OxalisCommunity / oxalis

Oxalis - PEPPOL Access Point open source implementation - Core component

ClassCastException during mode detection after upgrading to Oxalis 4.1.2 #500

Closed carher closed 3 years ago

carher commented 3 years ago

We are currently trying to upgrade our access point from using Oxalis 4.0.4 to 4.1.2. When starting up the test server, we get the following error:

{"timestamp":"2021-02-05 16:46:59,451","log_level":"ERROR","app_name":"ail-oxalis-inbound","jclass":"no.difi.oxalis.commons.guice.GuiceModuleLoader","thread":"main","log_type":"trace","payload":"Unable to detect mode.","stacktrace":"n.d.v.p.c.l.PeppolLoadingException: Unable to detect mode for certificate 'C=NO, O=SpareBank 1 Banksamarbeidet DA, OU=PEPPOL TEST AP, CN=PNO000287'.\n\tat n.d.v.p.s.ModeDetector.detect(ModeDetector.java:56)\n\tat n.d.o.c.m.ModeProvider.get(ModeProvider.java:74)\n\t... 64 common frames omitted\nWrapped by: n.d.o.a.l.OxalisLoadingException: Unable to detect mode.\n\tat n.d.o.c.m.ModeProvider.get(ModeProvider.java:78)\n\tat n.d.o.c.m.ModeProvider.get(ModeProvider.java:47)\n\tat c.g.i.i.ProviderInternalFactory.provision(ProviderInternalFactory.java:85)\n\tat c.g.i.i.BoundProviderFactory.provision(BoundProviderFactory.java:77)\n\tat c.g.i.i.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:59)\n\tat c.g.i.i.BoundProviderFactory.get(BoundProviderFactory.java:61)\n\tat c.g.i.i.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)\n\tat c.g.i.i.SingletonScope$1.get(SingletonScope.java:168)\n\tat c.g.i.i.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39)\n\tat c.g.i.i.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:211)\n\tat c.g.i.i.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:182)\n\tat c.g.i.i.InternalInjectorCreator.build(InternalInjectorCreator.java:109)\n\tat c.g.inject.Guice.createInjector(Guice.java:87)\n\tat c.g.inject.Guice.createInjector(Guice.java:69)\n\tat n.d.o.c.g.GuiceModuleLoader.initiate(GuiceModuleLoader.java:66)\n\tat n.d.o.i.OxalisGuiceContextListener.(OxalisGuiceContextListener.java:45)\n\tat s.r.NativeConstructorAccessorImpl.newInstance0(NativeConstructorAccessorImpl.java)\n\tat s.r.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)\n\tat 
s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\n\tat j.l.r.Constructor.newInstance(Constructor.java:423)\n\tat o.e.j.s.h.ContextHandler$StaticContext.createInstance(ContextHandler.java:2784)\n\tat o.e.j.s.ServletContextHandler$Context.createInstance(ServletContextHandler.java:1280)\n\tat o.e.j.s.h.ContextHandler$StaticContext.createListener(ContextHandler.java:2795)\n\tat o.e.j.s.ListenerHolder.doStart(ListenerHolder.java:92)\n\tat o.e.j.u.c.AbstractLifeCycle.start(AbstractLifeCycle.java:72)\n\tat o.e.j.s.ServletContextHandler.startContext(ServletContextHandler.java:350)\n\tat o.e.j.w.WebAppContext.startWebapp(WebAppContext.java:1445)\n\tat o.e.j.w.WebAppContext.startContext(WebAppContext.java:1409)\n\tat o.e.j.s.h.ContextHandler.doStart(ContextHandler.java:822)\n\tat o.e.j.s.ServletContextHandler.doStart(ServletContextHandler.java:275)\n\t... 35 frames truncated\n"}

So I did some more investigation, and added a bit of logging in the source code and compiled new snapshots. We then got curious information about the underlying exception:

no.difi.vefa.peppol.security.lang.PeppolSecurityException: Exception when reading AIA: 'org.bouncycastle.asn1.DLTaggedObject cannot be cast to org.bouncycastle.asn1.DERTaggedObject'. at no.difi.vefa.peppol.security.util.DifiCertificateValidator.validate(DifiCertificateValidator.java:67) at no.difi.vefa.peppol.security.ModeDetector.detect(ModeDetector.java:52) at no.difi.oxalis.commons.mode.ModeProvider.get(ModeProvider.java:72) at no.difi.oxalis.commons.mode.ModeProvider.get(ModeProvider.java:46) at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:85) at com.google.inject.internal.BoundProviderFactory.provision(BoundProviderFactory.java:77) at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:59) at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:61) at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168) at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39) at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:42) at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:65) at com.google.inject.internal.ProviderMethod.doProvision(ProviderMethod.java:173) at com.google.inject.internal.InternalProviderInstanceBindingImpl$CyclicFactory.provision(InternalProviderInstanceBindingImpl.java:185) at com.google.inject.internal.InternalProviderInstanceBindingImpl$CyclicFactory.get(InternalProviderInstanceBindingImpl.java:162) at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168) at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39) 
at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:42) at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:65) at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:113) at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91) at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306) at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168) at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39) at com.google.inject.internal.SingleFieldInjector.inject(SingleFieldInjector.java:52) at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:147) at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:124) at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91) at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306) at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168) at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39) at com.google.inject.internal.SingleFieldInjector.inject(SingleFieldInjector.java:52) at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:147) at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:124) at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91) at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306) at 
com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:62) at com.google.inject.internal.SingleFieldInjector.inject(SingleFieldInjector.java:52) at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:147) at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:124) at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91) at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306) at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168) at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39) at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:62) at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168) at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39) at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:211) at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:182) at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:109) at com.google.inject.Guice.createInjector(Guice.java:87) at com.google.inject.Guice.createInjector(Guice.java:69) at no.difi.oxalis.commons.guice.GuiceModuleLoader.initiate(GuiceModuleLoader.java:66) at no.difi.oxalis.outbound.OxalisOutboundComponent.(OxalisOutboundComponent.java:45) at no.difi.oxalis.outbound.OxalisOutboundComponent$$FastClassByGuice$$727f1988.newInstance() at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:89) at 
com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114) at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91) at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306) at com.google.inject.internal.InjectorImpl$1.get(InjectorImpl.java:1050) at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1086) at no.sb1.peppol.oxalis.AilPersisterHandler.(AilPersisterHandler.java:93) at no.sb1.peppol.oxalis.AilPersisterHandler$$FastClassByGuice$$b2564860.newInstance() at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:89) at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114) at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91) at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306) at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:62) at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168) at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39) at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:211) at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:182) at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:109) at com.google.inject.Guice.createInjector(Guice.java:87) at com.google.inject.Guice.createInjector(Guice.java:69) at no.difi.oxalis.commons.guice.GuiceModuleLoader.initiate(GuiceModuleLoader.java:66) at no.difi.oxalis.inbound.OxalisGuiceContextListener.(OxalisGuiceContextListener.java:45) at 
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.eclipse.jetty.server.handler.ContextHandler$StaticContext.createInstance(ContextHandler.java:2784) at org.eclipse.jetty.servlet.ServletContextHandler$Context.createInstance(ServletContextHandler.java:1280) at org.eclipse.jetty.server.handler.ContextHandler$StaticContext.createListener(ContextHandler.java:2795) at org.eclipse.jetty.servlet.ListenerHolder.doStart(ListenerHolder.java:92) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:350) at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1445) at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1409) at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:822) at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:275) at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:524) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) at org.eclipse.jetty.deploy.bindings.StandardStarter.processBinding(StandardStarter.java:46) at org.eclipse.jetty.deploy.AppLifeCycle.runBindings(AppLifeCycle.java:188) at org.eclipse.jetty.deploy.DeploymentManager.requestAppGoal(DeploymentManager.java:513) at org.eclipse.jetty.deploy.DeploymentManager.addApp(DeploymentManager.java:154) at org.eclipse.jetty.deploy.providers.ScanningAppProvider.fileAdded(ScanningAppProvider.java:173) at org.eclipse.jetty.deploy.providers.WebAppProvider.fileAdded(WebAppProvider.java:447) at 
org.eclipse.jetty.deploy.providers.ScanningAppProvider$1.fileAdded(ScanningAppProvider.java:66) at org.eclipse.jetty.util.Scanner.reportAddition(Scanner.java:784) at org.eclipse.jetty.util.Scanner.reportDifferences(Scanner.java:753) at org.eclipse.jetty.util.Scanner.scan(Scanner.java:641) at org.eclipse.jetty.util.Scanner.doStart(Scanner.java:540) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) at org.eclipse.jetty.deploy.providers.ScanningAppProvider.doStart(ScanningAppProvider.java:146) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) at org.eclipse.jetty.deploy.DeploymentManager.startAppProvider(DeploymentManager.java:599) at org.eclipse.jetty.deploy.DeploymentManager.doStart(DeploymentManager.java:249) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) at org.eclipse.jetty.server.Server.start(Server.java:407) at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:100) at org.eclipse.jetty.server.Server.doStart(Server.java:371) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) at org.eclipse.jetty.xml.XmlConfiguration.lambda$main$0(XmlConfiguration.java:1888) at java.security.AccessController.doPrivileged(Native Method) at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1837) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.eclipse.jetty.start.Main.invokeMain(Main.java:218) at org.eclipse.jetty.start.Main.start(Main.java:491) at 
org.eclipse.jetty.start.Main.main(Main.java:77) Caused by: no.difi.certvalidator.api.FailedValidationException: Exception when reading AIA: 'org.bouncycastle.asn1.DLTaggedObject cannot be cast to org.bouncycastle.asn1.DERTaggedObject'. at no.difi.certvalidator.rule.OCSPRule.validate(OCSPRule.java:44) at no.difi.certvalidator.rule.AbstractRule.validate(AbstractRule.java:24) at no.difi.certvalidator.rule.HandleErrorRule.validate(HandleErrorRule.java:44) at no.difi.certvalidator.rule.AbstractRule.validate(AbstractRule.java:17) at no.difi.certvalidator.structure.AndJunction.validate(AndJunction.java:29) at no.difi.certvalidator.structure.AbstractJunction.validate(AbstractJunction.java:36) at no.difi.certvalidator.util.CachedValidatorRule.load(CachedValidatorRule.java:43) at no.difi.certvalidator.util.CachedValidatorRule.load(CachedValidatorRule.java:13) at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3529) at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2278) at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2155) at no.difi.certvalidator.structure.AbstractJunction.validate(AbstractJunction.java:36) at no.difi.certvalidator.util.CachedValidatorRule.load(CachedValidatorRule.java:43) at no.difi.certvalidator.util.CachedValidatorRule.load(CachedValidatorRule.java:13) at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3529) at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2278) at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2155) at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2045) at com.google.common.cache.LocalCache.get(LocalCache.java:3951) at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3974) at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4958) at 
com.google.common.cache.LocalCache$LocalLoadingCache.getUnchecked(LocalCache.java:4964) at no.difi.certvalidator.util.CachedValidatorRule.validate(CachedValidatorRule.java:30) at no.difi.certvalidator.util.CachedValidatorRule.validate(CachedValidatorRule.java:35) at no.difi.certvalidator.structure.AndJunction.validate(AndJunction.java:29) at no.difi.certvalidator.ValidatorGroup.validate(ValidatorGroup.java:79) at no.difi.certvalidator.ValidatorGroup.validate(ValidatorGroup.java:70) at no.difi.vefa.peppol.security.util.DifiCertificateValidator.validate(DifiCertificateValidator.java:63) ... 132 more Caused by: net.klakegg.pkix.ocsp.OcspException: Exception when reading AIA: 'org.bouncycastle.asn1.DLTaggedObject cannot be cast to org.bouncycastle.asn1.DERTaggedObject'. at net.klakegg.pkix.ocsp.AbstractOcspClient.detectOcspUri(AbstractOcspClient.java:95) at net.klakegg.pkix.ocsp.OcspClient.verify(OcspClient.java:56) at net.klakegg.pkix.ocsp.OcspClient.verify(OcspClient.java:49) at net.klakegg.pkix.ocsp.OcspClient.verify(OcspClient.java:45) at no.difi.certvalidator.rule.OCSPRule.validate(OCSPRule.java:35) ... 153 more Caused by: java.lang.ClassCastException: org.bouncycastle.asn1.DLTaggedObject cannot be cast to org.bouncycastle.asn1.DERTaggedObject at net.klakegg.pkix.ocsp.AbstractOcspClient.detectOcspUri(AbstractOcspClient.java:87) ... 157 more

Is this a known error? Is there something we need to do differently with Oxalis 4.1.2?

carher commented 3 years ago

Further investigation into this: As the stacktrace suggests, it is the OCSPRule that fails during the validation. And the exception occurs in this class, in the pkix-ocsp library included by no.difi.commons.commons-certvalidator: https://github.com/klakegg/pkix-ocsp/blob/master/src/main/java/net/klakegg/pkix/ocsp/AbstractOcspClient.java

If I start editing libraries and in commons-certvalidator remove OCSPType from the list of rules, I can get Oxalis up and running fine. That's not how we wish to solve the issue, though...

What actually fails in AbstractOcspClient.java is the first of these lines:

DERTaggedObject location = (DERTaggedObject) obj.getObjectAt(1);
if (location.getTagNo() == GeneralName.uniformResourceIdentifier) {
    DEROctetString uri = (DEROctetString) location.getObject();
    return URI.create(new String(uri.getOctets()));
}

It seems that for some reason, our test certificate gives a DLTaggedObject instead of a DERTaggedObject. It also seems that it should be possible to extract a URI from a DLTaggedObject. But then I wonder if we should really change the code of pkix-ocsp and go through the cascade of releases/updates versions of dependencies ending up in Oxalis, or if there is something else that is the problem here? Could it be something related to our Access Point certificate? It should be a standard certificate ordered through the standard OpenPEPPOL channels, though. And why are we the only ones reporting this problem? Could this be a configuration issue we have overlooked, or are not aware of?
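An added example, not part of the thread and not pkix-ocsp's own code: reading the OCSP responder URI from an AuthorityInfoAccess value through BouncyCastle's typed `AuthorityInformationAccess`, `AccessDescription` and `GeneralName` classes, so that nothing depends on whether the parser returns `DERTaggedObject` or `DLTaggedObject`. The class name `AiaOcspUri`, the method `ocspUri` and the responder URL are constructed for the illustration; it assumes bcprov is on the classpath.

```java
import java.io.IOException;
import java.net.URI;

import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.GeneralName;

// Hypothetical helper written for this example.
public class AiaOcspUri {

    /**
     * Returns the first usable OCSP responder URI in an encoded AuthorityInfoAccess
     * value, or null if there is none. The bytes returned by
     * X509Certificate.getExtensionValue() are wrapped in an OCTET STRING and must be
     * unwrapped before being passed in.
     */
    static URI ocspUri(byte[] aiaValue) throws IOException {
        AuthorityInformationAccess aia =
                AuthorityInformationAccess.getInstance(ASN1Primitive.fromByteArray(aiaValue));
        for (AccessDescription ad : aia.getAccessDescriptions()) {
            if (!AccessDescription.id_ad_ocsp.equals(ad.getAccessMethod())) {
                continue; // e.g. caIssuers, not an OCSP entry
            }
            GeneralName location = ad.getAccessLocation();
            if (location.getTagNo() != GeneralName.uniformResourceIdentifier) {
                continue; // OCSP entry whose location is not a URI
            }
            // ASN1String is an interface, so no concrete DER*/DL* class is named here.
            String value = ((ASN1String) location.getName()).getString();
            try {
                return URI.create(value);
            } catch (IllegalArgumentException e) {
                continue; // malformed URI in the certificate: try the next entry
            }
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: an AIA value with one OCSP entry and a made-up URL.
        byte[] aiaValue = new AuthorityInformationAccess(
                AccessDescription.id_ad_ocsp,
                new GeneralName(GeneralName.uniformResourceIdentifier,
                        "http://ocsp.example.test/"))
                .getEncoded();

        // The concrete class of the parsed accessLocation depends on the BouncyCastle
        // version that is loaded; the thread's stack trace shows DLTaggedObject.
        ASN1Sequence descriptions = ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(aiaValue));
        ASN1Sequence first = ASN1Sequence.getInstance(descriptions.getObjectAt(0));
        System.out.println("accessLocation parsed as: "
                + first.getObjectAt(1).getClass().getName());

        System.out.println("OCSP URI: " + ocspUri(aiaValue));
    }
}
```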

hjkjorstad commented 3 years ago

I think you might have multiple dependencies on (incompatible) BouncyCastle (BC) packages.

carher commented 3 years ago

Yes, good observation.

Since we use maven-enforcer-plugin, we discovered that both 1.57 and 1.58 were included in the dependency tree. We tried excluding one version at a time, but couldn't see any difference in behaviour, though.

carher commented 3 years ago

Interestingly, the solution was actually specifying which exact versions to include. This is what eventually worked for us:

bcmail-jdk15on-1.57.jar
bcpkix-jdk15on-1.58.jar
bcprov-jdk15on-1.58.jar
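An added example, not part of the thread or of Oxalis: a runtime check that lists every location from which the class loader can see each BouncyCastle artifact, to confirm that the deployed application carries only the jars that were pinned. The class name `BouncyCastleClasspathCheck` and the marker classes (one per artifact named above) are choices made for this illustration.

```java
import java.io.IOException;
import java.net.URL;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical diagnostic written for this example.
public class BouncyCastleClasspathCheck {

    // One class that ships in each artifact; used only to locate the jar.
    static final Map<String, String> MARKERS = new LinkedHashMap<>();
    static {
        MARKERS.put("bcprov", "org/bouncycastle/asn1/ASN1TaggedObject.class");
        MARKERS.put("bcpkix", "org/bouncycastle/cert/X509CertificateHolder.class");
        MARKERS.put("bcmail", "org/bouncycastle/mail/smime/SMIMESigned.class");
    }

    /** Maps each artifact to every URL at which its marker class is visible. */
    static Map<String, List<URL>> locate(ClassLoader loader) throws IOException {
        Map<String, List<URL>> found = new LinkedHashMap<>();
        for (Map.Entry<String, String> marker : MARKERS.entrySet()) {
            // getResources() reports all copies, including those of parent loaders,
            // not only the one that wins class loading.
            found.put(marker.getKey(), Collections.list(loader.getResources(marker.getValue())));
        }
        return found;
    }

    public static void main(String[] args) throws IOException {
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        for (Map.Entry<String, List<URL>> entry : locate(loader).entrySet()) {
            List<URL> copies = entry.getValue();
            String status = copies.isEmpty() ? "absent"
                    : copies.size() == 1 ? "ok" : "DUPLICATE";
            System.out.println(entry.getKey() + ": " + status);
            for (URL copy : copies) {
                // The jar file name in the URL carries the version, e.g. bcprov-jdk15on-1.58.jar
                System.out.println("    " + copy);
            }
        }
    }
}
```

Inside a servlet container, call `locate` from the web application itself (for example from a context listener) so that the application's own class loader is the one inspected.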

pekaaw commented 3 years ago

We got the same problem. The only difference between working and not working was when a dependency on AS4 was included:

implementation 'network.oxalis:oxalis-as4:5.0.2'

This caused bcprov to bump version from 1.58 to 1.64. Reason unknown.

The solution we found was to ensure version 1.58. We did this by explicitly defining that version:

// build.gradle
dependencies {
    // ...
    implementation('org.bouncycastle:bcprov-jdk15on') {
        version {
            // Reject any other bcprov version pulled in transitively
            strictly '1.58'
        }
    }
    // ...
}

We are now up and running 👍