I am facing an issue when loading a BKS (BouncyCastle) keystore in a Spring-based application running on Oracle JDK 21. The same code works without any issues on OpenJDK 21.
Environment details:
OS: Oracle Linux 9.6
JDK (problematic): Oracle JDK 21
JDK (working): OpenJDK 21
App Server: JBoss EAP 8
Keystore Type: BKS
Provider: BouncyCastle 1.82

I reproduced the issue locally by setting up the exact same environment (Oracle Linux 9.6 + Oracle JDK 21). On OpenJDK 21 the keystore loads successfully; on Oracle JDK 21 it fails.

    static {
        // Force BC to load first
        Security.removeProvider("BC");
        Security.insertProviderAt(new BouncyCastleProvider(), 1);
    }

    private void contextInitialized() {
        Security.addProvider(new BouncyCastleProvider());
        InputStream keystoreStream = getClass().getClassLoader()
                .getResourceAsStream(propertyConfig.getMcashKeystoreConfig());
        KeyStore keystore = KeyStore.getInstance("BKS", "BC");
        keystore.load(keystoreStream, propertyConfig.getMcashKeystorePassword().toCharArray());
        key = keystore.getKey(
                propertyConfig.getMcashKeyAlias(),
                propertyConfig.getMcashKeyPassword().toCharArray()
        );
    }

Provider list (Oracle JDK 21)
Even after inserting the provider at index 1, the keystore still fails:

    [BC version 1.82, SUN version 21, SunRsaSign version 21, SunEC version 21, SunJSSE version 21, SunJCE version 21, ...]

Error stack trace

    java.security.UnrecoverableKeyException: no match
        at java.base/sun.security.provider.KeyProtector.recover(KeyProtector.java:XXX)
        at java.base/sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:XXX)
        at java.base/java.security.KeyStore.getKey(KeyStore.java:XXX)
        at com.myapp.wallet.service.ContextProvider.contextInitialized(ContextProvider.java:XX)

The alias exists, and passwords are correct in both environments. The keystore loads perfectly on OpenJDK 21 with the same file and password.
What I have tried
Added BouncyCastle to java.security:

    security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider

Forced the provider programmatically:

    Security.removeProvider("BC");
    Security.insertProviderAt(new BouncyCastleProvider(), 1);

Verified the provider order via logging.
Verified keystore integrity using keytool -list.
Recreated the entire environment locally — issue only appears on Oracle JDK 21.

Expected result
BKS keystore should load successfully on Oracle JDK 21, same as OpenJDK 21.

Actual result
Oracle JDK 21 always throws UnrecoverableKeyException: no match. OpenJDK 21 works without any issues.

Question
Is there a known incompatibility or restriction in Oracle JDK 21 related to the BouncyCastle BKS keystore type?
Why does the same BKS keystore load correctly under OpenJDK 21 but fail under Oracle JDK 21, even with BouncyCastle inserted at provider position 1?
What is the correct way to make Oracle JDK 21 load a BKS keystore reliably?
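
An added diagnostic, not part of the original post and not BouncyCastle or JBoss code: the stack trace above passes through sun.security.provider.JavaKeyStore, so a useful check is what format the keystore file actually has and which provider backs the KeyStore object. The class name KeystoreFormatCheck, the sample password and the sample bytes are constructed for illustration, and the BKS branch assumes a BKS file begins with a 4-byte version field of 1 or 2.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.security.KeyStore;

public class KeystoreFormatCheck {

    // Classify a keystore file by its first four bytes, read as a big-endian int.
    static String sniff(byte[] head) {
        if (head.length < 4) return "too short";
        int magic = ByteBuffer.wrap(head, 0, 4).getInt();
        if (magic == 0xFEEDFEED) return "JKS";
        if (magic == 0xCECECECE) return "JCEKS";
        // Assumption: BKS starts with its store version (1 or 2).
        if (magic == 1 || magic == 2) return "BKS (version " + magic + ")";
        // PKCS12 and BCFKS are both DER SEQUENCEs, so the tag alone cannot separate them.
        if ((head[0] & 0xFF) == 0x30) return "ASN.1 DER (PKCS12 or BCFKS)";
        return "unknown";
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // constructed sample password

        // Constructed sample: an empty JKS store written by the JDK's own provider.
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, pw);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        jks.store(out, pw);

        // Constructed sample: only the version field of a BKS header.
        byte[] bksHead = {0, 0, 0, 2};

        System.out.println("JDK-written store : " + sniff(out.toByteArray()));
        System.out.println("BKS header sample : " + sniff(bksHead));

        // Provider and type identify the implementation that getKey() will reach.
        System.out.println("provider=" + jks.getProvider().getName()
                + " type=" + jks.getType());
    }
}
```

Running sniff over the first bytes of the deployed keystore resource, and logging getProvider() and getType() on the object returned by KeyStore.getInstance, shows on each JDK whether the file and the implementation handling it are both BKS.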
