Markus, all, in WSS4J 1.5.0 we removed the explicit "BC" provider when loading a Cipher or other crypto stuff. We try to load the BC and/or JuiCE provider dynamically:
- in WSConfig we try to load the BC provider and put it on the highest possible position (that number 2) on the provider list - then we check if JuiCE provider is available (the Apache JuiCE JCE provider that uses the openSSL crypto library). If available put it on highest possible position This function looks up provider classes in the CLASSPATH. If a provider class is not found this provider is silently ignored. Thus is both providers are available we have: - JuiCE on position 2, BC on poisition 3. If only BC is available BC is on position 2. When load a Cipher class we relay on the JCE lookup mechanisms hat uses the topmost provider that offers the algorithm. We did that because we try to have those providers on top that offer all algos we need, or in case of JuiCE the fastest provider. Reading the mail thread below it could be that we may run into problems with this WebSphere version because we put the BC and/or JuiCE on position 2 in the list - and it seems that WebSphere doesn't like that. And this is, AFAIK, in contradicition to the JCE specs. Maybe we need to implement a configuration parameter the defines "which position to use when dynamically inserting JCE providers". Regards, Werner > -----Ursprüngliche Nachricht----- > Von: Markus Backman [mailto:[EMAIL PROTECTED] > Gesendet: Donnerstag, 4. Mai 2006 08:00 > An: [email protected] > Cc: David Hook > Betreff: Re: [dev-crypto] PROBLEM INSTALLING BOUNCYCASTLE IN > WEBSPHERE 5.1.2 ENVIROMENT > > Hi > > I have tried to change the location of the bouncycastle jar, > in the ext > lib, the war files lib dir and the ear. Nothing seams to > work. The wss4j > code used the following to get the padding mechanism (as far as I can > tell. I am going to takes this on their dev mailinglist also). > > Cipher.getInstance("RSA/NONE/OAEPPADDING", "BC"); > > So it mentions the BC as provider so it must be something > that is wrong > with the Websphere 5.1.2 enviroment. A possible solution is to make > changes to the wss4j code to ignore BC and use algorithm supported by > IBM JCE. But I havn't investigated the amount of work this > would require. > > I also been in contact with Benjamin Francioni that posted the first > question about websphere and bouncycastle on this mailinglist > (link in > my previous mail). And he didn't find any solution to the > problem so he > used jakarta tomcat instead. Below is a cut from he's answer: > > Unfortunately, I didn't solve this problem: > IBM JRE doesn't support this algo. > IBM JRE doesn't support BouncyCastle that implements this algo. > IBM support wasn't able to help me . > So I decided myself to use Tomcat with a Sun JVM. > > > So it seams that this is a very annoying limit in the IBM websphere > product. Hopefully I will get some form of response for this > problem by > IBM and put some pressure on them to make it work in future > versions so > that Bouncycastle can be used also under a IBM jre. > > Regards, > Markus > > David Hook wrote: > > >The only thing I can suggest is it's a class loader issue, > although I've > >no idea how it would be caused. Does your use of the padding > mechanism > >explicitly mention BC? That might help, other than that I'd > try moving > >the provider jar around if possible. > > > >Regards, > > > >David > > > >On Wed, 2006-05-03 at 17:25 +0200, Markus Backman wrote: > > > > > >>Hi > >> > >>The problem I have encountered was during a development of a WSS4J > >>(Web Service Security four Java) based Web Service. WSS4J has > >>requirement that BouncyCastle is availible as a provider. > The following > >>description states the enviroment and the development > process not only > >>for the use of bouncycastle but also the WSS4J. > >> > >>I have successfully managed to secure an Axis based Web > Service with > >>WSS4J. During the development I used SUNs JDK1.4.2_11 and > Jakarta Tomcat > >>5.0.30. I ran the test client and the deployed Web Service > on the same > >>machine both running under jre1.4.2_11. This due to make > sure that it > >>ran on the only requirement we have on the client platform, > jre1.4.2 or > >>later. This testcases worked fine. But as the company I > work for has > >>Websphere 5.1 as J2EE servers I started to move the Web > Service to WSAD > >>and a Websphere 5.1 server. When doing so I ran into a > problem. I know > >>WSS4J has a requriment on BouncyCastle so I started with > updating the > >>java.security file under the IBM 1.4 jre Websphere 5.1 is > running on. I > >>added the BouncyCastle provider as number 4, as number one > needs to be > >>suns default and 2 and 3 needs to be to IBM providers as the server > >>would start otherwise, and started the server. I ran the > >>testclient(under SUNs jre 1.4.2_11) again but recieved the > following > >>exception on the server. > >> > >>"Original Exception was > javax.crypto.NoSuchPaddingException: Padding: > >>ISO10126Padding not implemented" > >> > >>A quick check on BouncyCastles website stated that > ISO10126Padding is > >>implemented. So the BouncyCastle provider can't be > correctly installed > >>on the Websphere 5.1 server. A google later showed that a > small number > >>of people encountered this before, but with no description > on what the > >>solution are, for example: > >> > >>http://article.gmane.org/gmane.comp.encryption.bouncy-castle > .devel/2378/match=com+ibm+security+bootstrap+jdkmessagedigest+sha1 > >> > >>Has anyone successfully deployed BouncyCastle in a Websphere 5.1.2 > >>enviroment? If so how did you set up your java.security file? > >> > >>I am using WSS4J 1.1.0 that ships with > bcprov-jdk13-128.jar. I have placed > >>it in the ext lib under the IBM jre(1.4) that runs the 5.1.2 server. > >> > >>I am desperate for some assistance. > >> > >>Thanks > >>Markus > >> > >> > >> > >> > > > > > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
