JBEAP-3550 (JBoss Enterprise Application Platform)

BouncyCastle security provider can't be used in non-OpenJDK (missing signatures)


    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • 7.0.0.ER7
    • 7.0.0.ER5
    • Productization
    • None

      For Web Services:
      git clone https://github.com/jbossws/jbossws-cxf.git && cd jbossws-cxf
      mvn -Pwildfly1000 -Dnodeploy -Dserver.home=/home/development/jbossqe/JBEAP-7.0.0.ER5/build/jboss-eap-7.0 integration-test -Dtest=SignEncryptGCMTestCase


      The productized BouncyCastle provider (BC) in EAP 7 can't be registered in Oracle Java.

      Security providers registered in Oracle JDK have to be signed by Oracle [1]. The original (community) BC bits are signed [2], but the productized ones are not, so the BC provider loaded from the EAP modules will not work in Oracle JDK.
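      The following diagnostic is an added example (not code from EAP, jbossws or BouncyCastle) that makes the failure observable on a given JDK. It assumes the BC provider jar under test is on the classpath; the class name BcProviderCheck is made up for the example. It shows two things a practitioner wants to verify: whether the jar the provider class was loaded from carries any signer certificates at all, and whether the JDK's JCE framework accepts the provider. Note that Security.addProvider() never fails for an unsigned jar; the signature check runs lazily on the first JCE service request (Cipher, Mac, KeyGenerator, ...), which is why the problem surfaces inside WSS4J/CXF calls rather than at registration time.

```java
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import javax.crypto.Cipher;

/**
 * Added diagnostic, not part of EAP or jbossws: reports whether the BouncyCastle
 * provider found on the classpath is accepted by the running JDK's JCE framework.
 */
public class BcProviderCheck {

    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    public static void main(String[] args) throws Exception {
        Provider bc = (Provider) Class.forName(BC_CLASS).getDeclaredConstructor().newInstance();

        // Where did the provider class come from? For a signed jar the CodeSource
        // carries the signer certificates; an unsigned (re-built) jar has none.
        // Having certificates does not by itself prove the signer is one the JDK
        // trusts for JCE, but "no certificates" already means Oracle JDK will reject it.
        CodeSource src = bc.getClass().getProtectionDomain().getCodeSource();
        Certificate[] signers = (src == null) ? null : src.getCertificates();
        System.out.println("BC jar     : " + (src == null ? "(unknown)" : src.getLocation()));
        System.out.println("jar signed : " + (signers != null && signers.length > 0));

        // Registration always succeeds; the JDK does not verify the signature here.
        if (Security.getProvider(bc.getName()) == null) {
            Security.addProvider(bc);
        }

        // The signature check happens on the first JCE service request. Oracle JDK
        // throws SecurityException ("JCE cannot authenticate the provider BC") for an
        // unsigned or untrusted-signed jar; OpenJDK builds typically accept it.
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding", bc.getName());
            System.out.println("JCE accepts: yes (" + c.getProvider().getInfo() + ")");
        } catch (SecurityException e) {
            System.out.println("JCE accepts: no - " + e.getMessage());
            System.exit(1);
        }
    }
}
```

      Compile and run it with the BC jar from the EAP modules on the classpath (java -cp .:<path-to-bc-jar> BcProviderCheck); on Oracle JDK the productized jar should print "jar signed : false" and exit with status 1, while the community jar from [2] prints "JCE accepts: yes".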

      Components referencing BouncyCastle in the source code (see grep below):

      Grep for BouncyCastleProvider shows:

      ~/test/eap-src$ grep -R BouncyCastleProvider | egrep -v '^org/bouncycastle'
      org/apache/cxf/rt/security/crypto/CryptoUtils.java:  public static void installBouncyCastleProvider()
      org/apache/cxf/rt/security/crypto/CryptoUtils.java:    String bcClassName = "org.bouncycastle.jce.provider.BouncyCastleProvider";
      org/apache/cxf/rt/security/crypto/CryptoUtils.java:    if (Security.getProvider("org.bouncycastle.jce.provider.BouncyCastleProvider") == null) {
      org/apache/cxf/rt/security/crypto/CryptoUtils.java:      Security.addProvider((Provider)ClassLoaderUtils.loadClass("org.bouncycastle.jce.provider.BouncyCastleProvider", CryptoUtils.class).newInstance());
      org/apache/cxf/rt/security/crypto/CryptoUtils.java:  public static void removeBouncyCastleProvider()
      org/apache/cxf/rt/security/crypto/CryptoUtils.java:    Security.removeProvider("org.bouncycastle.jce.provider.BouncyCastleProvider");
      org/apache/wss4j/common/crypto/WSProviderConfig$3.java:    String bcProviderStr = WSProviderConfig.addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
      org/apache/wss4j/common/crypto/WSProviderConfig$1.java:    String bcProviderStr = WSProviderConfig.addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
      org/apache/wss4j/common/crypto/WSProviderConfig.java:            String bcProviderStr = WSProviderConfig.addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
      org/apache/wss4j/common/crypto/WSProviderConfig.java:            String bcProviderStr = WSProviderConfig.addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
      org/picketlink/identity/federation/core/util/ProvidersUtil$1.java:    ProvidersUtil.access$100("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
      org/picketlink/identity/federation/core/util/ProvidersUtil.java:        ProvidersUtil.addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
      org/jboss/wsf/stack/cxf/Loggers.java:  public abstract void cannotLoadBouncyCastleProvider(String paramString, @Cause Throwable paramThrowable);
      org/jboss/wsf/stack/cxf/client/configuration/SecurityProviderConfig.java:        Class<?> clazz = SecurityProviderConfig.class.getClassLoader().loadClass("org.bouncycastle.jce.provider.BouncyCastleProvider");
      org/jboss/wsf/stack/cxf/client/configuration/SecurityProviderConfig.java:        Loggers.ROOT_LOGGER.cannotLoadBouncyCastleProvider("org.jboss.ws.cxf.noLocalBC", t);
      org/jboss/wsf/stack/cxf/client/configuration/SecurityProviderConfig$Holder.java:      Class<?> clazz = SecurityProviderConfig.class.getClassLoader().loadClass("org.bouncycastle.jce.provider.BouncyCastleProvider");
      org/jboss/wsf/stack/cxf/client/configuration/SecurityProviderConfig$Holder.java:      Loggers.ROOT_LOGGER.cannotLoadBouncyCastleProvider("org.jboss.ws.cxf.noLocalBC", t);
      org/jboss/wsf/stack/cxf/Loggers_$logger.java:  private static final String cannotLoadBouncyCastleProvider = "JBWS024103: Could not load BouncyCastle security provider; either setup your classpath properly or prevent loading by using the '%s' system property.";
      org/jboss/wsf/stack/cxf/Loggers_$logger.java:  public final void cannotLoadBouncyCastleProvider(String property, Throwable cause)
      org/jboss/wsf/stack/cxf/Loggers_$logger.java:    log.logf(FQCN, Logger.Level.DEBUG, cause, cannotLoadBouncyCastleProvider$str(), property);
      org/jboss/wsf/stack/cxf/Loggers_$logger.java:  protected String cannotLoadBouncyCastleProvider$str()
      org/jboss/wsf/stack/cxf/Loggers.i18n.properties:cannotLoadBouncyCastleProvider=Could not load BouncyCastle security provider; either setup your classpath properly or prevent loading by using the '%s' system property.
      org/jboss/resteasy/jose/jwe/crypto/AES.java:import org.bouncycastle.jce.provider.BouncyCastleProvider;
      org/jboss/resteasy/jose/jwe/crypto/AES.java:      keygen = KeyGenerator.getInstance("AES", new BouncyCastleProvider());
      org/jboss/resteasy/security/BouncyIntegration.java:import org.bouncycastle.jce.provider.BouncyCastleProvider;
      org/jboss/resteasy/security/BouncyIntegration.java:      Security.addProvider(new BouncyCastleProvider());
      io/netty/handler/ssl/util/BouncyCastleSelfSignedCertGenerator.java:import org.bouncycastle.jce.provider.BouncyCastleProvider;
      io/netty/handler/ssl/util/BouncyCastleSelfSignedCertGenerator.java:  private static final Provider PROVIDER = new BouncyCastleProvider();
      

      [1] https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html#Step61
      [2] https://www.bouncycastle.org/latest_releases.html

              psakar@redhat.com Petr Sakar (Inactive)
              jbliznak@redhat.com Jan Blizňák
              Votes: 0
              Watchers: 17
