• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1465
  • Last Modified:

Coldfusion 8 RSA problems

We have a java class that we consume which is throwing an error in Coldfusion 8. This class works fine in Coldfusion 7. I understand that the RSA libraries were updated in Coldfusion 8, but cannot gather enough information about it to come to any logical conclusions about what is going wrong. Anyone that can provide useful information would be appreciated.

500
ROOT CAUSE:
java.lang.NoSuchMethodError: com.rsa.asn1.OIDContainer.<init>(IZILjava/lang/String;II)V
        at com.rsa.jsafe.JA_AlgID.berDecode(JA_AlgID.java:94)
        at com.rsa.jsafe.JA_AlgID.berDecodeAlgID(JA_AlgID.java:29)
        at com.rsa.jsafe.JSAFE_PublicKey.getInstance(JSAFE_PublicKey.java:64)
        at com.rsa.certj.cert.Certificate.setSubjectPublicKey(Unknown Source)
        at com.rsa.certj.cert.X509Certificate.setInnerDER(Unknown Source)
        at com.rsa.certj.cert.X509Certificate.a(Unknown Source)
        at com.rsa.certj.cert.X509Certificate.<init>(Unknown Source)
        at com.rsa.certj.cert.X509Certificate.<init>(Unknown Source)
0
KCCMacMan
Asked:
KCCMacMan
  • 8
  • 7
1 Solution
 
Scott BennettManager TechnologyCommented:
Can you post the code that is causing this error?
0
 
_agx_Commented:
I'm not familiar with that class so my comments are simply based on the error message

At a guess the error message _suggests_ to me a conflict between the java class(es) you're using and the RSA libraries in CF8.  The method "init()" is usually a call to a java class' constructor.  One possible reason for the error is the constructor you're trying to call no longer exists in the newer library or perhaps the newer libraries added some constructors and CF is having a difficult time determining which one to use.  

From what I can tell, these are the available constructors for the OIDContainer class in CF8

 public com.rsa.asn1.OIDContainer(int);
 public com.rsa.asn1.OIDContainer(int,int);
 public com.rsa.asn1.OIDContainer(int,boolean,int,java.lang.String);
 public com.rsa.asn1.OIDContainer(int,boolean,int,java.lang.String,int);
 public com.rsa.asn1.OIDContainer(int,boolean,int,byte[],int,int);
    throws com/rsa/asn1/ASN_Exception
 public com.rsa.asn1.OIDContainer(int,boolean,int,byte[],int,int,int);
    throws com/rsa/asn1/ASN_Exception

0
 
KCCMacManAuthor Commented:
Sure, I'm not sure if the code will be to terribly helpful for you, but maybe you'll be able to see something that I cannot.

Here is the Java class that is being called from coldfusion

package com.kencook.cybersource;

import com.cybersource.ics.base.exception.ICSException;
import com.cybersource.ics.base.message.ICSReply;
import com.cybersource.ics.client.ICSClient;
import com.cybersource.ics.client.message.ICSClientOffer;
import com.cybersource.ics.client.message.ICSClientRequest;
import java.net.MalformedURLException;
import java.util.Properties;
import java.io.*;

public class ICSTax
{

    public ICSTax()
    {
    }

    public String[] result(String order_id, String add1, String add2, String city, String state, String zip, String total,
            String country, String props)
        throws ICSException, MalformedURLException, FileNotFoundException, IOException
    {
          Properties settings = new Properties();
          
          settings.load(new FileInputStream(props));
          
        ICSClient client = new ICSClient(settings);
        ICSClientOffer offer = new ICSClientOffer();
        ICSClientRequest request = new ICSClientRequest();
       
        request.setField("ics_applications", "ics_tax");
        request.setField("merchant_ref_number", order_id);
        request.setField("bill_address1", add1);
        request.setField("bill_address2", add2);
        request.setField("bill_city", city);
        request.setField("bill_state", state);
        request.setField("bill_zip", zip);
        request.setField("bill_country", country);
        offer.setField("amount", total);
       
        //nexus should be a comma delimited list of two letter state abbreviations
        if (settings.getProperty("nexus") != null)
              request.setField("nexus", settings.getProperty("nexus"));
       
        request.addOffer(offer);
        ICSReply reply = client.send(request);
        String amount = offer.getField("amount");
        String tax_total_grand = reply.getField("tax_total_grand");
        String tax_total_tax = reply.getField("tax_total_tax");
        String tax_city_name = reply.getField("tax_city_name");
        String tax_county_name = reply.getField("tax_county_name");
        String tax_state_name = reply.getField("tax_state_name");
        String tax_zip = reply.getField("tax_zip");
        String tax_total_city_tax = reply.getField("tax_total_city_tax");
        String tax_total_county_tax = reply.getField("tax_total_county_tax");
        String tax_total_district_tax = reply.getField("tax_total_district_tax");
        String tax_total_state_tax = reply.getField("tax_total_state_tax");
        String orderID = request.getField("merchant_ref_number");
        String result[] = {
            orderID, amount, tax_county_name, tax_city_name, tax_state_name, tax_zip, tax_total_county_tax, tax_total_city_tax, tax_total_state_tax, tax_total_district_tax,
            tax_total_tax, tax_total_grand
        };
        return result;
    }

    public String result[];
}

Here is the Coldfusion Code the java instance is set into the cfc

      <cffunction name="setTaxCalculator" returntype="void" output="false">
            <cfargument name="taxCalculator" default="#createObject('java','ICSTax')#" />
            <cfset variables.instance.taxCalculator = arguments.taxCalculator />
      </cffunction>

Here is the line where it is called and fails

taxInfo = variables.instance.taxCalculator.result(arguments.order_sku,arguments.address1, arguments.address2, arguments.city, arguments.state, arguments.postal_code, numberformat(arguments.total, ".__"), arguments.country, arguments.propertiesPath);

It has worked without issue since 6.1 so I'm not sure what in cf8 is causing this issue. There is no cryptographic method explicitly defined in my code so I'm not sure what has chanced in the update.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
KCCMacManAuthor Commented:
_agx_

How did you locate the available constructors for the OIDContainer? Did you just invoke it? I'm getting hung up on this issue because that class is being called internally by coldfusion on the custom tag request. Here is a longer stack trace so that you might gather more insight.

ROOT CAUSE:
java.lang.NoSuchMethodError: com.rsa.asn1.OIDContainer.<init>(IZILjava/lang/String;II)V
        at com.rsa.jsafe.JA_AlgID.berDecode(JA_AlgID.java:94)
        at com.rsa.jsafe.JA_AlgID.berDecodeAlgID(JA_AlgID.java:29)
        at com.rsa.jsafe.JSAFE_PublicKey.getInstance(JSAFE_PublicKey.java:64)
        at com.rsa.certj.cert.Certificate.setSubjectPublicKey(Unknown Source)
        at com.rsa.certj.cert.X509Certificate.setInnerDER(Unknown Source)
        at com.rsa.certj.cert.X509Certificate.a(Unknown Source)
        at com.rsa.certj.cert.X509Certificate.<init>(Unknown Source)
        at com.rsa.certj.cert.X509Certificate.<init>(Unknown Source)
        at com.cybersource.security.identity.Identity.getSerialNumber(Identity.java:249)
        at com.cybersource.ics.client.IdentityLoader.getSenderIdentity(IdentityLoader.java:116)
        at com.cybersource.ics.client.ICSClientMessageManager.createSCMPContext(ICSClientMessageManager.java:390)
        at com.cybersource.ics.client.ICSClientMessageManager.getContext(ICSClientMessageManager.java:322)
        at com.cybersource.ics.client.ICSClientMessageManager.sendMessage(ICSClientMessageManager.java:223)
        at com.cybersource.ics.client.ICSClientMessageManager.send(ICSClientMessageManager.java:155)
        at com.cybersource.ics.client.ICSClient.send(ICSClient.java:318)
        at com.kencook.cybersource.ICSTax.result(ICSTax.java:46)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:87)
        at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2260)
        at cftaxes2ecfc881960508$funcGETTAXES.runFunction(C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\core\model\order\taxes.cfc:59)


0
 
_agx_Commented:
You can use a command line tool to view the byte code.  Its called javap.

I assume the custom tag comes bundled in a jar.  If you view the jar does it include the com/rsa/* classes?
0
 
KCCMacManAuthor Commented:
We built the class ourselves and it has never referenced rsa anything. That is what is causing my confusion. It's very odd because the unit tests on the class works outside of coldfusion on any version of Java.

That gives me an idea. The provider for rsa is different since cf8 includes jsafe now. I wonder if I add the rsa libraries explicitly to my jar (possibly what you are suggesting), if it will override the ones that are in coldfusion for this request. Do you know what the behavior would be there?
0
 
_agx_Commented:
> We built the class ourselves and it has never referenced rsa anything. That is what is
> causing my confusion.

Well it looks to me like the cybersource classes are referencing rsa. I can see it here in the stacktrace:

   at com.rsa.certj.cert.X509Certificate.<init>(Unknown Source)
   at com.cybersource.security.identity.Identity.getSerialNumber(Identity.java:249)

So I'm wondering what classes are included in the cybersource jar.  Did you build the whole thing, or just the class that imports the cybersource classes?

> Do you know what the behavior would be there

Not positively, no.  If you have the older libraries, I suppose you could give it try.  Either it will work or you'll get the same error you're getting now.  

0
 
KCCMacManAuthor Commented:
sure enough the jar file I include with the cybersource files has rsa classes in it. From what I can tell it appears that Coldfusions classes get used instead of the ones that are included in the jar. I'll dig deeper and see if I can figure out how to fix that problem.
0
 
KCCMacManAuthor Commented:
Here's an update on my issue. I removed the RSA classes from the jar I received from Cybersource and it allows me to go further but now I get a different error. I'm investigating it and any input would be welcome.

Type java.lang.SecurityException
Message Unsupported algorithm, SHA1Random, selected for FIPS140 mode: FIPS140_MODE

Coldfusion should now be using it's own RSA classes. I suspect that something cybersource expects is not the same with the classes coldfusion uses.
0
 
KCCMacManAuthor Commented:
Also I should note that this error is coming straight out of Coldfusion. No more 500 errors! :)
0
 
_agx_Commented:
> From what I can tell it appears that Coldfusions classes get used instead of the ones that
> are included in the jar

Makes sense.  If you remove all of the older rsa classes from the jar, IIRC CF will search the classpath for com.rsa.* .  Since ColdFusion 8's classes are in the classpath I would expect it to use CF's rsa classes.

> Type java.lang.SecurityException
> Message Unsupported algorithm, SHA1Random, selected for FIPS140 mode: FIPS140_MODE

Well, it seems like you can't just swap out the rsa classes.  The error suggests that the newer classes are using something the cybersource classes are not expecting or equipped to handle. Just a guess though.

I'm in the dark here as I don't have access to the cybersource API.  But it seems to me that CF must have been using _some_ of the original rsa classes in the cybersource jar to begin with.  Otherwise, the error message wouldn't have changed when you removed the rsa classes from the cybersource jar.

Can the company that provided you with the jar give you an updated version that works with CF8?

0
 
_agx_Commented:
Copy paste correction:  My first comment was in response to :

> I removed the RSA classes from the jar I received from Cybersource and it allows me to go further

0
 
KCCMacManAuthor Commented:
Just a small update.

I'm evaluating my choices right now. The api that we use from cybersource is legacy so I can try to upgrade to the new api and possibly have better results or I can publish a java web service for coldfusion to consume which will bypass this problem entirely. I'll update with more once I've determined what I'm going to do.
0
 
_agx_Commented:
Okay. Keep us posted.  
0
 
KCCMacManAuthor Commented:
We're going the Java web service route. It is easiest to implement and solves the conflicts with running the code under Coldfusion. Thanks for your help!
0
 
_agx_Commented:
Thanks for the update.  Glad you found a workable solution.
0

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

  • 8
  • 7
Tackle projects and never again get stuck behind a technical roadblock.
Join Now