JCE cannot authenticate the provider BC in java swing application

  1. edit jre\lib\security\java.security
  2. add security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
  3. copy bc*.jar to jre\lib\ext

To expand on the comment from GregS, all JCE provider JARs must be signed before they will be trusted by your Java runtime.

BouncyCastle dutifully supplies signed JARs that will work without a problem. However, if you extract class files from this JAR, or recompile the source, it will remove the signature and cause Java to reject the code.

See this related SO question: How to sign a custom JCE security provider


For those finding this issue but actually using SpongyCastle, it might be interesting to know that on Android there is no such signature test and for your tests you can use SpongyCastle via the openJDK-8 as that doesn't care about signatures neither.

For reference, with SpongyCastle the error reads:

java.lang.SecurityException: JCE cannot authenticate the provider SC

More information in this issue


We have been suffering with the same issue for a few weeks and had tried a lot of the suggested steps to no avail. Providing our solution below so others don't have to suffer like we did!

We were attempting to use bcprov-ext-jdk15on-162.jar, added to classpath, included in JBoss lib directories, bundled with WAR, marked as provided and added to JBoss /lib directories but no luck.

In the end, we tried different versions of bouncycastle and found a less recent version who's signature could be verified by our particular Java version's jarsigner (1.5X).

Despite the jar's signature being verifiable by our Java version, when the .jar is packaged into a WAR the signature was invalidated somehow by JBoss.

In the end, the solution for us was to;

1. Add bouncycastle jar to JBoss classpath
2. Add 'org.bouncycastle.jce.provider.BouncyCastleProvider' to 'java.security' providers
3. Mark bouncycastle in your WAR as a 'provided' dependency

Once we had a version of the .jar on our classpath and were sure that our WAR was not packaging it in we were golden.

The issue seems to be tightly coupled to whatever Java/JBoss version you happen to be using. So if this solution does not work for you I would suggest to test different versions of bouncycastle with

jarsigner -verify <bouncycastle.jar>

There are lot of solutions to this problem but unfortunately nobody talks about the causing issue.

If you are generating an executable jar that has BC.jar in it(in form of any dependency) than this issue would occur if below condition matches:

  1. Generating jar via eclipse's export option i.e. Export-> Runnable Jar File -> Libary Handling {extract required libraries into generated Jar}-> FINISH

Boom, now you have landed into trouble and you will face an error i.e. JCE can't authenticate the provider BC

The reason for above problem is, when you create a jar with option 1 than you are actually unpacking the BouncyCastle jar again that violates the security assosiated with BC. So, whenever you run it again java validates it and finds current BC.jar in your assosiated jar has an error.

So, guys make sure what you are doing is justified because by changing the JDK's security data that will make it work but not for everyone.

How to make it work?{This will work on local/personal machine only,not on every machine }

  1. edit jre\lib\security\java.security file
  2. add security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
  3. copy bc*.jar to jre\lib\ext

That's it.