BouncyCastle Cryptography provider library used with applet on Java 7u40
The case: I am maintaining a Java applet which uses the BouncyCastle libraries bcpkix-jdk15on-149.jar, and bcprov-jdk15on-149.jar.

The problem appears when the applet is run in a browser with JRE 7u40.
The behavior has changed since 7u25: it now always prompts with a modal window like "Security prompt for an app using a self-signed certificate" (which cannot be permanently hidden anymore), just to trust bcprov.

https://www.java.com/en/download/help/appsecuritydialogs.xml

As far as I know, this is because the BC libraries are signed with the BouncyCastle certificate, issued by the "JCE Code Signing CA". Because of that, the lib can perform and act as a cryptography provider.

BUT: the JRE cannot build the certificate chain to trust the signature. It shows "provider : UNKNOWN".

I know I can remove that signature and sign it myself (I own a Thawte code signing certificate):

  • it works with the bcpkix lib
  • it does not work with bcprov, because it won't be considered a valid cryptography provider (it won't be trusted by the JRE).

Am I right? What can I do?
PS: I googled a lot to find the JCA root cert (to put it into the JRE truststore), without success... Is there a way to grab that root CA?

Happening answered 26/9, 2013 at 13:24 Comment(1)
Some people told me to sign the bcprov library (already signed by BC) a second time with my own certificate. The problem is that the result fails verification with "jarsigner". So, if anyone knows how to put another signature on a JAR file, please let me know. - Happening
After a lot of searching and some posts on the BC mailing list... I found the solution, so I drop it here for others who may face that issue:

The solution is basically to sign the BC library a second time with my own certificate.
The JAR needs the JCA signature in order to be trusted as a cryptography provider, so do not remove it.
The JAR also needs (in addition) a code signature in order to be able to be run in the JVM (trusted by the JRE).

One last thing, some incompatibility happened on the signature technology:

  • The BC lib is signed using the SHA1 digest algorithm
  • jarsigner (on my computer) does the signature with the SHA256 digest algorithm by default, which leads to a verification failure.
  • So I had to ask jarsigner to do it the SHA1 way. (For some reason both signatures have to be consistent from that point of view.)

Here is the magic parameter of jarsigner command to add and make it happen: -digestalg SHA1

Sample command:

jarsigner -keystore ./mykeystore.jks -storepass myPass -digestalg SHA1 bcprov-jdk15on-149.jar myAlias

... and you're done!

The following post gave me the tip: What prevents Java from verifying signed jars with multiple signature algorithms

Happening answered 27/9, 2013 at 11:54 Comment(5)
You are a god among men. - Enameling
My applet is one jar file, which includes classes from all other jars including Bouncy Castle. I am getting this exception: Caused by: java.io.IOException: error constructing MAC: java.lang.SecurityException: JCE cannot authenticate the provider BC. Please advise how to use jarsigner when the BC classes are inside my applet jar. - Schnell
Just a comment, on my system (Ubuntu 14.04 64 bits, OpenJDK 7) with bcprov-jdk15on v1.56, I had to sign it with -digestalg SHA-256 for the verification to succeed. - Xanthe
@Xanthe: thank you for the info! That is probably because newer versions of the bcprov library are now signed with SHA-256. That post is related to the (now pretty) old version 1.49 of bcprov. - Happening
I can confirm it still works in Java 8u151. Thank you, saved my day! - Tripalmitin
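Added example, not part of the answer above or of the BouncyCastle project: before re-signing, read the jar's existing META-INF/*.SF file(s) to learn which digest algorithm the first signature used, so the -digestalg passed to jarsigner matches it (SHA1 for the 1.49 jar in the answer, SHA-256 for the newer builds mentioned in the comments). The check also reports whether a double-signed jar mixes digest algorithms, which is the condition the answer says makes verification fail. The jar is constructed in memory with dummy signature blobs; the attribute names (SHA1-Digest, SHA-256-Digest, ...-Digest-Manifest, ...-Digest-Manifest-Main-Attributes) are those of the JAR file specification. The function names and the jar layout are the example's own; it prints the jarsigner argv to use but does not sign anything.

```python
import io
import re
import zipfile

# Digest attributes as written by jarsigner into META-INF/<SIGNER>.SF:
#   "<ALG>-Digest:" per entry, plus "<ALG>-Digest-Manifest:" and
#   "<ALG>-Digest-Manifest-Main-Attributes:" in the main section.
# The non-greedy group stops at the first "-Digest", so "SHA-256-Digest-Manifest"
# yields alg == "SHA-256" and "SHA1-Digest" yields alg == "SHA1".
_DIGEST_ATTR = re.compile(
    r"^(?P<alg>[A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:",
    re.MULTILINE,
)


def make_sample_jar(signers):
    """Constructed test input: a minimal jar with one .SF/.RSA pair per (signer, alg).

    Only the META-INF layout is imitated; the .RSA blobs are dummies, so this
    jar would never verify with jarsigner. It exists to exercise the checks below.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\n\r\n"
            "Name: org/example/Foo.class\r\nSHA1-Digest: AAAA\r\n\r\n",
        )
        for name, alg in signers:
            sf = (
                "Signature-Version: 1.0\r\n"
                f"{alg}-Digest-Manifest-Main-Attributes: BBBB\r\n"
                f"{alg}-Digest-Manifest: CCCC\r\n"
                "Created-By: constructed sample\r\n\r\n"
                "Name: org/example/Foo.class\r\n"
                f"{alg}-Digest: AAAA\r\n\r\n"
            )
            zf.writestr(f"META-INF/{name}.SF", sf)
            zf.writestr(f"META-INF/{name}.RSA", b"\x30\x00")  # dummy PKCS#7 blob
        zf.writestr("org/example/Foo.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def signature_digest_algorithms(jar_bytes):
    """Map each signer (basename of META-INF/*.SF) to the digest algorithms it uses."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            upper = entry.upper()
            # Signature files live directly under META-INF/, never in subdirectories.
            if not (upper.startswith("META-INF/") and upper.endswith(".SF")):
                continue
            if entry.count("/") != 1:
                continue
            text = zf.read(entry).decode("utf-8", errors="replace")
            algs = {m.group("alg") for m in _DIGEST_ATTR.finditer(text)}
            found[entry[len("META-INF/"):-3]] = algs
    return found


def digestalg_for_second_signature(jar_bytes):
    """Return the -digestalg value that matches the signature(s) already on the jar.

    Raises ValueError when the jar is unsigned or already mixes algorithms,
    since a second signature cannot be made consistent with it either way.
    """
    algs = set()
    for signer_algs in signature_digest_algorithms(jar_bytes).values():
        algs |= signer_algs
    if not algs:
        raise ValueError("jar carries no signature file; nothing to match")
    if len(algs) > 1:
        raise ValueError(f"existing signatures already mix digest algorithms: {sorted(algs)}")
    return algs.pop()


def signatures_consistent(jar_bytes):
    """True when every signer on the jar uses one and the same digest algorithm."""
    per_signer = signature_digest_algorithms(jar_bytes)
    algs = {a for s in per_signer.values() for a in s}
    return bool(per_signer) and len(algs) == 1


def jarsigner_command(jar_path, keystore, alias, digestalg):
    """argv for the re-signing step; -storepass is omitted so jarsigner prompts for it."""
    return ["jarsigner", "-keystore", keystore, "-digestalg", digestalg, jar_path, alias]


if __name__ == "__main__":
    # Stand-in for bcprov-jdk15on-149.jar: one signer, SHA1 digests.
    jar = make_sample_jar([("BCKEY", "SHA1")])
    alg = digestalg_for_second_signature(jar)
    print("existing signature digest:", alg)
    print(" ".join(jarsigner_command("bcprov-jdk15on-149.jar", "./mykeystore.jks", "myAlias", alg)))
    # What a mismatched second signature would look like after signing.
    mixed = make_sample_jar([("BCKEY", "SHA1"), ("MYALIAS", "SHA-256")])
    print("double-signed jar consistent:", signatures_consistent(mixed))
```

Run it against a real jar by replacing the constructed bytes with `open(path, "rb").read()`; after re-signing, run `signatures_consistent` on the result (and then `jarsigner -verify -verbose -certs`) to confirm both signature files agree before shipping the jar.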
We can also include the other stackoverflow post and the answer that helped me:

Putting in the line: Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

helped me get rid of the exception.

Source: jce cannot authenticate the provider bc

Furan answered 3/12, 2015 at 16:53 Comment(0)