java - JCEKS keystore no longer loading: com.sun.crypto.provider.SealedObjectForKeyProtector
I have a JCEKS keystore holding AES keys. It has been working in the dev environment, and in the GAE runtime, for a while.
Last night I deployed an update (nothing in the crypto cases), and now loading the keystore throws an IOException: com.sun.crypto.provider.SealedObjectForKeyProtector; subsequently none of the crypto works (as you'd expect, given it can't get the keys).
I've googled the exception. The one lead that looked promising, "convert key of jceks of provider store provider ...", suggests that a keystore created with one provider cannot be read by another provider, but that doesn't seem to be the case here as it was working yesterday! https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform/6.2/html/administration_and_configuration_guide/sect-password_vaults_for_sensitive_strings.html also suggests incompatible providers.
I rolled the app back to the previous (working) version, same error.
Has GAE changed the default provider? Should I explicitly declare the required provider in code?
Thanks, Steve
Update 20/05/2015 - root cause identified
The problem is the IOException thrown by ks.load() below:
```java
final KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE_JCEKS);
try {
    InputStream is = this.getClass().getClassLoader().getResourceAsStream("squirrol.keystore");
    ks.load(is, getKeystorePassword().toCharArray()); // IOException thrown here
    ...
} catch (NoSuchAlgorithmException | CertificateException | IOException e) {
    StringWriter sw = new StringWriter();
    e.printStackTrace(new PrintWriter(sw));
    throw new KeyStoreException("Failed to load keystore: " + e.getLocalizedMessage());
}
```
The stack trace output leads off with:
    at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:844)
Googling the class name found the source (possibly not the actual source, but the line number in the stack trace aligns). Line 844 suggests the IOException is thrown as a result of a ClassNotFoundException, with the message being the name of the class that wasn't found - in this case com.sun.crypto.provider.SealedObjectForKeyProtector:
http://www.docjar.com/html/api/com/sun/crypto/provider/jcekeystore.java.html
So, the root cause is that the Google App Engine runtime v1.9.21 cannot load the keystore because it cannot load the class com.sun.crypto.provider.SealedObjectForKeyProtector. Google admit to a whitelisting issue.
Temporary resolution: as a result of a support ticket, Google have reverted the runtime to 1.9.20, which doesn't have the problem. I'm awaiting a fix that allows me back onto automated engine updates.
Update 04/06/15 - resolved: Google have the fix in the v1.9.22 runtime.
Update 11/06/15 - not resolved after all, the problem persists in the v1.9.22 runtime :(
Update 30/06/15 - resolved & proven: Google fixed it in the v1.9.23 runtime. Answer updated to reflect this.
This is confirmed fixed in GAE runtime 1.9.23 (not 1.9.22 - it missed the cut).
The problem was runtime whitelisting, which omitted one or more classes needed to load a JCEKS keystore.
This problem affects GAE runtimes 1.9.21 & 1.9.22. Note this is the server engine version, not the SDK version. You can check the server version in the console.
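An added example, not the asker's code, that exercises the exact path the question diagnoses: it round-trips an AES key through an in-memory JCEKS keystore (secret-key entries are the ones wrapped in SealedObjectForKeyProtector) and, if load() fails, separates a missing provider class from a wrong password or tampered file. The password and alias are constructed values; the check on the message prefix assumes the JceKeyStore behaviour described above, where the ClassNotFoundException's message (the class name) becomes the IOException message.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class JceksRoundTrip {
    // Constructed sample values for the demonstration only.
    static final char[] PASSWORD = "constructed-test-password".toCharArray();
    static final String ALIAS = "aes-key";

    // Build an in-memory JCEKS keystore holding one AES key and return its serialized bytes.
    static byte[] createJceks() throws GeneralSecurityException, IOException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null); // initialise an empty keystore
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(PASSWORD));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, PASSWORD);
        return out.toByteArray();
    }

    // Load the bytes back. An IOException whose cause is a ClassNotFoundException, or whose
    // message is a provider class name (assumption based on the JceKeyStore source linked in
    // the question), means the runtime cannot load a class the JCEKS format needs; anything
    // else is a wrong password, tampered file or truncated stream.
    static SecretKey loadAesKey(byte[] jceksBytes, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try {
            ks.load(new ByteArrayInputStream(jceksBytes), password);
        } catch (IOException e) {
            boolean missingClass = e.getCause() instanceof ClassNotFoundException
                    || String.valueOf(e.getMessage()).startsWith("com.sun.crypto.provider.");
            if (missingClass) {
                throw new IOException("Runtime cannot load a provider class needed by JCEKS: " + e.getMessage(), e);
            }
            throw e;
        }
        return (SecretKey) ks.getKey(ALIAS, password);
    }

    public static void main(String[] args) throws Exception {
        SecretKey k = loadAesKey(createJceks(), PASSWORD);
        System.out.println("Round trip OK, algorithm=" + k.getAlgorithm());
    }
}
```

Running this on an affected runtime surfaces the class-loading failure with a distinct message, so it can be told apart from a bad keystore password during deployment checks.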