- Bug
- Resolution: Done
- Blocker
- 7.0.0.ER5
- None
The productized BouncyCastle provider (BC) in EAP 7 can't be registered in Oracle Java.
Security providers registered in Oracle JDK have to be signed by Oracle [1]. The original (community) BouncyCastle bits are signed [2], but the productized ones are not, so the BC provider loaded from EAP modules will not work in Oracle JDK.
Components referencing BouncyCastle in the source code (see grep below):
- Web Services
  - the BouncyCastle library is required in order to use AES encryption with GCM for symmetric encryption in XML/WS-Security
  - JBWS 5+ has a new feature that loads the BC provider from the classpath (i.e. the module), which removes the need to statically install the BC provider in the JDK in use
  - there is a prepared testcase in the JBossWS testsuite that fails when BC is not available: https://github.com/jbossws/jbossws-cxf/blob/master/modules/testsuite/cxf-tests/src/test/java/org/jboss/test/ws/jaxws/samples/wsse/policy/basic/SignEncryptGCMTestCase.java
- RESTEasy
  - BouncyCastle is used in the non-supported, private RESTEasy-crypto module. An exception is thrown if a REST response is encrypted with an X509Certificate that was created by the BC provider using the RSA algorithm.
  - Exception: java.util.jar.JarException: jar:file:/home/mkopecky/jboss-eap-7.0/modules/system/layers/base/org/bouncycastle/main/bcprov-jdk15on-1.52.0.redhat-2.jar!/ has unsigned entries - org/bouncycastle/LICENSE.class
  - REST end-point example:
        @GET
        public EnvelopedOutput get() {
            EnvelopedOutput output = new EnvelopedOutput("hello world", "text/plain");
            output.setCertificate(CryptoCertResource.cert); // X509Certificate cert
            return output;
        }
- PicketLink
  - not used: no org.picketlink* module depends on the org.bouncycastle module, hence the BouncyCastle provider is not on the class-path
- Netty
  - not used
Grep for BouncyCastleProvider shows:
~/test/eap-src$ grep -R BouncyCastleProvider | egrep -v '^org/bouncycastle'
org/apache/cxf/rt/security/crypto/CryptoUtils.java: public static void installBouncyCastleProvider()
org/apache/cxf/rt/security/crypto/CryptoUtils.java: String bcClassName = "org.bouncycastle.jce.provider.BouncyCastleProvider";
org/apache/cxf/rt/security/crypto/CryptoUtils.java: if (Security.getProvider("org.bouncycastle.jce.provider.BouncyCastleProvider") == null) {
org/apache/cxf/rt/security/crypto/CryptoUtils.java: Security.addProvider((Provider)ClassLoaderUtils.loadClass("org.bouncycastle.jce.provider.BouncyCastleProvider", CryptoUtils.class).newInstance());
org/apache/cxf/rt/security/crypto/CryptoUtils.java: public static void removeBouncyCastleProvider()
org/apache/cxf/rt/security/crypto/CryptoUtils.java: Security.removeProvider("org.bouncycastle.jce.provider.BouncyCastleProvider");
org/apache/wss4j/common/crypto/WSProviderConfig$3.java: String bcProviderStr = WSProviderConfig.addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
org/apache/wss4j/common/crypto/WSProviderConfig$1.java: String bcProviderStr = WSProviderConfig.addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
org/apache/wss4j/common/crypto/WSProviderConfig.java: String bcProviderStr = WSProviderConfig.addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
org/apache/wss4j/common/crypto/WSProviderConfig.java: String bcProviderStr = WSProviderConfig.addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
org/picketlink/identity/federation/core/util/ProvidersUtil$1.java: ProvidersUtil.access$100("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
org/picketlink/identity/federation/core/util/ProvidersUtil.java: ProvidersUtil.addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
org/jboss/wsf/stack/cxf/Loggers.java: public abstract void cannotLoadBouncyCastleProvider(String paramString, @Cause Throwable paramThrowable);
org/jboss/wsf/stack/cxf/client/configuration/SecurityProviderConfig.java: Class<?> clazz = SecurityProviderConfig.class.getClassLoader().loadClass("org.bouncycastle.jce.provider.BouncyCastleProvider");
org/jboss/wsf/stack/cxf/client/configuration/SecurityProviderConfig.java: Loggers.ROOT_LOGGER.cannotLoadBouncyCastleProvider("org.jboss.ws.cxf.noLocalBC", t);
org/jboss/wsf/stack/cxf/client/configuration/SecurityProviderConfig$Holder.java: Class<?> clazz = SecurityProviderConfig.class.getClassLoader().loadClass("org.bouncycastle.jce.provider.BouncyCastleProvider");
org/jboss/wsf/stack/cxf/client/configuration/SecurityProviderConfig$Holder.java: Loggers.ROOT_LOGGER.cannotLoadBouncyCastleProvider("org.jboss.ws.cxf.noLocalBC", t);
org/jboss/wsf/stack/cxf/Loggers_$logger.java: private static final String cannotLoadBouncyCastleProvider = "JBWS024103: Could not load BouncyCastle security provider; either setup your classpath properly or prevent loading by using the '%s' system property.";
org/jboss/wsf/stack/cxf/Loggers_$logger.java: public final void cannotLoadBouncyCastleProvider(String property, Throwable cause)
org/jboss/wsf/stack/cxf/Loggers_$logger.java: log.logf(FQCN, Logger.Level.DEBUG, cause, cannotLoadBouncyCastleProvider$str(), property);
org/jboss/wsf/stack/cxf/Loggers_$logger.java: protected String cannotLoadBouncyCastleProvider$str()
org/jboss/wsf/stack/cxf/Loggers.i18n.properties:cannotLoadBouncyCastleProvider=Could not load BouncyCastle security provider; either setup your classpath properly or prevent loading by using the '%s' system property.
org/jboss/resteasy/jose/jwe/crypto/AES.java:import org.bouncycastle.jce.provider.BouncyCastleProvider;
org/jboss/resteasy/jose/jwe/crypto/AES.java: keygen = KeyGenerator.getInstance("AES", new BouncyCastleProvider());
org/jboss/resteasy/security/BouncyIntegration.java:import org.bouncycastle.jce.provider.BouncyCastleProvider;
org/jboss/resteasy/security/BouncyIntegration.java: Security.addProvider(new BouncyCastleProvider());
io/netty/handler/ssl/util/BouncyCastleSelfSignedCertGenerator.java:import org.bouncycastle.jce.provider.BouncyCastleProvider;
io/netty/handler/ssl/util/BouncyCastleSelfSignedCertGenerator.java: private static final Provider PROVIDER = new BouncyCastleProvider();
[1] https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html#Step61
[2] https://www.bouncycastle.org/latest_releases.html
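Added diagnostic (not part of this issue, EAP or BouncyCastle): it counts how many entries of a given bcprov jar carry no code signer, then registers the provider and requests an AES-GCM cipher from it, which is the point at which JCE verifies the provider jar rather than at Security.addProvider(). It assumes the jar under test is on the classpath; the class name BcProviderCheck is hypothetical.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.crypto.Cipher;

// Hypothetical diagnostic for the unsigned-provider problem described in this issue.
public class BcProviderCheck {

    // Returns the number of non-META-INF entries that carry no code signer.
    static int countUnsignedEntries(String jarPath) throws Exception {
        int unsigned = 0;
        try (JarFile jar = new JarFile(jarPath, true)) { // verify=true validates signature blocks
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only populated after the entry has been read to the end.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) unsigned++;
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path of the bcprov jar, e.g. the EAP module jar quoted in the exception above.
        System.out.println("unsigned entries: " + countUnsignedEntries(args[0]));

        // addProvider() succeeds regardless; the signature check happens on first JCE use.
        Provider bc = (Provider) Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider")
                .getDeclaredConstructor().newInstance();
        Security.addProvider(bc);
        try {
            Cipher.getInstance("AES/GCM/NoPadding", "BC");
            System.out.println("BC provider accepted by this JDK");
        } catch (SecurityException ex) {
            // Oracle JDK: "JCE cannot authenticate the provider BC", caused by the JarException quoted above.
            System.out.println("BC provider rejected: " + ex + " / cause: " + ex.getCause());
        } finally {
            Security.removeProvider("BC");
        }
    }
}
```

Run it once against the community bcprov jar and once against the productized one on the same Oracle JDK to see the two outcomes the issue contrasts.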
- is related to: JBEAP-287 Implementation version in Manifest does not reflect JAR version: Bouncy Castle JARs (Closed)
- relates to: JBEAP-3727 Missing testcase for BouncyCastle module usage (Closed)
- relates to: JBEAP-21195 "bcprov-jdk15on-1.67.0.redhat-00001.jar is not signed by a trusted signer" exception on IBM JDK (Closed)