aws / aws-encryption-sdk-java

AWS Encryption SDK
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html
Apache License 2.0
220 stars 122 forks

Encryption SDK throws AwsCryptoException #68

Closed Avik1993 closed 5 years ago

Avik1993 commented 6 years ago

I am trying to integrate the Encryption SDK with Apache NiFi. NiFi already includes the following versions of the Bouncy Castle dependencies:

        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcprov-jdk15on</artifactId>
            <version>1.59</version>
        </dependency>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcpg-jdk15on</artifactId>
            <version>1.59</version>
        </dependency>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcpkix-jdk15on</artifactId>
            <version>1.59</version>
        </dependency>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcprov-ext-jdk15on</artifactId>
            <version>1.59</version>
        </dependency>

But it throws the exception below:

2018-08-20 15:07:59,192 WARN [Timer-Driven Process Thread-5] o.a.n.controller.tasks.ConnectableTask Administratively Yielding AWSEncryptionProcessor[id=56b1bbfc-0165-1000-d94c-c242aa619d1b] due to uncaught Exception: com.amazonaws.encryptionsdk.exception.AwsCryptoException: java.security.InvalidAlgorithmParameterException: parameter object not a ECParameterSpec
com.amazonaws.encryptionsdk.exception.AwsCryptoException: java.security.InvalidAlgorithmParameterException: parameter object not a ECParameterSpec
    at com.amazonaws.encryptionsdk.DefaultCryptoMaterialsManager.getMaterialsForEncrypt(DefaultCryptoMaterialsManager.java:63)
    at com.amazonaws.encryptionsdk.AwsCrypto.encryptData(AwsCrypto.java:248)
    at com.amazonaws.encryptionsdk.AwsCrypto.encryptData(AwsCrypto.java:228)
    at org.apache.nifi.processors.aws.encryption.AWSEncryptionProcessor.onTrigger(AWSEncryptionProcessor.java:146)
    at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
    at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1165)
    at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:203)
    at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:117)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.InvalidAlgorithmParameterException: parameter object not a ECParameterSpec
    at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC.initialize(Unknown Source)
    at com.amazonaws.encryptionsdk.internal.TrailingSignatureAlgorithm$ECDSASignatureAlgorithm.generateKey(TrailingSignatureAlgorithm.java:88)
    at com.amazonaws.encryptionsdk.DefaultCryptoMaterialsManager.generateTrailingSigKeyPair(DefaultCryptoMaterialsManager.java:151)
    at com.amazonaws.encryptionsdk.DefaultCryptoMaterialsManager.getMaterialsForEncrypt(DefaultCryptoMaterialsManager.java:54)
    ... 14 common frames omitted

Any leads on where things could be wrong?

karlw00t commented 6 years ago

We are taking a look at this. We'll have an update before Aug 28th.

bdonlan commented 6 years ago

This issue can occur if you have multiple versions of BouncyCastle in your classpath (e.g., if one version is shaded), and the one that is installed as the JVM-wide "BC" provider isn't the same one that is being used for the encryption SDK.

Can you please try this branch and see if it fixes your issue? https://github.com/bdonlan/aws-encryption-sdk-java/tree/bc_prov

bdonlan commented 6 years ago

Note that this can also happen if you have BC loaded via multiple classloaders, which might be closer to what you're seeing.
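A diagnostic for the situation bdonlan describes, added here as an example and not code from the issue or from the SDK. It assumes only bcprov-jdk15on (any 1.5x build) on the classpath; the class and method names are mine. It first checks whether the provider registered JVM-wide under the name "BC" is the very same class object as the BouncyCastleProvider visible from the caller's classloader (the deployed webapp, a NiFi NAR, a shaded jar). It then drives BC's EC KeyPairGenerator twice: once with BC's own ECNamedCurveParameterSpec, which the provider checks with instanceof and which therefore fails with "parameter object not a ECParameterSpec" when the provider came from a different classloader, and once with the JDK's ECGenParameterSpec, which is loaded by the bootstrap classloader and is the same class for every copy of BC.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec;

/**
 * Diagnostic for the "parameter object not a ECParameterSpec" failure.
 * Example code, not part of the SDK. Assumes bcprov-jdk15on on the classpath.
 * Run it from inside the component that fails (webapp, NAR, shaded jar) so that
 * BouncyCastleProvider.class below resolves through that component's classloader.
 */
public class BcProviderCheck {

    /** True when the JVM-wide "BC" provider is the same class object as the one we can see. */
    static boolean bcProviderMatchesClasspath() {
        Provider jvmWide = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME);
        if (jvmWide == null) {
            System.out.println("No JVM-wide BC provider is registered");
            return false;
        }
        Class<?> local = BouncyCastleProvider.class;
        // Same class name from two classloaders gives two distinct Class objects,
        // so identity comparison (==) is the check that matters, not the name.
        boolean same = jvmWide.getClass() == local;
        System.out.println("JVM-wide BC : " + jvmWide.getClass().getName()
            + " v" + jvmWide.getVersion() + " loaded by " + jvmWide.getClass().getClassLoader());
        System.out.println("Classpath BC: " + local.getName()
            + " loaded by " + local.getClassLoader());
        System.out.println("Same class object: " + same);
        return same;
    }

    /**
     * Initialises the "BC" EC generator with BC's own spec type. The provider accepts it
     * via instanceof, so a spec built from a different copy of the BC classes is rejected
     * with InvalidAlgorithmParameterException("parameter object not a ECParameterSpec").
     */
    static void generateWithBcSpec() throws Exception {
        ECNamedCurveParameterSpec bcSpec = ECNamedCurveTable.getParameterSpec("secp256r1");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", BouncyCastleProvider.PROVIDER_NAME);
        kpg.initialize(bcSpec);
        kpg.generateKeyPair();
    }

    /**
     * Same generator, but initialised with the JDK's java.security.spec.ECGenParameterSpec.
     * That class comes from the bootstrap classloader, so every copy of BC sees the same
     * Class object and the instanceof check cannot fail on classloader grounds.
     */
    static void generateWithJdkSpec() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", BouncyCastleProvider.PROVIDER_NAME);
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        // Register BC only if nobody (the container, another webapp) already did.
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        bcProviderMatchesClasspath();
        try {
            generateWithBcSpec();
            System.out.println("BC-specific spec    : OK");
        } catch (InvalidAlgorithmParameterException e) {
            // This is the branch hit in the stack traces above.
            System.out.println("BC-specific spec    : " + e.getMessage());
        }
        generateWithJdkSpec();
        System.out.println("JDK ECGenParameterSpec: OK");
    }
}
```

In a plain `java -cp bcprov-jdk15on-1.59.jar:. BcProviderCheck` run both paths succeed and the identity check prints true. Deployed as two Tomcat webapps that each ship their own bcprov jar, the first one to call `Security.addProvider` wins the JVM-wide "BC" slot, the second one sees "Same class object: false", and only the BC-specific path fails. The fix is either to have exactly one copy of BC on a shared classloader (for Tomcat, `$CATALINA_HOME/lib` rather than each `WEB-INF/lib`) or, as in the branch bdonlan linked, to stop depending on the JVM-wide provider having the same class identity as the SDK's own BC dependency.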

TerrenceMiao commented 5 years ago

I have the SAME issue as reported. Exception thrown:

com.amazonaws.encryptionsdk.exception.AwsCryptoException: java.security.InvalidAlgorithmParameterException: parameter object not a ECParameterSpec
        at com.amazonaws.encryptionsdk.internal.EncryptionHandler.<init>(EncryptionHandler.java:114)
        at com.amazonaws.encryptionsdk.AwsCrypto.encryptData(AwsCrypto.java:185)
        at com.amazonaws.encryptionsdk.AwsCrypto.encryptString(AwsCrypto.java:211)
        at com.amazonaws.encryptionsdk.AwsCrypto.encryptString(AwsCrypto.java:223)

...

Caused by: java.security.InvalidAlgorithmParameterException: parameter object not a ECParameterSpec
        at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC.initialize(Unknown Source)
        at com.amazonaws.encryptionsdk.internal.EncryptionHandler.generateTrailingSigKeyPair(EncryptionHandler.java:367)
        at com.amazonaws.encryptionsdk.internal.EncryptionHandler.<init>(EncryptionHandler.java:105)
        ... 87 common frames omitted

Two Java apps with the same Bouncy Castle libraries are deployed on Tomcat 9.0.13 on JDK 1.8.0_171.

    $TOMCAT_HOME/webapps/app1/WEB-INF/lib/bcprov-ext-jdk15on-1.55.jar
    $TOMCAT_HOME/webapps/app1/WEB-INF/lib/bcpkix-jdk15on-1.55.jar
    $TOMCAT_HOME/webapps/app1/WEB-INF/lib/bcprov-jdk15on-1.55.jar

    $TOMCAT_HOME/webapps/app2/WEB-INF/lib/bcprov-ext-jdk15on-1.55.jar
    $TOMCAT_HOME/webapps/app2/WEB-INF/lib/bcpkix-jdk15on-1.55.jar
    $TOMCAT_HOME/webapps/app2/WEB-INF/lib/bcprov-jdk15on-1.55.jar

With the fix bdonlan provided in https://github.com/bdonlan/aws-encryption-sdk-java/commit/d57a75f74e7127eb854fc6fdd231958085d5204d, I rebuilt aws-encryption-sdk-java from the master branch and reran the test; the test passed and the issue is fixed.

When are you going to include this fix in the next aws-encryption-sdk-java release?

Thanks