Thursday, November 11, 2010

Algorithm DES/ECB is not available from provider Cryptix

I was tasked to port a very old Web Services application to Sun Glassfish Enterprise Server 2.1.1. This application uses a cryptography library from Cryptix. (Cryptix has been dead since 2005.)


 

On my development environment on MacBook, everything runs fine on Glassfish with JDK 1.6.0_16. However, when I ported to the production environment on Solaris 10, I kept getting the following error:


java.security.NoSuchAlgorithmException: algorithm DES/ECB is not available from provider Cryptix
at xjava.security.IJCE.getClassCandidate(IJCE.java:457)
at xjava.security.IJCE.getImplementationClass(IJCE.java:410)
at xjava.security.IJCE.getImplementation(IJCE.java:367)
at xjava.security.Cipher.getInstance(Cipher.java:489)
at xjava.security.Cipher.getInstance(Cipher.java:452)
at com.sun.moe.security.DESEncryptor.decrypt(DESEncryptor.java:133)
at com.sun.moe.login.AppLogin.main(AppLogin.java:80)


Very strange! After a long debugging session, I found the issue was with the JDK 1.6.x version.

I downgraded the JDK to 1.5.0_20 that shipped default with Solaris 10. It works!


I believe there must be some "tightening" done in this file in JRE, but I just cannot figure how to resolve it.

-bash-3.00$ cat /jdk/jdk1.6.0_16/jre/lib/security/sunpkcs11-solaris.cfg


#
# Configuration file to allow the SunPKCS11 provider to utilize
# the Solaris Cryptographic Framework, if it is available
#


name = Solaris


description = SunPKCS11 accessing Solaris Cryptographic Framework


library = /usr/lib/$ISA/libpkcs11.so


handleStartupErrors = ignoreAll


attributes = compatibility


disabledMechanisms = {
CKM_MD2
CKM_MD5
CKM_SHA_1
CKM_SHA256
CKM_SHA384
CKM_SHA512
CKM_DSA_KEY_PAIR_GEN
# KEY_AND_MAC_DERIVE disabled due to Solaris bug 6306708
CKM_SSL3_KEY_AND_MAC_DERIVE
CKM_TLS_KEY_AND_MAC_DERIVE
# the following mechanisms are disabled due to performance issues (Solaris bug 6337157)
CKM_DSA_SHA1
CKM_MD5_RSA_PKCS
CKM_SHA1_RSA_PKCS
CKM_SHA256_RSA_PKCS
CKM_SHA384_RSA_PKCS
CKM_SHA512_RSA_PKCS
# the following mechanisms are disabled to ensure backward compatibility (Solaris bug 6545046)
CKM_DES_CBC_PAD
CKM_DES3_CBC_PAD
CKM_AES_CBC_PAD
}


Anyone has an idea?

.

6 comments:

  1. Hi,
    After building and debugging cryptix source code, found out that the issue is with the Cryptix implementation. While searching for the provider properties, in case of 'DES' algorithm, Cryptix implementation is looking up for provider specific property name 'Alg.Alias.Cipher.DES'. This is, unluckily, used/implemented in SunPKCS11 provider implementation (jdk version 1.6) which returns 'DES/ECB' value, whereas version 1.5 returns null. But this is not recognized as a valid class name by Cryptix implementation. Hence the error. Possibly adding the Cryptix provider to the head of the providers' list resolves this issue or acts as a workaround.


    Are you able to find any permanent solution for this problem ?

    Madhav

    ReplyDelete
  2. Although it can also be solved by instantiating the cryptix.provider.cipher.DES and invoking Cipher.getInstance(Cipher, Mode, PaddingScheme) method. Forgot to mention earlier :-)

    ReplyDelete
  3. hello i am facing similar problem as given in article but my setup is following :
    ubuntu 13
    java-6-openjdk-amd64
    tomcat 7
    apache

    ReplyDelete

  4. Getting the above error while integrating the ICICI pg.
    ubuntu 12.04+tomcat6+java6+apache+javabridge.jar

    Any Solutions ??

    ReplyDelete
  5. Exception in encrypting data. algorithm DES/ECB is not available from provider Cryptix

    ReplyDelete
  6. After much head scratching this is solved.
    We had to upgrade to Java version provided by SUN and uninstall the openjdk.
    as the cryptix is not supported in openjdk.
    this link was helpful http://www.welarson.com/?page_id=281

    ReplyDelete