JDK11 build 17, JCE cannot authenticate the provider BC

[pethers]

JDK11 build 17, dropped VeriSign Trust Network cert used for signing
http://jdk.java.net/11/release-notes

Any test using the latest JDK11 build 17(worked well with build16), will fail with below.

Caused by: java.lang.SecurityException: JCE cannot authenticate the provider BC
at java.base/javax.crypto.JceSecurity.getInstance(JceSecurity.java:143)
at java.base/javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:252)
at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.initialize(StandardPBEByteEncryptor.java:694)
... 72 common frames omitted
Caused by: java.util.jar.JarException: file:/var/lib/jenkins/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.59/bcprov-jdk15on-1.59.jar has unsigned entries - org/bouncycastle/LICENSE.class
at java.base/javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:459)
at java.base/javax.crypto.JarVerifier.verifyJars(JarVerifier.java:314)
at java.base/javax.crypto.JarVerifier.verify(JarVerifier.java:257)
at java.base/javax.crypto.ProviderVerifier.verify(ProviderVerifier.java:129)
at java.base/javax.crypto.JceSecurity.verifyProvider(JceSecurity.java:189)
at java.base/javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:215)
at java.base/javax.crypto.JceSecurity.getInstance(JceSecurity.java:139)

something is not right here. We don't use a VeriSign certificate for signing. The latest JCE signing certificate is issued by Oracle.

I've checked this with build 17, it appears our existing signing certificates still work. You might be facing a class loader issue instead.

[pethers]

The think the problem is the trust-chain Legion of the Bouncy Castle Inc -> JCE Code Signing CA ->
VeriSign Universal Root Certification Authority.

But can be wrong so will test again, maybe I used OpenJDK instead of Oracle build or something with the class loader as you suggest.

Used 'openssl asn1parse -inform der -in BC2048KE.DSA | grep PRINTABLESTRING'
3121:d=17 hl=2 l= 2 prim: PRINTABLESTRING :US
3134:d=17 hl=2 l= 14 prim: PRINTABLESTRING :VeriSign, Inc.
3159:d=17 hl=2 l= 22 prim: PRINTABLESTRING :VeriSign Trust Network
3192:d=17 hl=2 l= 49 prim: PRINTABLESTRING :(c) 2008 VeriSign, Inc. - For authorized use only
3252:d=17 hl=2 l= 47 prim: PRINTABLESTRING :VeriSign Universal Root Certification Authority
3344:d=17 hl=2 l= 2 prim: PRINTABLESTRING :US
3357:d=17 hl=2 l= 20 prim: PRINTABLESTRING :Symantec Corporation
3388:d=17 hl=2 l= 22 prim: PRINTABLESTRING :Symantec Trust Network
3421:d=17 hl=2 l= 31 prim: PRINTABLESTRING :Symantec SHA256 TimeStamping CA
4460:d=17 hl=2 l= 2 prim: PRINTABLESTRING :US
4473:d=17 hl=2 l= 20 prim: PRINTABLESTRING :Symantec Corporation
4504:d=17 hl=2 l= 22 prim: PRINTABLESTRING :Symantec Trust Network
4537:d=17 hl=2 l= 31 prim: PRINTABLESTRING :Symantec SHA256 TimeStamping CA
4614:d=17 hl=2 l= 2 prim: PRINTABLESTRING :US
4627:d=17 hl=2 l= 20 prim: PRINTABLESTRING :Symantec Corporation
4658:d=17 hl=2 l= 22 prim: PRINTABLESTRING :Symantec Trust Network
4691:d=17 hl=2 l= 40 prim: PRINTABLESTRING :Symantec SHA256 TimeStamping Signer - G2
5787:d=17 hl=2 l= 2 prim: PRINTABLESTRING :US
5800:d=17 hl=2 l= 20 prim: PRINTABLESTRING :Symantec Corporation
5831:d=17 hl=2 l= 22 prim: PRINTABLESTRING :Symantec Trust Network
5864:d=17 hl=2 l= 31 prim: PRINTABLESTRING :Symantec SHA256 TimeStamping CA

The cert above is for the timestamp on the signature, not the actual JCE signing certificate. I'm not sure why they would be checking the timestamp server if the certificate is still valid.

By class loader issue, I meant the provider might be getting loaded by a class loader that is now regarded as insecure by the JCE, or there might, somehow, be two versions of BC on the class path. It's hard to see what else it would be as our local Java 11 build is still working. I've seen signing errors like this show up in similar situations (basically things seem to get horribly confused).

[pethers]

Tested to verify with jarsigner

JDK11-b17 ./jarsigner -verify bcprov-jdk15on-1.59.jar -J-Djava.security.debug=jar
jar: beginEntry META-INF/MANIFEST.MF
jar: beginEntry META-INF/BC1024KE.SF
jar: processEntry: processing block
jar: beginEntry META-INF/BC1024KE.DSA
jar: processEntry: processing block
jar: processEntry caught: java.io.IOException: invalid manifest format
jar: beginEntry META-INF/BC2048KE.SF
jar: processEntry: processing block
jar: beginEntry META-INF/BC2048KE.DSA
jar: processEntry: processing block
jar: processEntry caught: java.io.IOException: invalid manifest format
jar: done with meta!
jar: nothing to verify!
jar: Unsupported signer attribute: 1.2.840.113549.1.9.16.2.47

Java8
jarsigner -verify bcprov-jdk15on-1.59.jar

jar verified.

Warning:
This jar contains entries whose certificate chain is not validated.
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2020-04-25) or after any future revocation date.

[pethers]

Not sure but think that if the build server contains ca-certificates-java package, that are old and still contain deprecated certificates it might work because of that.

I also see the jarsigner error - that's got to be a bug. I don't see any failure if I try to use the jar directly though (no build server)... I think we may need to wait for b18, it looks an awful lot like someone had a bright idea that wasn't.

[pethers]

Latest jdk11b19 works, so probably safe to close this one.

./jarsigner -verify bcprov-jdk15on-1.59.jar

jar verified.

Warning:
This jar contains entries whose certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Phew!