1

I've created a new WSO2 API Manager Mediator, which will be responsible for filtering signed SOAP envelopes. In the request, I receive a tag, which I want to parse with XMLSignatureFactory.

Digital Signature API: https://www.oracle.com/technetwork/articles/javase/dig-signature-api-140772.html

Input:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                       Id="SIG-1F873A0D2A87BCE8721558280884557279">
            <ds:SignedInfo>
               ...
               <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
               <ds:Reference URI="#id-349F63E22F25E7CF2915581003601374">
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
                  <ds:DigestValue>..Base64 encoded value...</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>..Base64 encoded value...</ds:SignatureValue>
            <ds:KeyInfo Id="KI-1F873A0D2A87BCE8721558280884517277">
               ...
            </ds:KeyInfo>
         </ds:Signature>

Source code:

XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

// Find Signature element.
NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
if (nl.getLength() == 0) {
    throw new Exception("Cannot find Signature element");
}

// Create a DOMValidateContext and specify a KeySelector
// and document context.
DOMValidateContext valContext = new DOMValidateContext(cert.getPublicKey(), nl.item(0));

// Unmarshal the XMLSignature.
XMLSignature signature = fac.unmarshalXMLSignature(valContext);

// Validate the XMLSignature.
boolean coreValidity = signature.validate(valContext);

// Check core validation status.
if (coreValidity == false) {
    System.err.println("Signature failed core validation");
}

In a standard Java SE program it works fine, but when I use it in a Mediator, I've got the following error:

Exception occured! java.lang.ClassCastException: org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory cannot be cast to javax.xml.crypto.dsig.XMLSignatureFactory
        at javax.xml.crypto.dsig.XMLSignatureFactory.findInstance(XMLSignatureFactory.java:202)
        at javax.xml.crypto.dsig.XMLSignatureFactory.getInstance(XMLSignatureFactory.java:250)

Maven config:

...
<java.version>1.8</java.version>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
<bouncycastle.version>1.61</bouncycastle.version>
...
<dependency>
    <groupId>org.apache.synapse</groupId>
    <artifactId>synapse-core</artifactId>
    <version>2.1.7-wso2v80</version>
</dependency>
<dependency>
    <groupId>org.apache.ws.commons.axiom.wso2</groupId>
    <artifactId>axiom</artifactId>
    <version>1.2.11.wso2v11</version>
</dependency>
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>${bouncycastle.version}</version>
</dependency>
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15on</artifactId>
    <version>${bouncycastle.version}</version>
</dependency>
...
<plugin>
    <groupId>org.apache.felix</groupId>
    <artifactId>maven-bundle-plugin</artifactId>
    <version>2.3.7</version>
    <extensions>true</extensions>
    <configuration>
        <instructions>
            <Bundle-SymbolicName>${project.artifactId}</Bundle-SymbolicName>
            <Bundle-Name>${project.artifactId}</Bundle-Name>
            <!-- <Export-Package>mediator</Export-Package> -->
            <!--<DynamicImport-Package>*</DynamicImport-Package>-->
            <Import-Package>
                !javax.xml.crypto.*; version="???",
                org.apache.xml.security;version="0.0.0",
                *
            </Import-Package>
        </instructions>
    </configuration>
</plugin>
peter.szrnka

1 Answer

0

I guess this is happening because the package javax.xml.crypto.*; version="xxx" exported with the wso2 wss4j bundle is conflicting with the default javax.xml.crypto.* package exported by the JDK.

In order to overcome this issue, you may pack the mediator as a bundle (an OSGi bundle, placed in the dropins folder) and restrict that specific import in the mediator as follows.

Please start the AM in osgiConsole (with the flag -DosgiConsole) and check the version of the javax.xml.crypto.* package which is being exported by wss4j. Then exclude that specific version from the import section of the mediator.

Sample code is as follows.

<plugin>
    <groupId>org.apache.felix</groupId>
    <artifactId>maven-bundle-plugin</artifactId>
    <version>2.3.7</version>
    <extensions>true</extensions>
    <configuration>
        <instructions>
            <Bundle-SymbolicName>${project.artifactId}</Bundle-SymbolicName>
            <Bundle-Name>${project.artifactId}</Bundle-Name>
            <Import-Package>
                !javax.xml.crypto.*; version="xxx",
                org.apache.xml.security;version="0.0.0",
                *
            </Import-Package>
        </instructions>
    </configuration>
</plugin>

Thanks

Nirothipan
  • I've packed my mediator in a simple JAR. What do you think, which one is better: JAR or OSGi? Many thanks, Peter – peter.szrnka May 22 '19 at 11:03
  • In this case OSGi would be better, since we can control the imports and sort this issue. – Nirothipan May 22 '19 at 11:41
  • I've checked it, and the Eclipse WSO2 plugin already converted my project to an OSGi bundle. I've added the Maven dependencies + configurations to my original post. – peter.szrnka May 24 '19 at 11:15
  • You may find here an example of writing a class mediator as an OSGi bundle: https://medium.com/@nirothipanram/esb-few-tips-in-writing-a-custom-class-mediator-b9a322f4eaa8 . What is the current issue? – Nirothipan May 24 '19 at 11:23
  • The current issue is the same, unfortunately. I've tried the dependencies found in your article, but nothing changed. Maybe Bouncy Castle causes this problem? – peter.szrnka May 24 '19 at 12:17
  • I'm using Java 8, is it a problem for WSO2 API Manager? – peter.szrnka May 24 '19 at 12:28
  • Were you able to identify the correct !javax.xml.crypto.*; version="???", version and restrict it in the imports? (Asking since I see ??? there.) Also, Java 8 won't be an issue. – Nirothipan May 24 '19 at 16:57
  • Also, from which dependency does your mediator get the org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory class? I couldn't find a relevant dependency in the pom file. One such dependency which exports it is the following: xml-security xmlsec – Nirothipan May 24 '19 at 17:01
  • Finally I've changed to an xmlsec-based solution, and now it works as I expected. Many thanks for your help :) – peter.szrnka May 27 '19 at 11:08
  • Well, the problem still occurs after I've decided to give this type of solution a try. So, I've checked what you recommend. 1) I've modified the pom.xml: !javax.xml.crypto.*; version="1.4.2.patched", org.apache.xml.security;version="0.0.0", * 2) Then there was a problem with Eclipse, which generated a wrong MANIFEST.MF, so I fixed it. – peter.szrnka Jun 28 '19 at 14:49
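
One way to check the conflict discussed in this thread from inside the running mediator, as an added example that is not code from the question, the answer or WSO2: it reports which class loader and JAR supplied javax.xml.crypto.dsig.XMLSignatureFactory and each registered DOM implementation, and whether the two are compatible. The class name XmlDsigLoaderCheck and its report() method are hypothetical; only standard JDK calls are used.

```java
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import javax.xml.crypto.dsig.XMLSignatureFactory;

/** Added diagnostic (hypothetical class name): call report() from inside the mediator. */
public final class XmlDsigLoaderCheck {

    // Describe which class loader and which JAR/bundle a class was loaded from.
    static String origin(Class<?> c) {
        ClassLoader cl = c.getClassLoader();
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return c.getName()
                + "\n    loader = " + (cl == null ? "bootstrap (JDK)" : cl)
                + "\n    source = " + (cs == null ? "JDK runtime" : cs.getLocation());
    }

    public static String report() {
        // The API class as this code (and so the mediator bundle) resolves it.
        Class<?> api = XMLSignatureFactory.class;
        StringBuilder out = new StringBuilder("API  " + origin(api) + "\n");

        // Every registered JCA provider that offers a DOM XMLSignatureFactory.
        Provider[] providers = Security.getProviders("XMLSignatureFactory.DOM");
        if (providers == null) {
            return out.append("No provider registers XMLSignatureFactory.DOM\n").toString();
        }
        for (Provider p : providers) {
            String implName = p.getService("XMLSignatureFactory", "DOM").getClassName();
            try {
                Class<?> impl = Class.forName(implName, false, p.getClass().getClassLoader());
                out.append("IMPL ").append(origin(impl)).append('\n')
                   .append("    provider   = ").append(p.getName()).append('\n')
                   // false: the implementation extends a different copy of the API
                   // class, which is what a ClassCastException like the one above reports.
                   .append("    assignable = ").append(api.isAssignableFrom(impl)).append('\n');
            } catch (ClassNotFoundException | LinkageError e) {
                out.append("IMPL ").append(implName).append(" not loadable: ").append(e).append('\n');
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.print(report());
    }
}
```

Run stand-alone on Java SE, API and IMPL should both come from the JDK with assignable = true. Inside the bundle, a differing loader or source together with assignable = false identifies the copy of javax.xml.crypto that the Import-Package restriction has to exclude.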