Posted to dev@felix.apache.org by Konrad Windszus <ko...@gmx.de> on 2019/12/05 12:11:22 UTC

Class.getProtectionDomain() does not contain correct CodeSource

Hi,
I am currently running into the following exception when trying to leverage BouncyCastle (deployed as signed jar bundles inside Felix).

....
Caused by: java.lang.SecurityException: JCE cannot authenticate the provider BC
	at javax.crypto.Cipher.getInstance(Cipher.java:656)
	at org.bouncycastle.jcajce.util.ProviderJcaJceHelper.createCipher(Unknown Source)
	at org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder$1.get(Unknown Source)
	... 88 common frames omitted
Caused by: java.net.MalformedURLException: Stream handler unavailable due to: invalid url: jcrinstall:/apps/netcentric/actool/install/bcprov-jdk15on-1.64.jar!/ (java.net.MalformedURLException: Unknown protocol: jcrinstall)
	at java.net.URL.<init>(URL.java:644)
	at java.net.URL.<init>(URL.java:507)
	at java.net.URL.<init>(URL.java:456)
	at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:420)
	at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:363)
	at javax.crypto.JarVerifier.verify(JarVerifier.java:289)
	at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:164)
	at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:190)
	at javax.crypto.Cipher.getInstance(Cipher.java:652)
	... 90 common frames omitted
Caused by: java.lang.IllegalStateException: Stream handler unavailable due to: invalid url: jcrinstall:/apps/netcentric/actool/install/bcprov-jdk15on-1.64.jar!/ (java.net.MalformedURLException: Unknown protocol: jcrinstall)
	at org.apache.felix.framework.URLHandlersStreamHandlerProxy.parseURL(URLHandlersStreamHandlerProxy.java:431)
	at java.net.URL.<init>(URL.java:639)
	... 98 common frames omitted
Caused by: java.net.MalformedURLException: invalid url: jcrinstall:/apps/netcentric/actool/install/bcprov-jdk15on-1.64.jar!/ (java.net.MalformedURLException: Unknown protocol: jcrinstall)
	at java.net.URL.<init>(URL.java:644)
	at org.apache.felix.framework.util.SecureAction.createURL(SecureAction.java:256) [org.apache.felix.webconsole:4.3.8]
	at org.apache.felix.framework.URLHandlersStreamHandlerProxy.parseURL(URLHandlersStreamHandlerProxy.java:423)
	... 99 common frames omitted
Caused by: java.lang.NullPointerException: invalid url: jcrinstall:/apps/netcentric/actool/install/bcprov-jdk15on-1.64.jar!/ (java.net.MalformedURLException: Unknown protocol: jcrinstall)
	at sun.net.www.protocol.jar.Handler.parseAbsoluteSpec(Handler.java:191)
	at sun.net.www.protocol.jar.Handler.parseURL(Handler.java:164)
	at java.net.URL.<init>(URL.java:639)
	... 101 common frames omitted

I traced it down to the following method https://github.com/openjdk/jdk/blob/7bf82983443025248a22949b22e5ce9f16744b60/src/java.base/share/classes/javax/crypto/JceSecurity.java.template#L261 which tries to retrieve a URL for a loaded class.
The URL seems to contain the bundle location (in this case the bundle has been installed via https://sling.apache.org/documentation/bundles/jcr-installer-provider.html, which set the URL's prefix to "jcrinstall"), which cannot be verified.
Instead the code source should contain the filesystem URL of the underlying JAR. WDYT?

When looking at the Felix source I found https://github.com/apache/felix/blob/91800a17a726244f7a3853053fdc9b4616230865/framework/src/main/java/org/apache/felix/framework/BundleProtectionDomain.java which seems to do the thing correctly, but this doesn't seem to be used in my case for some reason. Any idea why the bundle location appears in the code source for this particular class loaded via the bundle class loader?

Is that a bug in Felix?

Thanks for any hints,
Konrad
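
As an added illustration of the failure described in this message (not code from the post, Felix or the JDK): a small diagnostic that reads a class's CodeSource location and tries to wrap it in a `jar:` URL, which approximates the step the stack trace shows failing in JarVerifier. The class name `CodeSourceCheck` and its methods are hypothetical; the sample location is the one from the trace.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.security.CodeSource;
import java.security.ProtectionDomain;

public class CodeSourceCheck {

    /** Reports where a class claims to come from and whether that URL parses. */
    static String diagnose(Class<?> clazz) {
        ProtectionDomain pd = clazz.getProtectionDomain();
        CodeSource cs = (pd == null) ? null : pd.getCodeSource();
        if (cs == null || cs.getLocation() == null) {
            // Typical for classes loaded by the bootstrap class loader.
            return clazz.getName() + ": no code source location";
        }
        return clazz.getName() + ": " + checkLocation(cs.getLocation().toString());
    }

    /** Wraps the location in a jar: URL (assumed approximation of the JCE check). */
    static String checkLocation(String location) {
        String spec = location.startsWith("jar:") ? location : "jar:" + location + "!/";
        try {
            // Parsing only; the JAR is not opened and no signature is verified.
            URL jarUrl = new URL(spec);
            return "parses as " + jarUrl;
        } catch (MalformedURLException e) {
            // An inner protocol without a registered stream handler ends up here.
            return "does NOT parse (" + spec + "): " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Pass a fully qualified class name, or let the check run on itself.
        Class<?> target = args.length > 0 ? Class.forName(args[0]) : CodeSourceCheck.class;
        System.out.println(diagnose(target));

        // Constructed sample: the bundle location seen in the stack trace.
        System.out.println(checkLocation(
            "jcrinstall:/apps/netcentric/actool/install/bcprov-jdk15on-1.64.jar"));
    }
}
```

Run standalone, the second line reports the `jcrinstall` location as unparseable; to diagnose a real deployment, call `diagnose` on the provider class from inside the framework, since the result depends on which URL stream handlers are registered there.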

Re: Class.getProtectionDomain() does not contain correct CodeSource

Posted by Konrad Windszus <ko...@gmx.de>.
I debugged a bit further and indeed I am using the BundleProtectionDomain, but this seems to use the bundle's location by default (https://github.com/apache/felix/blob/91800a17a726244f7a3853053fdc9b4616230865/framework/src/main/java/org/apache/felix/framework/BundleProtectionDomain.java#L370)

I tried using the property "felix.bundlecodesource.usecachedurls=true",
and the URL with that one is "jar:bundle://8ece8acf-6cdf-4444-8b12-f267d8771d4c_585.0:0/!/"
which can be verified.

I am wondering now what the reason is for that (undocumented flag) and why the default URL will leverage the bundle location?

Thanks for any input,
Konrad
