
I have been developing software that uses AES-256 encryption to write a file. I am using Eclipse 64 bits and JDK7. The thing is that when I compile and execute the code, it works perfectly, both the encrypt and decrypt algorithms. When I pack a Runnable JAR and run it, it works fine too... but when I pack the Runnable JAR to a Windows Executable (.exe) with Advanced Installer 9.4 and install it (both W7 32 bits and 64 bits), a NoSuchProviderException pops up and nothing gets encrypted/decrypted.

I need to distribute this software to many users and cannot find a way to run the .exe.

    import javax.crypto.Cipher;
    import javax.crypto.spec.SecretKeySpec;
    import org.apache.commons.codec.binary.Base64; // Apache Commons Codec

    public static String AES_Encode(String str, String key) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        // The key bytes are taken directly from the UTF-8 encoding of the string
        SecretKeySpec secretKey = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
        // No IV is passed, so for CBC the provider picks one (see cipher.getIV())
        cipher.init(Cipher.ENCRYPT_MODE, secretKey);
        String encryptedString = Base64.encodeBase64String(cipher.doFinal(str.getBytes("UTF-8")));
        return encryptedString;
    }

    public static String AES_Decode(String str, String key) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        SecretKeySpec secretKey = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
        // CBC decryption needs the IV used for encryption; none is passed here
        cipher.init(Cipher.DECRYPT_MODE, secretKey);
        String decryptedString = new String(cipher.doFinal(Base64.decodeBase64(str)), "UTF-8");
        return decryptedString;
    }

I have tried to show the providers available and SunJCE or JCE are not available when I run the software once installed in Windows; although they are when I run the JAR or the compiled code. Is there anything I can do? May I switch to Bouncy Castle? How (what JAR or similar do I need to integrate in my project?)

Thanks for your time and help!

  • You can try to install the provider at execution time `import org.bouncycastle.jce.provider.BouncyCastleProvider;` and don't forget to change `Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding", "BC");` – Snox Apr 23 '14 at 16:37
  • I would also need to add the external .jar of Bouncy Castle to the project and add it as a provider right? How do you add it as a provider? – xaviburruezo Apr 24 '14 at 07:45
  • Create in your project a directory named "lib", copy the JAR file in it and then select from the JAR file's context menu "Build Path" -> "Add to Build Path" – Snox Apr 24 '14 at 08:00
  • Could you send us a zipped sample over at support at advancedinstaller dot com so we can try to reproduce this? We wrote two very small apps using the code samples you provided but they work fine for us (Advanced Installer team), i.e. no exceptions arise. – Bogdan Mitrache Apr 24 '14 at 10:44
  • As for: `key.getBytes("UTF-8")`: a key is not and should not be a `String`. AES keys should contain bits that are indistinguishable from random to an attacker, and not every byte value can be generated by `getBytes()`, especially not for UTF-8. – Maarten Bodewes Apr 24 '14 at 14:23

1 Answer


The problem was that the project in Advanced Installer was configured to compress the JARs included with Pack200, and this was breaking the digital signature of a part of those JARs.

The solution is to either disable Pack200 compression completely or to go to "main application menu -> Options -> External Tools" in Advanced Installer and, in the dialog that appears, specify the installation path of the JDK you are targeting from your application. (This last method will allow Advanced Installer to check the digital signature of the compressed JARs, detect which signature is broken and automatically skip those JARs from compression, BUT still compress the other contents of your package.)

Bogdan Mitrache
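The answer traces the exception to Pack200 compression breaking the digital signature of some of the bundled JARs. As an added example (not code from the original post or from Advanced Installer), the following Java 7 class checks whether the entries of each JAR passed on the command line still verify, so the same JARs can be compared before and after packaging; the class name `JarSignatureCheck` is hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (hypothetical class name): reports whether each JAR given on the
// command line still verifies, e.g. before and after an installer repacks it.
public class JarSignatureCheck {

    /** Returns "OK (signed)", "unsigned", or a description of what failed. */
    static String check(String path) throws IOException {
        // verify=true: entries are checked against the digests recorded in META-INF
        try (JarFile jar = new JarFile(path, true)) {
            byte[] buf = new byte[8192];
            int signed = 0, unsigned = 0;
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // Simplification: skip META-INF/, where the signature files live
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // The digest is only compared once the entry has been read to the end
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners(); // valid only after full read
                if (signers != null && signers.length > 0) signed++; else unsigned++;
            }
            if (signed == 0) return "unsigned";
            return unsigned == 0 ? "OK (signed)" : "PARTIALLY signed: " + unsigned + " unsigned entries";
        } catch (SecurityException ex) {
            // Thrown when a digest or signature block no longer matches the content
            return "BROKEN signature: " + ex.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        boolean bad = false;
        for (String path : args) {
            String result = check(path);
            System.out.println(path + ": " + result);
            bad |= !result.startsWith("OK") && !result.equals("unsigned");
        }
        System.exit(bad ? 1 : 0);
    }
}
```

An "OK (signed)" result means the digests and signature blocks still match the content; it does not establish that the signer's certificate is trusted.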