JCE cannot authenticate the provider BC - KeyStore

JCE cannot authenticate the provider BC - KeyStore

luizurias
Hello,

After I updated BC from 1.60 to 1.61 (it occurs in 1.62 too) I am getting this
error. It only occurs with KeyStore; when I use the BC provider for other
operations (such as Cipher, etc.) I don't get this error. And in version
1.60 it works fine.

I already tried to add the bc-*.jar to jre/lib/ext but the error
continues.

Of course this doesn't happen when I use OpenJDK. I am using Oracle JDK 1.6_45.

Has anyone ever had anything like it or know what is going on?

Caused by: java.io.IOException: error constructing MAC:
java.lang.SecurityException: JCE cannot authenticate the provider BC
        at
org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown
Source)
        at java.security.KeyStore.load(Unknown Source)



--
Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html

Re: JCE cannot authenticate the provider BC - KeyStore

cryptearth
Hi,

security providers have to be signed by a trusted key. As you say this
issue occurs after the update from 1.60 to 1.61, it's most likely that the
signing key changed, which isn't trusted by a key that's in 6_45. I use 1.62 with
Oracle 8_144 and 8_212 - works fine. Btw: It's June 2019 - why do you still
use Java 6? The only reason would be a very old and most likely outdated OS
- which also hints at very old hardware - so I guess you either have some
embedded industry system - or someone up the chain doesn't allow an upgrade
to recent hardware/software. So, instead of blaming a lib for an obvious
reason (a way outdated runtime doesn't have the master key to verify the current
signing key) consider why you use 10-year-old stuff and why you don't upgrade it.

Matt

On 15.07.2019 at 21:57, luizurias wrote:

> Hello,
>
> After I updated BC from 1.60 to 1.61 (it occurs in 1.62 too) I am getting this
> error. It only occurs with KeyStore; when I use the BC provider for other
> operations (such as Cipher, etc.) I don't get this error. And in version
> 1.60 it works fine.
>
> I already tried to add the bc-*.jar to jre/lib/ext but the error
> continues.
>
> Of course this doesn't happen when I use OpenJDK. I am using Oracle JDK 1.6_45.
>
> Has anyone ever had anything like it or know what is going on?
>
> Caused by: java.io.IOException: error constructing MAC:
> java.lang.SecurityException: JCE cannot authenticate the provider BC
> at
> org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown
> Source)
> at java.security.KeyStore.load(Unknown Source)
>
>
>
> --
> Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html
>


Re: JCE cannot authenticate the provider BC - KeyStore

David Hook-3
In reply to this post by luizurias

It's due to the native signature support in 1.6/1.7

See https://github.com/bcgit/bc-java/issues/557

For instructions - it was for Oracle 1.7 but I suspect it's the same issue.

This should allow you to upgrade to 1.62. Please note the comments about
what is needed to be able to keep upgrading.

Regards,

David

On 16/7/19 5:57 am, luizurias wrote:

> Hello,
>
> After I updated BC from 1.60 to 1.61 (it occurs in 1.62 too) I am getting this
> error. It only occurs with KeyStore; when I use the BC provider for other
> operations (such as Cipher, etc.) I don't get this error. And in version
> 1.60 it works fine.
>
> I already tried to add the bc-*.jar to jre/lib/ext but the error
> continues.
>
> Of course this doesn't happen when I use OpenJDK. I am using Oracle JDK 1.6_45.
>
> Has anyone ever had anything like it or know what is going on?
>
> Caused by: java.io.IOException: error constructing MAC:
> java.lang.SecurityException: JCE cannot authenticate the provider BC
> at
> org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown
> Source)
> at java.security.KeyStore.load(Unknown Source)
>
>
>
> --
> Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html
>
>


Re: JCE cannot authenticate the provider BC - KeyStore

luizurias
It worked! Thanks.

But I still don't understand why it is only occurring with KeyStore
operations; I mean, if I initialize a Cipher with the BC provider and perform
some operations the error does not occur. Do you know why?




Re: JCE cannot authenticate the provider BC - KeyStore

luizurias
In reply to this post by cryptearth
Yes, I know I am using outdated Java. I really want to update but for now I
can't.

Anyways, thanks for your reply!




Re: JCE cannot authenticate the provider BC - KeyStore

cryptearth
Hi,

I remerged the answers to keep the list in-sync - nvm.

I have given up even trying to ask people why they stay on such old versions
- I made my guesses, and unless it's one of them, the most obvious reason is:
someone higher up the pay scale doesn't know about upgrading and just refuses
the resources needed to do it, although in the long term it mostly saves more
money to invest once in the upgrade - nvm.

About the "random" issue: my wild guess is that maybe only some of
the signatures are corrupted. I don't know if a security jar has to verify
completely or just the classes in use - but if the whole jar failed due to
one issue none of it would work at all - so as it works at least
somewhat, only the per-class-in-use signature remains as a possible option.
As I discovered a weird crypto bug in j9 and j10, I guess the whole
security house of cards is so brittle we're lucky if it at least sometimes
works like the RFCs say.

Matt

On 16.07.2019 at 21:29, luizurias wrote:

> Yes, I know I am using outdated Java. I really want to update but for now I
> can't.
>
> Anyways, thanks for your reply!
>
> It worked! Thanks.
>
> But I still don't understand why it is only occurring with KeyStore
> operations; I mean, if I initialize a Cipher with the BC provider and perform
> some operations the error does not occur. Do you know why?
>
> --
> Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html
>


Re: JCE cannot authenticate the provider BC - KeyStore

David Hook-3

JCE policy files don't ban all algorithms and key sizes, so sometimes
things will work even if the JCE isn't properly configured. Having said
that, in this case I would have expected the Cipher not to work as the
JCE provider jar would not have validated (the signature is over all
the classes in the jar). You might want to check that you're actually
getting the cipher from the provider you think you are.

Regards,

David

On 17/7/19 5:41 am, cryptearth wrote:

> Hi,
>
> I remerged the answers to keep the list in-sync - nvm.
>
> I have given up even trying to ask people why they stay on such old
> versions - I made my guesses, and unless it's one of them, the most
> obvious reason is: someone higher up the pay scale doesn't know about
> upgrading and just refuses the resources needed to do it, although in
> the long term it mostly saves more money to invest once in the upgrade - nvm.
>
> About the "random" issue: my wild guess is that maybe only some
> of the signatures are corrupted. I don't know if a security jar has to
> verify completely or just the classes in use - but if the whole jar
> failed due to one issue none of it would work at all - so as it works at
> least somewhat, only the per-class-in-use signature remains as a possible
> option. As I discovered a weird crypto bug in j9 and j10, I guess the
> whole security house of cards is so brittle we're lucky if it at least
> sometimes works like the RFCs say.
>
> Matt
>
> On 16.07.2019 at 21:29, luizurias wrote:
>> Yes, I know I am using outdated Java. I really want to update but for
>> now I can't.
>>
>> Anyways, thanks for your reply!
>>
>> It worked! Thanks.
>>
>> But I still don't understand why it is only occurring with KeyStore
>> operations; I mean, if I initialize a Cipher with the BC provider and perform
>> some operations the error does not occur. Do you know why?
>>
>> --
>> Sent from:
>> http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html
>>
>
>
>
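
The check David suggests above, as an added example that is not part of the original thread or of Bouncy Castle's code: it asks each engine class for an instance with and without the `BC` provider and prints which provider and jar actually served it, or the exception raised. The class name `ProviderProbe` and the algorithm choices are assumptions, and it expects the BC jar on the classpath.

```java
import java.lang.reflect.InvocationTargetException;
import java.security.Provider;
import java.security.Security;

public class ProviderProbe {
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";
    // javax.crypto engines get the JCE provider-signature check on Oracle JDKs; java.security ones do not.
    static final String[][] ENGINES = {
        {"javax.crypto.Cipher", "AES/CBC/PKCS5Padding"},
        {"javax.crypto.Mac", "HmacSHA1"},
        {"java.security.KeyPairGenerator", "RSA"},
        {"java.security.cert.CertificateFactory", "X.509"},
        {"java.security.KeyStore", "PKCS12"},
    };

    // Calls Engine.getInstance(alg[, provider]) and returns the provider that served it.
    static Provider resolve(String engine, String alg, String provider) throws Throwable {
        Class<?> c = Class.forName(engine);
        try {
            Object e = (provider == null)
                ? c.getMethod("getInstance", String.class).invoke(null, alg)
                : c.getMethod("getInstance", String.class, String.class).invoke(null, alg, provider);
            return (Provider) c.getMethod("getProvider").invoke(e);
        } catch (InvocationTargetException ite) {
            throw ite.getCause();  // the real SecurityException / NoSuchAlgorithmException
        }
    }

    static String describe(String engine, String alg, String provider) {
        String label = engine + " " + alg + " [" + (provider == null ? "default" : provider) + "]";
        try {
            Provider p = resolve(engine, alg, provider);
            return label + " -> " + p.getName() + " " + p.getVersion()
                + " from " + p.getClass().getProtectionDomain().getCodeSource();
        } catch (Throwable t) {
            return label + " -> FAILED: " + t;
        }
    }

    public static void main(String[] args) {
        try {  // register BC if its jar is on the classpath (no-op when already registered)
            Security.addProvider((Provider) Class.forName(BC_CLASS).newInstance());
        } catch (Exception e) { System.out.println("BC not registered: " + e); }
        for (String[] e : ENGINES) {
            System.out.println(describe(e[0], e[1], null));  // what the JVM picks by default
            System.out.println(describe(e[0], e[1], "BC"));  // what BC serves, or why it cannot
        }
    }
}
```

`KeyStore.getInstance` itself can succeed here; per the stack trace in the first post, the failure surfaces in `load()` when the PKCS12 code constructs its MAC.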


Re: JCE cannot authenticate the provider BC - KeyStore

luizurias
Hi,

sorry, I made a mistake about the Cipher. It returns the same error when I
try getInstance with the BC provider.

But I tried with KeyPairGenerator and CertificateFactory and I don't get the
error. Maybe because of what you said about JCE policy.

Btw, is the only difference between this jar
https://downloads.bouncycastle.org/misc/bcprov-jdk15on-1.62.jar and the
official one that the jar signature was made using SHA1 and the official with
SHA256?






Re: JCE cannot authenticate the provider BC - KeyStore

cryptearth
Hi,

about signature SHA-1 vs. SHA-256: It's known that older software used
SHA-1 because SHA-256 just wasn't implemented. So, if you have recent
stuff hashed with today's normal SHA-256/-384/-512, it can't be verified on
older software because they just implement SHA-2 algos.
The same issue caused a recent Windows Update to fail, as M$ changed from SHA-1
+ SHA-2 to SHA-2-only signing on update packages - but failed to first
update M$-update itself to use SHA-2. So, even though SHA-2 has been in use for
a long time, M$-update kept relying on SHA-1 as no one ever changed it after SHA-2
was added.

Simple answer: Update to current OS/JVM.

Matt

On 17.07.2019 at 16:07, luizurias wrote:

> Hi,
>
> sorry, I made a mistake about the Cipher. It returns the same error when I
> try getInstance with the BC provider.
>
> But I tried with KeyPairGenerator and CertificateFactory and I don't get the
> error. Maybe because of what you said about JCE policy.
>
> Btw, is the only difference between this jar
> https://downloads.bouncycastle.org/misc/bcprov-jdk15on-1.62.jar and the
> official one that the jar signature was made using SHA1 and the official with
> SHA256?
>
>
>
>
>
> --
> Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html
>
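
One way to check the SHA1 versus SHA256 question raised above, as an added example that is not from the thread: it lists the digest algorithms named in a signed jar's `META-INF/*.SF` signature files. The class name `JarSigDigests` and the embedded sample are constructed; the signature algorithm inside the `.RSA`/`.DSA` block is not parsed.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.util.*;
import java.util.jar.*;

public class JarSigDigests {
    // Constructed sample .SF content; the digest values are placeholders, not real hashes.
    static final String SAMPLE_SF =
          "Signature-Version: 1.0\r\n"
        + "SHA-256-Digest-Manifest: AAAA\r\n"
        + "\r\n"
        + "Name: org/example/Foo.class\r\n"
        + "SHA-256-Digest: BBBB\r\n"
        + "\r\n";

    // Adds "<ALG>" for every attribute named "<ALG>-Digest" or "<ALG>-Digest-Manifest...".
    static void collect(Attributes attrs, Set<String> out) {
        for (Object key : attrs.keySet()) {
            String name = key.toString();
            int i = name.indexOf("-Digest");
            if (i > 0) out.add(name.substring(0, i));
        }
    }

    // A .SF file uses the manifest syntax, so java.util.jar.Manifest can parse it.
    static Set<String> digestAlgorithms(InputStream sf) throws Exception {
        Manifest m = new Manifest(sf);
        Set<String> algs = new TreeSet<String>();
        collect(m.getMainAttributes(), algs);
        for (Attributes a : m.getEntries().values()) collect(a, algs);
        return algs;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {  // no jar given: run on the constructed sample
            InputStream in = new ByteArrayInputStream(SAMPLE_SF.getBytes("UTF-8"));
            System.out.println("sample.SF: " + digestAlgorithms(in));
            return;
        }
        JarFile jar = new JarFile(args[0], false);  // false = read entries without verifying
        for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
            JarEntry e = en.nextElement();
            String n = e.getName().toUpperCase(Locale.ENGLISH);
            if (n.startsWith("META-INF/") && n.endsWith(".SF"))
                System.out.println(e.getName() + ": " + digestAlgorithms(jar.getInputStream(e)));
        }
        jar.close();
    }
}
```

Pass a jar path as the only argument to inspect a real provider jar, for example each of the two bcprov jars being compared.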