cdoc20-cli java.lang.SecurityException: JCE cannot authenticate the provider BC

[lauri-aloauri]

Hello !

I used maven:
mvn --version
Apache Maven 3.9.6 (bc0240f3c744dd6b6ec2920b3cd08dcc295161ae)
Maven home: /home/administrator/apache-maven-3.9.6
Java version: 21.0.2, vendor: Oracle Corporation, runtime: /usr/lib/jvm/jdk-21-oracle-x64
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "6.1.0-18-amd64", arch: "amd64", family: "unix"

Oracle java jdk java version:
java --version
java 21.0.2 2024-01-16 LTS
Java(TM) SE Runtime Environment (build 21.0.2+13-LTS-58)
Java HotSpot(TM) 64-Bit Server VM (build 21.0.2+13-LTS-58, mixed mode, sharing)

To build cdoc2 i wanted to use one of the component cdoc2-cli . Build showd success on building cdoc2-cli .

[DEBUG] incrementalBuildHelper#beforeRebuildExecution
[INFO] Compiling 2 source files with javac [debug target 17] to target/classes
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for cdoc20 0.6.0-SNAPSHOT:
[INFO]
[INFO] cdoc20 ............................................. SUCCESS [ 0.119 s]
[INFO] cdoc20-schema ...................................... SUCCESS [ 2.685 s]
[INFO] cdoc20-client ...................................... SUCCESS [ 1.765 s]
[INFO] cdoc20-lib ......................................... SUCCESS [ 4.476 s]
[INFO] cdoc20-cli ......................................... SUCCESS [ 3.731 s]

But the i trier to run i got following error then tried encrypting for ID-card owner id code.

java -jar cdoc2-java-ref-impl-main/cdoc20-cli/target/cdoc20-cli-0.6.0-SNAPSHOT.jar create --file ./test.cdoc -r test.txt
2024-03-01 14:59:57.455 [main] DEBUG ee.cyber.cdoc20.cli.commands.CDocCreateCmd - create --file ./test.cdoc --pubkey null --cert null [test.txt]
2024-03-01 14:59:57.818 [main] DEBUG ee.cyber.cdoc20.util.SkLdapUtil - Found cert for , name:cn=-,ou=Authentication,o=Identity card of Estonian citizen
2024-03-01 14:59:57.820 [main] DEBUG ee.cyber.cdoc20.util.SkLdapUtil - Adding key label (id-card)
2024-03-01 14:59:57.833 [main] DEBUG ee.cyber.cdoc20.crypto.Crypto - Initializing SecureRandom
2024-03-01 14:59:57.835 [main] INFO ee.cyber.cdoc20.crypto.Crypto - Initialized SecureRandom.
2024-03-01 14:59:57.854 [main] TRACE ee.cyber.cdoc20.container.Envelope - encrypt
2024-03-01 14:59:58.091 [main] INFO ee.cyber.cdoc20.CDocBuilder - Failed to create ./test.cdoc. Exception: JCE cannot authenticate the provider BC
2024-03-01 14:59:58.091 [main] INFO ee.cyber.cdoc20.CDocBuilder - Deleted ./test.cdoc
java.lang.SecurityException: JCE cannot authenticate the provider BC
at java.base/javax.crypto.Cipher.getInstance(Cipher.java:727)
at ee.cyber.cdoc20.crypto.ChaChaCipher.initCipher(ChaChaCipher.java:50)
at ee.cyber.cdoc20.crypto.ChaChaCipher.initChaChaOutputStream(ChaChaCipher.java:140)
at ee.cyber.cdoc20.container.Envelope.encrypt(Envelope.java:229)
at ee.cyber.cdoc20.CDocBuilder.buildToOutputStream(CDocBuilder.java:100)
at ee.cyber.cdoc20.CDocBuilder.buildToFile(CDocBuilder.java:72)
at ee.cyber.cdoc20.cli.commands.CDocCreateCmd.call(CDocCreateCmd.java:128)
at ee.cyber.cdoc20.cli.commands.CDocCreateCmd.call(CDocCreateCmd.java:30)
at picocli.CommandLine.executeUserObject(CommandLine.java:1953)
at picocli.CommandLine.access$1300(CommandLine.java:145)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2358)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2352)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2314)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
at picocli.CommandLine$RunLast.execute(CommandLine.java:2316)
at picocli.CommandLine.execute(CommandLine.java:2078)
at ee.cyber.cdoc20.cli.CDocCli.main(CDocCli.java:44)
Caused by: java.util.jar.JarException: The JCE Provider file:/home/administrator/cdoc2-java-ref-impl-main/cdoc20-cli/target/cdoc20-cli-0.6.0-SNAPSHOT.jar is not signed.
at java.base/javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:440)
at java.base/javax.crypto.JarVerifier.verifyJars(JarVerifier.java:319)
at java.base/javax.crypto.JarVerifier.verify(JarVerifier.java:263)
at java.base/javax.crypto.ProviderVerifier.verify(ProviderVerifier.java:130)
at java.base/javax.crypto.JceSecurity.verifyProvider(JceSecurity.java:196)
at java.base/javax.crypto.JceSecurity$2.apply(JceSecurity.java:222)
at java.base/javax.crypto.JceSecurity$2.apply(JceSecurity.java:211)
at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1708)
at java.base/javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:211)
at java.base/javax.crypto.Cipher.getInstance(Cipher.java:723)

Is possible some how to resolve this error and what is causing this error

Lauri-Alo Adamson

[OlesjaAarma]

The problem has only manual solution. Here are three options:

1. The easiest and preferable: use OpenJDK i.o. Oracle. Oracle Java requires cryptoproviders for some functions (including MAC) be signed with a cert issued by Sun-now-Oracle, while OpenJDK does not.

2. Add signed BouncyCastle jar file into Oracle-JDK as per instruction https://docs.oracle.com/cd/E19830-01/819-4712/ablsc/index.html:

• Modify $JAVA_HOME/conf/security/java.security file. Add new property security.provider.n=BouncyCastleProvider, where n is one increment above the last number in the list.
  

• Download appropriate signed bcprov-jdk*.jar file from https://www.bouncycastle.org/latest_releases.html.
  

• Place signed bcprov-jdk*.jar file into $JAVA_HOME/lib/security directory.
  

3. Add signed bcprov-jdk*.jar file into the project classpath.

Note, that the 2nd solution is a fairly specific hackery. Then is needed to remember to copy the external jars into the upgraded JRE or while setting up the application on a new system.