[kepler-dev] Bouncy Castle issue within Kepler

Aaron Schultz aschultz at nceas.ucsb.edu
Wed Sep 3 14:53:29 PDT 2008 

Hi Michal,

jce-jdk13-117.jar is a well used jar, it has 189 dependencies from the 
code sets listed below

kepler
ptII
cog-jglobus.jar
commons-httpclient-2.0-rc2.jar
db2jcc.jar
dnsjava-1.3.2.jar
jsch-0.1.31.jar
xmlsec.jar
xws-security.jar
commons-httpclient-3.0.1.jar

I found both the 117 and the 120 signed jars at ftp.bouncycastle.org.  
This post I found on the internet 
http://www.globus.org/mail_archive/java/2003/11/msg00112.html
suggests that the signed 117 jar has a faulty certificate and so that 
may be why the Kepler jar had it's certificates deleted back in 2004 as 
a quick fix to get around this.  So replacing the 117 jar with the 
signed 117 version will likely not work since the jar was built in 
january of 2003 and has not changed since then.  Upgrading to the 120 
version is probably the best course of action and since it seems to work 
well for you Michal I think we should just go ahead and delete the 117 
jar and put the 120 jar into SVN and fix any resulting bugs from the 
change as they come up.

Aaron


Matt Jones wrote:
> Hi Michal,
>
> We certainly would be willing to upgrade the jar file if it doesn't 
> cause problems for other components in Kepler.  I wonder if the only 
> issue is that the new version of the jar file is signed, and the old 
> one is not?  If this is the case, we also could look into getting a 
> signed version of the 117 jar file.
>
> Aaron -- can you look at the other classes that depend on this jar 
> file and determine if an upgrade will break anything?  If it looks 
> safe, could you replace it?
>
> Matt
>
> On Wed, Sep 3, 2008 at 3:01 AM, Michal Owsiak <michalo at man.poznan.pl 
> <mailto:michalo at man.poznan.pl>> wrote:
>
>     Hi,
>
>     I am trying to develop an actor which will be able to use grid
>     proxy. To manipulate the proxy I am using bouncy castle library -
>     and here come the troubles.
>
>     When I try to use jce-jdk13-117.jar library (which is distributed
>     along with Kepler)  I get an error while accessing the private key:
>
>     Following code (org.globus.gsi.bc.BouncyCastleOpenSSLKey is
>     located inside cog-jglobus.jar)
>
>     --- CUT ---
>     OpenSSLKey key = new
>     org.globus.gsi.bc.BouncyCastleOpenSSLKey(userPrivateKeyPath);
>
>     if (key.isEncrypted()) {
>            key.decrypt(userPrivateKeyPassword);
>     }
>     --- CUT ---
>
>     throws an exception:
>
>     Exception in thread "main" java.lang.SecurityException: JCE cannot
>     authenticate the provider BC
>            at javax.crypto.Cipher.getInstance(DashoA12275)
>            at javax.crypto.Cipher.getInstance(DashoA12275)
>            at org.globus.gsi.OpenSSLKey.getCipher(OpenSSLKey.java:341)
>            at org.globus.gsi.OpenSSLKey.decrypt(OpenSSLKey.java:208)
>            at org.globus.gsi.OpenSSLKey.decrypt(OpenSSLKey.java:187)
>            at
>     example.tutorial.ProxyHelper.createUserPrivateKey(ProxyHelper.java:134)
>            at
>     example.tutorial.ProxyHelper.createProxy(ProxyHelper.java:60)
>            at example.tutorial.ProxyHelper.main(ProxyHelper.java:167)
>     Caused by: java.util.jar.JarException:
>     file:/home/michalo/Kepler-1.0.0/lib/jar/jce-jdk13-117.jar is not
>     signed.
>
>
>     When I replace jce-jdk13-117.jar with jce-jdk13-120.jar everything
>     works just fine (jce-jdk13-120.jar is signed).
>
>     shell>jarsigner -verify -certs -verbose jce-jdk13-120.jar~ | more
>
>           98759 Thu Dec 29 16:23:56 CET 2005 META-INF/MANIFEST.MF
>           98552 Thu Dec 29 16:23:56 CET 2005 META-INF/BCKEY.SF
>            2213 Thu Dec 29 16:23:56 CET 2005 META-INF/BCKEY.DSA
>               0 Thu Dec 29 16:16:38 CET 2005 META-INF/
>               0 Thu Dec 29 16:16:36 CET 2005 javax/
>               0 Thu Dec 29 16:16:36 CET 2005 javax/crypto/
>     sm       235 Thu Dec 29 16:16:36 CET 2005
>     javax/crypto/BadPaddingException.class
>
>          X.509, CN=The Legion of the Bouncy Castle, OU=Java Software
>     Code Signing,
>     O=Sun Microsystems Inc
>          [certificate will expire on 9/28/08 2:16 AM]
>          X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing,
>     O=Sun Micros
>     ystems Inc, L=Palo Alto, ST=CA, C=US
>          [certificate is valid from 4/25/01 9:00 AM to 4/25/20 9:00 AM]
>          [NetscapeCertType extension does not support code signing]
>
>     shell>jarsigner -verify jce-jdk13-117.jar
>     no manifest.
>     jar is unsigned. (signatures missing or not parsable)
>
>
>     Does anyone know how can I overcome this issue? What I do now is
>     replacing jce-jdk13-117.jar with jce-jdk13-120.jar (but this is
>     not a solution because jce-jdk13-117.jar comes with default Kepler
>     installation). Is it possible to upgrade jce-jdk13-117.jar to
>     jce-jdk13-120.jar within Kepler installation?
>
>     Cheers
>
>     -- 
>     Michal Owsiak <michalo at man.poznan.pl <mailto:michalo at man.poznan.pl>>
>     Poznan Supercomputing and Networking Center
>     ul. Noskowskiego 10, 61-704 Poznan, POLAND
>     http://www.man.poznan.pl
>     _______________________________________________
>     Kepler-dev mailing list
>     Kepler-dev at ecoinformatics.org <mailto:Kepler-dev at ecoinformatics.org>
>     http://mercury.nceas.ucsb.edu/ecoinformatics/mailman/listinfo/kepler-dev
>
>
>
>
> -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Matthew B. Jones
> Director of Informatics Research and Development
> National Center for Ecological Analysis and Synthesis (NCEAS)
> UC Santa Barbara
> jones at nceas.ucsb.edu <mailto:jones at nceas.ucsb.edu>                     
>   Ph: 1-907-523-1960
> http://www.nceas.ucsb.edu/ecoinfo
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

More information about the Kepler-dev mailing list