17 Replies Latest reply on May 28, 2018 10:03 AM by aarijsiddiqui

    JCE cannot authenticate the provider BC

      Hi everybody!

      I'm trying to add support for JBoss AS 5.0.0.GA (JDK6 version) for a project that currently works fine on several platforms including JBoss AS 4.2.3.GA.

      The problem seems to be that the JCE provider from BouncyCastle cannot be verified any longer when I try to use it from an SSB.

      java.io.IOException: exception encrypting data - java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
       at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.wrapKey(Unknown Source)
       at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineStore(Unknown Source)
       at java.security.KeyStore.store(KeyStore.java:1117)
       ...
       (No "caused by")


      The library is packaged like this:
      app.ear/lib/bcprov-jdk15.jar
      app.ear/app-ejb.jar/.../SSBean.


      app-ejb.jar/META-INF/MANIFEST.MF contains:
      Class-Path: lib/bcprov-jdk15.jar ...


      1. Is there any behind-the-scenes manipulation of JAR-libraries that could prohibit the signature from being correctly verified?
      2. Is there anything else in the new JBoss AS that is related to how JCE providers work?

      Best Regards,
      Johan




        • 1. Re: JCE cannot authenticate the provider BC
          tomasg

          I did some more testing.
          - Using OpenJDK 1.6.0 on Ubuntu 8.10 with JBoss 5.0.0 it works fine.
          - Using Sun JDK 1.6.0_u12 on Ubuntu 8.10 with JBoss 5.0.0 it does not work
          - Using Sun JDK 1.6.0_u12 on Ubuntu 8.10 with JBoss 4.2.3 it does work

          So the combination of Sun's JDK with JBoss 5 makes it not work.

          What has been done in JBoss 5 to make this possible?

          • 2. Re: JCE cannot authenticate the provider BC
            jaikiran

            Please post the entire exception stacktrace.

            • 3. Re: JCE cannot authenticate the provider BC
              tomasg

              For EJBCA I made this documentation workaround:
              -----
              Added this note with a workaround to the installation instructions:

              JBoss 5.0.0 has a bug causing issues with the BC JCE provider. To work around this you can copy the files EJBCA_HOME/lib/bc*.jar to JBOSS_HOME/server/default/lib/. Remember this when it's time for upgrades!
              -----

              Seems like a bug in the classloading? Does it unpack the jars somewhere so it loses the signature?

              • 4. Re: JCE cannot authenticate the provider BC
                alesj


                "tomasg" wrote:
                Does it unpack the jars somewhere so it loses the signature?

                We by default unpack/temp nested jars and
                explicitly marked jars (via jboss-structure.xml).

                • 5. Re: JCE cannot authenticate the provider BC
                  tomasg

                  Here's the stacktrace. Is there any configuration possible in order to work around it?

                  -----
                  13:06:23,253 ERROR [LogInterceptor] TransactionRolledbackLocalException in method: public abstract void org.ejbca.core.ejb.ca.caadmin.CADataLocal.upgradeCA() throws java.io.UnsupportedEncodingException,org.ejbca.core.model.ca.caadmin.IllegalKeyStoreException, causedBy:
                  org.ejbca.core.model.ca.caadmin.IllegalKeyStoreException: java.io.IOException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
                  at org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAService.<init>(OCSPCAService.java:123)
                  at org.ejbca.core.model.ca.caadmin.CA.getExtendedCAService(CA.java:730)
                  at org.ejbca.core.model.ca.caadmin.CA.getExtendedCAServiceInfo(CA.java:617)
                  at org.ejbca.core.model.ca.caadmin.X509CA.<init>(X509CA.java:185)
                  at org.ejbca.core.ejb.ca.caadmin.CADataBean.readAndUpgradeCAInternal(CADataBean.java:270)
                  at org.ejbca.core.ejb.ca.caadmin.CADataBean.upgradeCA(CADataBean.java:219)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  at java.lang.reflect.Method.invoke(Method.java:597)
                  at org.jboss.invocation.Invocation.performCall(Invocation.java:386)
                  at org.jboss.ejb.EntityContainer$ContainerInterceptor.invoke(EntityContainer.java:1200)
                  at org.jboss.ejb.plugins.cmp.jdbc.JDBCRelationInterceptor.invoke(JDBCRelationInterceptor.java:87)
                  at org.jboss.ejb.plugins.EntitySynchronizationInterceptor.invoke(EntitySynchronizationInterceptor.java:284)
                  at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:156)
                  at org.jboss.ejb.plugins.EntityReentranceInterceptor.invoke(EntityReentranceInterceptor.java:126)
                  at org.jboss.ejb.plugins.EntityInstanceInterceptor.invoke(EntityInstanceInterceptor.java:279)
                  at org.jboss.ejb.plugins.EntityLockInterceptor.invoke(EntityLockInterceptor.java:104)
                  at org.jboss.ejb.plugins.EntityCreationInterceptor.invoke(EntityCreationInterceptor.java:76)
                  at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
                  at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
                  at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:350)
                  at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:181)
                  at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:228)
                  at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:211)
                  at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:97)
                  at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invoke(PreSecurityInterceptor.java:81)



                  Caused by: java.io.IOException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
                  at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
                  at java.security.KeyStore.load(KeyStore.java:1185)
                  at org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAService.<init>(OCSPCAService.java:107)
                  -----

                  The operations are pretty basic KeyStore operations with the BC security provider installed with:

                  Security.addProvider(new BouncyCastleProvider())

                  Cheers,
                  Tomas

                  • 6. Re: JCE cannot authenticate the provider BC
                    tomasg

                    Any action on this? Should I create a Jira issue?

                    • 7. Re: JCE cannot authenticate the provider BC


                      I'm having the same problems, using JBoss AS 5.1.0. Does anyone have a solution for that?

                      Thanks!

                      • 8. Re: JCE cannot authenticate the provider BC


                        Yeah! I've found a solution.

                        The Bouncy Castle library (the .jar file) must not be in the final Web Application file (.war file). The Bouncy Castle library must be installed only in the JBOSS_HOME/server/default/lib/ folder (or in whatever JBoss instance you are using).

                        So remember, if you are using Eclipse, don't copy the Bouncy Castle library into the WebContent/WEB-INF/lib folder of your project. Of course, you have to put the library in the CLASSPATH at compilation time.

                        Regards.
                        Ernesto.
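Added diagnostic, not code from the thread or from JBoss/EJBCA: it reports where the BouncyCastle provider class was actually loaded from and whether that code source still carries signer certificates, which is what distinguishes a jar JBoss has unpacked into its tmp directory (no certificates, rejected by the Oracle JDK) from the intact signed jar in server/default/lib. It assumes bcprov-jdk15.jar is on the runtime classpath; the class name BcProviderCheck is hypothetical.

```java
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import javax.crypto.Cipher;

/**
 * Added diagnostic (hypothetical class, not from the thread): shows where
 * the BC provider was loaded from and whether JCE will authenticate it.
 * Assumes bcprov-jdk15.jar is on the runtime classpath.
 */
public class BcProviderCheck {
    public static void main(String[] args) throws Exception {
        // Load by name so this compiles without BC on the compile classpath.
        Class<?> bcClass = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
        Provider bc = (Provider) bcClass.newInstance();

        // The code source tells you which physical jar (or unpacked directory) the
        // class came from. A path under JBOSS_HOME/server/default/tmp/ means the
        // deployer unpacked the nested jar, and the signature went with it.
        CodeSource cs = bcClass.getProtectionDomain().getCodeSource();
        System.out.println("BC loaded from: " + (cs == null ? "<unknown>" : cs.getLocation()));

        // Signer certificates are attached to the code source only when the class
        // was read from a signed jar; null or empty here is why JCE rejects "BC".
        Certificate[] certs = (cs == null) ? null : cs.getCertificates();
        System.out.println("Signer certificates on code source: "
                + (certs == null ? 0 : certs.length));

        if (Security.getProvider(bc.getName()) == null) {
            Security.addProvider(bc);
        }

        // Requesting a Cipher from the provider forces JCE to authenticate it on the
        // Oracle JDK (OpenJDK of that era skips the check, as noted in the thread).
        try {
            Cipher.getInstance("AES/CBC/PKCS5Padding", bc.getName());
            System.out.println("JCE accepted provider " + bc.getName());
        } catch (Exception e) {
            // NoSuchProviderException or SecurityException: "JCE cannot authenticate the provider BC"
            System.out.println("JCE rejected provider " + bc.getName() + ": " + e);
        }
    }
}
```

Run it once with the jar deployed inside the ear/war and once with it only in server/default/lib to see the certificate count and the JCE verdict change.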

                        • 9. Re: JCE cannot authenticate the provider BC
                          tomasg1

                          Yes, that is a workaround. It's a hack workaround though, as this is obviously a bug.

                          I found an issue for it in Jira. https://jira.jboss.org/jira/browse/JBAS-7882

                          • 10. Re: JCE cannot authenticate the provider BC
                            tomasg1

                            Though the issue/bug is somewhat diminished by the fact that openjdk does not require signature on the jce. So it works fine using OpenJDK, and that's of course what we use on our favorite platform :-)


                            Nowadays I only use sun/Oracle JDK when I am forced to work on windows.

                            • 11. Re: JCE cannot authenticate the provider BC
                              tomasg1

                              Hmm, JBoss 6 seems to be even worse, it doesn't even help putting the jars in JBOSS_HOME/server/default/lib.

                              • 12. JCE cannot authenticate the provider BC
                                jaikiran

                                Please provide more details including exception stacktrace, if you are seeing some problem in AS6.

                                • 13. JCE cannot authenticate the provider BC
                                  tomasg1

                                  There is an issue for it already since a long time, JBAS-7882.

                                  https://issues.jboss.org/browse/JBAS-7882


                                  Unfortunately I can't access Jira anymore to update the issue because the JBoss.org account system seems to be messed up...


                                  The stacktrace mostly shows our code, and aop/ejb call stack.


                                  -----
                                  2011-01-11 11:01:00,639 ERROR [errorpage.jsp] (http-0.0.0.0-8443-2) java.io.IOException: exception encrypting data - java.lang.SecurityException: JCE cannot authenticate the provider BC
                                  javax.ejb.EJBException: java.io.IOException: exception encrypting data - java.lang.SecurityException: JCE cannot authenticate the provider BC
                                          at org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.createCA(CAAdminSessionBean.java:266)
                                          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                                          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                                          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                  <snip>
                                  Caused by: java.io.IOException: exception encrypting data - java.lang.SecurityException: JCE cannot authenticate the provider BC
                                          at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.wrapKey(Unknown Source)
                                          at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineStore(Unknown Source)
                                          at java.security.KeyStore.store(KeyStore.java:1117)
                                          at org.ejbca.core.model.ca.catoken.CATokenContainerImpl.storeSoftKeyStore(CATokenContainerImpl.java:604)
                                          at org.ejbca.core.model.ca.catoken.CATokenContainerImpl.generateKeys(CATokenContainerImpl.java:499)
                                          at org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.createCA(CAAdminSessionBean.java:262)
                                          ... 91 more
                                  -----


                                  In this case it's any call to create a PKCS12 using the BouncyCastle JCE provider. JBAS-7882 provides other info of the same issue.


                                  Only affects Oracle JDK, OpenJDK works fine since it does not verify signatures on the JCE providers.


                                  Cheers,

                                  Tomas

                                  • 14. JCE cannot authenticate the provider BC
                                    jaikiran

                                    Tomas Gustavsson wrote:

                                    Unfortunately I can't access Jira anymore to update the issue because the JBoss.org account system seems to be messed up...

                                    jboss.org was down for scheduled maintenance for an hour today. Try now.
