BenhurCD

Reputation: 81

java.lang.SecurityException: JCE cannot authenticate the provider BC

Getting the above exception with error log after registering BC provider dynamically and statically via

Security.addProvider(new BouncyCastleProvider());

However, on

Cipher.getInstance("AES/CTS/NoPadding", "BC")

I get the following error

 Failure to decrypt: bad encryption: 
 java.lang.SecurityException: JCE cannot authenticate the provider BC
 Caused by: java.util.jar.JarException: 
 file:/space/uploads/unittest/jars/myjar.jar has unsigned entries - <some-location>/README.txt
 at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:500)
 at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:361)
 at javax.crypto.JarVerifier.verify(JarVerifier.java:289)
 at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:159)
 at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:185)
 at javax.crypto.Cipher.getInstance(Cipher.java:653)
 at javax.crypto.Cipher.getInstance(Cipher.java:596)

Upvotes: 1

Views: 4810

Answers (2)

user3657964

Reputation: 41

With JDK 8u351 (and other corresponding updates to future versions) additional SHA1 restrictions are enabled by default. See https://www.oracle.com/java/technologies/javase/8u351-relnotes.html

To fix this, remove SHA1 denyAfter 2019-01-01 from two keys in the java.security config file (example path /usr/java/jdk/jre/lib/security/java.security in Linux), essentially going back to the previous values. Note that a long term fix is to upgrade to a newer signed jar instead of changing this.

Updated keys in the java.security file:

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
    include jdk.disabled.namedCurves

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
      DSA keySize < 1024, include jdk.disabled.namedCurves

Upvotes: 1

Mr Chow

Reputation: 372

I believe that any JCE provider JARs must be signed before they will be trusted by your Java runtime. It appears that the jar you have has content in it which is unsigned.

If this is content that you have added to the jar or a jar that you have made then check out this answer which tells you how to sign it: How to sign a custom JCE security provider

Upvotes: 1
