Problem using bcprov-jdk15on-162 on JRE 1.6

Problem using bcprov-jdk15on-162 on JRE 1.6

Juan Carlos Buitrago
I'm creating a project using bcprov-jdk15on-162, but it must run in
java 1.6 (I know). But when trying to register the provider, I get the
following message:

java.lang.SecurityException: JCE cannot authenticate the provider BC

Researching the problem, I found that previous versions of the
provider are signed by:

CN=JCE Code Signing CA,OU=Java Software Code Signing,O=Sun
Microsystems Inc,L=Palo Alto,ST=CA,C=US

Meanwhile, this new version is signed by both the previous one and:

CN=JCE Code Signing CA,OU=Java Software Code Signing,O=Oracle Corporation

I've already included the provider line in java.security and added the
new jar to java lib/ext but the issue persists.

I've also tried registering the provider dynamically like:

Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

But no luck.

How do I solve this problem for JRE 1.6?

Thanks.


Re: Problem using bcprov-jdk15on-162 on JRE 1.6

cryptearth
Hey Juan,

have a look at
http://bouncy-castle.1462172.n4.nabble.com/JCE-cannot-authenticate-the-provider-BC-KeyStore-td4659669.html
The issue may be the different signature hash algo: SHA-1 vs SHA-256.
Although SHA-256 was published in 2001 (source: Wikipedia), most crypto
stuff kept using SHA-1 for signatures all through the mid-2010s and
didn't bother to even implement a signature validation. So anything so
old that it still prefers SHA-1 to SHA-256 mostly only can/does verify
SHA-1 signatures - if it encounters a SHA-256 one, it just can't verify it.

As also in the linked topic - just for personal interest: What's the
reason you still rely on Java 6? I know about old XP systems still in
use in industrial environments like controllers for heavy CNC machinery
- but crypto stuff mostly means the system has at least some connection
to the internet - in which such old versions shouldn't be used for
security reasons. On the other hand: if you're using such an old
environment - why do you want to update to the latest bouncycastle
instead of using a version one or two older which works?

Matt

On 01.08.2019 at 18:18, Juan Carlos Buitrago wrote:

> I'm creating a project using bcprov-jdk15on-162, but it must run in
> java 1.6 (I know). But when trying to register the provider, I get the
> following message:
>
> java.lang.SecurityException: JCE cannot authenticate the provider BC
>
> Researching the problem, I found that previous versions of the
> provider are signed by:
>
> CN=JCE Code Signing CA,OU=Java Software Code Signing,O=Sun
> Microsystems Inc,L=Palo Alto,ST=CA,C=US
>
> Meanwhile, this new version is signed by both the previous one and:
>
> CN=JCE Code Signing CA,OU=Java Software Code Signing,O=Oracle Corporation
>
> I've already included the provider line in java.security and added the
> new jar to java lib/ext but the issue persists.
>
> I've also tried registering the provider dynamically like:
>
> Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
>
> But no luck.
>
> How do I solve this problem for JRE 1.6?
>
> Thanks.
>
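
Added example, not part of either post and not Bouncy Castle code: a small diagnostic that lists the two things this thread compares for a provider jar, the digest header names in each META-INF/*.SF file (SHA-1 vs SHA-256) and the subject of every signer certificate. The class name `JarSignerInfo` and passing the jar path as the first argument are assumptions; the code sticks to Java 6 syntax so it can be compiled and run on the affected JRE.

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
// Added diagnostic, not from the thread. Java 6 syntax only (no try-with-resources).
public class JarSignerInfo {
    public static void main(String[] args) throws Exception {
        JarFile jar = new JarFile(args[0], true); // args[0] = jar path; true = verify while reading
        Set<String> digests = new LinkedHashSet<String>();
        Set<String> signers = new LinkedHashSet<String>();
        byte[] buf = new byte[8192];
        try {
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                String name = entry.getName().toUpperCase(Locale.ENGLISH);
                InputStream in = jar.getInputStream(entry);
                try {
                    if (name.startsWith("META-INF/") && name.endsWith(".SF")) {
                        // .SF uses manifest syntax; SHA1-Digest-Manifest / SHA-256-Digest-Manifest name the hash.
                        for (Object key : new Manifest(in).getMainAttributes().keySet()) {
                            if (key.toString().contains("-Digest")) digests.add(entry.getName() + ": " + key);
                        }
                    }
                    // Signer certificates are only exposed once the entry is fully read.
                    while (in.read(buf) != -1) { }
                } finally {
                    in.close();
                }
                Certificate[] certs = entry.getCertificates();
                if (certs == null) continue; // directories, META-INF signature files
                for (Certificate c : certs) {
                    X509Certificate x = (X509Certificate) c;
                    signers.add(x.getSubjectX500Principal().getName()
                            + " | certificate sigAlg: " + x.getSigAlgName());
                }
            }
        } finally {
            jar.close();
        }
        for (String d : digests) System.out.println("digest header: " + d);
        for (String s : signers) System.out.println("certificate:   " + s);
    }
}
```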