issue

Here is the stack trace
    [junit] java.security.KeyStoreException: BKS not found
    [junit]     at java.security.KeyStore.getInstance(KeyStore.java:233)
    [junit]     at org.apache.ws.axis.security.WSDoAllSender.invoke(WSDoAllSender.java:56)
    [junit]     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    [junit]     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    [junit]     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    [junit]     at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
    [junit]     at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
    [junit]     at org.apache.axis.client.Call.invoke(Call.java:2767)
    [junit]     at org.apache.axis.client.Call.invoke(Call.java:2443)
    [junit]     at org.apache.axis.client.Call.invoke(Call.java:2366)
    [junit]     at org.apache.axis.client.Call.invoke(Call.java:1812)
    [junit]     at test.com.ams.coretest.serverdependent.webservices.WSSecurityTestServiceSoapBindingStub.testX509NoFault(WSSecurityTestServiceSoapBindingStub.java:637)
    [junit]     at test.com.ams.coretest.serverdependent.webservices.WSSecurity_ServiceTestCase.testX509NoFault(WSSecurity_ServiceTestCase.java:65)
    [junit]     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [junit]     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
    [junit]     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
    [junit]     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
    [junit]     at java.lang.reflect.Method.invoke(Method.java:391)
    [junit]     at junit.framework.TestCase.runTest(TestCase.java:166)
    [junit]     at junit.framework.TestCase.runBare(TestCase.java:140)
    [junit]     at junit.framework.TestResult$1.protect(TestResult.java:106)
    [junit]     at junit.framework.TestResult.runProtected(TestResult.java:124)
    [junit]     at junit.framework.TestResult.run(TestResult.java:109)
    [junit]     at junit.framework.TestCase.run(TestCase.java:131)
    [junit]     at junit.framework.TestSuite.runTest(TestSuite.java:173)
    [junit]     at junit.framework.TestSuite.run(TestSuite.java:168)
    [junit]     at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.run(JUnitTestRunner.java:297)
    [junit]     at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.launch(JUnitTestRunner.java:672)
    [junit]     at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.main(JUnitTestRunner.java:567)
    [junit] java.security.KeyStoreException: BKS not found
    [junit]     at java.security.KeyStore.getInstance(KeyStore.java:233)
    [junit]     at com.ams.core.security2.csf.webservices.WSS4JCSFCryptoImpl.<init>(WSS4JCSFCryptoImpl.java:40)


    
From: "vivek srinivasan" <[EMAIL PROTECTED]>
To: [email protected]
Subject: Bouncy castle +Websphere 6.0 + WSS4j 1.5 issue
Date: Tue, 19 Sep 2006 02:33:45 +0000

Hi,

I have all the types of authentication (SAML, username token etc.) working
in Weblogic using WSS4J. But when I try to use the IBM JVM, it does not
recognize the BC provider and type BKS. The call to
KeyStore.getInstance("BKS","BC") throws an exception that the type BKS is
unknown. Is WSS4j doing anything "special"? And does WSS4J run with
Websphere 6.0?

Here is the java.security file:

security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse.IBMJSSEProvider
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
#security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11
security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.7=com.ibm.crypto.pkcs11.provider.IBMPKCS11
security.provider.8=com.ams.csf.provider.CSFProvider

I have the BC provider jar in jre/lib/ext.
