-
1. Re: JCE cannot authenticate the provider BC
tomasg Feb 20, 2009 5:09 AM (in response to jeklund)
I did some more testing.
- Using OpenJDK 1.6.0 on Ubuntu 8.10 with JBoss 5.0.0 it works fine.
- Using Sun JDK 1.6.0_u12 on Ubuntu 8.10 with JBoss 5.0.0 it does not work
- Using Sun JDK 1.6.0_u12 on Ubuntu 8.10 with JBoss 4.2.3 it does work
So the combination of Sun's JDK with JBoss 5 makes it not work.
What has been done in JBoss 5 to make this possible?
-
2. Re: JCE cannot authenticate the provider BC
jaikiran Feb 20, 2009 5:16 AM (in response to jeklund)
Please post the entire exception stacktrace.
-
3. Re: JCE cannot authenticate the provider BC
tomasg Feb 20, 2009 5:39 AM (in response to jeklund)
For EJBCA I made this documentation workaround:
-----
Added this note with a workaround to the installation instructions:
JBoss 5.0.0 has a bug causing issues with the BC JCE provider. To work around this you can copy the files EJBCA_HOME/lib/bc*.jar to JBOSS_HOME/server/default/lib/. Remember this when it's time for upgrades!
-----
Seems like a bug in the classloading? Does it unpack the jars somewhere so it loses the signature?
-
4. Re: JCE cannot authenticate the provider BC
alesj Feb 20, 2009 5:57 AM (in response to jeklund)
"tomasg" wrote:
Does it unpack the jars somewhere so it loses the signature?
We by default unpack/temp nested jars and
explicitly marked jars (via jboss-structure.xml).
-
5. Re: JCE cannot authenticate the provider BC
tomasg Feb 20, 2009 7:09 AM (in response to jeklund)
Here's the stacktrace. Is there any configuration possible in order to work around it?
-----
13:06:23,253 ERROR [LogInterceptor] TransactionRolledbackLocalException in method: public abstract void org.ejbca.core.ejb.ca.caadmin.CADataLocal.upgradeCA() throws java.io.UnsupportedEncodingException,org.ejbca.core.model.ca.caadmin.IllegalKeyStoreException, causedBy:
org.ejbca.core.model.ca.caadmin.IllegalKeyStoreException: java.io.IOException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
at org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAService.<init>(OCSPCAService.java:123)
at org.ejbca.core.model.ca.caadmin.CA.getExtendedCAService(CA.java:730)
at org.ejbca.core.model.ca.caadmin.CA.getExtendedCAServiceInfo(CA.java:617)
at org.ejbca.core.model.ca.caadmin.X509CA.<init>(X509CA.java:185)
at org.ejbca.core.ejb.ca.caadmin.CADataBean.readAndUpgradeCAInternal(CADataBean.java:270)
at org.ejbca.core.ejb.ca.caadmin.CADataBean.upgradeCA(CADataBean.java:219)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.invocation.Invocation.performCall(Invocation.java:386)
at org.jboss.ejb.EntityContainer$ContainerInterceptor.invoke(EntityContainer.java:1200)
at org.jboss.ejb.plugins.cmp.jdbc.JDBCRelationInterceptor.invoke(JDBCRelationInterceptor.java:87)
at org.jboss.ejb.plugins.EntitySynchronizationInterceptor.invoke(EntitySynchronizationInterceptor.java:284)
at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:156)
at org.jboss.ejb.plugins.EntityReentranceInterceptor.invoke(EntityReentranceInterceptor.java:126)
at org.jboss.ejb.plugins.EntityInstanceInterceptor.invoke(EntityInstanceInterceptor.java:279)
at org.jboss.ejb.plugins.EntityLockInterceptor.invoke(EntityLockInterceptor.java:104)
at org.jboss.ejb.plugins.EntityCreationInterceptor.invoke(EntityCreationInterceptor.java:76)
at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:350)
at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:181)
at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:228)
at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:211)
at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:97)
at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invoke(PreSecurityInterceptor.java:81)
Caused by: java.io.IOException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
at java.security.KeyStore.load(KeyStore.java:1185)
at org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAService.<init>(OCSPCAService.java:107)
-----
The operations are pretty basic KeyStore operations with the BC security provider installed with:
Security.addProvider(new BouncyCastleProvider())
Cheers,
Tomas
-
6. Re: JCE cannot authenticate the provider BC
tomasg Apr 6, 2009 9:48 AM (in response to jeklund)
Any action on this? Should I create a Jira issue?
-
7. Re: JCE cannot authenticate the provider BC
ernestojpg Sep 30, 2009 1:07 PM (in response to jeklund)
I'm having the same problems, using JBoss AS 5.1.0. Does anyone have a solution for that?
Thanks!
-
8. Re: JCE cannot authenticate the provider BC
ernestojpg Oct 11, 2009 4:10 AM (in response to jeklund)
Yeah! I've found a solution.
The Bouncy Castle library (the .jar file) must not be in the final Web Application file (.war file). The Bouncy Castle library must be installed only in the JBOSS_HOME/server/default/lib/ folder (or in whatever JBoss instance you are using).
So remember, if you are using Eclipse, don't copy the Bouncy Castle library into the WebContent/WEB-INF/lib folder of your project. Of course, you have to put the library in the CLASSPATH at compilation time.
Regards.
Ernesto.
-
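Added example, not part of any post in this thread and not EJBCA or JBoss code: a diagnostic that reports where the registered BC provider class was actually loaded from and whether jar signers are still visible, which helps confirm whether the copy in use is the one in the server lib folder or one bundled in the deployment. The class and method names (`ProviderOriginCheck`, `describe`, `countUnsigned`) are hypothetical, and it assumes Java 7 or later.

```java
import java.io.File;
import java.io.InputStream;
import java.net.URL;
import java.security.*;
import java.util.Enumeration;
import java.util.jar.*;

// Hypothetical helper: call describe("BC") from inside the deployed application.
public class ProviderOriginCheck {
    public static String describe(String name) throws Exception {
        Provider p = Security.getProvider(name);
        if (p == null) return name + ": not registered";
        CodeSource cs = p.getClass().getProtectionDomain().getCodeSource();
        if (cs == null || cs.getLocation() == null) return name + ": no code source location";
        URL loc = cs.getLocation();
        int signers = cs.getCodeSigners() == null ? 0 : cs.getCodeSigners().length;
        StringBuilder sb = new StringBuilder(name).append(" loaded from ").append(loc).append('\n');
        sb.append("  class loader: ").append(p.getClass().getClassLoader()).append('\n');
        sb.append("  signers recorded at class definition: ").append(signers).append('\n');
        if ("file".equals(loc.getProtocol()) && loc.getPath().endsWith(".jar")) {
            sb.append("  unsigned/total classes in jar: ").append(countUnsigned(new File(loc.toURI())));
        } else {
            sb.append("  not a plain jar on disk (unpacked or container-managed copy?)");
        }
        return sb.toString();
    }

    // Entries must be read to the end before getCodeSigners() is populated;
    // an entry whose digest does not match makes the read throw SecurityException.
    static String countUnsigned(File jar) throws Exception {
        int unsigned = 0, total = 0;
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(jar, true)) {
            for (Enumeration<JarEntry> e = jf.entries(); e.hasMoreElements();) {
                JarEntry je = e.nextElement();
                if (je.isDirectory() || !je.getName().endsWith(".class")) continue;
                total++;
                try (InputStream in = jf.getInputStream(je)) {
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                }
                if (je.getCodeSigners() == null) unsigned++;
            }
        }
        return unsigned + "/" + total;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(describe(args.length > 0 ? args[0] : "BC"));
    }
}
```

A location outside JBOSS_HOME/server/default/lib/, or a signer count of zero, is consistent with the provider having been loaded from an unpacked or repackaged copy rather than the original signed jar.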
9. Re: JCE cannot authenticate the provider BC
tomasg1 May 6, 2010 3:44 AM (in response to ernestojpg)
Yes that is a workaround. It's a hack workaround though, as this is obviously a bug.
I found an issue for it in Jira. https://jira.jboss.org/jira/browse/JBAS-7882
-
10. Re: JCE cannot authenticate the provider BC
tomasg1 May 6, 2010 3:51 AM (in response to tomasg1)
Though the issue/bug is somewhat diminished by the fact that openjdk does not require signature on the jce. So it works fine using OpenJDK, and that's of course what we use on our favorite platform :-)
Nowadays I only use sun/Oracle JDK when I am forced to work on windows.
-
11. Re: JCE cannot authenticate the provider BC
tomasg1 Jan 10, 2011 10:02 AM (in response to jeklund)
Hmm, JBoss 6 seems to be even worse, it doesn't help putting the jars in JBOSS_HOME/server/default/lib even.
-
12. JCE cannot authenticate the provider BC
jaikiran Jan 11, 2011 2:55 AM (in response to tomasg1)
Please provide more details including exception stacktrace, if you are seeing some problem in AS6.
-
13. JCE cannot authenticate the provider BC
tomasg1 Jan 11, 2011 5:04 AM (in response to jaikiran)
There is an issue for it already since a long time, JBAS-7882.
https://issues.jboss.org/browse/JBAS-7882
Unfortunately I can't access Jira anymore to update the issue because the JBoss.org account system seems to be messed up...
The stacktrace mostly shows our code, and aop/ejb call stack.
-----
2011-01-11 11:01:00,639 ERROR [errorpage.jsp] (http-0.0.0.0-8443-2) java.io.IOException: exception encrypting data - java.lang.SecurityException: JCE cannot authenticate the provider BC
javax.ejb.EJBException: java.io.IOException: exception encrypting data - java.lang.SecurityException: JCE cannot authenticate the provider BC
at org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.createCA(CAAdminSessionBean.java:266)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
<snip>
Caused by: java.io.IOException: exception encrypting data - java.lang.SecurityException: JCE cannot authenticate the provider BC
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.wrapKey(Unknown Source)
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineStore(Unknown Source)
at java.security.KeyStore.store(KeyStore.java:1117)
at org.ejbca.core.model.ca.catoken.CATokenContainerImpl.storeSoftKeyStore(CATokenContainerImpl.java:604)
at org.ejbca.core.model.ca.catoken.CATokenContainerImpl.generateKeys(CATokenContainerImpl.java:499)
at org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.createCA(CAAdminSessionBean.java:262)
... 91 more
---
In this case it's any call to create a PKCS12 using the BouncyCastle JCE provider. JBAS-7882 provides other info of the same issue.
Only affects Oracle JDK, OpenJDK works fine since it does not verify signatures on the JCE providers.
Cheers,
Tomas
-
14. JCE cannot authenticate the provider BC
jaikiran Jan 11, 2011 9:21 AM (in response to tomasg1)
Tomas Gustavsson wrote:
Unfortunately I can't access Jira anymore to update the issue because the JBoss.org account system seems to be messed up...
jboss.org was down for scheduled maintenance for an hour today. Try now.