-
1. Re: JCE cannot authenticate the provider BC
Tomas Gustavsson Feb 20, 2009 5:09 AM (in response to jeklund)
I did some more testing.
- Using OpenJDK 1.6.0 on Ubuntu 8.10 with JBoss 5.0.0 it works fine.
- Using Sun JDK 1.6.0_u12 on Ubuntu 8.10 with JBoss 5.0.0 it does not work
- Using Sun JDK 1.6.0_u12 on Ubuntu 8.10 with JBoss 4.2.3 it does work
So the combination of Sun's JDK with JBoss 5 makes it not work.
What has been done in JBoss 5 to make this possible?
-
2. Re: JCE cannot authenticate the provider BC
Jaikiran Pai Feb 20, 2009 5:16 AM (in response to jeklund)
Please post the entire exception stacktrace.
-
3. Re: JCE cannot authenticate the provider BC
Tomas Gustavsson Feb 20, 2009 5:39 AM (in response to jeklund)
For EJBCA I made this documentation workaround:
-----
Added this note with a workaround to the installation instructions:
JBoss 5.0.0 has a bug causing issues with the BC JCE provider. To work around this you can copy the files EJBCA_HOME/lib/bc*.jar to JBOSS_HOME/server/default/lib/. Remember this when it's time for upgrades!
-----
Seems like a bug in the classloading? Does it unpack the jars somewhere so it loses the signature?
-
4. Re: JCE cannot authenticate the provider BC
Ales Justin Feb 20, 2009 5:57 AM (in response to jeklund)
"tomasg" wrote:
Does it unpack the jars somewhere so it loses the signature?
We by default unpack/temp nested jars and
explicitly marked jars (via jboss-structure.xml).
-
5. Re: JCE cannot authenticate the provider BC
Tomas Gustavsson Feb 20, 2009 7:09 AM (in response to jeklund)
Here's the stacktrace. Is there any configuration possible in order to work around it?
-----
13:06:23,253 ERROR [LogInterceptor] TransactionRolledbackLocalException in method: public abstract void org.ejbca.core.ejb.ca.caadmin.CADataLocal.upgradeCA() throws java.io.UnsupportedEncodingException,org.ejbca.core.model.ca.caadmin.IllegalKeyStoreException, causedBy:
org.ejbca.core.model.ca.caadmin.IllegalKeyStoreException: java.io.IOException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
at org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAService.<init>(OCSPCAService.java:123)
at org.ejbca.core.model.ca.caadmin.CA.getExtendedCAService(CA.java:730)
at org.ejbca.core.model.ca.caadmin.CA.getExtendedCAServiceInfo(CA.java:617)
at org.ejbca.core.model.ca.caadmin.X509CA.<init>(X509CA.java:185)
at org.ejbca.core.ejb.ca.caadmin.CADataBean.readAndUpgradeCAInternal(CADataBean.java:270)
at org.ejbca.core.ejb.ca.caadmin.CADataBean.upgradeCA(CADataBean.java:219)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.invocation.Invocation.performCall(Invocation.java:386)
at org.jboss.ejb.EntityContainer$ContainerInterceptor.invoke(EntityContainer.java:1200)
at org.jboss.ejb.plugins.cmp.jdbc.JDBCRelationInterceptor.invoke(JDBCRelationInterceptor.java:87)
at org.jboss.ejb.plugins.EntitySynchronizationInterceptor.invoke(EntitySynchronizationInterceptor.java:284)
at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:156)
at org.jboss.ejb.plugins.EntityReentranceInterceptor.invoke(EntityReentranceInterceptor.java:126)
at org.jboss.ejb.plugins.EntityInstanceInterceptor.invoke(EntityInstanceInterceptor.java:279)
at org.jboss.ejb.plugins.EntityLockInterceptor.invoke(EntityLockInterceptor.java:104)
at org.jboss.ejb.plugins.EntityCreationInterceptor.invoke(EntityCreationInterceptor.java:76)
at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:350)
at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:181)
at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:228)
at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:211)
at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:97)
at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invoke(PreSecurityInterceptor.java:81)
Caused by: java.io.IOException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
at java.security.KeyStore.load(KeyStore.java:1185)
at org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAService.<init>(OCSPCAService.java:107)
-----
The operations are pretty basic KeyStore operations with the BC security provider installed with:
Security.addProvider(new BouncyCastleProvider())
Cheers,
Tomas
-
6. Re: JCE cannot authenticate the provider BC
Tomas Gustavsson Apr 6, 2009 9:48 AM (in response to jeklund)
Any action on this? Should I create a Jira issue?
-
7. Re: JCE cannot authenticate the provider BC
Ernesto J. Perez Sep 30, 2009 1:07 PM (in response to jeklund)
I'm having the same problems, using JBoss AS 5.1.0. Does anyone have a solution for that?
Thanks!
-
8. Re: JCE cannot authenticate the provider BC
Ernesto J. Perez Oct 11, 2009 4:10 AM (in response to jeklund)
Yeah! I've found a solution.
The Bouncy Castle library (the .jar file) must not be in the final Web Application file (.war file). The Bouncy Castle library must be installed only in the JBOSS_HOME/server/default/lib/ folder (or in whatever JBoss instance you are using).
So remember, if you are using Eclipse, don't copy the Bouncy Castle library into the WebContent/WEB-INF/lib folder of your project. Of course, you have to put the library in the CLASSPATH at compilation time.
Regards.
Ernesto.
-
9. Re: JCE cannot authenticate the provider BC
Tomas Gustavsson May 6, 2010 3:44 AM (in response to Ernesto J. Perez)
Yes that is a workaround. It is a hack workaround though, as this is obviously a bug.
I found an issue for it in Jira. https://jira.jboss.org/jira/browse/JBAS-7882
-
10. Re: JCE cannot authenticate the provider BC
Tomas Gustavsson May 6, 2010 3:51 AM (in response to Tomas Gustavsson)
Though the issue/bug is somewhat diminished by the fact that OpenJDK does not require a signature on the JCE. So it works fine using OpenJDK, and that's of course what we use on our favorite platform :-)
Nowadays I only use Sun/Oracle JDK when I am forced to work on Windows.
-
11. Re: JCE cannot authenticate the provider BC
Tomas Gustavsson Jan 10, 2011 10:02 AM (in response to jeklund)
Hmm, JBoss 6 seems to be even worse, it doesn't even help putting the jars in JBOSS_HOME/server/default/lib.
-
12. JCE cannot authenticate the provider BC
Jaikiran Pai Jan 11, 2011 2:55 AM (in response to Tomas Gustavsson)
Please provide more details including exception stacktrace, if you are seeing some problem in AS6.
-
13. JCE cannot authenticate the provider BC
Tomas Gustavsson Jan 11, 2011 5:04 AM (in response to Jaikiran Pai)
There is an issue for it already since a long time, JBAS-7882.
https://issues.jboss.org/browse/JBAS-7882
Unfortunately I can't access Jira anymore to update the issue because the JBoss.org account system seems to be messed up...
The stacktrace mostly shows our code, and aop/ejb call stack.
-----
2011-01-11 11:01:00,639 ERROR [errorpage.jsp] (http-0.0.0.0-8443-2) java.io.IOException: exception encrypting data - java.lang.SecurityException: JCE cannot authenticate the provider BC
javax.ejb.EJBException: java.io.IOException: exception encrypting data - java.lang.SecurityException: JCE cannot authenticate the provider BC
at org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.createCA(CAAdminSessionBean.java:266)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
<snip>
Caused by: java.io.IOException: exception encrypting data - java.lang.SecurityException: JCE cannot authenticate the provider BC
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.wrapKey(Unknown Source)
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineStore(Unknown Source)
at java.security.KeyStore.store(KeyStore.java:1117)
at org.ejbca.core.model.ca.catoken.CATokenContainerImpl.storeSoftKeyStore(CATokenContainerImpl.java:604)
at org.ejbca.core.model.ca.catoken.CATokenContainerImpl.generateKeys(CATokenContainerImpl.java:499)
at org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.createCA(CAAdminSessionBean.java:262)
... 91 more
---
In this case it's any call to create a PKCS12 using the BouncyCastle JCE provider. JBAS-7882 provides other info of the same issue.
Only affects Oracle JDK, OpenJDK works fine since it does not verify signatures on the JCE providers.
Cheers,
Tomas
-
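A diagnostic for the failure discussed in this thread, added here as an example and not code from EJBCA, JBoss or Bouncy Castle: it prints where the provider class was actually loaded from and whether that jar still verifies as signed. The class name `ProviderJarCheck` is hypothetical; run it with the Bouncy Castle jar on the classpath, or call the same logic from inside the deployed application.

```java
import java.io.File;
import java.io.InputStream;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
// Added diagnostic; ProviderJarCheck is a hypothetical name, not part of any project.
public class ProviderJarCheck {
    public static void main(String[] args) throws Exception {
        String name = args.length > 0 ? args[0] : "org.bouncycastle.jce.provider.BouncyCastleProvider";
        Class<?> cls;
        try {
            // Context class loader: inside a container this is the deployment's view.
            cls = Class.forName(name, false, Thread.currentThread().getContextClassLoader());
        } catch (ClassNotFoundException e) {
            System.out.println("not visible to this class loader: " + name);
            return;
        }
        CodeSource src = cls.getProtectionDomain().getCodeSource();
        URL loc = (src == null) ? null : src.getLocation();
        System.out.println("class loader: " + cls.getClassLoader());
        System.out.println("code source : " + loc);
        if (loc == null || !"file".equals(loc.getProtocol()) || !loc.getPath().endsWith(".jar")) {
            System.out.println("code source is not a jar file on disk; no jar signature to check");
            return;
        }
        int signed = 0, unsigned = 0;
        String signer = null;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(new File(loc.toURI()), true)) { // true = verify signatures
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry entry = en.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signer certs exist only after a full read; a digest mismatch throws SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                if (entry.getCertificates() == null) { unsigned++; continue; }
                signed++;
                signer = ((X509Certificate) entry.getCertificates()[0]).getSubjectX500Principal().getName();
            }
        }
        // Integrity only: the Sun/Oracle JCE also requires the signer to chain to its code-signing CA.
        System.out.println("signed=" + signed + " unsigned=" + unsigned + " signer=" + signer);
    }
}
```

A code source that is not the jar you deployed, or a count of zero signed entries, is the condition to look for when the JDK reports that it cannot authenticate the provider.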
14. JCE cannot authenticate the provider BC
Jaikiran Pai Jan 11, 2011 9:21 AM (in response to Tomas Gustavsson)
Tomas Gustavsson wrote:
Unfortunately I can't access Jira anymore to update the issue because the JBoss.org account system seems to be messed up...
jboss.org was down for scheduled maintenance for an hour today. Try now.