1
votes

I'm using the SSHJ library in a project. The SSHJ library uses the Bouncy Castle crypto.

In Eclipse all is good, but after I use one-jar to package everything into a single jar package, I'm facing issues with the Bouncy Castle lib. The bcprov-jdk15on-1.51.jar is included in the JAR package in /lib, where all the other libraries are as well, e.g. sshj.jar.

In the log I have these:

Security Provider class 'org.bouncycastle.jce.provider.BouncyCastleProvider' not found

and this

WARNING: Disabling high-strength ciphers: cipher strengths apparently limited by JCE policy

And functionally, the SFTP connection results in:

net.schmizz.sshj.transport.TransportException: Unable to reach a settlement: [diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1] and [diffie-hellman-group-exchange-sha256]

What I have tried:

  • Installed the Java JCE into /lib/security
    • Not sure why the above message still pops up about the disabled high-strength ciphers?
  • Tried "Security.addProvider(new BouncyCastleProvider());" in code

This is how everything works "as expected":

  • By putting the "bcprov-jdk15on-1.51.jar" into JAVA_HOME\lib\ext\
    • unfortunately this is the LAST option for me. I will have a huge headache maintaining the libraries in Java version update situations.

So, clearly there is some classpath issue with the BC library? Somewhere I read something about a signed security provider library having issues, but I did not quite understand that one... Maybe that is the reason here too?

Any ideas how this issue is solved? Any help on this issue is appreciated, thanks!

EDIT: My build.xml with suggested code-signing implemented:

    <target name="package_x" depends="package_y">
        <!-- Create manifest file for x -->
        <delete file="MANIFEST.MF"/>
        <manifest file="MANIFEST.MF">
            <attribute name="Main-Class" value="com.simontuffs.onejar.Boot"/>
            <attribute name="One-Jar-Main-Class" value="com.some.main.class.name"/>
            <attribute name="Class-Path" value="some_other_libs lib/bcprov-jdk15on.jar ." />
        </manifest>

        <!-- Copy properties file -->
        <copy todir="${module.dist.dir}">
            <fileset dir="${module.x.build.dir}/classes">
                <include name="**/*.properties"/>
            </fileset>
        </copy>

        <!-- Sign the BC jar before it is packaged -->
        <signjar destDir="${basedir}/distribute/lib/"
                alias="server" keystore="${module.x.src.dir}/keystore/myCSC.jks"
                storepass="pass"
                preservelastmodified="true">
            <path>
                <fileset dir="${basedir}/distribute/lib/" includes="bcprov-jdk15on.jar" />
            </path>
            <flattenmapper />
        </signjar>

        <!-- Construct the One-JAR file -->
        <echo message="Creating a ONE-jar package of the x files..." />

        <one-jar destfile="${module.dist.dir}/${module.x.package}" manifest="MANIFEST.MF">
            <main>
                <fileset dir="${module.x.build.dir}/classes/">
                    <exclude name="x-config.properties"/>
                </fileset>
            </main>

            <lib>
                <fileset dir="${basedir}/distribute/lib/" />
                <fileset dir="${module.common.dist.dir}" />
            </lib>
        </one-jar>

        <!-- Sign the resulting package(s) -->
        <signjar destDir="${module.dist.dir}"
                alias="server" keystore="${module.agent.src.dir}/keystore/myCSC.jks"
                storepass="pass"
                preservelastmodified="true">
            <path>
                <fileset dir="${module.dist.dir}" includes="**/*.jar" />
            </path>
            <flattenmapper />
        </signjar>
    </target>

2 Answers

1
votes

To implement a cryptographic provider, the jar needs to be signed:

If your provider is supplying encryption algorithms through the Cipher, KeyAgreement, KeyGenerator, Mac, or SecretKeyFactory classes, you will need to sign your JAR file so that the JCA can authenticate the code at runtime.

Bouncy Castle jars are signed. You have repackaged all classes into a single jar, but you have not said that you have signed it, so I guess you did not do it. SSHJ is probably using some encryption algorithm and could not initialize Bouncy Castle.

Options:

  • Sign your code with a code signing certificate

  • Deploy also bcprov-jdk15on-1.51.jar with your app
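A constructed diagnostic (added here, not code from the question, SSHJ, one-jar or Bouncy Castle) that separates the two problems this answer and the log lines point at: whether the JCE will authenticate the provider jar it actually loaded from, and whether the policy files cap key sizes. Run it from inside the packaged JAR; the class name and the expected code-source URL shape are assumptions.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;

/**
 * Constructed diagnostic (assumed name): not part of SSHJ, one-jar or Bouncy Castle.
 * Run it from inside the packaged JAR to see whether the JCE accepts the
 * Bouncy Castle provider and whether the policy files limit key sizes.
 */
public class BcProviderCheck {

    public static void main(String[] args) throws Exception {
        // 1. Where does the provider class come from? With lib/ext this is a plain
        //    bcprov jar on disk; with one-jar it is a location inside the outer jar
        //    (assumption about one-jar's URL form). The JCE verifies the signature of
        //    the jar at that location, so a repackaged copy is a different artifact
        //    from the signed bcprov jar.
        Class<?> bc = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
        System.out.println("Provider loaded from: "
                + bc.getProtectionDomain().getCodeSource().getLocation());

        Provider provider = (Provider) bc.getDeclaredConstructor().newInstance();
        if (Security.getProvider(provider.getName()) == null) {
            Security.addProvider(provider);
        }

        // 2. The "cipher strengths apparently limited by JCE policy" warning maps to
        //    this limit: 128 means the unlimited-strength policy files are not active
        //    in the JRE that actually runs the jar (check JAVA_HOME of that JRE).
        System.out.println("Max AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));

        // 3. The JCE checks the provider jar's signature lazily, on first use of a
        //    Cipher/KeyAgreement from that provider. An unverifiable jar fails here
        //    with a SecurityException ("JCE cannot authenticate the provider BC").
        try {
            Cipher.getInstance("AES/CTR/NoPadding", "BC");
            KeyAgreement.getInstance("DH", "BC"); // the DH key exchange SSHJ negotiates
            System.out.println("BC provider accepted by the JCE");
        } catch (SecurityException e) {
            System.out.println("BC provider rejected: " + e.getMessage());
        }
    }
}
```

If step 3 fails while step 1 shows a plain bcprov jar in lib/ext, the jar itself is the problem; if it fails only when loaded from inside the one-jar, the packaging is.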

1
votes

Answering my own question:

Two solutions:

  1. Add the library to Java's lib/ext
    • This really was not a solution for me, but it might work for someone else.
  2. Use JDotSoft JarClassLoader
    • Simple to use and seems to provide support for adding JCE providers such as Bouncy Castle.
    • Added the BC jar into the main JAR by Ant build: <zipfileset dir="/build/libsToInclude/" includes="*.jar" prefix="lib/"/> and the classloader did the rest.