Skip to main content

We are developing a system using Java on Microsoft Azure AppService.


I’m developing a feature that uses the Box API in a system I’m developing.


Box API authentication is done via JWT using the SDK.


An error occurs at “BoxDeveloperEditionAPIConnection api = BoxDeveloperEditionAPIConnection.getAppEnterpriseConnection(boxConfig);” at runtime.


The error message is “class “org.bouncycastle.asn1.pkcs.rsapublickey”'s signer information does not match signer information of other classes in the same packag”.


I am using Box SDK version 3.4.0.



I would like to know the solution for this error.

Hello,



I was investigating a similar problem with Open JDK release. Maybe this would help:



In new Open JDK versions they are deprecating SHA1 algorithm. In file:





  • $JAVA_HOME/conf/security/java.security - Java 11 and 17


  • $JAVA_HOME/jre/lib/security/java.security - Java 8




You can look for a line starting with jdk.jar.disabledAlgorithms, for example it might look like this:



jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \

DSA keySize < 1024, SHA1 denyAfter 2019-01-01, \

include jdk.disabled.namedCurves



You can see entry SHA1 denyAfter 2019-01-01.



The bc-fips.jar was signed with SHA1 after 2019-01-01 which is the cutoff date for the change as the JDK documentation says, JAR signatures created after that date are not verified anymore. This somehow leads to the change in class loading order in the bc-fips.



Solution



So if you remove this SHA1 entry from the above you will get:



jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \

DSA keySize < 1024, \

include jdk.disabled.namedCurves



Once you re-enable this deprecated method it should work fine. If it doesn’t provide more details (with JDK version). You can also reach out to SDK team directly.


Reply