16 Replies. Latest reply on Sep 20, 2011 10:22 AM by Peter Rader

    JCE cannot authenticate the provider BC

    Johan Eklund Newbie

      Hi everybody!

      I'm trying to add support for JBoss AS 5.0.0.GA (JDK6 version) for a project that currently works fine on several platforms including JBoss AS 4.2.3.GA.

      The problem seems to be that the JCE provider from BouncyCastle cannot be verified any longer when I try to use it from a SSB.

      java.io.IOException: exception encrypting data - java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
       at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.wrapKey(Unknown Source)
       at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineStore(Unknown Source)
       at java.security.KeyStore.store(KeyStore.java:1117)
       ...
       (No "caused by")


      The library is packaged like this:
      app.ear/lib/bcprov-jdk15.jar
      app.ear/app-ejb.jar/.../SSBean.


      app-ejb.jar/META-INF/MANIFEST.MF contains:
      Class-Path: lib/bcprov-jdk15.jar ...


      1. Is there any behind-the-scenes manipulation of JAR-libraries that could prohibit the signature from being correctly verified?
      2. Is there anything else in the new JBoss AS that is related to how JCE providers work?

      Best Regards,
      Johan




        • 1. Re: JCE cannot authenticate the provider BC
          Tomas Gustavsson Newbie

          I did some more testing.
          - Using OpenJDK 1.6.0 on Ubuntu 8.10 with JBoss 5.0.0 it works fine.
          - Using Sun JDK 1.6.0_u12 on Ubuntu 8.10 with JBoss 5.0.0 it does not work
          - Using Sun JDK 1.6.0_u12 on Ubuntu 8.10 with JBoss 4.2.3 it does work

          So the combination of Sun's JDK with JBoss 5 makes it not work.

          What has been done in JBoss 5 to make this possible?

          • 2. Re: JCE cannot authenticate the provider BC
            jaikiran pai Master

            Please post the entire exception stacktrace.

            • 3. Re: JCE cannot authenticate the provider BC
              Tomas Gustavsson Newbie

              For EJBCA I made this documentation workaround:
              -----
              Added this note with a workaround to the installation instructions:

              JBoss 5.0.0 has a bug causing issues with the BC JCE provider. To work around this you can copy the files EJBCA_HOME/lib/bc*.jar to JBOSS_HOME/server/default/lib/. Remember this when it's time for upgrades!
              -----

              Seems like a bug in the classloading? Does it unpack the jars somewhere so it loses the signature?

              • 4. Re: JCE cannot authenticate the provider BC
                Ales Justin Master

                 

                "tomasg" wrote:
                Does it unpack the jars somewhere so it loses the signature?

                We by default unpack/temp nested jars and
                explicitly marked jars (via jboss-structure.xml).

                • 5. Re: JCE cannot authenticate the provider BC
                  Tomas Gustavsson Newbie

                  Here's the stacktrace. Is there any configuration possible in order to work around it?

                  -----
                  13:06:23,253 ERROR [LogInterceptor] TransactionRolledbackLocalException in method: public abstract void org.ejbca.core.ejb.ca.caadmin.CADataLocal.upgradeCA() throws java.io.UnsupportedEncodingException,org.ejbca.core.model.ca.caadmin.IllegalKeyStoreException, causedBy:
                  org.ejbca.core.model.ca.caadmin.IllegalKeyStoreException: java.io.IOException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
                  at org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAService.<init>(OCSPCAService.java:123)
                  at org.ejbca.core.model.ca.caadmin.CA.getExtendedCAService(CA.java:730)
                  at org.ejbca.core.model.ca.caadmin.CA.getExtendedCAServiceInfo(CA.java:617)
                  at org.ejbca.core.model.ca.caadmin.X509CA.<init>(X509CA.java:185)
                  at org.ejbca.core.ejb.ca.caadmin.CADataBean.readAndUpgradeCAInternal(CADataBean.java:270)
                  at org.ejbca.core.ejb.ca.caadmin.CADataBean.upgradeCA(CADataBean.java:219)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  at java.lang.reflect.Method.invoke(Method.java:597)
                  at org.jboss.invocation.Invocation.performCall(Invocation.java:386)
                  at org.jboss.ejb.EntityContainer$ContainerInterceptor.invoke(EntityContainer.java:1200)
                  at org.jboss.ejb.plugins.cmp.jdbc.JDBCRelationInterceptor.invoke(JDBCRelationInterceptor.java:87)
                  at org.jboss.ejb.plugins.EntitySynchronizationInterceptor.invoke(EntitySynchronizationInterceptor.java:284)
                  at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:156)
                  at org.jboss.ejb.plugins.EntityReentranceInterceptor.invoke(EntityReentranceInterceptor.java:126)
                  at org.jboss.ejb.plugins.EntityInstanceInterceptor.invoke(EntityInstanceInterceptor.java:279)
                  at org.jboss.ejb.plugins.EntityLockInterceptor.invoke(EntityLockInterceptor.java:104)
                  at org.jboss.ejb.plugins.EntityCreationInterceptor.invoke(EntityCreationInterceptor.java:76)
                  at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
                  at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
                  at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:350)
                  at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:181)
                  at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:228)
                  at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:211)
                  at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:97)
                  at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invoke(PreSecurityInterceptor.java:81)



                  Caused by: java.io.IOException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
                  at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
                  at java.security.KeyStore.load(KeyStore.java:1185)
                  at org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAService.<init>(OCSPCAService.java:107)
                  -----

                  The operations are pretty basic KeyStore operations with the BC security provider installed with:

                  Security.addProvider(new BouncyCastleProvider())

                  Cheers,
                  Tomas
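
A diagnostic for the question this thread raises (does the container's handling of the jar leave the provider without verifiable signer information?), as an added example that is not code from the thread, EJBCA or JBoss. It lists each registered JCE provider with the location and signer count its class loader reports, and checks a jar on disk for unsigned class entries. The class name ProviderOrigin and the jar paths passed as arguments are assumptions; it uses only JDK classes and Java 7+ syntax.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.CodeSigner;
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added diagnostic (hypothetical class name): where was each JCE provider loaded from, and is it signed? */
public class ProviderOrigin {

    /** Counts class entries in a jar that carry no verified signer; a tampered entry throws SecurityException. */
    static int unsignedClasses(String jarPath) throws Exception {
        int unsigned = 0;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {          // true = verify signatures while reading
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (!entry.getName().endsWith(".class")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* signers are only available after a full read */ }
                }
                if (entry.getCodeSigners() == null) unsigned++;
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws Exception {
        for (Provider p : Security.getProviders()) {
            CodeSource cs = p.getClass().getProtectionDomain().getCodeSource();
            URL loc = (cs == null) ? null : cs.getLocation();      // null for classes from the JDK runtime itself
            CodeSigner[] signers = (cs == null) ? null : cs.getCodeSigners();
            System.out.printf("%-12s loader=%s%n  location=%s%n  signers=%d%n",
                    p.getName(), p.getClass().getClassLoader(), loc,
                    signers == null ? 0 : signers.length);
        }
        for (String jar : args) {                                  // jar paths supplied by the operator (assumption)
            System.out.println(jar + ": unsigned classes = " + unsignedClasses(jar));
        }
    }
}
```

Run the provider loop from inside the deployed bean, after Security.addProvider has been called, so that it reports what the application server's class loader sees rather than what a stand-alone JVM sees.
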

                  • 6. Re: JCE cannot authenticate the provider BC
                    Tomas Gustavsson Newbie

                    Any action on this? Should I create a Jira issue?

                    • 7. Re: JCE cannot authenticate the provider BC
                      Ernesto J. Perez Newbie


                      I'm having the same problems, using JBoss AS 5.1.0. Does anyone have a solution for that?

                      Thanks!

                      • 8. Re: JCE cannot authenticate the provider BC
                        Ernesto J. Perez Newbie


                        Yeah! I've found a solution.

                        The Bouncy Castle library (the .jar file) must not be in the final Web Application file (.war file). The Bouncy Castle library must be installed only in the JBOSS_HOME/server/default/lib/ folder (or in whatever JBoss instance you are using).

                        So remember, if you are using Eclipse, don't copy the Bouncy Castle library into the WebContent/WEB-INF/lib folder of your project. Of course, you have to put the library in the CLASSPATH at compilation time.

                        Regards.
                        Ernesto.

                        • 9. Re: JCE cannot authenticate the provider BC
                          Tomas Gustavsson Newbie

                          Yes that is a workaround. It's a hack workaround though, as this is obviously a bug.

                          I found an issue for it in Jira. https://jira.jboss.org/jira/browse/JBAS-7882

                          • 10. Re: JCE cannot authenticate the provider BC
                            Tomas Gustavsson Newbie

                            Though the issue/bug is somewhat diminished by the fact that openjdk does not require signature on the jce. So it works fine using OpenJDK, and that's of course what we use on our favorite platform :-)

                             

                            Nowadays I only use sun/Oracle JDK when I am forced to work on windows.

                            • 11. Re: JCE cannot authenticate the provider BC
                              Tomas Gustavsson Newbie

                              Hmm, JBoss 6 seems to be even worse, it doesn't help putting the jars in JBOSS_HOME/server/default/lib even.

                              • 12. JCE cannot authenticate the provider BC
                                jaikiran pai Master

                                Please provide more details including exception stacktrace, if you are seeing some problem in AS6.

                                • 13. JCE cannot authenticate the provider BC
                                  Tomas Gustavsson Newbie

                                  There is an issue for it already since a long time, JBAS-7882.

                                  https://issues.jboss.org/browse/JBAS-7882

                                   

                                  Unfortunately I can't access Jira anymore to update the issue because the JBoss.org account system seems to be messed up...

                                   

                                  The stacktrace mostly shows our code, and aop/ejb call stack.

                                   

                                  -----
                                  2011-01-11 11:01:00,639 ERROR [errorpage.jsp] (http-0.0.0.0-8443-2) java.io.IOException: exception encrypting data - java.lang.SecurityException: JCE cannot authenticate the provider BC
                                  javax.ejb.EJBException: java.io.IOException: exception encrypting data - java.lang.SecurityException: JCE cannot authenticate the provider BC
                                          at org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.createCA(CAAdminSessionBean.java:266)
                                          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                                          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                                          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                  <snip>
                                  Caused by: java.io.IOException: exception encrypting data - java.lang.SecurityException: JCE cannot authenticate the provider BC
                                          at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.wrapKey(Unknown Source)
                                          at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineStore(Unknown Source)
                                          at java.security.KeyStore.store(KeyStore.java:1117)
                                          at org.ejbca.core.model.ca.catoken.CATokenContainerImpl.storeSoftKeyStore(CATokenContainerImpl.java:604)
                                          at org.ejbca.core.model.ca.catoken.CATokenContainerImpl.generateKeys(CATokenContainerImpl.java:499)
                                          at org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.createCA(CAAdminSessionBean.java:262)
                                          ... 91 more
                                  ---

                                   

                                  In this case it's any call to create a PKCS12 using the BouncyCastle JCE provider. JBAS-7882 provides other info of the same issue.

                                   

                                  Only affects Oracle JDK, OpenJDK works fine since it does not verify signatures on the JCE providers.

                                   

                                  Cheers,

                                  Tomas

                                  • 14. JCE cannot authenticate the provider BC
                                    jaikiran pai Master

                                    Tomas Gustavsson wrote:

                                     


                                    Unfortunately I can't access Jira anymore to update the issue because the JBoss.org account system seems to be messed up...

                                     

                                    jboss.org was down for scheduled maintenance for an hour today. Try now.
