[kepler-dev] Bouncy Castle issue within Kepler
Michal Owsiak
michalo at man.poznan.pl
Mon Sep 8 02:46:39 PDT 2008
Hello again,
I have finally tested the whole use case inside Kepler and it seems that
there are two jars that have to be replaced in order to use Bouncy Castle.
I have replaced:
cog-jglobus.jar
jce-jdk13-117.jar
with newer versions of these libraries (cog-jglobus.jar and
jce-jdk13-120.jar) - so far so good.
Additionally, Bernard Guillerminet suggested replacing cryptix-asn1.jar
as well, thus I have replaced this file and checked everything once again.
It seems that everything is OK, but I can't tell what the
implications are for the whole Kepler application. But, at least, I can
generate a proxy and then I am able to extend it with VOMS attributes.
Cheers
Michal
>
> Hi Michal,
>
> jce-jdk13-117.jar is a well used jar, it has 189 dependencies from the
> code sets listed below
>
> kepler
> ptII
> cog-jglobus.jar
> commons-httpclient-2.0-rc2.jar
> db2jcc.jar
> dnsjava-1.3.2.jar
> jsch-0.1.31.jar
> xmlsec.jar
> xws-security.jar
> commons-httpclient-3.0.1.jar
>
> I found both the 117 and the 120 signed jars at ftp.bouncycastle.org.
> This post I found on the internet
> http://www.globus.org/mail_archive/java/2003/11/msg00112.html
> suggests that the signed 117 jar has a faulty certificate and so that
> may be why the Kepler jar had its certificates deleted back in 2004 as
> a quick fix to get around this. So replacing the 117 jar with the
> signed 117 version will likely not work since the jar was built in
> January of 2003 and has not changed since then. Upgrading to the 120
> version is probably the best course of action and since it seems to work
> well for you Michal I think we should just go ahead and delete the 117
> jar and put the 120 jar into SVN and fix any resulting bugs from the
> change as they come up.
>
> Aaron
>
>
> Matt Jones wrote:
>> Hi Michal,
>>
>> We certainly would be willing to upgrade the jar file if it doesn't
>> cause problems for other components in Kepler. I wonder if the only
>> issue is that the new version of the jar file is signed, and the old
>> one is not? If this is the case, we also could look into getting a
>> signed version of the 117 jar file.
>>
>> Aaron -- can you look at the other classes that depend on this jar
>> file and determine if an upgrade will break anything? If it looks
>> safe, could you replace it?
>>
>> Matt
>>
>> On Wed, Sep 3, 2008 at 3:01 AM, Michal Owsiak <michalo at man.poznan.pl> wrote:
>>
>> Hi,
>>
>> I am trying to develop an actor which will be able to use grid
>> proxy. To manipulate the proxy I am using bouncy castle library -
>> and here come the troubles.
>>
>> When I try to use jce-jdk13-117.jar library (which is distributed
>> along with Kepler) I get an error while accessing the private key:
>>
>> Following code (org.globus.gsi.bc.BouncyCastleOpenSSLKey is
>> located inside cog-jglobus.jar)
>>
>> --- CUT ---
>> OpenSSLKey key = new org.globus.gsi.bc.BouncyCastleOpenSSLKey(userPrivateKeyPath);
>>
>> if (key.isEncrypted()) {
>>     key.decrypt(userPrivateKeyPassword);
>> }
>> --- CUT ---
>>
>> throws an exception:
>>
>> Exception in thread "main" java.lang.SecurityException: JCE cannot authenticate the provider BC
>>     at javax.crypto.Cipher.getInstance(DashoA12275)
>>     at javax.crypto.Cipher.getInstance(DashoA12275)
>>     at org.globus.gsi.OpenSSLKey.getCipher(OpenSSLKey.java:341)
>>     at org.globus.gsi.OpenSSLKey.decrypt(OpenSSLKey.java:208)
>>     at org.globus.gsi.OpenSSLKey.decrypt(OpenSSLKey.java:187)
>>     at example.tutorial.ProxyHelper.createUserPrivateKey(ProxyHelper.java:134)
>>     at example.tutorial.ProxyHelper.createProxy(ProxyHelper.java:60)
>>     at example.tutorial.ProxyHelper.main(ProxyHelper.java:167)
>> Caused by: java.util.jar.JarException: file:/home/michalo/Kepler-1.0.0/lib/jar/jce-jdk13-117.jar is not signed.
>>
>>
>> When I replace jce-jdk13-117.jar with jce-jdk13-120.jar everything
>> works just fine (jce-jdk13-120.jar is signed).
>>
>> shell>jarsigner -verify -certs -verbose jce-jdk13-120.jar~ | more
>>
>> 98759 Thu Dec 29 16:23:56 CET 2005 META-INF/MANIFEST.MF
>> 98552 Thu Dec 29 16:23:56 CET 2005 META-INF/BCKEY.SF
>> 2213 Thu Dec 29 16:23:56 CET 2005 META-INF/BCKEY.DSA
>> 0 Thu Dec 29 16:16:38 CET 2005 META-INF/
>> 0 Thu Dec 29 16:16:36 CET 2005 javax/
>> 0 Thu Dec 29 16:16:36 CET 2005 javax/crypto/
>> sm 235 Thu Dec 29 16:16:36 CET 2005 javax/crypto/BadPaddingException.class
>>
>> X.509, CN=The Legion of the Bouncy Castle, OU=Java Software Code Signing, O=Sun Microsystems Inc
>> [certificate will expire on 9/28/08 2:16 AM]
>> X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
>> [certificate is valid from 4/25/01 9:00 AM to 4/25/20 9:00 AM]
>> [NetscapeCertType extension does not support code signing]
>>
>> shell>jarsigner -verify jce-jdk13-117.jar
>> no manifest.
>> jar is unsigned. (signatures missing or not parsable)
>>
>>
>> Does anyone know how I can overcome this issue? What I do now is
>> replace jce-jdk13-117.jar with jce-jdk13-120.jar (but this is
>> not a solution because jce-jdk13-117.jar comes with the default Kepler
>> installation). Is it possible to upgrade jce-jdk13-117.jar to
>> jce-jdk13-120.jar within the Kepler installation?
>>
>> Cheers
>>
>> -- Michal Owsiak <michalo at man.poznan.pl>
>> Poznan Supercomputing and Networking Center
>> ul. Noskowskiego 10, 61-704 Poznan, POLAND
>> http://www.man.poznan.pl
>>
>> --
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Matthew B. Jones
>> Director of Informatics Research and Development
>> National Center for Ecological Analysis and Synthesis (NCEAS)
>> UC Santa Barbara
>> jones at nceas.ucsb.edu
>> Ph: 1-907-523-1960
>> http://www.nceas.ucsb.edu/ecoinfo
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
--
Michal Owsiak <michalo at man.poznan.pl>
Poznan Supercomputing and Networking Center
ul. Noskowskiego 10, 61-704 Poznan, POLAND
http://www.man.poznan.pl
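
Added example, not part of the original thread or of Kepler: a structural pre-check that tells the three jar states seen above apart ("no manifest", unsigned, signed) and confirms each entry still matches its manifest digest. It does not validate the signature or the certificate chain, which is what jarsigner and the JCE do; audit_jar, parse_manifest and build_jar are hypothetical names, and the sample jars are constructed in memory.

```python
import base64, hashlib, io, re, zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIG = re.compile(r"META-INF/[^/]+\.(SF|DSA|RSA|EC)$", re.I)  # e.g. BCKEY.SF, BCKEY.DSA

def parse_manifest(text):
    """Map each 'Name:' section of MANIFEST.MF to its attributes."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def audit_jar(data):
    """Return 'no-manifest', 'unsigned', 'unlisted:<entry>', 'mismatch:<entry>' or 'ok'."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        if MANIFEST not in names:
            return "no-manifest"
        exts = {n.rsplit(".", 1)[1].upper() for n in names if SIG.match(n)}
        if "SF" not in exts or not exts & {"DSA", "RSA", "EC"}:
            return "unsigned"
        listed = parse_manifest(jar.read(MANIFEST).decode("utf-8"))
        for name in names:
            if name.endswith("/") or name == MANIFEST or SIG.match(name):
                continue
            digests = {k[:-7]: v for k, v in listed.get(name, {}).items()
                       if k.endswith("-Digest")}
            if not digests:
                return "unlisted:" + name  # entry added without a manifest digest
            for algo, expected in digests.items():
                actual = hashlib.new(algo.replace("-", "").lower(), jar.read(name))
                if base64.b64encode(actual.digest()).decode() != expected:
                    return "mismatch:" + name  # entry changed after digesting
    return "ok"

def build_jar(files, listed=None):
    """Constructed sample input: in-memory jar; 'listed' is what the manifest digests."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if listed is not None:
            secs = ["Name: %s\r\nSHA1-Digest: %s\r\n" % (n, base64.b64encode(
                hashlib.sha1(b).digest()).decode()) for n, b in listed.items()]
            jar.writestr(MANIFEST, "Manifest-Version: 1.0\r\n\r\n" + "\r\n".join(secs))
        for name, body in files.items():
            jar.writestr(name, body)
    return buf.getvalue()
```

To audit a jar on disk, pass its bytes: audit_jar(open(path, "rb").read()).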