Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Log security provider registration failures #374

Merged
merged 2 commits into from
Oct 11, 2017
Merged

Log security provider registration failures #374

merged 2 commits into from
Oct 11, 2017

Conversation

charego
Copy link
Contributor

@charego charego commented Oct 10, 2017

On my servers, BouncyCastle was failing to register because the java.security file listed DSA as a disabled algorithm (no matter the keysize). It wasn't clear from the logs that the problem was that the BouncyCastle jar was signed using DSA.

INFO [net.schmizz.sshj.common.SecurityUtils] Registration of Security Provider 'org.bouncycastle.jce.provider.BouncyCastleProvider' unexpectedly failed
INFO [net.schmizz.sshj.common.SecurityUtils] BouncyCastle not registered, using the default JCE provider

By logging the root cause, it's much easier to identify and fix the problem.

INFO [net.schmizz.sshj.common.SecurityUtils] Registration of Security Provider 'org.bouncycastle.jce.provider.BouncyCastleProvider' unexpectedly failed
java.lang.SecurityException: JCE cannot authenticate the provider BC
	at javax.crypto.JceSecurity.getInstance(JceSecurity.java:113)
	at javax.crypto.KeyAgreement.getInstance(KeyAgreement.java:270)
	at net.schmizz.sshj.common.SecurityUtils.registerSecurityProvider(SecurityUtils.java:73)
	at net.schmizz.sshj.common.SecurityUtils.register(SecurityUtils.java:250)
	at net.schmizz.sshj.common.SecurityUtils.isBouncyCastleRegistered(SecurityUtils.java:228)
	at net.schmizz.sshj.DefaultConfig.<init>(DefaultConfig.java:78)
	at net.schmizz.sshj.SSHClient.<init>(SSHClient.java:134)
	...
Caused by: java.util.jar.JarException: file:/path/to/org.bouncycastle.bcprov-jdk15on-1.56.jar is not signed by a trusted signer.
	at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:538)
	at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:361)
	at javax.crypto.JarVerifier.verify(JarVerifier.java:289)
	at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:159)
	at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:185)
	at javax.crypto.JceSecurity.getInstance(JceSecurity.java:109)
	... 37 common frames omitted
INFO [net.schmizz.sshj.common.SecurityUtils] BouncyCastle not registered, using the default JCE provider
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting CAST5/CBC/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting CAST5/CTR/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting IDEA/CBC/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting IDEA/CTR/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting Serpent/CBC/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting Serpent/CTR/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting Serpent/CBC/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting Serpent/CTR/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting Serpent/CBC/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting Serpent/CTR/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting Twofish/CBC/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting Twofish/CTR/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting Twofish/CBC/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting Twofish/CTR/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting Twofish/CBC/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting Twofish/CTR/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Cannot find any provider supporting Twofish/CBC/NoPadding
WARN [net.schmizz.sshj.DefaultConfig       ] Disabling high-strength ciphers: cipher strengths apparently limited by JCE policy

FWIW, I fixed my problem by changing

jdk.certpath.disabledAlgorithms=DSA, ... (other disabled algorithms)

to

jdk.certpath.disabledAlgorithms=DSA keySize < 1024, ... (other disabled algorithms)

@hierynomus hierynomus merged commit 823f1e5 into hierynomus:master Oct 11, 2017
@charego charego deleted the bouncycastle-registration branch October 12, 2017 01:21
CCLiu added a commit to CCLiu/sshj that referenced this pull request Jan 11, 2018
@CCLiu
merge (#1)
b265cfd 
* Check whether filename is a child of the current file (Fixes hierynomus#341)

* Fixed codacy

* Updated README release notes

* Removed oraclejdk7 as that is no longer supported on trusty, added openjdk

* Added gradle caching to travis config

* Removed use of DataTypeConverter as that is no longer in default JDK9

* Removed build of broken openJDK7 in favour of using animal-sniffer to detect java 1.6 compatibility

* Improved test stability

* Correctly determine KeyType for ECDSA public key (Fixes hierynomus#356)

* fixed build

* Fixed Java9 build?

* Disambiguated signature initialization

* Removed deprecated method

* Organised imports

* Added 'out/' to gitignore

* Added support for new-style fingerprints (hierynomus#365)

* Added support for new-style fingerprints

* Fixed codacy warnings

* Fix decoding signature bytes (Fixes hierynomus#355, hierynomus#354) (hierynomus#361)

* Fix for signature verify in DSA

* Cleaned up signature verification

* Fixed import

* Ignored erroneous pmd warnings

* Updated JavaDoc

* Extracted ASN.1/DER encoding to method (hierynomus#368)

* Update net.i2p.crypto:eddsa to 0.2.0 (hierynomus#372)

* Update net.i2p.crypto:eddsa to 0.2.0

* Update net.i2p.crypto.eddsa to 0.2.0

* Update net.i2p.crypto.eddsa to 0.2.0

* Update net.i2p.crypto.eddsa to 0.2.0

* Log security provider registration failures (hierynomus#374)

* Migrate remaining block ciphers

* Updated README for v0.23.0 release

* Using new release plugin

* Updated build plugins

* Fix escaping in WildcardHostMatcher (hierynomus#382)

* Escape '[' and ']' in WildcardHostMatcher

* Anchoring regex to match entire string (Fixes hierynomus#381)

* Updated builds to include CodeCov

* - Experimenting with travis

* - fix ip for online testing

* - account for different working dir

* - yaml-yaml

* - double before_install

* - still -d

* - try common format

* - Fixed server keys
- Use sshj branding

* - grr, ip

* - minor improvements

* - eh?

* - switch username back

* - orly?

* - desperation

* - One more time

* Upgraded gradle to cope with java9

* Separated out integration tests

* Fixed length bug in putString (Fixes hierynomus#187)

* Removed docker from travis yml as it is included in gradle build now

* Added integration test to travis

* Update AndroidConfig (hierynomus#389)

* Add EdDSA signature for AndroidConfig.

* Initialize KeyExchange- and FileKeyProviderFactories with registered "bouncyCastle" (in fact, SpongyCastle is registered).

See hierynomus#308 for discussion.

* Added integration test for append scenario (Fixes hierynomus#390)

* Fixed headers
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hierynomus hierynomus hierynomus approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@charego @hierynomus