'org.bouncycastle.asn1.DERInteger cannot be cast to org.bouncycastle.asn1.ASN1Sequence' When Configuring Trusted Communication

Symptoms

When configuring trusted communication between Confluence and other products (e.g. JIRA), the following stack trace is returned:

java.lang.RuntimeException: java.security.spec.InvalidKeySpecException: java.lang.ClassCastException: org.bouncycastle.asn1.DERInteger cannot be cast to org.bouncycastle.asn1.ASN1Sequence
at com.atlassian.security.auth.trustedapps.ListApplicationRetriever.getApplicationProtocolV0(ListApplicationRetriever.java:90)

caused by: java.security.spec.InvalidKeySpecException: java.lang.ClassCastException: org.bouncycastle.asn1.DERInteger cannot be cast to org.bouncycastle.asn1.ASN1Sequence
at org.bouncycastle.jce.provider.JDKKeyFactory$RSA.engineGeneratePublic(Unknown Source)

Cause

Single sign-on tools such as CAS may be enabled for both applications but not configured correctly. In one known cause, the request for the certificate (located at https://hostname/jira/admin/appTrustCertificate) is intercepted and redirected to CAS rather than reaching the application being linked to (for example, JIRA). If JIRA is unable to locate that certificate because of this redirection, the above exception is thrown.

Diagnosis

Apply this patch (compatible with Confluence 2.10.x) to print the content of the retrieved certificate to the log file:

  1. Download and unzip ListApplicationRetriever.zip.
  2. Place ListApplicationRetriever.class in the <confluence>/WEB-INF/classes/com/atlassian/security/auth/trustedapps directory.
  3. Modify the <confluence>/WEB-INF/classes/log4j.properties file to include:

    log4j.logger.com.atlassian.security.auth.trustedapps=DEBUG

  4. Restart Confluence.

Sample results found in the log:

2009-05-27 10:21:09,418 DEBUG TP-Processor6 security.auth.trustedapps.ListApplicationRetriever logReceivedValues <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 ...
 2009-05-27 10:21:09,439 DEBUG TP-Processor6 security.auth.trustedapps.ListApplicationRetriever logReceivedValues <div class="row">
 2009-05-27 10:21:09,439 DEBUG TP-Processor6 security.auth.trustedapps.ListApplicationRetriever logReceivedValues <label for="username"><span class="accesskey">N</span>etID:</label>
 2009-05-27 10:21:09,440 DEBUG TP-Processor6 security.auth.trustedapps.ListApplicationRetriever logReceivedValues <input id="username" name="username" class="required" tabindex="1" accesskey="n" type="text" value="" size="25" autocomplete="false"/>
 2009-05-27 10:21:09,441 DEBUG TP-Processor6 security.auth.trustedapps.ListApplicationRetriever logReceivedValues </div>
 2009-05-27 10:21:09,441 DEBUG TP-Processor6 security.auth.trustedapps.ListApplicationRetriever logReceivedValues <div class="row">
 2009-05-27 10:21:09,442 DEBUG TP-Processor6 security.auth.trustedapps.ListApplicationRetriever logReceivedValues <label for="password"><span class="accesskey">P</span>assword:</label>
 2009-05-27 10:21:09,443 DEBUG TP-Processor6 security.auth.trustedapps.ListApplicationRetriever logReceivedValues <input id="password" name="password" class="required" tabindex="2" accesskey="p" type="password" value="" size="25" autocomplete="off"/>
 2009-05-27 10:21:09,443 DEBUG TP-Processor6 security.auth.trustedapps.ListApplicationRetriever logReceivedValues </div>

Resolution

Configure CAS or the custom SSO authenticator to either bypass the URL pattern "/admin/" or avoid using any wildcards that will cause improper redirection to that URL. For example, with CAS, the following mapping will cause problems:

<filter-mapping>
    <filter-name>CasAuthenticationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

As described in the Configuring Confluence with JASIG CAS Client for Java 3.1 documentation, this should be:

<filter-mapping>
    <filter-name>CasAuthenticationFilter</filter-name>
    <url-pattern>/login.action</url-pattern>
</filter-mapping>

Please refer to that documentation for further information on configuring CAS. If additional support is required, see the support page of their website or raise a question on Atlassian Answers.
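
The check below is an added example, not Atlassian's or the CAS project's code: it reads a web.xml and reports which url-pattern entries mapped to CasAuthenticationFilter would intercept /admin/appTrustCertificate, using the servlet specification's filter matching rules (exact, path prefix, extension). The sample web.xml strings are constructed from the two mappings shown above, the function names are illustrative, and paths are taken relative to the application's context path (the /jira part of the certificate URL).

```python
import xml.etree.ElementTree as ET

# Path from this page that the linking application must fetch without SSO redirection.
CERT_PATH = "/admin/appTrustCertificate"

def local(tag):
    """Strip an XML namespace, since web.xml usually declares one."""
    return tag.rsplit("}", 1)[-1]

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching as applied to filter mappings."""
    if pattern == path:
        return True                      # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]            # "/*" -> "", "/admin/*" -> "/admin"
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):         # extension match on the last path segment
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return False

def intercepting_patterns(web_xml, filter_name="CasAuthenticationFilter", path=CERT_PATH):
    """Return the url-patterns of filter_name that would intercept path."""
    hits = []
    for mapping in ET.fromstring(web_xml).iter():
        if local(mapping.tag) != "filter-mapping":
            continue
        children = [(local(c.tag), (c.text or "").strip()) for c in mapping]
        if ("filter-name", filter_name) not in children:
            continue
        hits += [v for t, v in children if t == "url-pattern" and pattern_matches(v, path)]
    return hits

# Constructed sample input: the two mappings shown on this page.
BROKEN = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter-mapping>
    <filter-name>CasAuthenticationFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""
FIXED = BROKEN.replace("/*", "/login.action")

if __name__ == "__main__":
    for label, xml in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, intercepting_patterns(xml) or "certificate URL not intercepted")
```

An empty result means the filter leaves the certificate URL alone; any returned pattern is one to narrow or exclude.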

Last modified on Mar 30, 2016
