Thanks again for your help. I did what you suggested. When I added BC to the beginning of the security provider list, i.e. priority 1, that caused all kinds of other errors to pop up - the Corba module didn't load because of a security error etc.
I tried the second position and the last position, but the original ClassNotFound error reappeared. I tried something else: I put the bountyCastls jar back into my application. Then I wrote code to get the class loader from within my web service application, dumped it to the log file along with its parents, and then try to use it to load the javax.crypto.Cipher class, and then got the class loader from javax.crypto.Cipher to see if it matched the class loader of my web app. It appears to. Here's the log output: classloader: [EMAIL PROTECTED] Delegation Mode: PARENT_LAST parent: [EMAIL PROTECTED] Local Classpath: Delegation mode: PARENT_LAST parent: [EMAIL PROTECTED] Local ClassPath: C:\Program Files\WebSphere\AppServer\lib\app Delegation Mode: PARENT_LAST parent: [EMAIL PROTECTED] parent: [EMAIL PROTECTED] parent: [EMAIL PROTECTED] parent: [EMAIL PROTECTED] loaded class class javax.crypto.Cipher loader: [EMAIL PROTECTED] I did that to try to force it to grab the crypto classes from my project rather than from the jre. I guess other websphere modules (like the Corba one that choked) load javax.crypto.Cipher before I can get at it, so I can't force the local class loader to load mine, even though the log output looks like it did. I'm aware that class loaders check to see if a class is already loaded before it tries to find it. cheers, md > -----Original Message----- > From: David Hook [mailto:[EMAIL PROTECTED] > Sent: Tuesday, July 17, 2007 7:00 PM > To: Davis, Michael > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; > [email protected] > Subject: RE: [dev-crypto] Bug in Cipher class? > > > > Try putting the provider jar in jre/lib/ext and add BC to the > java.security file as well. > > Regards, > > David > > On Tue, 2007-07-17 at 11:03 -0400, [EMAIL PROTECTED] > wrote: > > Thanks very much for your reply, David. Now I have > something to work with. > > > > I tried removing the BouncyCastle jar from my project, but > it looks like wss4j requires it. When I remove it, I get an > error saying that Cipher can't find a provider supporting the > algorithm. I tried it with the algorithms defined in wss4j, namely > > > > AES/CBC/ISO10126Padding and DESede/CBC/ISO10126Padding. > > > > this happens both on Sun's java with providers SUN, > SunJSSE, SunRsaSign, SunJCE and SunJGSS, and on IBM's java > with providers IBMJCE, IBMJSSE, IBMJGSSProvider, IBMCertPath > and IBMPKCS11. (I get those by printing out what's returned > by Security.getProviders() ). > > > > I tried setting the algorithm to "AES" to see if that > works, but that causes a null pointer exception in wss4j, so > I figure I need to use the ones that are defined in wss4j. > > > > So I'm stuck. With IBM's java, I get the class loader issue > if I supply the BouncyCastle jar, and I get an > UnsupportedAlgorithm exception if I don't. > > > > Any hints would be very gratefully appreciated! > > > > cheers, > > Michael Davis > > > > > > > -----Original Message----- > > > From: David Hook [mailto:[EMAIL PROTECTED] > > > Sent: Monday, July 16, 2007 8:35 PM > > > To: Davis, Michael > > > Cc: [EMAIL PROTECTED] > > > Subject: Re: [dev-crypto] Bug in Cipher class? > > > > > > > > > > > > It's a class loader issue - ciphers need to be loaded by > the system > > > class loader as the JCE is loaded by it. If the provider jar > > > gets loaded > > > by another untrusted class loader the getInstance() call on > > > Cipher will > > > fail with either ClassNotFoundException if no other class > loader can > > > return the class, or ClassCastException if the class is > returned by a > > > class loader but isn't properly annotated. > > > > > > You need to make sure the same class loader is picking up > the provider > > > jars as is picking up the JCE classes. > > > > > > Regards, > > > > > > David > > > On Mon, 2007-07-16 at 15:08 -0400, > [EMAIL PROTECTED] > > > wrote: > > > > Hi, > > > > > > > > I've asked this question on the Apache xml security mailing > > > list, but I got no answer. I figure you folks must be experts > > > on this stuff, so... > > > > > > > > I'm developing a web service using Axis2. I'm using its > > > WS-Security framework to encrypt the xml messages. This > > > framework ultimately uses the Apache XML Security library, > > > which has this line of code: > > > > > > > > instance._contextCipher = Cipher.getInstance(jceAlgorithm); > > > > > > > > This works fine using the Sun jdk1.4, which uses Sun's > > > jce.jar and sunjce_provider.jar. It also works fine using the > > > BouncyCastle classes - Sun's Cipher class finds and returns > > > the appropriate BC class. > > > > > > > > However, when I try to run the app on WebSphere 5.1, I get > > > this error: > > > > > > > > java.lang.ClassCastException: com.ibm.crypto.provider.AESCipher > > > > at javax.crypto.Cipher.getInstance(Unknown Source) > > > > > > > > This is getting thrown by IBM's javax.crypto.Cipher class > > > in ibmjcefw.jar. > > > > > > > > This happens even if I manipuate the providers to load the > > > BC classes first - in that case the class causing the > > > ClassCastException is > > > org.bouncycastle.jce.provider.JCEBlockCipher$AES. > > > > > > > > Have any of you ever seen this problem before? > > > > > > > > Many thanks, > > > > Michael Davis > > > > Ottawa > > > > > > > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
