I did some more testing.
- Using OpenJDK 1.6.0 on Ubuntu 8.10 with JBoss 5.0.0 it works fine.
- Using Sun JDK 1.6.0_u12 om Ubuntu 8.10 with JBoss 5.0.0 it does not work
- Using Sun JDK 1.6.0_u12 om Ubuntu 8.10 with JBoss 4.2.3 it does work

So the combination of Suns JDK with JBoss 5 makes it not work.

What has been done in JBoss 5 to make this possible?

Please post the entire exception stacktrace.

For EJBCA I made this documentation workaround:
-----
Added this note with a workaround to the installation instructions:

JBoss 5.0.0 have a bug causing issues with the BC JCE provider. To work around this you can copy the files EJBCA_HOME/lib/bc*.jar to JBOSS_HOME/server/default/lib/. Remember this when it's time for upgrades!
-----

Seems like a bug in the classloading? Does it unpack the jars somewhere so it looses the signature?

"tomasg" wrote:
Does it unpack the jars somewhere so it looses the signature?

Here's the stacktrace. Is there any configuration possible in order to work around it?

-----
13:06:23,253 ERROR [LogInterceptor] TransactionRolledbackLocalException in method: public abstract void org.ejbca.core.ejb.ca.caadmin.CADataLocal.upgradeCA() throws java.io.UnsupportedEncodingException,org.ejbca.core.model.ca.caadmin.IllegalKeyStoreException, causedBy:
org.ejbca.core.model.ca.caadmin.IllegalKeyStoreException: java.io.IOException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
at org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAService.(OCSPCAService.java:123)
at org.ejbca.core.model.ca.caadmin.CA.getExtendedCAService(CA.java:730)
at org.ejbca.core.model.ca.caadmin.CA.getExtendedCAServiceInfo(CA.java:617)
at org.ejbca.core.model.ca.caadmin.X509CA.(X509CA.java:185)
at org.ejbca.core.ejb.ca.caadmin.CADataBean.readAndUpgradeCAInternal(CADataBean.java:270)
at org.ejbca.core.ejb.ca.caadmin.CADataBean.upgradeCA(CADataBean.java:219)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.invocation.Invocation.performCall(Invocation.java:386)
at org.jboss.ejb.EntityContainer$ContainerInterceptor.invoke(EntityContainer.java:1200)
at org.jboss.ejb.plugins.cmp.jdbc.JDBCRelationInterceptor.invoke(JDBCRelationInterceptor.java:87)
at org.jboss.ejb.plugins.EntitySynchronizationInterceptor.invoke(EntitySynchronizationInterceptor.java:284)
at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:156)
at org.jboss.ejb.plugins.EntityReentranceInterceptor.invoke(EntityReentranceInterceptor.java:126)
at org.jboss.ejb.plugins.EntityInstanceInterceptor.invoke(EntityInstanceInterceptor.java:279)
at org.jboss.ejb.plugins.EntityLockInterceptor.invoke(EntityLockInterceptor.java:104)
at org.jboss.ejb.plugins.EntityCreationInterceptor.invoke(EntityCreationInterceptor.java:76)
at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:350)
at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:181)
at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:228)
at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:211)
at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:97)
at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invoke(PreSecurityInterceptor.java:81)



Caused by: java.io.IOException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
at java.security.KeyStore.load(KeyStore.java:1185)
at org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAService.(OCSPCAService.java:107)
-----

The operations are pretty basic KeyStore operations with the BC security provider installed with:

Security.addProvider(new BouncyCastleProvider())

Cheers,
Tomas

Any action on this? Should I create a Jira issue?

I'm having the same problems, using JBoss AS 5.1.0. Does anyone have a solution for that?

Thanks!

Yeah! I've found a solution.

The Bouncy Castle library (the .jar file) must not be in the final Web Application file (.war file). The Bouncy Castle library must be installed only in the JBOSS_HOME/server/default/lib/ folder (or in whatever JBoss instance you are using).

So remember, if you are using Eclipse, don't copy the Bouncy Castle library into the WebContent/WEB-INF/lib folder of your project. Of course, you have to put the library in the CLASSPATH at compilation time.

Regards.
Ernesto.

Yes that is a workaround. It a hack workaround though, as this is obviously a bug.

I found an issue for it in Jira. https://jira.jboss.org/jira/browse/JBAS-7882

Though the issue/bug is somewhat diminished by the fact that openjdk does not require signature on the jce. So it works fine using OpenJDK, and that's of course what we use on our favorite platform :-)

Nowadays I only use sun/Oracle JDK when I am forced to work on windows.

Hmm, JBoss 6 seems to be even worse, i doesn't help putting the jars in JBOSS_HOME/server/default/lib even.

Please provide more details including exception stacktrace, if you are seeing some problem in AS6.

There is an issue for it already since a long time, JBAS-7882.

https://issues.jboss.org/browse/JBAS-7882

Unfortunately I can't access Jira anymore to update the issue because the JBoss.org account systems seems to be messed up...

The stacktrace mostly shows our code, and aop/ejb call stack.

-----

2011-01-11 11:01:00,639 ERROR [errorpage.jsp] (http-0.0.0.0-8443-2) java.io.IOException: exception encrypting data - java.lang.SecurityException: JCE cannot authenticate the provider BC

javax.ejb.EJBException: java.io.IOException: exception encrypting data - java.lang.SecurityException: JCE cannot authenticate the provider BC

        at org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.createCA(CAAdminSessionBean.java:266)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

<snip>

Caused by: java.io.IOException: exception encrypting data - java.lang.SecurityException: JCE cannot authenticate the provider BC

        at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.wrapKey(Unknown Source)

        at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineStore(Unknown Source)

        at java.security.KeyStore.store(KeyStore.java:1117)

        at org.ejbca.core.model.ca.catoken.CATokenContainerImpl.storeSoftKeyStore(CATokenContainerImpl.java:604)

        at org.ejbca.core.model.ca.catoken.CATokenContainerImpl.generateKeys(CATokenContainerImpl.java:499)

        at org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.createCA(CAAdminSessionBean.java:262)

        ... 91 more

---

In this case it's any call to create a PKCS12 using the BouncyCastle JCE provider. JBAS-7882 provides other info of the same issue.

Only affects Oracle JDK, OpenJDK works fine since it does not verify signatures on the JCE providers.

Cheers,

Tomas

Tomas Gustavsson wrote:

 

Unfortunately I can't access Jira anymore to update the issue because the JBoss.org account systems seems to be messed up...

 

jboss.org was down for scheduled maintainance for a hour today. Try now.