Skip to main content

SecurityException with Bouncy Castle

I am using BouncyCastle library to encrypt the data transfer with Kakfa.
While my program run fine from IntelliJ, but when I package a fat JAR and run, it throws following exception:

java.lang.SecurityException: JCE cannot authenticate the provider BC
    at javax.crypto.Cipher.getInstance(Cipher.java:657)
    at javax.crypto.Cipher.getInstance(Cipher.java:596)
    at com.xyz.abc.fusioncell.utils.CryptoService$class.decrypt(CryptoService.scala:63)
    at com.xyz.abc.fusioncell.Boot$.decrypt(Boot.scala:13)
    at com.xyz.abc.fusioncell.conf.Config$$anonfun$userId$1.apply(Config.scala:28)
    at com.xyz.abc.fusioncell.conf.Config$$anonfun$userId$1.apply(Config.scala:28)
    at scala.util.Try$.apply(Try.scala:192)
    at com.xyz.abc.fusioncell.conf.Config$class.userId(Config.scala:28)
    at com.xyz.abc.fusioncell.Boot$.userId$lzycompute(Boot.scala:13)
    at com.xyz.abc.fusioncell.Boot$.userId(Boot.scala:13)
    at com.xyz.abc.fusioncell.Boot$.main(Boot.scala:24)
    at com.xyz.abc.fusioncell.Boot.main(Boot.scala)
Caused by: java.util.jar.JarException: file:/work/data_extractor/src/main/sh/data_extractor.jar has unsigned entries - scala/Array$$anonfun$apply$3.class
    at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:464)
    at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:322)
    at javax.crypto.JarVerifier.verify(JarVerifier.java:250)
    at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:160)
    at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:186)
    at javax.crypto.Cipher.getInstance(Cipher.java:653)
    ... 11 more

First part of solution is to register the cryptographic service provider at runtime to ensure the configuration will work for everyone. You can use either of the Security.addProvider() or Security.insertProviderAt() methods:

if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null)
    Security.addProvider(new BouncyCastleProvider)

Next, you need to add BouncyCastle provider to security providers in your java platform in two steps:
1. Copy BouncyCastle library (currently bcprov-jdk16-146.jar) to directory $JAVA_HOME/jre/lib/ext/
2. Register BouncyCastle provider: edit file $JAVA_HOME/jre/lib/security/java.security and add following line in list of providers:

security.provider.11=org.bouncycastle.jce.provider.BouncyCastleProvider
Final list looks like:
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=apple.security.AppleProvider
security.provider.11=org.bouncycastle.jce.provider.BouncyCastleProvider
Recompile and package the fat jar.
Labels:

Comments

Post a Comment

Popular posts from this blog

MPlayer subtitle font problem in Windows

While playing a video with subtitles in mplayer, I was getting the following problem: New_Face failed. Maybe the font path is wrong. Please supply the text font file (~/.mplayer/subfont.ttf). Solution is as follows: Right click on "My Computer". Select "Properties". Go to "Advanced" tab. Click on "Environment Variables". Delete "HOME" variable from User / System variables.
4 comments
Read more

wget and curl behind corporate proxy throws certificate is not trusted or certificate doesn't have a known issuer

If you try to run wget or curl in Ununtu/Debian behind corporate proxy, you might receive errors like: ERROR: The certificate of 'apertium.projectjj.com' is not trusted. ERROR: The certificate of 'apertium.projectjj.com' doesn't have a known issuer. wget https://apertium.projectjj.com/apt/apertium-packaging.public.gpg ERROR: cannot verify apertium.projectjj.com's certificate, issued by 'emailAddress=proxyteam@corporate.proxy.com,CN=diassl.corporate.proxy.com,OU=Division UK,O=Group name,L=Company,ST=GB,C=UK': Unable to locally verify the issuer's authority. To connect to apertium.projectjj.com insecurely, use `--no-check-certificate'. To solution is to install your company's CA certificate in Ubuntu. In Windows, open the first part of URL in your web browser. e.g. open https://apertium.projectjj.com in web browser. If you inspect the certifcate, you will see the same CN (diassl.corporate.proxy.com), as reported by the error above ...
Post a Comment
Read more

Kafka performance tuning

Performance Tuning of Kafka is critical when your cluster grow in size. Below are few points to consider to improve Kafka performance: Consumer group ID : Never use same exact consumer group ID for dozens of machines consuming from different topics. All of those commits will end up on the same exact partition of __consumer_offsets , hence the same broker, and this might in turn cause performance problems. Choose the consumer group ID to group_id+topic_name . Skewed : A broker is skewed if its number of partitions is greater that the average of partitions per broker on the given topic. Example: 2 brokers share 4 partitions, if one of them has 3 partitions, it is skewed (3 > 2). Try to make sure that none of the brokers is skewed. Spread : Brokers spread is the percentage of brokers in the cluster that has partitions for the given topic. Example: 3 brokers share a topic that has 2 partitions, so 66% of the brokers have partitions for this topic. Try to achieve 100% broker spread...
1 comment
Read more