The case: I am maintaining a Java applet which uses the BouncyCastle libraries bcpkix-jdk15on-149.jar and bcprov-jdk15on-149.jar.
After a lot of searching and some posts on the BC mailing list, I found the solution, so I am dropping it here for others who may face this issue:
The solution is basically to sign the BC library a second time with my own certificate.
The JAR needs the JCA signature in order to be trusted as a cryptography provider, so do not remove it.
The JAR also needs (in addition) a code signature in order to be able to be run in the JVM (trusted by the JRE).
One last thing: some incompatibility happened with the signature technology.
Here is the magic parameter to add to the jarsigner command to make it happen: -digestalg SHA1
Sample command:
jarsigner -keystore ./mykeystore.jks -storepass myPass -digestalg SHA1 bcprov-jdk15on-149.jar myAlias
... and you're done!
The following post gave me the tip: What prevents Java from verifying signed jars with multiple signature algorithms
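A check to run after the second signing pass, as an added example that is not part of the original post: it lists every signer recorded in a JAR's META-INF directory with the digest algorithm each one used, so you can confirm that the original JCA signature is still present next to your own and that both use the same algorithm. It assumes the incompatibility mentioned above is a digest-algorithm mismatch between the two signatures; the signer names VENDOR and MYALIAS and the sample JAR are constructed, and the script reads signature metadata only and does not verify any signature.

```python
import io
import re
import zipfile

# Matches "SHA1-Digest:", "SHA-256-Digest-Manifest:" etc. in a .SF file.
DIGEST_ATTR = re.compile(
    r"^([A-Za-z0-9-]+)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.MULTILINE)
BLOCK_EXTS = (".RSA", ".DSA", ".EC")

def signature_report(jar_bytes):
    """Map each signer (META-INF/<NAME>.SF) to the digest algorithms it used."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = {n.upper() for n in jar.namelist()}
        for name in jar.namelist():
            upper = name.upper()
            if not (upper.startswith("META-INF/") and upper.endswith(".SF")):
                continue
            stem = upper[:-3]
            text = jar.read(name).decode("utf-8", "replace")
            report[stem.split("/")[-1]] = {
                "digests": sorted(set(DIGEST_ATTR.findall(text))),
                # A signer needs a signature block file next to its .SF file.
                "has_block": any(stem + ext in names for ext in BLOCK_EXTS),
            }
    return report

def mixed_digests(report):
    """True when the signers did not all use the same digest algorithm."""
    return len({a for info in report.values() for a in info["digests"]}) > 1

def build_sample_jar(second_alg):
    """Constructed sample: VENDOR signed with SHA1, MYALIAS with second_alg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        for signer, alg in (("VENDOR", "SHA1"), ("MYALIAS", second_alg)):
            sf = ("Signature-Version: 1.0\r\n"
                  f"{alg}-Digest-Manifest: Y29uc3RydWN0ZWQ=\r\n\r\n"
                  "Name: org/example/A.class\r\n"
                  f"{alg}-Digest: Y29uc3RydWN0ZWQ=\r\n\r\n")
            jar.writestr(f"META-INF/{signer}.SF", sf)
            jar.writestr(f"META-INF/{signer}.RSA", b"constructed placeholder")
        jar.writestr("org/example/A.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    for alg in ("SHA-256", "SHA1"):
        rep = signature_report(build_sample_jar(alg))
        print(alg, rep, "mixed digests:", mixed_digests(rep))
```

To inspect a real file, pass its bytes, for example the contents of the re-signed bcprov-jdk15on-149.jar read in binary mode, to signature_report.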