Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-34121

IBM Java doesn't support AES/CTR/PKCS5Padding, required for JNLP3

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Won't Fix
    • Component/s: remoting
    • Labels:
      None
    • Similar Issues:

      Description

      It is not possible to run slaves anymore using IBM Java.

      This is due to the new encrypted communication introduced in Jenkins 1.653, where the handshake is done using "AES/CTR/PKCS5Padding".
      I couldn't find what ciphers IBM Java does or doesn't support (maybe nothing else than the default ones), but I created a quick test to check (see below).

      Would it be possible to switch to a cipher supported by IBM Java?

      Test:
      import java.security.NoSuchAlgorithmException;
      import javax.crypto.Cipher;
      import javax.crypto.NoSuchPaddingException;
      public class PaddingIssue {
      private static final String CIPHER = "AES/CTR/PKCS5Padding";
      public static void main(String[] args) throws NoSuchAlgorithmException, NoSuchPaddingException

      { Cipher encryptCipher = Cipher.getInstance(CIPHER); System.out.println("Fine!"); }

      }

      Executions:
      IBM JAVA 1.6
      /usr/lib/j2re1.6-ibm/jre/bin/java PaddingIssue
      Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at PaddingIssue.main(PaddingIssue.java:10)
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a.a(Unknown Source)
      ... 2 more

      IBM JAVA 1.7
      /usr/lib/j2re1.7-ibm/jre/bin/java PaddingIssue
      Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at PaddingIssue.main(PaddingIssue.java:10)
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a.a(Unknown Source)
      ... 2 more

      IBM JAVA 1.8
      /usr/lib/jvm/java-ibm-x86_64-80/jre/bin/java PaddingIssue
      Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at PaddingIssue.main(PaddingIssue.java:10)
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AbstractBufferingCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a.a(Unknown Source)
      ... 2 more

      OpenJDK 7
      /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java PaddingIssue
      Fine!

      Full stacktrace:
      Mar 22, 2016 3:54:13 PM hudson.remoting.jnlp.Main$CuiListener status
      INFO: Trying protocol: JNLP3-connect
      Mar 22, 2016 3:54:14 PM hudson.remoting.jnlp.Main$CuiListener error
      SEVERE: Failed to create handshake ciphers
      java.lang.AssertionError: Failed to create handshake ciphers
      at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:116)
      at org.jenkinsci.remoting.engine.JnlpProtocol3.performHandshake(JnlpProtocol3.java:138)
      at org.jenkinsci.remoting.engine.JnlpProtocol.establishChannel(JnlpProtocol.java:77)
      at hudson.remoting.Engine.run(Engine.java:308)
      Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:109)
      ... 3 more
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10
      126Padding or NoPadding
      at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a_.a(Unknown Source)
      ... 5 more

        Attachments

          Issue Links

            Activity

            gloparm Gabriel Lopez created issue -
            gloparm Gabriel Lopez made changes -
            Field Original Value New Value
            Description It is not possible to run slaves anymore using IBM Java.

            This is due to the new [encrypted communication|https://issues.jenkins-ci.org/browse/JENKINS-26580] introduced in Jenkins 1.653, where the handshake is done [using "AES/CTR/PKCS5Padding"|https://github.com/jenkinsci/remoting/blob/master/src/main/java/org/jenkinsci/remoting/engine/HandshakeCiphers.java#L109].

            I couldn't find what ciphers IBM Java does or doesn't support (maybe nothing else than the [default ones|https://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.api.doc/jce/javax/crypto/Cipher.html]), but I created a quick test to check. See below.

            Would it be possible to switch to a cipher supported by IBM Java?

            Test:
            import java.security.NoSuchAlgorithmException;
            import javax.crypto.Cipher;
            import javax.crypto.NoSuchPaddingException;

            public class PaddingIssue {
            private static final String CIPHER = "AES/CTR/PKCS5Padding";

            public static void main(String[] args) throws NoSuchAlgorithmException, NoSuchPaddingException {
                    Cipher encryptCipher = Cipher.getInstance(CIPHER);
                    System.out.println("Fine!");
            }
            }

            Executions:
            IBM JAVA 1.6
            /usr/lib/j2re1.6-ibm/jre/bin/java PaddingIssue
            Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
            at javax.crypto.Cipher.getInstance(Unknown Source)
            at PaddingIssue.main(PaddingIssue.java:10)
            Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
            at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
            at javax.crypto.Cipher$a.a(Unknown Source)
            ... 2 more

            IBM JAVA 1.7
            /usr/lib/j2re1.7-ibm/jre/bin/java PaddingIssue
            Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
            at javax.crypto.Cipher.getInstance(Unknown Source)
            at PaddingIssue.main(PaddingIssue.java:10)
            Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
            at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
            at javax.crypto.Cipher$a.a(Unknown Source)
            ... 2 more

            IBM JAVA 1.8
            /usr/lib/jvm/java-ibm-x86_64-80/jre/bin/java PaddingIssue
            Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
            at javax.crypto.Cipher.getInstance(Unknown Source)
            at PaddingIssue.main(PaddingIssue.java:10)
            Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
            at com.ibm.crypto.provider.AbstractBufferingCipher.engineSetPadding(Unknown Source)
            at javax.crypto.Cipher$a.a(Unknown Source)
            ... 2 more

            OpenJDK 7
            /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java PaddingIssue
            Fine!

            Full stacktrace:
            Mar 22, 2016 3:54:13 PM hudson.remoting.jnlp.Main$CuiListener status
            INFO: Trying protocol: JNLP3-connect
            Mar 22, 2016 3:54:14 PM hudson.remoting.jnlp.Main$CuiListener error
            SEVERE: Failed to create handshake ciphers
            java.lang.AssertionError: Failed to create handshake ciphers
                    at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:116)
                    at org.jenkinsci.remoting.engine.JnlpProtocol3.performHandshake(JnlpProtocol3.java:138)
                    at org.jenkinsci.remoting.engine.JnlpProtocol.establishChannel(JnlpProtocol.java:77)
                    at hudson.remoting.Engine.run(Engine.java:308)
            Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
                    at javax.crypto.Cipher.getInstance(Unknown Source)
                    at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:109)
                    ... 3 more
            Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10
            126Padding or NoPadding
                    at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
                    at javax.crypto.Cipher$a_.a(Unknown Source)
                    ... 5 more
            It is not possible to run slaves anymore using IBM Java.

            This is due to the new [encrypted communication|https://issues.jenkins-ci.org/browse/JENKINS-26580] introduced in Jenkins 1.653, where the handshake is done [using "AES/CTR/PKCS5Padding"|https://github.com/jenkinsci/remoting/blob/master/src/main/java/org/jenkinsci/remoting/engine/HandshakeCiphers.java#L109].
            I couldn't find what ciphers IBM Java does or doesn't support (maybe nothing else than the [default ones|https://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.api.doc/jce/javax/crypto/Cipher.html]), but I created a quick test to check (see below).

            Would it be possible to switch to a cipher supported by IBM Java?

            *Test:*
            import java.security.NoSuchAlgorithmException;
            import javax.crypto.Cipher;
            import javax.crypto.NoSuchPaddingException;
            public class PaddingIssue {
            private static final String CIPHER = "AES/CTR/PKCS5Padding";
            public static void main(String[] args) throws NoSuchAlgorithmException, NoSuchPaddingException {
                    Cipher encryptCipher = Cipher.getInstance(CIPHER);
                    System.out.println("Fine!");
            }
            }

            *Executions:*
            IBM JAVA 1.6
            /usr/lib/j2re1.6-ibm/jre/bin/java PaddingIssue
            Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
            at javax.crypto.Cipher.getInstance(Unknown Source)
            at PaddingIssue.main(PaddingIssue.java:10)
            Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
            at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
            at javax.crypto.Cipher$a.a(Unknown Source)
            ... 2 more

            IBM JAVA 1.7
            /usr/lib/j2re1.7-ibm/jre/bin/java PaddingIssue
            Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
            at javax.crypto.Cipher.getInstance(Unknown Source)
            at PaddingIssue.main(PaddingIssue.java:10)
            Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
            at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
            at javax.crypto.Cipher$a.a(Unknown Source)
            ... 2 more

            IBM JAVA 1.8
            /usr/lib/jvm/java-ibm-x86_64-80/jre/bin/java PaddingIssue
            Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
            at javax.crypto.Cipher.getInstance(Unknown Source)
            at PaddingIssue.main(PaddingIssue.java:10)
            Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
            at com.ibm.crypto.provider.AbstractBufferingCipher.engineSetPadding(Unknown Source)
            at javax.crypto.Cipher$a.a(Unknown Source)
            ... 2 more

            OpenJDK 7
            /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java PaddingIssue
            Fine!

            *Full stacktrace:*
            Mar 22, 2016 3:54:13 PM hudson.remoting.jnlp.Main$CuiListener status
            INFO: Trying protocol: JNLP3-connect
            Mar 22, 2016 3:54:14 PM hudson.remoting.jnlp.Main$CuiListener error
            SEVERE: Failed to create handshake ciphers
            java.lang.AssertionError: Failed to create handshake ciphers
                    at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:116)
                    at org.jenkinsci.remoting.engine.JnlpProtocol3.performHandshake(JnlpProtocol3.java:138)
                    at org.jenkinsci.remoting.engine.JnlpProtocol.establishChannel(JnlpProtocol.java:77)
                    at hudson.remoting.Engine.run(Engine.java:308)
            Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
                    at javax.crypto.Cipher.getInstance(Unknown Source)
                    at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:109)
                    ... 3 more
            Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10
            126Padding or NoPadding
                    at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
                    at javax.crypto.Cipher$a_.a(Unknown Source)
                    ... 5 more
            danielbeck Daniel Beck made changes -
            Component/s remoting [ 15489 ]
            Component/s core [ 15593 ]
            oleg_nenashev Oleg Nenashev made changes -
            Link This issue is related to JENKINS-34819 [ JENKINS-34819 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 170155 ] JNJira + In-Review [ 183790 ]
            oleg_nenashev Oleg Nenashev made changes -
            Status Open [ 1 ] Resolved [ 5 ]
            Resolution Won't Fix [ 2 ]

              People

              • Assignee:
                Unassigned
                Reporter:
                gloparm Gabriel Lopez
              • Votes:
                2 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: