tracker issue : CF-4006927

Title:

JsafeJCE provider used by CF11 doesn't seem to support some ECC curves


Status/Resolution/Reason: Closed/Won't Fix/Workaround

Reporter/Name(from Bugbase): Toan Dang / Toan Dang (Toan Dang)

Created: 06/15/2015

Components: Language, Java Integration

Versions: 11.0

Failure Type: Enhancement Request

Found In Build/Fixed In Build: CF11_Final /

Priority/Frequency: Normal / All users will encounter

Locale/System: English / Linux CentOS 6.4

Vote Count: 0

Problem Description:

Steps to Reproduce:

Actual Result:

Expected Result:

Any Workarounds:

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4006927

External Customer Info:
External Company:  
External Customer Name: Toan
External Customer Email:  
External Test Config: Hi,

It seems that ColdFusion 11 loads "com.rsa.jsafe.provider.JsafeJCE" as the default security provider at startup.

This causes some problems with other providers like IAIK ECCelerate. For example, when we try to parse a certificate request containing the ECC curve name (secp192r1):

-----BEGIN CERTIFICATE REQUEST-----
MIHVMIGMAgEAMDoxCzAJBgNVBAYTAlVTMQowCAYDVQQKEwFPMQswCQYDVQQLEwJP
VTESMBAGA1UEAxMJc2VjcDE5MnIxMEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAE
bdgOTM8e+z2Rq36+U2R+l19wYAK/5pTeVRg4hgDnNhaovOcBAP0WgDXm1zhY/vBv
oAAwCQYHKoZIzj0EAQM5ADA2AhkAlBI19nEAe7eUJ6LewgFeJ1r0Z2DmPwKcAhkA
3xJ56vG7DXBJJhOkJ63nYQy2K9oUQVXM
-----END CERTIFICATE REQUEST-----

we are not able to determine the key length of the public key of this certificate request, nor to parse the information related to the curve (name, OID, ...) because the JsafeJCE provider is being used and doesn't seem to recognize this curve.

We tried to configure JRE 8 to use IAIK ECC as the second security provider, and JsafeJCE as the last security provider, e.g.

security.provider.1=sun.security.provider.Sun
security.provider.2=iaik.security.ec.provider.ECCelerate
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
security.provider.11=com.rsa.jsafe.provider.JsafeJCE

but this didn't help much: we still saw JsafeJCE being used first instead of the IAIK ECC provider.

We also tried (in our Java application) to explicitly cast the public key to iaik.security.ec.common.ECPublicKey, but we failed with this error:

java.lang.ClassCastException: com.rsa.cryptoj.o.ep cannot be cast to iaik.security.ec.common.ECPublicKey

Is there a way to configure ColdFusion 11 to use the IAIK ECCelerate provider as the preferred provider?

Note: under ColdFusion 9, we didn't experience this kind of problem, and could use the IAIK ECCelerate provider to parse this ECC certificate request successfully.

Attachments:

Comments:

Adding customer note (same text as the problem description above).
Comment by S V.
7222 | October 11, 2015 11:59:31 PM GMT
Hi Toan, can you try the steps below and please let us know the result: add the flag -Dcoldfusion.disablejsafe=true (in jvm.config), and add your IAIK ECCelerate as the first and the jsafe provider as the second in the java.security file. Setting that flag disables adding jsafe as a default provider. Thanks, Pavan.
Comment by S V.
7223 | October 12, 2015 12:03:12 AM GMT
Hi. To solve the issue, we had to explicitly make changes in our application to do the following:
1. We check whether the JsafeJCE provider is already installed, then determine its position in the list of installed providers.
2. We set the IAIK ECC provider at the position occupied by JsafeJCE, and shift all the other providers (including JsafeJCE) down one position towards the end of the list.
Like this, the IAIK provider is always ordered before JsafeJCE and we didn't have that problem anymore.
Comment by External U.
7224 | October 12, 2015 03:36:48 AM GMT
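The reorder described in the comment above, written out as an added example; this is not code from the report, from Adobe, or from IAIK. It uses only the JDK's java.security.Security API. Because IAIK ECCelerate is a commercial library, the JDK's own SunEC provider stands in for the preferred provider, and a constructed, service-less provider stands in for the one registered at startup; "JsafeJCE" is assumed to be the name under which the RSA provider registers, and is what you would pass as the first argument when running this inside ColdFusion. Security.insertProviderAt does the "shift everything else down" step itself, so the routine only has to find the slot.

```java
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

public class ProviderOrder {

    /** 1-based position of the named provider in the JCA lookup order, or -1 if absent. */
    static int positionOf(String providerName) {
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++) {
            if (installed[i].getName().equals(providerName)) {
                return i + 1; // JCA provider positions are 1-based
            }
        }
        return -1;
    }

    /**
     * Puts {@code preferred} directly in front of the provider named {@code mustPrecede}.
     * insertProviderAt moves the provider in that slot and every later one down by one,
     * which is the "shift down" step from the workaround. Returns the final position.
     */
    static int ensureBefore(Provider preferred, String mustPrecede) {
        // An already-installed provider cannot be re-inserted (insertProviderAt returns -1),
        // so drop it first; the target slot is re-read afterwards because the removal may
        // have shifted it.
        Security.removeProvider(preferred.getName());
        int target = positionOf(mustPrecede);
        if (target == -1) {
            return Security.addProvider(preferred); // nothing to get ahead of: append
        }
        return Security.insertProviderAt(preferred, target);
    }

    /** Which provider would service KeyFactory.getInstance("EC") right now. */
    static String ecKeyFactoryProvider() throws NoSuchAlgorithmException {
        return KeyFactory.getInstance("EC").getProvider().getName();
    }

    static void dump(String label) {
        System.out.println("-- " + label);
        Provider[] p = Security.getProviders();
        for (int i = 0; i < p.length; i++) {
            System.out.printf("%2d %s%n", i + 1, p[i].getName());
        }
    }

    public static void main(String[] args) throws Exception {
        // Name of the provider that the runtime registers first at startup. Defaults to a
        // constructed stand-in so the program runs on a plain JDK; pass "JsafeJCE" (assumed
        // name of the RSA provider) when running inside ColdFusion.
        String unwantedFirst = args.length > 0 ? args[0] : "StandInJsafe";
        if (Security.getProvider(unwantedFirst) == null) {
            // Constructed stand-in: registers no algorithms, so it cannot break anything.
            Security.insertProviderAt(new Provider(unwantedFirst, 1.0, "constructed stand-in") {}, 1);
        }
        dump("before");
        System.out.println("EC KeyFactory served by: " + ecKeyFactoryProvider());

        // SunEC stands in for IAIK ECCelerate (commercial, not available here).
        Provider preferred = Security.getProvider("SunEC");
        if (preferred == null) {
            System.out.println("SunEC not present in this JDK; nothing to reorder");
            return;
        }
        int pos = ensureBefore(preferred, unwantedFirst);
        System.out.println(preferred.getName() + " now at position " + pos + ", "
                + unwantedFirst + " at " + positionOf(unwantedFirst));
        dump("after");
        System.out.println("EC KeyFactory served by: " + ecKeyFactoryProvider());
    }
}
```

Running this at application start (before any KeyFactory or certificate parsing) reproduces the ordering the reporter needed: the preferred provider takes the slot the startup-registered provider held, and the latter moves down by one. The positionOf check is also a cheap diagnostic to log at boot, since the java.security file order alone did not tell the reporter what the live lookup order was.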
Since the workaround suggested resolves the issue, closing the bug. Thanks!
Comment by S P.
7225 | October 29, 2015 01:14:22 AM GMT