2

I have a strange problem. I wrote a Java application to do some cryptography things (encryption with AES and digital signatures with ECDSA). I decided to use the BouncyCastle API. I tried my application in Eclipse and everything went well. Then I exported the application into a 'Runnable JAR File' with the Eclipse wizard, and I chose the option 'Package required libraries into generated JAR'. Then I launched the JAR and the application threw the unluckily famous exception

java.security.NoSuchProviderException: JCE cannot authenticate the provider BC

So, I read something here and on other sites. Someone wrote that it is necessary to modify the java.security file and add the BouncyCastleProvider. I also added the BouncyCastle JAR to jre/lib/ext/, but the exception was still thrown. Then I found that someone wrote that I need to change the library export order in my JAR. So, inspired by this, I re-exported the JAR with the option 'Copy required libraries into a sub-folder next to the generated JAR'. I ran the new JAR and everything went well. At the end of this big introduction (thanks for your patience), my question is: why is the SecurityException no longer thrown? Why does putting the libraries outside the JAR work?

EDIT: I have fixed the problem and I understand why the exception was thrown, but I can't understand why the problem disappears when bcprov is exported to an external sub-folder.

Nicola Bena
    possible duplicate of [JCE cannot authenticate the provider BC in java swing application](http://stackoverflow.com/questions/13721579/jce-cannot-authenticate-the-provider-bc-in-java-swing-application) – Konstantin V. Salikhov Jun 01 '15 at 18:07

1 Answer

4

I will speculate a bit, based on your description and without any experimentation, but I hope that it will help you satisfy your curiosity.

Java security providers that implement Cipher and some other services from javax.crypto must sign their code. If any of the signed BouncyCastle classes (or resources) were modified, the signature verification would fail, and the provider would not be available.

My guess is that in the process of re-bundling the content of the provider, Eclipse modified some files, invalidating the signature. The most likely culprit would be a change to a manifest. You could test this by computing the hash of every resource in the good and bad versions, and see if there are any discrepancies.

erickson
  • OP used the option '**Package** required libraries into generated JAR', not '**Extract**...'. This option does not modify the contents of the jars, but rather puts them as-is inside the jar and adds a custom classloader that knows how to load them. I think the problem could lurk somewhere in that generated classloader. – Forketyfork Jun 01 '15 at 18:09
  • @SergeyPetunin Yes, the code to verify signatures does rely somewhat on `URLClassLoader` and being able to read the content from the classpath, so a custom class loader may not work. – erickson Jun 01 '15 at 18:11
  • I'm sorry @SergeyPetunin, but because of my imperfect English I'm not sure that I understood correctly what you wrote. I exported my application with the Package option and I have that problem, but when I export with 'Copy into subfolder' the problem disappears. Are you telling me that the problem can be caused by the fact that Eclipse, when I export everything into a single JAR, could modify the *bcprov*? Do I understand correctly? – Nicola Bena Jun 01 '15 at 18:17
  • @NicolaBena Yes, I was suggesting that when you export to single JAR, the JAR (or its content) could be modified. But Sergey is suggesting that there is a custom classloader being used, which could break things. I didn't expect that; it seems like it would require some custom code to set up the class loader. If you examine the contents of the exported jar, created with "Package required libraries into generated JAR" option, does it contain the BC jar file, with .jar extension, or all of the .class files that were in the BC jar? – erickson Jun 01 '15 at 18:22
  • @erickson, yes, inside the generated jar there is the BC .jar file – Nicola Bena Jun 01 '15 at 18:24
  • @NicolaBena Then Sergey is probably right and the problem comes from using a custom class loader. – erickson Jun 01 '15 at 18:25
  • Thanks everybody. The solution is to put libraries into a folder, but now I can luckily understand why. – Nicola Bena Jun 01 '15 at 18:27
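
The hash comparison suggested in the answer, written out as an added example that is not part of the original thread. It covers both layouts discussed in the comments: provider files merged into the exported JAR, and the provider JAR stored whole inside it. The JAR contents, entry names and `provider.jar` are constructed placeholders, not the real BouncyCastle files.

```python
import hashlib
import io
import zipfile

def entry_digests(jar):
    """SHA-256 of every file entry; `jar` is a path or a binary file object."""
    with zipfile.ZipFile(jar) as zf:
        return {e.filename: hashlib.sha256(zf.read(e)).hexdigest()
                for e in zf.infolist() if not e.is_dir()}

def diff_provider(original, exported, nested=None):
    """Map each provider entry the export lacks or changed to a status.

    nested: name of the provider JAR stored whole inside the export;
    None when the provider's files were merged into the export itself.
    """
    want = entry_digests(original)
    if nested is None:
        have = entry_digests(exported)
    else:
        with zipfile.ZipFile(exported) as zf:
            have = entry_digests(io.BytesIO(zf.read(nested)))
    return {name: "missing" if name not in have else "modified"
            for name, digest in want.items() if have.get(name) != digest}

def make_jar(entries):
    """Build an in-memory JAR from {name: bytes}; used for the sample only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: a stand-in "signed provider" with placeholder names.
PROVIDER = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n(provider digests)\r\n",
    "META-INF/SIGNER.SF": b"(constructed signature file)",
    "org/example/Provider.class": b"\xca\xfe\xba\xbe(constructed)",
}
APP_MANIFEST = b"Manifest-Version: 1.0\r\nMain-Class: app.Main\r\n"
provider_jar = make_jar(PROVIDER)
# Merged layout: provider files unpacked, manifest replaced, .SF dropped.
merged = make_jar({"META-INF/MANIFEST.MF": APP_MANIFEST,
                   "org/example/Provider.class": PROVIDER["org/example/Provider.class"]})
# Nested layout: provider JAR stored as-is under a hypothetical name.
packaged = make_jar({"META-INF/MANIFEST.MF": APP_MANIFEST,
                     "provider.jar": provider_jar})

if __name__ == "__main__":
    print(diff_provider(io.BytesIO(provider_jar), io.BytesIO(merged)))
    print(diff_provider(io.BytesIO(provider_jar), io.BytesIO(packaged), "provider.jar"))
```

An empty result for the nested layout means the provider's bytes are unchanged, which points at how the classes are loaded rather than at a modified file, the conclusion the comments reach.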