Reputation: 18218
I am getting the following exception when I try to open JCEKS type key store with with Oracle Java 8 JRE 172 on Windows. This worked fine with earlier versions of the JRE:
INFO: ObjectInputFilter REJECTED: null, array length: -1, nRefs: 1, depth: 1, bytes: 70, ex: n/a
[ stacks omitted to protect the innocent...]
Caused by: Invalid secret key format
at com.sun.crypto.provider.JceKeyStore.engineLoad(
at Source)
This looks very much like JDK-8202506 but I use Java 8 and I get null
in the initial INFO message.
Is this the same issue?
It seems to me the JDK-8202506 issue is currently not fixed in any public JRE release. Am I right?
This looks similar and they also have no solution: ATLAS-2642
For some reason, Equinox fails to see the com.sun.crypto.provider.SealedObjectForKeyProtector
class after the upgrade, even though it is clearly in the JRE that comes with the new JDK:
BundleClassLoader[].loadClass(com.sun.crypto.provider.SealedObjectForKeyProtector) failed.
java.lang.ClassNotFoundException: com.sun.crypto.provider.SealedObjectForKeyProtector
at org.eclipse.osgi.framework.internal.core.BundleLoader.findClassInternal(
at org.eclipse.osgi.framework.internal.core.BundleLoader.findClass(
at org.eclipse.osgi.framework.internal.core.BundleLoader.findClass(
at org.eclipse.osgi.internal.baseadaptor.DefaultClassLoader.loadClass(
at java.lang.ClassLoader.loadClass(
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(
at com.sun.crypto.provider.JceKeyStore.engineLoad(
The class SealedObjectForKeyProtector.class
is somehow different from the rest of the classes in the sunjce_provider.jar
. When we try to decompile it with JD-GUI, it fails with internal error, unlike the rest of the classes:
Upvotes: 6
Views: 11803
Reputation: 21
I have done a complete analysis about the issue and debugged through the code part that involves in JCEKS keystore. Whenever the application uses custom class loader then you will face the issue for sure, if using JCEKS keystore from older java versions than JDK 8 Update 151.
private static class DeserializationChecker implements ObjectInputFilter {
private static final int MAX_NESTED_DEPTH = 2;
public ObjectInputFilter.Status
checkInput(ObjectInputFilter.FilterInfo info) {
// First run a custom filter
long nestedDepth = info.depth();
if ((nestedDepth == 1 &&
info.serialClass() != SealedObjectForKeyProtector.class) ||
(nestedDepth > MAX_NESTED_DEPTH &&
info.serialClass() != null &&
info.serialClass() != Object.class)) {
return Status.REJECTED;
// Next run the default filter, if available
ObjectInputFilter defaultFilter =
if (defaultFilter != null) {
return defaultFilter.checkInput(info);
return Status.UNDECIDED;
In the above code from JceKeyStore.class, the filter info will always be null, so info.serialClass() != SealedObjectForKeyProtector.class check will fail. The class loading delegation doesnot happening as expected in case of custom class loader like Equinox - Eclipse plugin.
There is a two step solution
Upvotes: 2
Reputation: 51
I meet this issue these days. And per my troubleshooting, it is caused by the different return value of this method:
Previously (before 8u171), this method returns sun.misc.Launcher$ExtClassLoader
, while it returns application's classloader after upgrade. In ObjectInputStream, both class loader can load com.sun.crypto.provider.SealedObjectForKeyProtector
successfully, that's simply because ExtClassLoader is the parent of application's class loader (or, parent's parent). However, once SealedObjectForKeyProtector is loaded by application's class loader, it's class loader no longer equals to ExtClassLoader.
On the other hand, within com.sun.crypto.provider.JceKeyStore
, unlike ObjectInputStream
, SealedObjectForKeyProtector
is always loaded by ExtClassLoader. Thus below check in will fail due to class doesn't equal:
932 if (info.serialClass() != SealedObjectForKeyProtector.class))
934 return Status.REJECTED;
Then, we will get below log and an IOException eventually:
REJECTED: class com.sun.crypto.provider.SealedObjectForKeyProtector
Solution: make sure class com.sun.crypto.provider.SealedObjectForKeyProtector
is not loaded by ContextClassLoader by certain configuration. Details depend on the ContextClassLoader. For example, for org.powermock.core.classloader.MockClassLoader
, the concrete solution is adding below annotation to involved test classes:
Upvotes: 4
Reputation: 31
I am currently working with Oracle JRE Support on this and have a private bug opened. Information I got so far:
A workaround is to add the following line into the OSGi bundle MANIFEST.MF.
Eclipse-BuddyPolicy: ext
I personally verified this workaround with JRE 1.8_181 and it seems working.
I was also told that for Java 9, a JVM parameter -Dosgi.compatibility.bootdelegation=true can do the job (w/o the need to update MANIFEST.MF) but I don't have a Java 9 environment to verify it. Appreciate if someone can try it and let us know the result.
Upvotes: 1