[kepler-dev] Bouncy Castle issue within Kepler

Michal Owsiak michalo at man.poznan.pl
Wed Sep 3 04:01:54 PDT 2008


I am trying to develop an actor which will be able to use a grid proxy. To 
manipulate the proxy I am using the Bouncy Castle library - and here come 
the troubles.

When I try to use the jce-jdk13-117.jar library (which is distributed along 
with Kepler) I get an error while accessing the private key:

The following code (org.globus.gsi.bc.BouncyCastleOpenSSLKey is located 
inside cog-jglobus.jar)

--- CUT ---
OpenSSLKey key = new 

if (key.isEncrypted()) {
--- CUT ---

throws an exception:

Exception in thread "main" java.lang.SecurityException: JCE cannot 
authenticate the provider BC
	at javax.crypto.Cipher.getInstance(DashoA12275)
	at javax.crypto.Cipher.getInstance(DashoA12275)
	at org.globus.gsi.OpenSSLKey.getCipher(OpenSSLKey.java:341)
	at org.globus.gsi.OpenSSLKey.decrypt(OpenSSLKey.java:208)
	at org.globus.gsi.OpenSSLKey.decrypt(OpenSSLKey.java:187)
	at example.tutorial.ProxyHelper.createUserPrivateKey(ProxyHelper.java:134)
	at example.tutorial.ProxyHelper.createProxy(ProxyHelper.java:60)
	at example.tutorial.ProxyHelper.main(ProxyHelper.java:167)
Caused by: java.util.jar.JarException: 
file:/home/michalo/Kepler-1.0.0/lib/jar/jce-jdk13-117.jar is not signed.

When I replace jce-jdk13-117.jar with jce-jdk13-120.jar everything works 
just fine (jce-jdk13-120.jar is signed).

shell>jarsigner -verify -certs -verbose jce-jdk13-120.jar~ | more

        98759 Thu Dec 29 16:23:56 CET 2005 META-INF/MANIFEST.MF
        98552 Thu Dec 29 16:23:56 CET 2005 META-INF/BCKEY.SF
         2213 Thu Dec 29 16:23:56 CET 2005 META-INF/BCKEY.DSA
            0 Thu Dec 29 16:16:38 CET 2005 META-INF/
            0 Thu Dec 29 16:16:36 CET 2005 javax/
            0 Thu Dec 29 16:16:36 CET 2005 javax/crypto/
sm       235 Thu Dec 29 16:16:36 CET 2005 

       X.509, CN=The Legion of the Bouncy Castle, OU=Java Software Code 
O=Sun Microsystems Inc
       [certificate will expire on 9/28/08 2:16 AM]
       X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
       [certificate is valid from 4/25/01 9:00 AM to 4/25/20 9:00 AM]
       [NetscapeCertType extension does not support code signing]

shell>jarsigner -verify jce-jdk13-117.jar
no manifest.
jar is unsigned. (signatures missing or not parsable)

Does anyone know how I can overcome this issue? What I do now is 
replace jce-jdk13-117.jar with jce-jdk13-120.jar (but this is not a 
solution because jce-jdk13-117.jar comes with the default Kepler 
installation). Is it possible to upgrade jce-jdk13-117.jar to 
jce-jdk13-120.jar within the Kepler installation?


Michal Owsiak <michalo at man.poznan.pl>
Poznan Supercomputing and Networking Center
ul. Noskowskiego 10, 61-704 Poznan, POLAND
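
An added example, not part of the original message and not Kepler or Globus code: a programmatic version of the jarsigner -verify check shown above, for auditing the jars of an installation for the condition behind "JCE cannot authenticate the provider BC". The class name JarSignatureCheck is an assumption; it needs Java 7 or later and reports whether a signature is present and intact plus the signer's subject and issuer, not whether the signer chains to the JCE Code Signing CA.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignatureCheck {
    // Signature bookkeeping files are never signed themselves, so skip them.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
            && (n.endsWith(".SF") || n.endsWith(".DSA") || n.endsWith(".RSA") || n.endsWith(".EC")));
    }

    static String check(String path) throws Exception {
        try (JarFile jar = new JarFile(path, true)) {        // true: verify digests on read
            if (jar.getManifest() == null) return "UNSIGNED (no manifest)";
            byte[] buf = new byte[8192];
            int signed = 0, unsigned = 0;
            X509Certificate cert = null;
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                // Signers are only known after the entry has been read to the end;
                // a modified entry makes read() throw SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { unsigned++; continue; }
                signed++;
                cert = (X509Certificate) signers[0].getSignerCertPath().getCertificates().get(0);
            }
            if (signed == 0) return "UNSIGNED (" + unsigned + " entries, none signed)";
            return (unsigned == 0 ? "SIGNED" : "PARTIALLY SIGNED (" + unsigned + " unsigned)")
                + " by " + cert.getSubjectX500Principal().getName()
                + ", issuer " + cert.getIssuerX500Principal().getName()
                + ", cert expires " + cert.getNotAfter();
        }
    }

    public static void main(String[] args) {
        for (String path : args) {
            try { System.out.println(path + ": " + check(path)); }
            catch (Exception ex) { System.out.println(path + ": INVALID (" + ex + ")"); }
        }
    }
}
```

Pass one or more jar paths as arguments, for example the two Bouncy Castle jars compared above; a jar with no manifest is reported the same way jarsigner reports jce-jdk13-117.jar.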
