Coach Thrasher

Don't update OSX: Java For MacOSX 10.5 Update 6 breaks WSS4J

After letting Apple's software update run, I'm no longer able to get WSS4J to read my PKCS12 or JKS key stores to allow for SSL calls using CXF. Crap!

There aren't any other reports of this out there yet (the update went live Dec 3, 2009), that I can find, so I'm posting in the hope that anyone else is having this issue will provide details of the problem, or resolution. Their official documentation for reversion of the Java Update 6 is to reinstall the OS.

Java for Mac OS X 10.5 Update 6
Security update details

I found the problem because my CXF stack is being used to talk to Amazon Web Wervices, using WSS4J. Here's the error I'm seeing after applying Apple's Java Update (below). Note that the "Keystore was tampered with, or password was incorrect" message is misleading as I've just create the keystore, and verified that it's valid with the right password. The problem seems to be that "java.security.KeyStore" isn't seeing the credentials that the Apache WSS4J package is passing in. Since WSS4J hasn't changed, and it worked before the VM update, it looks like a VM bug.

WARN [main] PhaseInterceptorChain.doLog(361) | Interceptor has thrown exception, unwinding now

java.lang.RuntimeException: org.apache.ws.security.components.crypto.Merlin cannot create instance

	at org.apache.ws.security.components.crypto.CryptoFactory.loadClass(CryptoFactory.java:225)

	at org.apache.ws.security.components.crypto.CryptoFactory.loadClass(CryptoFactory.java:180)

	at org.apache.ws.security.components.crypto.CryptoFactory.getInstance(CryptoFactory.java:73)

	at org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor.loadSignatureCrypto(AbstractWSS4JInterceptor.java:195)



[SNIP]


Caused by: java.lang.reflect.InvocationTargetException

	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)

	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)

	at java.lang.reflect.Constructor.newInstance(Constructor.java:501)

	at org.apache.ws.security.components.crypto.CryptoFactory.loadClass(CryptoFactory.java:211)

	... 38 more

Caused by: org.apache.ws.security.components.crypto.CredentialException: Failed to load credentials.

	at org.apache.ws.security.components.crypto.AbstractCrypto.load(AbstractCrypto.java:174)

	at org.apache.ws.security.components.crypto.AbstractCrypto.(AbstractCrypto.java:135)

	at org.apache.ws.security.components.crypto.Merlin.(Merlin.java:71)

	... 43 more

Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect

	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:768)

	at java.security.KeyStore.load(KeyStore.java:1150)

	at org.apache.ws.security.components.crypto.AbstractCrypto.load(AbstractCrypto.java:168)

	... 45 more

Update: I've resolved it by using my Time Machine backup to revert the entire subdirectory of: /System/Library/Frameworks/JavaVM.framework" and it has fixed the problem. Though Apple's official line is that an entire OSX reinstall is needed to revert, this has indeed reverted both JDK 1.6 and 1.5 correctly. The Software Update app doesn't think that Java Update 6 has been applied.

Posted at 11:44AM Dec 10, 2009 by jason in Software  |  Comments[4]