class "org.bouncycastle.asn1.pkcs.rsapublickey"'s signer information does not match signer information of other classes in the same packag

Hello,

I was investigating a similar problem with Open JDK release. Maybe this would help:

In new Open JDK versions they are deprecating SHA1 algorithm. In file:

• $JAVA_HOME/conf/security/java.security - Java 11 and 17


• $JAVA_HOME/jre/lib/security/java.security - Java 8

You can look for a line starting with jdk.jar.disabledAlgorithms, for example it might look like this:

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \

      DSA keySize < 1024, SHA1 denyAfter 2019-01-01, \

      include jdk.disabled.namedCurves

You can see entry SHA1 denyAfter 2019-01-01.

The bc-fips.jar was signed with SHA1 after 2019-01-01 which is the cutoff date for the change as the JDK documentation says, JAR signatures created after that date are not verified anymore. This somehow leads to the change in class loading order in the bc-fips.

Solution

So if you remove this SHA1 entry from the above you will get:

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \

      DSA keySize < 1024, \

      include jdk.disabled.namedCurves

Once you re-enable this deprecated method it should work fine. If it doesn’t provide more details (with JDK version). You can also reach out to SDK team directly.