bouncycastle + JBoss AS7: JCE cannot authenticate the provider BC

java security jboss bouncycastle jce
31,663

Solution 1

Do not deploy the bouncy-castle jar as a part of your your webapp (WEB-INF/lib). You need this file in compiliation time of course, but on JBOSS it should be here: 

$JBOSS_HOME/server/default/lib/

instead of 

yourapp/WEB-INF/lib

Solution 2

For JBoss AS7 bouncy castle needs to be deployed as a server module. This replaces the server/default/lib mechanism of earlier versions (as mentioned in Gergely Bacso's answer).

JBoss AS7 uses jdk1.6+. When using JBoss AS7 with jdk1.6 we need to make sure we are using bcprov-jdk16.

Create a Jboss module (a folder $JBOSS_HOME/modules/org/bouncycastle/main). Put the bouncy castle jars that you want to be globally available in it, along with a module.xml file that looks like this: 

<module xmlns="urn:jboss:module:1.1" name="org.bouncycastle">
    <resources>
        <resource-root path="bcprov-jdk16-1.46.jar"/>
    </resources>
    <dependencies>
        <module name="javax.api" slot="main" export="true"/>
    </dependencies>
</module>

Once you have setup the module you need to make it available to your deployments. There are two ways:

1. Globally via standalone.xml

In $JBOSS_HOME/standalone/configuration/standalone.xml replace

<subsystem xmlns="urn:jboss:domain:ee:1.0"/>

with 

<subsystem xmlns="urn:jboss:domain:ee:1.0">
    <global-modules>
        <module name="org.bouncycastle" slot="main"/>
    </global-modules>
</subsystem>

The jar libraries will now be available across all applications (and this will "emulate" adding to the classpath as was possible in jboss 4,5,6 etc)

2. For a specific deployment (preferred)

Add a module dependency entry to the ear's META-INF/jboss-deployment-structure.xml file, under the section, eg:

<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.1">
    <deployment>
        <dependencies>
            <module name="org.bouncycastle" slot="main" export="true" />
        </dependencies>
    </deployment>
</jboss-deployment-structure>

Solution 3

But if You change server from JBoss to other (for example Glassfish) You have the same problem.
The better solition for me are changes in jdk.
You shoud add Bouncy Castle to security providers on Your java platform in two steps:
1. Copy BC librarys (currently bcpkix-jdk15on-149.jar, bcprov-jdk15on-149.jar) to directory $JAVA_HOME/jre/lib/ext/
2. Register BC provider: edit file $JAVA_HOME/jre/lib/security/java.security and under line

security.provider.1=sun.security.provider.Sun

add Your BC provider

security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider

Change numbers of rest providers. The whole block of providers should be similar to:

security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC

And now You must just restart the java server.

Share:
31,663

Related videos on Youtube

mrzasa
Author by

mrzasa

Updated on July 13, 2020

Comments

  • mrzasa
    mrzasa almost 4 years

    I use BouncyCastle for encryption in my application. When I run it standalone, everything works fine. However, if I put it in the webapp and deploy on JBoss server, I get a following error:

    javax.servlet.ServletException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
(...)
root cause
java.lang.Exception: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
(...)
root cause
java.io.IOException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
    org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
    java.security.KeyStore.load(Unknown Source)

    Here is a part of the code that causes this error:

        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null)
    {
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    }

    // Read the Private Key
    KeyStore ks = KeyStore.getInstance("PKCS12", BouncyCastleProvider.PROVIDER_NAME);
    ks.load(new FileInputStream(certificatePath), privateKeyPassword.toCharArray());

    And maven dependency:

    <dependency>
    <groupId>bouncycastle</groupId>
    <artifactId>bcmail-jdk16</artifactId>
    <version>140</version>
</dependency>

    Do you know how could I deploy it?

  • Jens
    Jens almost 12 years
    What is the reason behind this? Why does it work if it is run standalone and needs to be a module when run in JBoss? Are modules not verified but a jar inside of WEB-INF/lib is?
  • Krzysztof Szewczyk
    Krzysztof Szewczyk almost 11 years
    Sorry, You don't need change providers. Just add under SunPCSC provider next number of providers such as: security.provider.10=org.bouncycastle.jce.provider.BouncyCas‌​tleProvider BC provider does not have to be the second. Might be the last.
  • Dungeon Hunter
    Dungeon Hunter over 9 years
    seriously, you saved me :) i was getting the same error with RSA JSAFE provider but able to get rid of it now with this workaround. Thanks a lot
  • Roy Truelove
    Roy Truelove over 8 years
    Why is that the case?
  • Hosein Aqajani
    Hosein Aqajani about 8 years
    I am using jboss-eap-6.4 in JDK 1.8 and I have not server directory
  • frewper
    frewper almost 8 years
    @KrzysztofSzewczyk But doesnt bounty castle provider need the highest provider here i.e 1. Since here priority will be given from 1 to 10.
  • Pino
    Pino almost 8 years
    In wildfly-9.0.2.Final the module folder for BouncyCastle already exists at <HOME>/modules/system/layers/base/org/bouncycastle/main/ so you only need to make it available to your deployments (globally or for a single app). Also note that in standalone.xml the subsystem "urn:jboss:domain:ee" already exists so you have only to add the tag <global-modules> to its content.
  • forresthopkinsa
    forresthopkinsa over 7 years
    This was all I needed, I'm actually glad this is the accepted answer. +1
  • Awanish Kumar
    Awanish Kumar almost 7 years
    @Pino can you please provide more detail with example for beginner.
  • Pino
    Pino almost 7 years
    @Awanish My comment is a little update to the main answer. Refer to the answer for a description of the changes you have to make to Wildfly's xml.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

BouncyCastle in Java
Using BouncyCastle for a simple HTTPS query
What is the correct JBoss EAP 6.0.1 cipher-suite configuration for mitigation of Logjam / weakdh.org?
Generating 128-bit keys with keytool
Decode/Read a CSR (Certificate Signing Request) Using Java or BouncyCastle
Generate certificate chain in java
Bouncy Castle vs Java default RSA with OAEP
BouncyCastle does not find algorithms that it provides?
Is RSA PKCS1-OAEP padding supported in bouncycastle?
How to set TLS1.2 version in Java