Coach Thrasher
Don't update OSX: Java For MacOSX 10.5 Update 6 breaks WSS4J
After letting Apple's software update run, I'm no longer able to get WSS4J to read my PKCS12 or JKS key stores to allow for SSL calls using CXF. Crap!
There aren't any other reports of this out there yet (the update went live Dec 3, 2009) that I can find, so I'm posting in the hope that anyone else who is having this issue will provide details of the problem, or a resolution. Their official documentation for reversion of the Java Update 6 is to reinstall the OS.
Java for Mac OS X 10.5 Update 6
Security update details
I found the problem because my CXF stack is being used to talk to Amazon Web Services, using WSS4J. Here's the error I'm seeing after applying Apple's Java Update (below). Note that the "Keystore was tampered with, or password was incorrect" message is misleading, as I've just created the keystore and verified that it's valid with the right password. The problem seems to be that "java.security.KeyStore" isn't seeing the credentials that the Apache WSS4J package is passing in. Since WSS4J hasn't changed, and it worked before the VM update, it looks like a VM bug.
WARN [main] PhaseInterceptorChain.doLog(361) | Interceptor has thrown exception, unwinding now
java.lang.RuntimeException: org.apache.ws.security.components.crypto.Merlin cannot create instance
at org.apache.ws.security.components.crypto.CryptoFactory.loadClass(CryptoFactory.java:225)
at org.apache.ws.security.components.crypto.CryptoFactory.loadClass(CryptoFactory.java:180)
at org.apache.ws.security.components.crypto.CryptoFactory.getInstance(CryptoFactory.java:73)
at org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor.loadSignatureCrypto(AbstractWSS4JInterceptor.java:195)[SNIP]
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:501)
at org.apache.ws.security.components.crypto.CryptoFactory.loadClass(CryptoFactory.java:211)
... 38 more
Caused by: org.apache.ws.security.components.crypto.CredentialException: Failed to load credentials.
at org.apache.ws.security.components.crypto.AbstractCrypto.load(AbstractCrypto.java:174)
at org.apache.ws.security.components.crypto.AbstractCrypto.<init>(AbstractCrypto.java:135)
at org.apache.ws.security.components.crypto.Merlin.<init>(Merlin.java:71)
... 43 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:768)
at java.security.KeyStore.load(KeyStore.java:1150)
at org.apache.ws.security.components.crypto.AbstractCrypto.load(AbstractCrypto.java:168)
... 45 more
Update: I've resolved it by using my Time Machine backup to revert the entire subdirectory "/System/Library/Frameworks/JavaVM.framework", and it has fixed the problem. Though Apple's official line is that an entire OSX reinstall is needed to revert, this has indeed reverted both JDK 1.6 and 1.5 correctly. The Software Update app doesn't think that Java Update 6 has been applied.
Posted at 11:44AM Dec 10, 2009 by jason in Software | Comments[4]
Yep - got the same problem. Will be restoring from Time Machine as well - thanks for the tip.
Posted by Theo on December 10, 2009 at 11:05 PM PST #
Same problem, what a waste of my night. Thanks, Apple. Unfortunately the Time Machine fix you suggested didn't work for me. I found another post indicating that changing the keystore password from 'changeme' to the more standard default 'changeit' fixed the problem, but that did not help me either.
Posted by Mark on December 11, 2009 at 09:25 PM PST #
I take back what I just said, I'm getting tired. Accidentally restored to the wrong directory. I fixed that and the problem is now corrected. Also, the Java update shows up again in Software Update. Good stuff, man, thank you!
Posted by Mark on December 11, 2009 at 09:35 PM PST #
I had the same "Keystore was tampered with, or password was incorrect" message when trying to add a new cert to the keystore. I was unaware of the password and thought it was 'changeit'. Seeing Mark's comment made me try 'changeme' instead. That did work for me. No need to revert to a backup.
Posted by Martin on December 13, 2009 at 01:30 AM PST #
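A way to narrow down the "Keystore was tampered with, or password was incorrect" error discussed in the post and comments, as an added example (not code from the post, WSS4J or CXF). It assumes a current JDK with the standard JKS provider; the class name KeystoreProbe and the in-memory sample store are constructed for illustration, and the two passwords are the ones mentioned in the comments.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;

public class KeystoreProbe {
    // Load a JKS store and classify the outcome. A null password makes the
    // JKS provider skip its integrity check, so it tests parsing only.
    static String probe(byte[] store, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try {
            ks.load(new ByteArrayInputStream(store), password);
            return "loaded, " + ks.size() + " entries";
        } catch (IOException e) {
            // The JKS digest is keyed with the password, so a wrong password
            // and a modified file fail identically: same message, same cause.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return "integrity check failed (wrong password OR modified file): "
                        + e.getMessage();
            }
            return "not parseable as JKS: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty JKS store protected with "changeit".
        KeyStore fresh = KeyStore.getInstance("JKS");
        fresh.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        fresh.store(out, "changeit".toCharArray());
        byte[] good = out.toByteArray();

        // Same store with one bit flipped in the trailing integrity digest.
        byte[] modified = good.clone();
        modified[modified.length - 1] ^= 0x01;

        System.out.println("changeit        : " + probe(good, "changeit".toCharArray()));
        System.out.println("changeme        : " + probe(good, "changeme".toCharArray()));
        System.out.println("modified file   : " + probe(modified, "changeit".toCharArray()));
        // If this load succeeds while the password loads fail, the file parses
        // and the mismatch is in the password or the stored digest.
        System.out.println("null (no check) : " + probe(modified, null));
    }
}
```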