Error initializing KeyPairGenerator ( java.security.KeyPairGenerator ) with java OpenJDK Runtime Environment (build 1.8.0_382-b05) #1783

Open
DREGALLA opened this issue Aug 21, 2024 · 6 comments

DREGALLA commented Aug 21, 2024

Hi Team,
We are getting errors while creating the certificate.

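We get errors while generating KeyPairGenerator ( java.security.KeyPairGenerator ) with java OpenJDK Runtime Environment (build 1.8.0_382-b05). We have added the following dependencies in our pom.xml:

```xml
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15on</artifactId>
    <version>1.57</version>
    <scope>compile</scope>
</dependency>
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>1.57</version>
    <scope>compile</scope>
</dependency>
```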

It's working fine with OpenJDK Runtime Environment (build 1.8.0_322-b06 ).

```java
generator = KeyPairGenerator.getInstance(ALGORITHM, securityProvider); // this line is executed
generator.initialize(new ECGenParameterSpec(ELLIPTIC_CURVE), new SecureRandom()); // error executing this line
```

I had to catch this error by catching Throwable.

Stack trace:
```
WARN - Exception while getting the generator throwable org/bouncycastle/math/ec/custom/djb/Curve25519Point.withCompression
2024-08-19 07:12:25,405 [WebContainer : 6] pushnotification.PushNotificationKeyManager WARN - java.lang.NoSuchFieldError: org/bouncycastle/math/ec/custom/djb/Curve25519Point.withCompression
at org.bouncycastle.math.ec.custom.djb.Curve25519Point.(Unknown Source)
at org.bouncycastle.math.ec.custom.djb.Curve25519Point.(Unknown Source)
at org.bouncycastle.math.ec.custom.djb.Curve25519.(Unknown Source)
at org.bouncycastle.crypto.ec.CustomNamedCurves$1.createParameters(Unknown Source)
at org.bouncycastle.asn1.x9.X9ECParametersHolder.getParameters(Unknown Source)
at org.bouncycastle.crypto.ec.CustomNamedCurves.getByName(Unknown Source)
at org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util.(Unknown Source)
at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC.createKeyGenParamsJCE(Unknown Source)
at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC.initializeNamedCurve(Unknown Source)
at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC.initialize(Unknown Source)
at
at ...

Caused by: java.lang.NoSuchFieldError: org/bouncycastle/math/ec/custom/djb/Curve25519Point.withCompression
at org.bouncycastle.math.ec.custom.djb.Curve25519Point.<init>(Unknown Source) ~[bcprov-jdk15on-1.57.jar:1.57.0]
at org.bouncycastle.math.ec.custom.djb.Curve25519Point.<init>(Unknown Source) ~[bcprov-jdk15on-1.57.jar:1.57.0]
at org.bouncycastle.math.ec.custom.djb.Curve25519.<init>(Unknown Source) ~[bcprov-jdk15on-1.57.jar:1.57.0]
at org.bouncycastle.crypto.ec.CustomNamedCurves$1.createParameters(Unknown Source) ~[bcprov-jdk15on-1.57.jar:1.57.0]
at org.bouncycastle.asn1.x9.X9ECParametersHolder.getParameters(Unknown Source) ~[bc-fips-1.0.2.3.jar:1.0.2.3]
at org.bouncycastle.crypto.ec.CustomNamedCurves.getByName(Unknown Source) ~[bcprov-jdk15on-1.57.jar:1.57.0]
```

Please check and help us resolve the issue.

Thank you
Dattatreya
@DREGALLA
Author

Hi Team,
Could you please check and help us resolve the issue?

Thank you
Dattatreya

@peterdettman
Collaborator

The stack trace reveals that you also have bc-fips-1.0.2.3.jar in the classpath:

```
at org.bouncycastle.asn1.x9.X9ECParametersHolder.getParameters(Unknown Source) ~[bc-fips-1.0.2.3.jar:1.0.2.3]
```

FIPS and non-FIPS jars cannot be used together.

@DREGALLA
Author

Thank you @peterdettman

@DREGALLA
Author

DREGALLA commented Sep 4, 2024

Hi @peterdettman

I am facing the same error even after removing the fips jar. I can run the independent program when I remove the jar. But I am facing an error when I deploy my application.

Our java.security file is as follows. Do you think this will create a problem?


```
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
security.provider.3=sun.security.provider.Sun
security.provider.4=sun.security.rsa.SunRsaSign
security.provider.5=sun.security.ec.SunEC
security.provider.6=com.sun.net.ssl.internal.ssl.Provider
security.provider.7=com.sun.crypto.provider.SunJCE
security.provider.8=sun.security.jgss.SunProvider
security.provider.9=com.sun.security.sasl.Provider
security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.11=sun.security.smartcardio.SunPCSC

#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg

# Security providers used when FIPS mode support is active

fips.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
fips.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
fips.provider.3=sun.security.provider.Sun
fips.provider.4=com.sun.crypto.provider.SunJCE
fips.provider.5=com.sun.security.sasl.Provider
```


Please find the jar details below.
```
find / -iname bc-fips.jar*
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/lib/ext/bc-fips-1.0.2.1.jar
/opt/Avaya/Common/lib/bc-fips-1.0.2.1.jar
/opt/Avaya/wildfly-24.0.0.Final/standalone/tmp/vfs/deployment/deploymentaad4699bb62e6ea5/bc-fips-1.0.2.1.jar-8c1d6cd3e7520138/bc-fips-1.0.2.1.jar
/opt/IBM/WebSphere/AppServer/lib/ext/bc-fips-1.0.2.3.jar

find / -iname bcp.jar*
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/lib/ext/bcpkix-fips-1.0.5.jar
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/jruby-openssl-0.14.2-java/lib/org/bouncycastle/bcpkix-jdk18on/1.74/bcpkix-jdk18on-1.74.jar
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/jruby-openssl-0.14.2-java/lib/org/bouncycastle/bcprov-jdk18on/1.74/bcprov-jdk18on-1.74.jar
/usr/share/logstash/vendor/jruby/lib/ruby/stdlib/org/bouncycastle/bcpkix-jdk18on/1.71/bcpkix-jdk18on-1.71.jar
/usr/share/logstash/vendor/jruby/lib/ruby/stdlib/org/bouncycastle/bcprov-jdk18on/1.71/bcprov-jdk18on-1.71.jar
/opt/Avaya/Common/lib/bcpkix-fips-1.0.5.jar
/opt/Avaya/wildfly-24.0.0.Final/modules/system/layers/base/org/bouncycastle/bcpg/main/bcpg-jdk15on-1.68.jar
/opt/Avaya/wildfly-24.0.0.Final/modules/system/layers/base/org/bouncycastle/bcpkix/main/bcpkix-jdk15on-1.68.jar
/opt/Avaya/wildfly-24.0.0.Final/modules/system/layers/base/org/bouncycastle/bcprov/main/bcprov-jdk15on-1.68.jar
/opt/Avaya/wildfly-24.0.0.Final/standalone/tmp/vfs/deployment/deploymentaad4699bb62e6ea5/bcpg-fips-1.0.5.1.jar-8f2ba2bc1447ea24/bcpg-fips-1.0.5.1.jar
/opt/Avaya/wildfly-24.0.0.Final/standalone/tmp/vfs/deployment/deploymentaad4699bb62e6ea5/bcpkix-fips-1.0.5.jar-75a8f31e3a48c6a/bcpkix-fips-1.0.5.jar
/opt/Avaya/drs/lib/bcprov-jdk15.jar
/opt/Avaya/drs/lib/bcprov-jdk15on-169.jar
/opt/Avaya/dcm/gigaspace/lib/required/bcpkix-jdk15on-1.50.jar
/opt/Avaya/dcm/gigaspace/lib/required/bcprov-jdk15on-1.50.jar
/opt/Avaya/dcm/gigaspace/lib/required_was/bcpkix-jdk15on-1.50.jar
/opt/Avaya/dcm/gigaspace/lib/required_was/bcprov-jdk15on-1.50.jar
/opt/IBM/WebSphere/AppServer/lib/ext/bcpkix-fips-1.0.5.jar
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/Node01Cell/PSConnector-10.1.0.1.9.ear/psconnector-war-10.1.0.1-SNAPSHOT.war/WEB-INF/lib/bcpkix-jdk15on-1.57.jar
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/Node01Cell/PSConnector-10.1.0.1.9.ear/psconnector-war-10.1.0.1-SNAPSHOT.war/WEB-INF/lib/bcprov-jdk15on-1.57.jar
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/Node01Cell/PresenceServices-10.1.0.1.30.ear/psng-war-10.1.0.1-SNAPSHOT.war/WEB-INF/lib/bcpkix-jdk15on-1.57.jar
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/Node01Cell/PresenceServices-10.1.0.1.30.ear/psng-war-10.1.0.1-SNAPSHOT.war/WEB-INF/lib/bcprov-jdk15on-1.57.jar

find / -iname bct.jar*
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/lib/ext/bctls-fips-1.0.12.2.jar
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/jruby-openssl-0.14.2-java/lib/org/bouncycastle/bctls-jdk18on/1.74/bctls-jdk18on-1.74.jar
/usr/share/logstash/vendor/jruby/lib/ruby/stdlib/org/bouncycastle/bctls-jdk18on/1.71/bctls-jdk18on-1.71.jar
/opt/Avaya/Common/lib/bctls-fips-1.0.12.2.jar
/opt/IBM/WebSphere/AppServer/lib/ext/bctls-fips-1.0.12.2.jar
```
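
A diagnostic for the mixed-jar condition discussed in this thread, added here as an example (it is not code from the reporter or from the Bouncy Castle project): it reports which jar each registered provider and each class named in the stack trace resolves to, without running static initializers. The class name `BcClasspathCheck` and the choice of probe classes are assumptions; `org.bouncycastle.math.ec.ECPoint` is included as the base type of `Curve25519Point`.

```java
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeSet;

/** Added diagnostic (hypothetical name): shows where org.bouncycastle classes are loaded from. */
public class BcClasspathCheck {
    // Class names taken from the stack trace in the issue, plus ECPoint (assumption, see lead-in).
    static final String[] PROBES = {
        "org.bouncycastle.math.ec.ECPoint",
        "org.bouncycastle.math.ec.custom.djb.Curve25519Point",
        "org.bouncycastle.asn1.x9.X9ECParametersHolder",
        "org.bouncycastle.crypto.ec.CustomNamedCurves",
        "org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util",
    };

    static String origin(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null) ? "<bootstrap or unknown>" : cs.getLocation().toString();
    }

    /** Maps each probe class to the location it resolves to; initialize=false avoids the failing static init. */
    public static Map<String, String> locate(ClassLoader loader) {
        Map<String, String> found = new LinkedHashMap<>();
        for (String name : PROBES) {
            try {
                found.put(name, origin(Class.forName(name, false, loader)));
            } catch (ClassNotFoundException | LinkageError e) {
                found.put(name, "<not loadable: " + e + ">");
            }
        }
        return found;
    }

    public static void main(String[] args) {
        for (Provider p : Security.getProviders()) {
            System.out.println("provider " + p.getName() + " <- " + origin(p.getClass()));
        }
        Map<String, String> found = locate(Thread.currentThread().getContextClassLoader());
        found.forEach((k, v) -> System.out.println(k + " <- " + v));
        TreeSet<String> jars = new TreeSet<>(found.values());
        jars.removeIf(v -> v.startsWith("<"));   // drop unresolved entries before comparing
        if (jars.size() > 1) {
            System.out.println("MIXED: org.bouncycastle classes resolve to " + jars.size() + " locations: " + jars);
        }
    }
}
```

In a deployed application, call `locate()` from inside the application itself (for example from a startup hook) so that the container's class loader, including any `lib/ext` directories, is the one being queried rather than a standalone classpath.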

@dghgit
Contributor

dghgit commented Sep 8, 2024

Enterprise support for the FIPS edition is available at https://www.keyfactor.com/open-source/bouncy-castle-support/

@DREGALLA
Author

Thank you @dghgit
