Posted to issues@activemq.apache.org by "Jean-Baptiste Onofré (Jira)" <ji...@apache.org> on 2020/01/27 12:44:00 UTC

[jira] [Resolved] (AMQ-7142) Inserting Bouncy Castle Provider Early in Java Security Provider Chain Breaks KeyStore Loading

     [ https://issues.apache.org/jira/browse/AMQ-7142?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré resolved AMQ-7142.
---------------------------------------
    Resolution: Fixed

> Inserting Bouncy Castle Provider Early in Java Security Provider Chain Breaks KeyStore Loading
> ----------------------------------------------------------------------------------------------
>
>                 Key: AMQ-7142
>                 URL: https://issues.apache.org/jira/browse/AMQ-7142
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Camel
>    Affects Versions: 5.15.2
>         Environment: OpenJDK 11 (AdoptOpenJDK).
> Mac OS
>            Reporter: Nathan Hook
>            Assignee: Colm O hEigeartaigh
>            Priority: Blocker
>             Fix For: 5.16.0, 5.15.12
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The insertion of the Bouncy Castle Provider in the org.apache.activemq.broker.BrokerService class is causing issues with our app that is expecting one of the default SunJCE Ciphers to be called, but a Bouncy Castle Cipher is returned instead.
> This causes our Spring Security SAML keystores to not be loaded correctly because the Bouncy Castle Cipher thinks that the keystore was tampered with.
>  
> I believe that the source of the problem is this line in the BrokerService class:
> Security.insertProviderAt(bouncycastle, Integer.getInteger("org.apache.activemq.broker.BouncyCastlePosition", 2));
> Looking at the Java 11 source code there are 6 providers installed by the java.security.Security class in the initializeStatic method:
> {code:java}
> private static void initializeStatic() {
>  props.put("security.provider.1", "sun.security.provider.Sun");
>  props.put("security.provider.2", "sun.security.rsa.SunRsaSign");
>  props.put("security.provider.3", "com.sun.net.ssl.internal.ssl.Provider");
>  props.put("security.provider.4", "com.sun.crypto.provider.SunJCE");
>  props.put("security.provider.5", "sun.security.jgss.SunProvider");
>  props.put("security.provider.6", "com.sun.security.sasl.Provider");
> }{code}
>  
> If possible it would be great if the org.apache.activemq.broker.BrokerService class would call addProvider instead of insertProviderAt.
>  
> Thank you for your time.
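
Added example, not part of the original report or of ActiveMQ's code: it shows how a provider's position in the chain decides which implementation a lookup without an explicit provider resolves to, comparing insertProviderAt(…, 2) with addProvider. ShadowProvider and firstProviderFor are hypothetical names, the provider is a constructed stand-in for Bouncy Castle, and Java 9 or later is assumed.

```java
import java.security.Provider;
import java.security.Security;

public class ProviderOrderDemo {

    // Constructed stand-in for Bouncy Castle (assumption: not the real
    // provider). It only advertises Cipher.AES; the class name is a dummy
    // because this demo inspects lookup order and never instantiates it.
    static final class ShadowProvider extends Provider {
        ShadowProvider() {
            super("Shadow", "1.0", "constructed demo provider");
            put("Cipher.AES", "example.invalid.ShadowAesCipher");
        }
    }

    // First installed provider offering type/algorithm. Security.getProviders()
    // returns providers in preference order, which is the order that
    // getInstance() calls without an explicit provider argument walk.
    static String firstProviderFor(String type, String algorithm) {
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, algorithm) != null) {
                return p.getName();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        System.out.println("baseline:         " + firstProviderFor("Cipher", "AES"));

        Provider shadow = new ShadowProvider();
        // Same call shape as the line quoted from BrokerService: position 2
        // is ahead of SunJCE, so the inserted provider now wins the lookup.
        int pos = Security.insertProviderAt(shadow, 2);
        System.out.println("insertProviderAt: " + firstProviderFor("Cipher", "AES")
                + " (position " + pos + ")");
        Security.removeProvider("Shadow");

        // addProvider appends to the end of the chain, so the built-in
        // provider keeps precedence for algorithms both implement.
        pos = Security.addProvider(shadow);
        System.out.println("addProvider:      " + firstProviderFor("Cipher", "AES")
                + " (position " + pos + ")");
        Security.removeProvider("Shadow");
    }
}
```

Code that must not be affected by chain order can name the provider explicitly, for example Cipher.getInstance(transformation, "SunJCE").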


