bouncycastle + JBoss AS7: JCE cannot authenticate the provider BC

I use BouncyCastle for encryption in my application. When I run it standalone, everything works fine. However, if I put it in the webapp and deploy it on a JBoss server, I get the following error:

javax.servlet.ServletException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
(...)
root cause
java.lang.Exception: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
(...)
root cause
java.io.IOException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
    org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
    java.security.KeyStore.load(Unknown Source)

Here is a part of the code that causes this error:

    if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null)
    {
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    }

    // Read the Private Key
    KeyStore ks = KeyStore.getInstance("PKCS12", BouncyCastleProvider.PROVIDER_NAME);
    ks.load(new FileInputStream(certificatePath), privateKeyPassword.toCharArray());

And maven dependency:

<dependency>
    <groupId>bouncycastle</groupId>
    <artifactId>bcmail-jdk16</artifactId>
    <version>140</version>
</dependency>

Do you know how I could deploy it?

Do not deploy the bouncy-castle jar as a part of your webapp (WEB-INF/lib). You need this file at compile time of course, but on JBoss it should be here:

$JBOSS_HOME/server/default/lib/

instead of

yourapp/WEB-INF/lib


For JBoss AS7 bouncy castle needs to be deployed as a server module. This replaces the server/default/lib mechanism of earlier versions (as mentioned in Gergely Bacso's answer).

JBoss AS7 uses jdk1.6+. When using JBoss AS7 with jdk1.6 we need to make sure we are using bcprov-jdk16.

Create a JBoss module (a folder $JBOSS_HOME/modules/org/bouncycastle/main). Put the bouncy castle jars that you want to be globally available in it, along with a module.xml file that looks like this:

<module xmlns="urn:jboss:module:1.1" name="org.bouncycastle">
    <resources>
        <resource-root path="bcprov-jdk16-1.46.jar"/>
    </resources>
    <dependencies>
        <module name="javax.api" slot="main" export="true"/>
    </dependencies>
</module>

Once you have set up the module you need to make it available to your deployments. There are two ways:

1. Globally via standalone.xml

In $JBOSS_HOME/standalone/configuration/standalone.xml replace

<subsystem xmlns="urn:jboss:domain:ee:1.0"/>

with

<subsystem xmlns="urn:jboss:domain:ee:1.0">
    <global-modules>
        <module name="org.bouncycastle" slot="main"/>
    </global-modules>
</subsystem>

The jar libraries will now be available across all applications (and this will "emulate" adding to the classpath as was possible in jboss 4,5,6 etc)

2. For a specific deployment (preferred)

Add a module dependency entry to the ear's META-INF/jboss-deployment-structure.xml file, under the section, eg:

<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.1">
    <deployment>
        <dependencies>
            <module name="org.bouncycastle" slot="main" export="true" />
        </dependencies>
    </deployment>
</jboss-deployment-structure>
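
To confirm which copy of the provider a deployment actually picks up, here is a small diagnostic, added as an example and not part of the original answers. The class name `BcProviderCheck` is hypothetical; it uses only JDK classes and assumes the provider is registered under the name `BC`. Call `report()` from inside the webapp (for example from a servlet) and compare the reported code source with the module directory described above.

```java
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Mac;

/** Added diagnostic (hypothetical class name): reports where the "BC" provider was loaded from. */
public class BcProviderCheck {

    public static String report() {
        StringBuilder out = new StringBuilder();

        // Registered providers in preference order (java.security entries plus addProvider calls).
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            out.append(i + 1).append(". ").append(providers[i].getName())
               .append(" (").append(providers[i].getClass().getName()).append(")\n");
        }

        Provider bc = Security.getProvider("BC");
        if (bc == null) {
            return out.append("BC is not registered in this JVM\n").toString();
        }

        // Which class loader and which jar supplied the provider class.
        Class<?> cls = bc.getClass();
        CodeSource src = cls.getProtectionDomain().getCodeSource();
        out.append("class loader: ").append(cls.getClassLoader()).append('\n');
        out.append("code source : ").append(src == null ? "none" : src.getLocation()).append('\n');
        // Signer certificates recorded for the jar (absent if unsigned or not recorded by the loader).
        boolean signed = src != null && src.getCertificates() != null;
        out.append("signers seen: ").append(signed).append('\n');

        // Same kind of call that fails in the question's stack trace ("error constructing MAC").
        try {
            Mac.getInstance("HmacSHA1", "BC");
            out.append("Mac.getInstance: OK\n");
        } catch (Exception e) { // NoSuchProviderException or SecurityException on failure
            out.append("Mac.getInstance: FAILED: ").append(e).append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.print(report());
    }
}
```

If the code source points into the deployment's WEB-INF/lib rather than the module folder, the application is still packaging its own copy of the jar.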


But if you change server from JBoss to another (for example Glassfish) you have the same problem. The better solution for me is changes in the JDK. You should add Bouncy Castle to the security providers on your Java platform in two steps:

1. Copy the BC libraries (currently bcpkix-jdk15on-149.jar, bcprov-jdk15on-149.jar) to the directory $JAVA_HOME/jre/lib/ext/

2. Register the BC provider: edit the file $JAVA_HOME/jre/lib/security/java.security and under the line

security.provider.1=sun.security.provider.Sun

add your BC provider

security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider

Change the numbers of the remaining providers. The whole block of providers should be similar to:

security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC

And now you just have to restart the Java server.


As I put in some other thread it can be also added programmatically by putting the line:

Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

Source: jce cannot authenticate the provider bc


For those who don't want to change server level config,

<jboss-deployment-structure>  
   <deployment>  
      <resources>  
         <resource-root path="WEB-INF/lib/bcprov-jdk16-1.46.jar" use-physical-code-source="true"/>  
      </resources>  
   </deployment>  
</jboss-deployment-structure>  

adding the bouncy castle jars with use-physical-code-source worked for me


Comments
  • Why is that the case?
  • I am using jboss-eap-6.4 on JDK 1.8 and I have no server directory
  • This was all I needed, I'm actually glad this is the accepted answer. +1
  • What is the reason behind this? Why does it work if it is run standalone and needs to be a module when run in JBoss? Are modules not verified but a jar inside of WEB-INF/lib is?
  • seriously, you saved me :) i was getting the same error with RSA JSAFE provider but able to get rid of it now with this workaround. Thanks a lot
  • In wildfly-9.0.2.Final the module folder for BouncyCastle already exists at <HOME>/modules/system/layers/base/org/bouncycastle/main/ so you only need to make it available to your deployments (globally or for a single app). Also note that in standalone.xml the subsystem "urn:jboss:domain:ee" already exists so you have only to add the tag <global-modules> to its content.
  • @Pino can you please provide more detail with example for beginner.
  • @Awanish My comment is a little update to the main answer. Refer to the answer for a description of the changes you have to make to Wildfly's xml.
  • Sorry, you don't need to change the providers. Just add, under the SunPCSC provider, the next provider number, such as: security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider. The BC provider does not have to be the second. It might be the last.
  • @KrzysztofSzewczyk But doesn't the bouncy castle provider need the highest provider here, i.e. 1? Since here priority will be given from 1 to 10.