Cannot find any provider supporting BLOWFISH/CTR/PKCS5Padding

[41GitHub]

I'm not sure how to get the library necessary for this. I tried adding bouncycastle to the lib directory.

154: // using master encryption, encrypt with the master key 155: onePass = encrypt( arguments.value, variables.masterKey, 'AES/CBC/PKCS5Padding', 'HEX' ); 156: lastPass = encrypt( onePass, variables.masterKey, 'BLOWFISH/CTR/PKCS5Padding', 'HEX' ); 157: break; 158:

java.security.NoSuchAlgorithmException

Version Lucee 6.0.1.0 Version Name Gelert Release date Oct 17, 2023 Label
Installed tag libraries - Lucee Core Tag Library Installed function libraries - Lucee Core Function Library Remote IP 127.0.0.1 Loader Version 6.0.1.0 Servlet Container WildFly / Undertow - 2.2.28.Final Java 21.0.2 (Homebrew) 64bit Host Name 127.0.0.1 OS Mac OS X (14.3.1) 64bit Architecture 64bit

[ddspringle]

@41GitHub I haven’t tested this on Lucee 6 yet, but that algorithm should be built-in (no need to add bouncycastle, it should already be there).

I’ll spin this up in 6 in the next day or so and see what I can figure out. This could be a regression in Lucee 6.

You could also change the code from using blowfish to using AES as a workaround in the meantime.

I’ll post an update once I have this tested on Lucee 6.

[ddspringle]

So I spun this up in CommandBox locally running Lucee 6.0.1.83 and was not able to reproduce the encryption issue. I also tried doing some encryption using BLOWFISH on trycf.com with the Lucee 6 beta running there and didn't have any issues. So not sure how to assist - as far as I can tell this is still supported out of the box in Lucee 6. It is possible that perhaps you're using the light version and it is not supported out of the box in light without one of the security extensions being installed, but as for out of the box Lucee in CommandBox this seems to work just fine.

[41GitHub]

I have no idea. Just spun up a fresh CommandBox 6.0.1.83 and I get:

Error: Cannot find any provider supporting AES/CTR/PKCS5Padding
Type: java.security.NoSuchAlgorithmException
fw1_sa180.model.services.securityservice_cfc$cf.udfCall4(/fw1-sa/model/services/SecurityService.cfc:1506)

Do I need an SSL certificate configured?

The bouncycastle jars are loaded in green.

[ddspringle]

@41GitHub Soooo... it turns out that this is actually an issue... the issue is with the CTR mode of encryption and JDK17. It appears in JDK17 they started enforcing a requirement to have an Initialization Vector (IV) when using the CTR mode of encryption, which my code uses for encrypting/decrypting the master key for the keyring file, but I'm not using an IV for it.

I am using an IV for the keys in the keyring, so those should be ok, I believe (further testing to be done) but the master key algorithm either needs to be changed to something other than CTR (CBC, for example) or an IV added to it in dataDec() and dataEnc() in the SecurityService.cfc.

I'll be updating the repo later this evening with some changes based on my additional testing.

Sorry I missed the JDK17 changes earlier. I was running JDK11 which does not have the IV requirement for CTR block mode when I originally tested this.

But someone else came to me with the same issue in ACF2023 and through a process of elimination I figured out the issue is the CTR with no IV.

HTH and sorry for the long delay in getting back to you on this.