Installing / Registering the Bouncy Castle JCE provider or JBoss Module

Solution Verified - Updated 6 Aug 2024

Environment

Red Hat JBoss Enterprise Application Platform (EAP)
- 6
- 7
Java 8
Java Cryptography Extensions (JCE)
Bouncy Castle as JCE provider library or Application library
Bouncy Castle deployed in ".war" or java_home/jre/lib/ext directory.

Issue

Install as JBoss Module
Register as JCE provider

Getting the below exception:

  java.lang.NoClassDefFoundError: Could not initialize class org.bouncycastle.jce.provider.BouncyCastleProvider

Getting following errors when using Bouncy Castle provider

  java.io.IOException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC

See one of the the following errors

  java.security.NoSuchAlgorithmException: ****** SecretKeyFactory not available

  "java.lang.SecurityException: JCE cannot authenticate the provider BC"

Resolution

Here are the steps:

Download the Bouncy Castle jar library. We used Content from www.bouncycastle.org is not included.bcprov-jdk15on-158.jar jar for this example. For JBoss EAP 7, there is a version included in modules/system/layers/base/org/bouncycastle/main/bcprov-jdk15on-VER.redhat-00001.jar, so you can copy that jar.

To fully integrate the Bouncy Castle JCE library you need to put the jar in the JRE 'ext' directory:

$JAVA_HOME/jre/lib/ext/bcprov-jdk15on-VER.jar

Register it by editing "$JAVA_HOME/jre/lib/security/java.security". Look for the list of providers, and re-order/add the BC class. Example:

#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider            <==

The above is enough if you simply want to use the standard JCE API.

If you want to replace the standard JCE library with the BC one, then make sure to add it "above" the one you want to replace by assigning it a lower number and renumber other classes as needed. Oracle suggests always leaving the Sun provider first.
```
security.provider.1=sun.security.provider.Sun
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider            <==
...
```

If you require access to the BC classes from within your own source code, then in JBoss EAP 6, you also need to register it as a module. Skip this for JBoss EAP 7 unless you are installing a different version from the one shipped with JBoss EAP.

You have two options to register it:

Create this directory structure under $JBOSS_HOME/modules:

Note we do not copy the actual jar file to this directory.

  org
  └── bouncycastle
      └── main
          └── module.xml

Write this to module.xml:

  <module xmlns="urn:jboss:module:1.1" name="org.bouncycastle">
      <dependencies>
          <system export="true">
              <paths>
                  <path name="org/bouncycastle"/>
                  <path name="org/bouncycastle/util/encoders"/>
              </paths>
          </system>
      </dependencies>
  </module>

The 'path' entries are an example only. You need to add all packages to which you need access to as additional 'path' entries.

Alternatively, if you do not want to use the JCE API, but need exclusive access to the BC classes only, you can skip the above step of adding the jar to the 'ext' directory and registering.

In this case, the module should look like:

  org
  └── bouncycastle
      └── main
          ├── bcprov-jdk15on-158.jar
          └── module.xml

and module.xml:

  <?xml version="1.0" encoding="UTF-8"?>
  <module xmlns="urn:jboss:module:1.1" name="org.bouncycastle">
  <resources>
      <resource-root path="bcprov-jdk15on-158.jar"/>
  </resources>
  <dependencies>
      <module name="javax.api" slot="main" export="true"/>
  </dependencies>
  </module>

Add a dependency to the module in the deployment using WEB-INF/jboss-deployment-structure.xml for .war or META-INF/jboss-deployment-structure.xml for .ear or .jar

Need to install/register the Bouncy Castle JCE library as a JBoss Module and It should be available in class-path. JCE libraries need to be registered with the JRE to allow their transparent usage with the standard JCE API.

The following errors are mostly seen when Bouncy Castle is packaged inside an application, because the

  JVM's verification code does not correctly validate the provider inside a deployment.We need to make sure that that Bouncy Castle isn't packaged anywhere else except for this module

  java.io.IOException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC

For JAVA 11 and JAVA 17, View this KCS Solution

Root Cause

JCE libraries need to be registered with the JRE to allow their transparent usage with the standard JCE API.

JBoss EAP versions before EAP 6.4 have an This content is not included.issue with the signed JCE jar file

The version of Bouncy Castle included in JBoss EAP 7 is only supported as an implementation detail for some libraries. It can be used directly, but any issues found will only be fixed they affect the ways it's used in JBoss EAP.

SBR

Product(s)

Red Hat JBoss Enterprise Application Platform

Components

jbossas

Category

Learn more

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.