[Newbie] Issue with SecureRandom when trying to use BC JSSE provider


[Newbie] Issue with SecureRandom when trying to use BC JSSE provider

jsane
We are trying to switch from Sun JSSE to Bouncy Castle JSSE & likewise for JCE.

I did some reading and it appeared it should be mostly drop in and not require any code changes.

My updated java.security file (relevant sections) looks like this:
security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.4=sun.security.rsa.SunRsaSign
security.provider.5=sun.security.ec.SunEC
security.provider.6=com.sun.net.ssl.internal.ssl.Provider
security.provider.7=com.sun.crypto.provider.SunJCE
security.provider.8=sun.security.jgss.SunProvider
security.provider.9=com.sun.security.sasl.Provider
security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.11=sun.security.smartcardio.SunPCSC

...
securerandom.source=file:/dev/random

# securerandom.strongAlgorithms=NativePRNGBlocking:SUN    # Original value that I changed below
securerandom.strongAlgorithms=DRBGCoreSecureRandom:BC

I dropped the following jar files in my .. /java/jre/lib/ext folder:
  - bctls-jdk15on-157.jar
  - bcprov-jdk15on-157.jar


However I get the following error:
java.lang.IllegalStateException: unable to create TlsCrypto: DEFAULT SecureRandom not available
        at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCryptoProvider.create(Unknown Source)
        at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(Unknown Source)
        at javax.net.ssl.SSLContext.init(SSLContext.java:282)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:306)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:220)
       ......

The error remains the same even when the securerandom.strongAlgorithms entry in java.security is not changed from its original value of NativePRNGBlocking:SUN.

In my code I have this call:
    SSLContext context = SSLContext.getInstance("SSL");

At some place (think this mailing list itself) I had read one needs to invoke the SSLContext.getInstance with "TLS". But not sure if that is causing this error.

thanks for any help.
Jay

Re: [Newbie] Issue with SecureRandom when trying to use BC JSSE provider

Uri Blumenthal
Among other things, please refrain from using /dev/random. The current wisdom for Linux is to stay with /dev/urandom (for details see the recent exchange on the IETF TLS WG mailing list).

 
On Jul 26, 2017, at 19:04 , jsane <[hidden email]> wrote:

We are trying to switch from Sun JSSE to Bouncy Castle JSSE & likewise for
JCE.

I did some reading and it appeared it should be mostly drop in and not
require any code changes.

My updated java.security file (relevant sections) looks like this:
security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.4=sun.security.rsa.SunRsaSign
security.provider.5=sun.security.ec.SunEC
security.provider.6=com.sun.net.ssl.internal.ssl.Provider
security.provider.7=com.sun.crypto.provider.SunJCE
security.provider.8=sun.security.jgss.SunProvider
security.provider.9=com.sun.security.sasl.Provider
security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.11=sun.security.smartcardio.SunPCSC

...
securerandom.source=file:/dev/random

# securerandom.strongAlgorithms=NativePRNGBlocking:SUN    # Original value that I changed below
securerandom.strongAlgorithms=DRBGCoreSecureRandom:BC

I dropped following jar files in my .. /java/jre/lib/ext folder:
 - bctls-jdk15on-157.jar
 - bcprov-jdk15on-157.jar


However I get the following error:
java.lang.IllegalStateException: unable to create TlsCrypto: DEFAULT SecureRandom not available
       at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCryptoProvider.create(Unknown Source)
       at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(Unknown Source)
       at javax.net.ssl.SSLContext.init(SSLContext.java:282)
       at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:306)
       at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:220)
      ......

The error remains same even when the securerandom.strongAlgorithms entry in
java.security is not changed from its original value of
NativePRNGBlocking:SUN

In my code I have this call:
   SSLContext context = SSLContext.getInstance("SSL");

At some place (think this mailing list itself) I had read one needs to
invoke the SSLContext.getInstance with "TLS". But not sure if that is
causing this error.

thanks for any help.
Jay



--
View this message in context: http://bouncy-castle.1462172.n4.nabble.com/Newbie-Issue-with-SecureRandom-when-trying-to-use-BC-JSSE-provider-tp4658923.html
Sent from the Bouncy Castle - Dev mailing list archive at Nabble.com.


--
Uri Blumenthal



Re: [Newbie] Issue with SecureRandom when trying to use BC JSSE provider

David Hook-3
In reply to this post by jsane

Try swapping 2 and 3.

Regards,

David

On 27/07/17 09:04, jsane wrote:

> We are trying to switch from Sun JSSE to Bouncy Castle JSSE & likewise for
> JCE.
>
> I did some reading and it appeared it should be mostly drop in and not
> require any code changes.
>
> My updated java.security file (relevant sections) looks like this:
> security.provider.1=sun.security.provider.Sun
> security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
> security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
> security.provider.4=sun.security.rsa.SunRsaSign
> security.provider.5=sun.security.ec.SunEC
> security.provider.6=com.sun.net.ssl.internal.ssl.Provider
> security.provider.7=com.sun.crypto.provider.SunJCE
> security.provider.8=sun.security.jgss.SunProvider
> security.provider.9=com.sun.security.sasl.Provider
> security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
> security.provider.11=sun.security.smartcardio.SunPCSC
>
> ...
> securerandom.source=file:/dev/random
>
> # securerandom.strongAlgorithms=NativePRNGBlocking:SUN    # Original value that I changed below
> securerandom.strongAlgorithms=DRBGCoreSecureRandom:BC
>
> I dropped following jar files in my .. /java/jre/lib/ext folder:
>   - bctls-jdk15on-157.jar
>   - bcprov-jdk15on-157.jar
>
>
> However I get the following error:
> java.lang.IllegalStateException: unable to create TlsCrypto: DEFAULT SecureRandom not available
>         at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCryptoProvider.create(Unknown Source)
>         at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(Unknown Source)
>         at javax.net.ssl.SSLContext.init(SSLContext.java:282)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:306)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:220)
>        ......
>
> The error remains same even when the securerandom.strongAlgorithms entry in
> java.security is not changed from its original value of
> NativePRNGBlocking:SUN
>
> In my code I have this call:
>     SSLContext context = SSLContext.getInstance("SSL");
>
> At some place (think this mailing list itself) I had read one needs to
> invoke the SSLContext.getInstance with "TLS". But not sure if that is
> causing this error.
>
> thanks for any help.
> Jay
>
>
>

Re: [Newbie] Issue with SecureRandom when trying to use BC JSSE provider

jsane

I changed the securerandom.source to use /dev/urandom and re-ordered the providers as suggested. 
So the provider list looks like this: 

security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
security.provider.4=sun.security.rsa.SunRsaSign
security.provider.5=sun.security.ec.SunEC
security.provider.6=com.sun.net.ssl.internal.ssl.Provider
security.provider.7=com.sun.crypto.provider.SunJCE
security.provider.8=sun.security.jgss.SunProvider
security.provider.9=com.sun.security.sasl.Provider
security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.11=sun.security.smartcardio.SunPCSC

But get the same error as before. I wonder if the securerandom.strongAlgorithms is wrong (admittedly I just guess picked one class from bcprov-jdk15on-157.jar):

securerandom.strongAlgorithms=DRBGCoreSecureRandom:BC

Where can I find a working sample java.security using BC JSSE and JCE providers?

thanks for your help
Jayant

On Wed, Jul 26, 2017 at 11:08 PM, David Hook <[hidden email]> wrote:

Try swapping 2 and 3.

Regards,

David


RE: [Newbie] Issue with SecureRandom when trying to use BC JSSE provider

Eckenfels. Bernd
Hello,

I don't think the error is related to strong algorithm, but it sounds like Jetty or BCTLS requests the SecureRandom algorithm DEFAULT, which is IMHO the FIPS variant of BC and not BCProv. Not sure what makes it do that...

Gruss
Bernd
--
http://www.seeburger.com
________________________________________
From: Jay Sane [[hidden email]]
Sent: Thursday, July 27, 2017 19:12
To: [hidden email]
Cc: [hidden email]
Subject: Re: [dev-crypto] [Newbie] Issue with SecureRandom when trying to use BC JSSE provider

I changed the securerandom.source to use /dev/urandom and re-ordered the providers as suggested.
So the provider list looks like this:

security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
security.provider.4=sun.security.rsa.SunRsaSign
security.provider.5=sun.security.ec.SunEC
security.provider.6=com.sun.net.ssl.internal.ssl.Provider
security.provider.7=com.sun.crypto.provider.SunJCE
security.provider.8=sun.security.jgss.SunProvider
security.provider.9=com.sun.security.sasl.Provider
security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.11=sun.security.smartcardio.SunPCSC

But get the same error as before. I wonder if the securerandom.strongAlgorithms is wrong (admittedly I just guess picked one class from bcprov-jdk15on-157.jar):

securerandom.strongAlgorithms=DRBGCoreSecureRandom:BC

Where can I find a working sample java.security using BC JSSE and JCE providers?

thanks for your help
Jayant


Re: [Newbie] Issue with SecureRandom when trying to use BC JSSE provider

David Hook-3
In reply to this post by jsane

You'll need to change securerandom.strongAlgorithms back to what it was originally. I don't think use of /dev/urandom will have anything to do with this issue (controversy aside).

Regards,

David

On 28/07/17 03:12, Jay Sane wrote:

I changed the securerandom.source to use /dev/urandom and re-ordered the providers as suggested. 
So the provider list looks like this: 

security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
security.provider.4=sun.security.rsa.SunRsaSign
security.provider.5=sun.security.ec.SunEC
security.provider.6=com.sun.net.ssl.internal.ssl.Provider
security.provider.7=com.sun.crypto.provider.SunJCE
security.provider.8=sun.security.jgss.SunProvider
security.provider.9=com.sun.security.sasl.Provider
security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.11=sun.security.smartcardio.SunPCSC

But get the same error as before. I wonder if the securerandom.strongAlgorithms is wrong (admittedly I just guess picked one class from bcprov-jdk15on-157.jar):

securerandom.strongAlgorithms=DRBGCoreSecureRandom:BC

Where can I find a working sample java.security using BC JSSE and JCE providers?

thanks for your help
Jayant


Re: [Newbie] Issue with SecureRandom when trying to use BC JSSE provider

jsane
I restored the securerandom.strongAlgorithms to its original value of "NativePRNGBlocking:SUN". But still get the same error: 

java.lang.IllegalStateException: unable to create TlsCrypto: DEFAULT SecureRandom not available
        at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCryptoProvider.create(Unknown Source)
        at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(Unknown Source)
        at javax.net.ssl.SSLContext.init(SSLContext.java:282)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:306)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:220)


Thanks all for your suggestions & help till. 


Let me know if anyone has gone down this path of migrating from Sun JSSE/JCE to Bouncy Castle counterparts and your experience.


reds

Jay


On Thu, Jul 27, 2017 at 2:21 PM, David Hook-3 [via Bouncy Castle] <[hidden email]> wrote:

You'll need to change securerandom.strongAlgorithms back to what it was originally, I don't think use of /dev/urandom will have anything to do with this issue (controversy aside).

Regards,

David


Re: [Newbie] Issue with SecureRandom when trying to use BC JSSE provider

Neil Corbet
Jay,

Did you try calling
context.init(keyManagers, trustManagers, SecureRandom.getInstance("DEFAULT", "BC"));

After SSLContext context = SSLContext.getInstance("SSL");?

I used the above to make sure that BC is used as the security provider for the secure random generation.

Neil

From: jsane <[hidden email]>
Reply-To: "[hidden email]" <[hidden email]>
Date: Friday, July 28, 2017 at 2:06 PM
To: "[hidden email]" <[hidden email]>
Subject: [dev-crypto] Re: [Newbie] Issue with SecureRandom when trying to use BC JSSE provider

I restored the securerandom.strongAlgorithms to its original value of "NativePRNGBlocking:SUN". But still get the same error: 

java.lang.IllegalStateException: unable to create TlsCrypto: DEFAULT SecureRandom not available
        at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCryptoProvider.create(Unknown Source)
        at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(Unknown Source)
        at javax.net.ssl.SSLContext.init(SSLContext.java:282)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:306)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:220)


Thanks all for your suggestions & help till. 


Let me know if anyone has gone down this path of migrating from Sun JSSE/JCE to Bouncy Castle counterparts and your experience.


reds

Jay


On Thu, Jul 27, 2017 at 2:21 PM, David Hook-3 [via Bouncy Castle] <[hidden email]> wrote:

You'll need to change securerandom.strongAlgorithms back to what it was originally, I don't think use of /dev/urandom will have anything to do with this issue (controversy aside).

Regards,

David

On 28/07/17 03:12, Jay Sane wrote:

I changed the securerandom.source to use /dev/urandom and re-ordered the providers as suggested. 
So the provider list looks like this: 

security.provider.1=sun.security.provider.Sun

security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider

security.provider.3=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider

security.provider.4=sun.security.rsa.SunRsaSign

security.provider.5=sun.security.ec.SunEC

security.provider.6=com.sun.net.ssl.internal.ssl.Provider

security.provider.7=com.sun.crypto.provider.SunJCE

security.provider.8=sun.security.jgss.SunProvider

security.provider.9=com.sun.security.sasl.Provider

security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI

security.provider.11=sun.security.smartcardio.SunPCSC 

But get the same error as before. I wonder if the securerandom.strongAlgorithms is wrong (admittedly I just guess picked one class from bcprov-jdk15on-157.jar):

securerandom.strongAlgorithms=DRBGCoreSecureRandom:BC

Where can I find a working sample java.security using BC JSS and JCE providers  

thanks for your help
Jayant

On Wed, Jul 26, 2017 at 11:08 PM, David Hook <[hidden email]> wrote:

Try swapping 2 and 3.

Regards,

David

On 27/07/17 09:04, jsane wrote:
> We are trying to switch from Sun JSSE to Bouncy Castle JSSE & likewise for
> JCE.
>
> I did some reading and it appeared it should be mostly drop in and not
> require any code changes.
>
> My updated java.security file (relevant sections) looks like this:
> security.provider.1=sun.security.provider.Sun
> security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
> security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
> security.provider.4=sun.security.rsa.SunRsaSign
> security.provider.5=sun.security.ec.SunEC
> security.provider.6=com.sun.net.ssl.internal.ssl.Provider
> security.provider.7=com.sun.crypto.provider.SunJCE
> security.provider.8=sun.security.jgss.SunProvider
> security.provider.9=com.sun.security.sasl.Provider
> security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
> security.provider.11=sun.security.smartcardio.SunPCSC
>
> ...
> securerandom.source=file:/dev/random
>
> # securerandom.strongAlgorithms=NativePRNGBlocking:SUN    # Original value
> that I changed below
> securerandom.strongAlgorithms=DRBGCoreSecureRandom:BC
>
> I dropped following jar files in my .. /java/jre/lib/ext folder:
>   - bctls-jdk15on-157.jar
>   - bcprov-jdk15on-157.jar
>
>
> However I get the following error:
> java.lang.IllegalStateException: unable to create TlsCrypto: DEFAULT
> SecureRandom not available
>         at
> org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCryptoProvider.create(Unknown
> Source)
>         at
> org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(Unknown Source)
>         at javax.net.ssl.SSLContext.init(SSLContext.java:282)
>         at
> org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:306)
>         at
> org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:220)
>        ......
>
> The error remains same even when the securerandom.strongAlgorithms entry in
> java.security is not changed from its original value of
> NativePRNGBlocking:SUN
>
> In my code I have this call:
>     SSLContext context = SSLContext.getInstance("SSL");
>
> At some place (think this mailing list itself) I had read one needs to
> invoke the SSLContext.getInstance with "TLS". But not sure if that is
> causing this error.
>
> thanks for any help.
> Jay
>
>
>
> --
> View this message in context: http://bouncy-castle.1462172.n4.nabble.com/Newbie-Issue-with-SecureRandom-when-trying-to-use-BC-JSSE-provider-tp4658923.html
> Sent from the Bouncy Castle - Dev mailing list archive at Nabble.com.
>
>







Re: [Newbie] Issue with SecureRandom when trying to use BC JSSE provider

jsane
Pardon the delay in getting back, although I don't have an update yet. I am trying to change the source per your suggestion, but for reasons I cannot get into (embarrassing) we are running into some difficulty with it; besides, I was pulled out temporarily from this activity.
But I intend to write a simple app from scratch and try it out. Just wanted to give a heads up. Will provide an update once I have a resolution.

thanks
Jay

On Fri, Jul 28, 2017 at 11:34 AM, Neil Corbet [via Bouncy Castle] <[hidden email]> wrote:
Jay,

Did you try calling 
context.init(keyManagers, trustManagers, SecureRandom.getInstance("DEFAULT", "BC"));

After SSLContext context = SSLContext.getInstance("SSL");?

I used the above to make sure that BC is used as the security provider for the secure random generation.

Neil

From: jsane <[hidden email]>
Reply-To: "[hidden email]" <[hidden email]>
Date: Friday, July 28, 2017 at 2:06 PM
To: "[hidden email]" <[hidden email]>
Subject: [dev-crypto] Re: [Newbie] Issue with SecureRandom when trying to use BC JSSE provider

I restored the securerandom.strongAlgorithms to its original value of "NativePRNGBlocking:SUN". But still get the same error: 

java.lang.IllegalStateException: unable to create TlsCrypto: DEFAULT SecureRandom not available
        at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCryptoProvider.create(Unknown Source)
        at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(Unknown Source)
        at javax.net.ssl.SSLContext.init(SSLContext.java:282)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:306)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:220)


Thanks all for your suggestions & help till. 


Let me know if anyone has gone down this path of migrating from Sun JSSE/JCE to Bouncy Castle counterparts and your experience.


reds

Jay


On Thu, Jul 27, 2017 at 2:21 PM, David Hook-3 [via Bouncy Castle] <[hidden email]> wrote:

You'll need to change securerandom.strongAlgorithms back to what it was originally. I don't think use of /dev/urandom will have anything to do with this issue (controversy aside).

Regards,

David

On 28/07/17 03:12, Jay Sane wrote:

I changed the securerandom.source to use /dev/urandom and re-ordered the providers as suggested. 
So the provider list looks like this: 

security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
security.provider.4=sun.security.rsa.SunRsaSign
security.provider.5=sun.security.ec.SunEC
security.provider.6=com.sun.net.ssl.internal.ssl.Provider
security.provider.7=com.sun.crypto.provider.SunJCE
security.provider.8=sun.security.jgss.SunProvider
security.provider.9=com.sun.security.sasl.Provider
security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.11=sun.security.smartcardio.SunPCSC

But I get the same error as before. I wonder if the securerandom.strongAlgorithms is wrong (admittedly I just guessed and picked one class from bcprov-jdk15on-157.jar):

securerandom.strongAlgorithms=DRBGCoreSecureRandom:BC

Where can I find a working sample java.security using BC JSSE and JCE providers?

thanks for your help
Jayant

On Wed, Jul 26, 2017 at 11:08 PM, David Hook <[hidden email]> wrote:

Try swapping 2 and 3.

Regards,

David

On 27/07/17 09:04, jsane wrote:
> We are trying to switch from Sun JSSE to Bouncy Castle JSSE & likewise for
> JCE.
>
> I did some reading and it appeared it should be mostly drop in and not
> require any code changes.
>
> My updated java.security file (relevant sections) looks like this:
> security.provider.1=sun.security.provider.Sun
> security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
> security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
> security.provider.4=sun.security.rsa.SunRsaSign
> security.provider.5=sun.security.ec.SunEC
> security.provider.6=com.sun.net.ssl.internal.ssl.Provider
> security.provider.7=com.sun.crypto.provider.SunJCE
> security.provider.8=sun.security.jgss.SunProvider
> security.provider.9=com.sun.security.sasl.Provider
> security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
> security.provider.11=sun.security.smartcardio.SunPCSC
>
> ...
> securerandom.source=file:/dev/random
>
> # securerandom.strongAlgorithms=NativePRNGBlocking:SUN    # Original value
> that I changed below
> securerandom.strongAlgorithms=DRBGCoreSecureRandom:BC
>
> I dropped following jar files in my .. /java/jre/lib/ext folder:
>   - bctls-jdk15on-157.jar
>   - bcprov-jdk15on-157.jar
>
>
> However I get the following error:
> java.lang.IllegalStateException: unable to create TlsCrypto: DEFAULT
> SecureRandom not available
>         at
> org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCryptoProvider.create(Unknown
> Source)
>         at
> org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(Unknown Source)
>         at javax.net.ssl.SSLContext.init(SSLContext.java:282)
>         at
> org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:306)
>         at
> org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:220)
>        ......
>
> The error remains same even when the securerandom.strongAlgorithms entry in
> java.security is not changed from its original value of
> NativePRNGBlocking:SUN
>
> In my code I have this call:
>     SSLContext context = SSLContext.getInstance("SSL");
>
> At some place (think this mailing list itself) I had read one needs to
> invoke the SSLContext.getInstance with "TLS". But not sure if that is
> causing this error.
>
> thanks for any help.
> Jay
>
>
>
> --
> View this message in context: http://bouncy-castle.1462172.n4.nabble.com/Newbie-Issue-with-SecureRandom-when-trying-to-use-BC-JSSE-provider-tp4658923.html
> Sent from the Bouncy Castle - Dev mailing list archive at Nabble.com.
>
>







Re: [Newbie] Issue with SecureRandom when trying to use BC JSSE provider

jsane
OK, I was able to write a simple Java app that initializes the SSLContext while explicitly specifying BC when getting the SecureRandom instance. It works!!

One thing I learned, which most may already be aware of, is that securerandom.source in java.security must be set to /dev/urandom (else the SecureRandom call will just hang). Uri had pointed it out earlier (recommended), but what I did not know was that it is actually required, else it hangs; I waited a couple of minutes in case it was taking long, but it would not return even after 10-15 minutes, which led me to think it hung.

thanks all. 
Jay
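
A stand-alone check along the lines described in the post above, as an added example that is not the poster's code: it prints the effective provider order and the two securerandom properties, performs the BC "DEFAULT" SecureRandom lookup named in the stack trace, times the first output, and passes the result to SSLContext.init. The class name BcJsseCheck, the "TLS" protocol string and the null key/trust managers are assumptions; the bcprov and bctls jars must be on the classpath.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import javax.net.ssl.SSLContext;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

// Hypothetical class name; added example, not code from the thread.
public class BcJsseCheck {
    public static void main(String[] args) throws Exception {
        // Register the providers only if java.security did not already do so.
        // BC (JCE) is added before BCJSSE, the order suggested in the thread.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        if (Security.getProvider("BCJSSE") == null) {
            Security.addProvider(new BouncyCastleJsseProvider());
        }

        // Effective provider order as the JVM sees it at run time.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("%2d  %s%n", i + 1, providers[i].getName());
        }

        // The two java.security properties discussed in the thread.
        System.out.println("securerandom.source = "
                + Security.getProperty("securerandom.source"));
        System.out.println("securerandom.strongAlgorithms = "
                + Security.getProperty("securerandom.strongAlgorithms"));

        // The stack trace reports a missing DEFAULT SecureRandom; do that
        // lookup against BC explicitly so the failure is visible on its own.
        SecureRandom random;
        long start = System.nanoTime();
        try {
            random = SecureRandom.getInstance("DEFAULT", "BC");
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            System.err.println("BC DEFAULT SecureRandom not available: " + e);
            return;
        }

        // Force the generator to produce output. The thread reports the
        // SecureRandom call hanging when securerandom.source was not
        // /dev/urandom; the elapsed time shows whether seeding is blocking.
        byte[] probe = new byte[16];
        random.nextBytes(probe);
        long elapsedMs = (System.nanoTime() - start) / 1_000_000;
        System.out.println("SecureRandom " + random.getAlgorithm() + " from "
                + random.getProvider().getName() + " ready in " + elapsedMs + " ms");

        // "TLS" is an assumption here; the original post used "SSL".
        // Null key and trust managers ask SSLContext.init for the defaults.
        SSLContext context = SSLContext.getInstance("TLS", "BCJSSE");
        context.init(null, null, random);
        System.out.println("SSLContext " + context.getProtocol() + " from "
                + context.getProvider().getName() + " initialized");
    }
}
```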

Re: [Newbie] Issue with SecureRandom when trying to use BC JSSE provider

David Hook-3

If this is the case you should also look at enabling hardware RNG for your platform. As Uri mentioned, /dev/urandom is much improved (although there is still some controversy, at least in FIPS circles) but it sounds like there really isn't any entropy available to your O/S. It never hurts to have some more.

Regards,

David
