java.lang.SecurityException: Cannot set up certs for trusted CAs (JBoss AS 7)

Question

(Using eclipse)

I am using classes from a JAR provided by a third party. The third party JAR has the line:

var = Cipher.getInstance("AES");

When this line gets executed, it throws the following stack trace:

13:38:00,120 ERROR [stderr] (EJB default - 1) java.lang.ExceptionInInitializerError
13:38:00,121 ERROR [stderr] (EJB default - 1)   at javax.crypto.Cipher.getInstance([DashoPro-V1.2-120198])

...
BLAH BLAH BLAH 
(Stack trace which leads all the way down to the call I make through the third party jar)
...

13:38:00,154 ERROR [stderr] (EJB default - 1) Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
13:38:00,154 ERROR [stderr] (EJB default - 1)   at javax.crypto.b.<clinit>([DashoPro-V1.2-120198])
13:38:00,155 ERROR [stderr] (EJB default - 1)   ... 55 more

Previously, I accessed this JAR by pasting it into a folder in my eclipse project, then adding the JAR to my build-path and deployment assembly.

However, because we want two different deployments to use the same instance of an object initialized from this third party jar, the decision was made to move the third party JAR into a JBoss AS 7 "module"

We maintained the reference to the JAR in the project within the build path, but removed it from the deployment assembly. I also added a "Dependencies: com...[the path specified in the module]"

This appears to have worked, as the project will build and deploy.

However, whenever I attempt to call a method which has been called hundreds of thousands of times already, I get this exception.

The exception appears to be getting thrown during the static initialization of SunJCE_b.class, but i'm not sure at all.

Here is the stack at the time that the first SecurityException gets thrown:

b.e() line: not available   
b.clinit() line: not available  
Cipher.getInstance(String) line: not available  
OtherCompanyCryptography.getCipherInstance() line: not available    

I can't find any references to javax.crypto.b.e() online.

How is it that previously this worked, but when I turned it into a JBoss module, it stopped working?

Also, how can I resolve this issue?

Answer 1

Dear people of the future:

The workaround we ended up using was to package the thrid party jar into a separate project, which we called ApiCommons.

We then created a combined application called ApplicationBundle.ear

ApplicationBundle.ear contains the two deployment modules that we wanted to have using the same object, shared between the two via JNDI.

The ApplicationBundle project contains the jars in ApiCommons in its "deployment assembly"

We were able to keep the two deployment modules as separate eclipse projects, but they deploy in a single .EAR file, and both bundled projects have ApiCommons on their build path, but not their deployment assembly.

Answer 2

First of all you provided information about two different JVMs:

1. SunJCE_b class is from Oracle (Sun) JVM
2. javax.crypto.b class is from IBM JVM

Particularly they are doing the same thing. They are responsible of verifying cryptographic components signatures. In most of the cases such a stack trace is caused by wrong jurisdiction policy files on the class path. Then i.e. on IBM JVM you can see in the stack trace:

Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers! 
at javax.crypto.b.a

Another reason may be cryptographic provider with invalid (or old) signature. If you provide more detailed stack trace then I will be able to help more.