
Key: JDBC-543
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Blocker
Assignee: Mark Rotteveel
Reporter: VENKATESH DODDATHIMMAIAH
Votes: 0
Watchers: 0
Jaybird JDBC Driver

Upgrade from 3.0.3 to 3.0.4 or 3.0.5-SNAPSHOT is broken. Results in "Encryption key did not meet algorithm requirements of Symmetric/Arc4"

Created: 22/Aug/18 09:24 AM   Updated: 23/Aug/18 11:31 AM
Component/s: Wire protocol
Affects Version/s: Jaybird 3.0.4
Fix Version/s: None

File Attachments: 1. Java Source File AppDb.java (3 kB)
2. Text File Build_Log_SonaType.txt (5 kB)
3. Text File Crypto_Permission_Check_Failed.txt (13 kB)
4. Text File Encryption key did not meet algorithm requirements of SymmetricArc4.txt (18 kB)
5. Java Source File HelloJaybird.java (0.3 kB)
6. Text File Java_1.8_161 - Jaybird JDK18 - 3.0.5-SNAPSHOT.txt (1 kB)
7. Java Archive File mobileclient.jar (2.57 MB)
8. XML File pom.xml (3 kB)

Environment: jaybird-jdk17 (3.0.5-SNAPSHOT), Firebird (3.0.3), c3p0 (0.9.5.1), Java 8 (1.8.0_161), Windows 10 & 2012 R2

Description
Application
-------------------------------------------------------------------
A Java application for Firebird 3.0.3 via Jaybird 3.0.3 (being upgraded to 3.0.5-SNAPSHOT to utilize Fix from http://tracker.firebirdsql.org/browse/JDBC-542).

History
-------------------------------------------------------------------
1. Jaybird 3.0.3 had issue - http://tracker.firebirdsql.org/browse/JDBC-542
2. It is fixed in 3.0.5-SNAPSHOT as per the ticket
3. While upgrading from 3.0.3 to 3.0.5-SNAPSHOT, maven build throws exceptions as in attached log file "Encryption key did not meet algorithm requirements of SymmetricArc4.txt"
4. The upgrade was attempted by just changing the version from 3.0.3 to 3.0.5-SNAPSHOT

Other analysis
1. With jaybird-jdk17 and 3.0.4 also, the exception is thrown
2. With jaybird-jdk18 and 3.0.4 also, the exception is thrown
3. With jaybird-jdk17 and 3.0.5-SNAPSHOT also, the exception is thrown. However, the issue of http://tracker.firebirdsql.org/browse/JDBC-542 seems to have been fixed.

Firebird configuration
WireCrypt = Enabled. Have also changed this to Required, but still results in exception.

Simulation
-------------------------------------------------------------------
Attached is a sample application (with two Java files and associated pom) which can be used to directly simulate the issue.

Prerequisites
-------------------------------------------------------------------
1. Sample & valid FDB database file in a specific file system location
2. Firebird database server

Steps
-------------------------------------------------------------------
1. Change the source file "AppDb.java" to reflect above database file path & associated credentials
2. Build the application from the source as a maven project to get "mobileclient.jar"
3. Ensure Firebird server is up and running
4. Run the jar from a command prompt using "java -jar mobileclient.jar" and watch for the informational logs

Observation
-------------------------------------------------------------------
1. The exception logs in the attached file are visible

On the contrary, if the project is built with 3.0.3, exceptions are not thrown.

Mark Rotteveel added a comment - 22/Aug/18 11:17 AM
I can't reproduce the problem. Could you send me a copy of the mobileclient.jar built on your machine so that I can check what the difference is?

How did you install the snapshot into your local repository and what is your Maven version? I do run into the "No suitable driver found" issue if I install using
mvn install:install-file -Dfile=jaybird-jdk17-3.0.5-SNAPSHOT.jar -DgroupId=org.firebirdsql.jdbc -DartifactId=jaybird-jdk17 -Dversion=3.0.5-SNAPSHOT -Dpackaging=jar

This will generate a POM without dependencies, which means that the required connector-api dependency is missing.

Instead, extract the META-INF/maven/org.firebirdsql.jdbc/jaybird-jdk17.jar/pom.xml from the archive and use

mvn install:install-file -Dfile=jaybird-jdk17-3.0.5-SNAPSHOT.jar -DpomFile=pom.xml

Alternatively, add an explicit dependency on connector-api:

        <dependency>
            <groupId>javax.resource</groupId>
            <artifactId>connector-api</artifactId>
            <version>1.5</version>
        </dependency>

VENKATESH DODDATHIMMAIAH added a comment - 22/Aug/18 12:38 PM
First I had tried to have the jar deployed in a local maven repository. This approach resulted in the exception. Below is the command used
Next, I cleaned all references to local maven versions and just updated the version in the original project pom file to pull from maven central directly. Even this approach results in the same exception.

I have attached the sample "mobileclient.jar" which throws exceptions. It points to Firebird example Employee.fdb with SYSDBA/masterkey.

Command used
------------------------------------------
mvn deploy:deploy-file -Dfile="<PATH_TO>\Jaybird-3.0.5-SNAPSHOT-JDK_1.7\jaybird-3.0.5-SNAPSHOT.jar" -DgroupId=org.firebirdsql.jdbc -DartifactId=jaybird-jdk17 -Dversion=3.0.5-SNAPSHOT -Dpackaging=jar -Durl=file:./maven-repository

Will try out both the above approaches and update.

Mark Rotteveel added a comment - 22/Aug/18 01:08 PM
The mobileclient.jar you attached was built with Jaybird 3.0.4, which for me exhibits the exact same behavior as I can reproduce with 3.0.3 (that is, the problem you reported in JDBC-542). Which is what I expect with that version.

The only problem I observe when using 3.0.5-SNAPSHOT is when installing Jaybird into the local repository like you did, because then it fails because of the missing dependency information in the pom that maven generates when it installs like that.

You will need to install the dependency with an explicit POM, as detailed in my previous comment, or otherwise try removing the 3.0.5-SNAPSHOT from your local repository, and instead add https://oss.sonatype.org/content/repositories/snapshots as a snapshot repository in your maven config. I have uploaded the 3.0.5-SNAPSHOT versions there.

VENKATESH DODDATHIMMAIAH added a comment - 22/Aug/18 01:46 PM
I removed all firebird jdbc driver references from local maven and then configured maven to pull only from sonatype.

I have attached the build log which captures downloading logs of 3.0.5-SNAPSHOT from sonatype repository.

When we run the final built jar, it results in the same exception.

Mark Rotteveel added a comment - 22/Aug/18 02:30 PM
Can you upload the mobileclient.jar you built that way? And the exception you see now is still that "Encryption key did not meet algorithm requirements of Symmetric/Arc4"?

The only other option I can think of is that you are using a security policy that disallows RC4 (which is used by the Firebird 3 wire encryption which was introduced in Jaybird 3.04). Could you show the output of:

java -Djava.security.debug=jca -jar mobileclient.jar

Mark Rotteveel added a comment - 22/Aug/18 02:57 PM
With some experimentation, I managed to reproduce the problem. Your Java version is probably applying the limited Cryptographic Jurisdiction Policy (this is the default for Java 8 Update 152 and earlier), and given the implementation we use RC4 with a keysize of 160, while the limited policy only allows key sizes of 128 or smaller.

For some reason I had assumed that this policy did not influence RC4, and my Java installs have been using unlimited for years.

You have the following options:

* Change your policy to unlimited, see https://stackoverflow.com/a/3864276/466862
* Upgrade to Java 8 update 161 or higher (those versions default to the unlimited policy)
* Disable WireCrypt in Firebird (not advisable)
* Disable wireCrypt in Jaybird (see https://www.firebirdsql.org/file/documentation/drivers_documentation/java/3.0.x/release_notes.html#wire-encryption-support), unfortunately this is not possible for FBEventManager yet (I just noticed I didn't add support for this property there).

Mark Rotteveel added a comment - 22/Aug/18 03:06 PM
I just noticed you are already using Java 8 update 161 which should default to the unlimited policy. In that case it would still be helpful to have the output of

java -Djava.security.debug=jca -jar mobileclient.jar

Or is it possible that your Java install has explicitly set the policy to limited?

VENKATESH DODDATHIMMAIAH added a comment - 22/Aug/18 05:06 PM
Awesome! I think you nailed it.

I could see below in the logs
----------------------------------------------------
:
Cipher: Crypto Permission check failed
Cipher: granted: (CryptoPermission * 128)
Cipher: requesting: (CryptoPermission ARCFOUR 160)
:
----------------------------------------------------

Full log attached as "Crypto_Permission_Check_Failed.txt"

Will follow the link - "https://stackoverflow.com/questions/3862800/invalidkeyexception-illegal-key-size/3864276#3864276" to increase the limit. Hopefully it should resolve.

Mark Rotteveel added a comment - 22/Aug/18 06:03 PM
Yes, that debug logging is the same as what I saw when I changed my configuration to the limited policy. Switching to unlimited should then solve it.

I have created a number of follow-up tickets to address this further: JDBC-544 (allow wireCrypt to be disabled for FBEventManager), JDBC-545 (document this problem and solutions) and JDBC-546 (let Jaybird default to wireCrypt DISABLED if the cipher + key size is disallowed by the policy).

Thanks for taking the time to report this and for helping me find the underlying problem.

Mark Rotteveel added a comment - 22/Aug/18 06:20 PM
To be clear, even with the limited policy the connection (and event manager) will work, it will just log this as warning and the connection will not be encrypted, unless the wireCrypt is set to REQUIRED, in which case this will be a connection error.

As part of JDBC-546, I will see if I can make the logging in this case less intrusive (eg maybe log the full stacktrace only once on warn and for the rest on debug) if checking the permission is too involved.
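
The diagnosis from the comments above (limited policy grants 128 bits, wire encryption requests ARCFOUR with 160 bits) can be checked on any JVM before deploying. This is an added example, not part of the original ticket and not Jaybird code; the class name Arc4PolicyCheck and its optional REQUIRED argument are assumptions of this example, and the outcome messages follow the behaviour described in the comment above.

```java
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/** Added diagnostic (hypothetical class, not Jaybird code). */
public class Arc4PolicyCheck {
    // Key size this ticket reports for Firebird 3 wire encryption.
    static final int REQUIRED_BITS = 160;

    /** Largest ARCFOUR key the active jurisdiction policy grants (Integer.MAX_VALUE = unlimited). */
    static int maxAllowedBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("ARCFOUR");
    }

    /** Performs the real operation: initialise ARCFOUR with a 160-bit key. */
    static boolean canInit160BitKey() throws Exception {
        byte[] key = new byte[REQUIRED_BITS / 8]; // constructed all-zero key, test only
        Cipher cipher = Cipher.getInstance("ARCFOUR");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "ARCFOUR"));
            return true;
        } catch (InvalidKeyException e) {
            // The crypto permission check failed: key size exceeds the policy limit.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Pass REQUIRED to model a connection that must be encrypted.
        boolean required = args.length > 0 && "REQUIRED".equalsIgnoreCase(args[0]);
        int max = maxAllowedBits();
        System.out.println("java.version  = " + System.getProperty("java.version"));
        // null when the property is absent from java.security (older Java 8 updates).
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));
        System.out.println("ARCFOUR max   = "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        if (canInit160BitKey()) {
            System.out.println("OK: 160-bit ARCFOUR key accepted");
        } else if (required) {
            System.out.println("FAIL: wireCrypt REQUIRED would be a connection error");
            System.exit(1);
        } else {
            System.out.println("WARN: connection would proceed without wire encryption");
        }
    }
}
```

Run it with the same JVM that runs the application; a non-zero exit code with the REQUIRED argument makes it usable as a deployment gate.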

VENKATESH DODDATHIMMAIAH added a comment - 22/Aug/18 06:46 PM
Options to manage crypto policy limitations

Option 1:
To download the packages as in - http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Reference
- https://stackoverflow.com/questions/6481627/java-security-illegal-key-size-or-default-parameters?noredirect=1&lq=1
- https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html

Option 2:
In u151 and u152 version of Java 8, we can directly handle in code as
"Security.setProperty("crypto.policy", "unlimited");"

Option 3:
Set the unlimited policy in the <jre_home>/lib/security/java.security file by uncommenting line #crypto.policy=unlimited
We didn't have an entry itself in the file. So we couldn't try on Option 3. Perhaps this is for even older versions.

Our production servers are at Java "1.8 161" and our dev at "1.8 144", but a lot has changed between these multiple versions.
For our dev - we had to go with Option 1, which worked. Also, we prefer & intend to keep it in sync with the prod Java version, i.e. 1.8 161.
For our prod - we didn't have to do anything and it worked. But if any prod server Java versions fall between 151 and 152, they might need Option 2 as a better approach over Option 1. Even this approach worked.

The sample was verified for both issues, this and especially the original JDBC-542
1. No Encryption related exceptions observed
2. When Firebird was killed, only one entry of IOException was logged and CPU remained stable

Log attached "Java_1.8_161 - Jaybird JDK18 - 3.0.5-SNAPSHOT.txt"

I greatly appreciate all the time and support in resolving these issues and clearing the way for production roll outs. Thank you once again.