OpenSSL: no such provider: BC


#1

I am trying to use openssl cryptography. The program works fine in MRI
but fails under jruby. I think I am doing everything right, but it still
doesn't work.

The application includes a file called bouncycastle.rb and then tries
to use the encryption.

The require

if RUBY_PLATFORM =~ /java/ then
    require 'bouncycastle'
end

the bouncycastle.rb

require 'java'

java.security.Security.addProvider(org.bouncycastle.jce.provider.BouncyCastleProvider().new)

providers = java.security.Security.getProviders()

providers.each do |p|
    puts(p.getName())
end

Program output

SUN
SunRsaSign
SunJSSE
SunJCE
SunJGSS
SunSASL
XMLDSig
SunPCSC
SunMSCAPI
BC
java.lang.RuntimeException: java.security.NoSuchProviderException: no such provider: BC
        at org.bouncycastle.jce.provider.JCEBlockCipher.engineGetParameters(Unknown Source)
        at javax.crypto.Cipher.a(DashoA13*..)
        at javax.crypto.Cipher.init(DashoA13*..)
        at javax.crypto.Cipher.init(DashoA13*..)
        at org.jruby.ext.openssl.Cipher.doInitialize(Cipher.java:531)
        at org.jruby.ext.openssl.Cipher._final(Cipher.java:608)
        at org.jruby.ext.openssl.Cipher$i_method_0_0$RUBYINVOKER$_final.call(org/jruby/ext/openssl/Cipher$i_method_0_0$RUBYINVOKER$_final.gen)
        at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:260)
        at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:75)
        at org.jruby.ast.CallNoArgNode.interpret(CallNoArgNode.java:61)
        at org.jruby.ast.CallOneArgNode.interpret(CallOneArgNode.java:57)
        at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:101)
        at org.jruby.ast.BlockNode.interpret(BlockNode.java:68)
        at org.jruby.internal.runtime.methods.DefaultMethod.interpretedCall(DefaultMethod.java:165)
        at org.jruby.internal.runtime.methods.DefaultMethod.call(DefaultMethod.java:142)
        at org.jruby.internal.runtime.methods.DefaultMethod.call(DefaultMethod.java:297)
        at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:300)
        at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:157)
        at org.jruby.ast.FCallTwoArgNode.interpret(FCallTwoArgNode.java:38)
        at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:101)
        at org.jruby.ast.BlockNode.interpret(BlockNode.java:68)
        at org.jruby.internal.runtime.methods.DefaultMethod.interpretedCall(DefaultMethod.java:165)
        at org.jruby.internal.runtime.methods.DefaultMethod.call(DefaultMethod.java:142)
        at org.jruby.internal.runtime.methods.DefaultMethod.call(DefaultMethod.java:255)
        at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:280)
        at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:116)
        at init.__file__(init.rb:10)
        at init.__file__(init.rb)
        at init.load(init.rb)
        at org.jruby.Ruby.runScript(Ruby.java:560)
        at org.jruby.Ruby.runNormally(Ruby.java:463)
        at org.jruby.Ruby.runFromMain(Ruby.java:337)
        at org.jruby.Main.run(Main.java:214)
        at org.jruby.Main.run(Main.java:100)
        at org.jruby.Main.main(Main.java:84)
crypto.rb:63:in `aes': No message available (OpenSSL::Cipher::CipherError)
        from crypto.rb:24:in `decrypt_aes'
        from init.rb:10

My classpath is: CLASSPATH=.;C:\Program Files\Java\jre1.5.0_05\lib\ext\QTJava.zip;C:\Code\jruby\jruby-1.1.5\lib\jruby.jar;C:\Code\jruby\jruby-1.1.5\lib\bcprov-jdk14-141.jar;

the application fails in this function

def aes(mode,str)
    crypt = OpenSSL::Cipher::Cipher.new('aes-128-cbc')
    crypt.iv = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
    crypt.send(mode)
    crypt.key = key_hash(key, 16)
    crypt.update(str) << crypt.final
end

the key_hash function returns a fixed 16 character key string, nothing
complicated. mode is :encrypt or :decrypt

Any idea what I might be doing wrong?


To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

#2

Simon S. wrote:

the key_hash function returns a fixed 16 character key string, nothing complicated. mode is :encrypt or :decrypt

Which line does it fail on? We would want to look at that method in
JRuby-OpenSSL and see if we’re not properly registering BC.

The tricky bit of jossl + bc is that we tend to be registering and
unregistering BC a lot before and after certain operations. The reasons
for this are complex, but basically having a deployed application in a
server register its own security provider led to it being difficult or
impossible to deploy. So my guess is that there’s a method used by your
script where we’re not properly registering BC before performing some
action.

Can you narrow it down to a simple case and post a bug please?



#3

I’m unsure how to go about posting a bug, but I am attaching the whole
test program (with a dummy key) and the results from my machine which
should make it easily repeatable.

A second thing I forgot to mention is that I tried adding the security
provider to the java.security file instead of using the addProvider and
I get exactly the same results.

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

The preferred method is to not have to change the security file though
as not all of our users/admins will have this access.

Thanks,

Simon

----- Original Message ----
From: Charles Oliver N. removed_email_address@domain.invalid
To: removed_email_address@domain.invalid
Sent: Tuesday, 27 January, 2009 8:56:39
Subject: Re: [jruby-user] OpenSSL: no such provider: BC



#4

You can file bugs here: http://jira.codehaus.org/browse/JRUBY. Just
create an account if you don’t already have one.

I agree we shouldn’t have to modify the policy file. The unfortunate
situation is that Java’s crypto stuff in some cases only works with
registered providers, which is why we try to selectively register and
unregister BC. It’s a stupid, stupid design flaw in Java crypto, and if
we had an army of hackers we would probably try to get it fixed.

Go ahead and file the bug and do any exploration/research you can. We
have no real crypto experts on hand at the moment, but I think together
we can figure it out.

  • Charlie
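
The registered-provider dependency described in this reply, reduced to plain JCA calls as an added example (not code from JRuby-OpenSSL or Bouncy Castle): a lookup by provider name succeeds only while the provider is registered, while a lookup that is handed the Provider object works either way. SunJCE stands in for BC so it runs without the BC jar, and the class name ProviderLookupDemo is made up for the demo.

```java
import java.security.AlgorithmParameters;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;

// Added demo; the class name is made up. SunJCE stands in for BC (assumption)
// so no extra jar is needed.
public class ProviderLookupDemo {

    // By-name lookup: raises NoSuchProviderException when the named provider
    // is not in the JVM-wide registry at the moment of the call.
    static boolean lookupByName(String providerName) throws Exception {
        try {
            AlgorithmParameters.getInstance("AES", providerName);
            return true;
        } catch (NoSuchProviderException e) {
            System.out.println("  by name failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Provider p = Security.getProvider("SunJCE");
        if (p == null) {
            System.out.println("SunJCE not present in this JVM; nothing to show");
            return;
        }
        System.out.println("registered:   by name ok = " + lookupByName(p.getName()));

        // Take the provider out of the registry, as an "unregister" step would.
        Security.removeProvider(p.getName());
        try {
            System.out.println("unregistered: by name ok = " + lookupByName(p.getName()));
            // Passing the Provider object skips the registry, so this still works.
            AlgorithmParameters byObject = AlgorithmParameters.getInstance("AES", p);
            System.out.println("unregistered: by object  = " + byObject.getProvider().getName());
        } finally {
            // Re-register for the rest of the JVM (appended at the end of the list).
            Security.addProvider(p);
        }
    }
}
```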


#5

Thanks, bug report has been added. I have attached the script to
demonstrate the issue.

