When a Java application is accessing remote endpoints over HTTPS, it can fail due to an SSL handshake error in Tanzu Application Service for VMs (TAS for VMs).
The application can throw a javax.net.ssl.SSLException during startup, with the following cause in the logs:
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT Caused by: java.lang.NullPointerException: null
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source) ~ [bcprov-ext-jdk15on-1.61.jar:1.61.0.0]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at org.bouncycastle.jcajce.provider.asymmetric.rsa.PSSSignatureSpi.engineSign(Unknown Source) ~[bcprov-ext-jdk15on-1.61.jar:1.61.0.0]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at java.security.Signature$Delegate.engineSign(Signature.java:1382) ~[na:1.8.0_312]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at java.security.Signature.sign(Signature.java:698) ~[na:1.8.0_312]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at sun.security.ssl.CertificateVerify$T12CertificateVerifyMessage.<init>(CertificateVerify.java:608) ~[na:1.8.0_312]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at sun.security.ssl.CertificateVerify$T12CertificateVerifyProducer.produce(CertificateVerify.java:760) ~[na:1.8.0_312]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421) ~[na:1.8.0_312]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182) ~[na:1.8.0_312]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) ~[na:1.8.0_312]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[na:1.8.0_312]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[na:1.8.0_312]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) ~[na:1.8.0_312]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152) ~[na:1.8.0_312]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ~[na:1.8.0_312]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) ~[na:1.8.0_312]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) ~[na:1.8.0_312]
2021-12-14T10:13:50.37+0000 [APP/PROC/WEB/9] OUT ... 34 common frames omitted
This exception is thrown at a Bouncy Castle (BC) component, which is not part of the Java Development Kit (JDK).
Java invokes the verification of the signature of the certificate. The implementation selected as the best match for the algorithm appears to be the Bouncy Castle one, which throws a NullPointerException after receiving a null value from a randomizer.
This is a bug identified in past versions of the Bouncy Castle library (v1.64 and below), which causes an incompatibility with newer versions of the Java Buildpack (e.g. v4.44). For more information, refer to Handle null random values in PSSSignatureSpi #632.
The fix for this NPE was provided in BC v1.65. To resolve this issue, upgrade the Bouncy Castle dependency used by the applications to BC v1.65. For more information on this fix, refer to Merge branch 'b144279168' of https://github.com/brandonweeks/bc-java.
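To find which Bouncy Castle provider jars an application artifact actually ships before and after the upgrade, the following added example (not part of the original article or of any vendor tooling) scans a jar or war, including nested archives, and flags bcprov versions below 1.65. The function names and the file-name pattern are assumptions, and the version is read from the jar file name only.

```python
import io
import re
import sys
import zipfile

# Assumed naming: bcprov-jdk15on-1.64.jar, bcprov-ext-jdk15on-1.61.jar, ...
BCPROV_RE = re.compile(
    r"(?:^|/)bcprov(?:-ext)?-jdk[0-9a-z]+-(\d+)\.(\d+)(?:\.\d+)*\.jar$")
FIXED = (1, 65)  # first release carrying the fix, per the article


def find_bcprov(archive, prefix=""):
    """Return [(path, (major, minor), affected)] for every bcprov jar found.

    `archive` is a path or a binary file object. Nested .jar/.war entries
    (for example BOOT-INF/lib/ in a fat jar) are opened recursively.
    """
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            match = BCPROV_RE.search(name)
            if match:
                version = (int(match.group(1)), int(match.group(2)))
                findings.append((prefix + name, version, version < FIXED))
            elif name.endswith((".jar", ".war")):
                try:
                    nested = io.BytesIO(zf.read(name))
                    findings += find_bcprov(nested, prefix + name + "!/")
                except zipfile.BadZipFile:
                    continue  # not a readable archive, nothing to inspect
    return findings


def build_sample():
    """Constructed sample: an in-memory fat jar with placeholder entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BOOT-INF/lib/bcprov-ext-jdk15on-1.61.jar", b"")
        zf.writestr("BOOT-INF/lib/bcprov-jdk15on-1.65.jar", b"")
        zf.writestr("BOOT-INF/lib/spring-core-5.3.0.jar", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample()
    for path, version, affected in find_bcprov(target):
        status = "AFFECTED (< 1.65)" if affected else "ok"
        print(f"{path}: {version[0]}.{version[1]} {status}")
```

Run it with the path to the built application archive; with no argument it scans the constructed sample.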