Posted to dev@ws.apache.org by "Colm O hEigeartaigh (Closed) (JIRA)" <ji...@apache.org> on 2011/10/03 11:04:38 UTC

[jira] [Closed] (WSS-56) WSS4j statically inserts Bouncycastle and Juice in list of JCE providers

     [ https://issues.apache.org/jira/browse/WSS-56?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-56.
----------------------------------

    
> WSS4j statically inserts Bouncycastle and Juice in list of JCE providers
> ------------------------------------------------------------------------
>
>                 Key: WSS-56
>                 URL: https://issues.apache.org/jira/browse/WSS-56
>             Project: WSS4J
>          Issue Type: Bug
>         Environment: IBM JDK 1.4.2 (AIX)
>            Reporter: Fred Dushin
>             Fix For: 1.5.4
>
>
> As described in email
> The WSSConfig class insists on inserting the Bouncycastle JCE provider "first" (or second...) in the list of JCE providers, if it can be found on the classpath.
> The IBM JDK does not seem terribly appreciative of this fact, as the following test case illustrates.  For me, on AIX, using IBM's 1.4.02 JDK, the following code fails with "java.security.KeyStoreException: jks not found".  If I add the Bouncycastle provider to the end of the list of providers, I don't get the error.
> public class Test {
>     public static void
>     main(
>         String[] argv
>     ) {
>         try {
>             java.security.Security.insertProviderAt(
>                 (java.security.Provider) 
>                     Class.forName(
>                         "org.bouncycastle.jce.provider.BouncyCastleProvider"
>                     ).newInstance(), 
>                 2
>             );
>             final java.security.KeyStore keystore = 
>                 java.security.KeyStore.getInstance(
>                     "jks"
>             );
>             java.io.FileInputStream fis =
>                 new java.io.FileInputStream(
>                     "alice.jks"
>                 );
>             keystore.load(fis, "password".toCharArray());
>         } catch (Exception e) {
>             e.printStackTrace();
>         }
>     }
> }
> Truss on AIX shows some interesting behavior.  It looks like the JVM can't locate org/bouncycastle/jce/provider/JDKMessageDigest$SHA1.class, but it's a bit hard to decipher.
> In any event, I think the fact that the WSS4j toolkit is statically injecting a provider into the JVM at runtime is pretty wrong, especially in library code that has to co-exist peacefully in an otherwise potentially hostile environment...

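Added example, not WSS4J code and not part of the original report: two ways a library can use Bouncy Castle without displacing the JVM's own providers, either by passing the Provider instance to getInstance() per call or by appending it with Security.addProvider() instead of insertProviderAt(..., 2). The class name ProviderOrderDemo and its helper methods are hypothetical; the code assumes Java 7 or later and, as in the test case above, loads the provider reflectively so it also runs when Bouncy Castle is not on the classpath.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;

public class ProviderOrderDemo {  // hypothetical name, illustration only
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    /** Loads a provider reflectively; returns null if it is not on the classpath. */
    static Provider loadOptional(String className) {
        try {
            return (Provider) Class.forName(className).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | LinkageError e) {
            return null;
        }
    }

    /** Registers p behind all existing providers; false if it was already registered. */
    static boolean appendIfAbsent(Provider p) {
        if (Security.getProvider(p.getName()) != null) return false;
        return Security.addProvider(p) != -1;  // addProvider takes the next free (last) position
    }

    /** Current provider names in preference order. */
    static String order() {
        StringBuilder sb = new StringBuilder();
        for (Provider p : Security.getProviders()) sb.append(p.getName()).append(' ');
        return sb.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        String before = order();
        Provider bc = loadOptional(BC_CLASS);
        if (bc == null) {
            System.out.println("Bouncy Castle not on classpath; providers: " + before);
            return;
        }
        // Option 1: no global change; name the provider for the one call that needs it.
        MessageDigest md = MessageDigest.getInstance("SHA-1", bc);
        System.out.println("SHA-1 served by " + md.getProvider().getName());

        // Option 2: register globally, but last, so existing lookups resolve as before.
        appendIfAbsent(bc);
        System.out.println("before: " + before);
        System.out.println("after:  " + order());
        KeyStore ks = KeyStore.getInstance("jks");  // unqualified lookup, as in the report
        System.out.println("jks served by " + ks.getProvider().getName());
    }
}
```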