1

Getting the above exception with error log after registering BC provider dynamically and statically via 

Security.addProvider(new BouncyCastleProvider());

However, on 

Cipher.getInstance("AES/CTS/NoPadding", "BC")

I get the following error

 Failure to decrypt: bad encryption: 
 java.lang.SecurityException: JCE cannot authenticate the provider BC
 Caused by: java.util.jar.JarException: 
 file:/space/uploads/unittest/jars/myjar.jar has unsigned entries - <some-location>/README.txt
 at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:500)
 at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:361)
 at javax.crypto.JarVerifier.verify(JarVerifier.java:289)
 at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:159)
 at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:185)
 at javax.crypto.Cipher.getInstance(Cipher.java:653)
 at javax.crypto.Cipher.getInstance(Cipher.java:596)
BenhurCD
  • 81
  • 1
  • 12
  • Possible duplicate of http://stackoverflow.com/questions/13721579/jce-cannot-authenticate-the-provider-bc-in-java-swing-application – fireandfuel Apr 27 '17 at 16:22

2 Answers2

1

I believe that any JCE provider JARs must be signed before they will be trusted by your Java runtime. It appears that the jar you have has content in it which is unsigned.

If this is content that you have added to the jar or a jar that you have made then check out this answer which tells you how to sign it: How to sign a custom JCE security provider

Mr Chow
  • 365
  • 6
  • 10
1

With JDK 8u351 (and other corresponding updates to future versions) additional SHA1 restrictions are enabled by default. See https://www.oracle.com/java/technologies/javase/8u351-relnotes.html

To fix this remove SHA1 denyAfter 2019-01-01 from two keys in the java.security config file (example path /usr/java/jdk/jre/lib/security/java.security in Linux) , essential going back to the previous values. Note that a long term fix is to upgrade to a newer signed jar instead of changing this.

updated keys in the java.security file:

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
    include jdk.disabled.namedCurves

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
      DSA keySize < 1024, include jdk.disabled.namedCurves
user3657964
  • 41
  • 1
  • 6