• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Issues with bouncycastle upgrade.

 
Ranch Hand
Posts: 479
1
IntelliJ IDE Spring Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello,

A security vulnerability has been listed in bouncycastle-1.38 that I am using and have to upgradeto the latest version 1.71

Creating a Certificate signing request -  



Line [4] throws -


I have bcprov-jdk15to18-171.jar and bcpkix-jdk15to18-171.jar on CLASSPATH.

What could I be missing here?
 
Sheriff
Posts: 22784
131
Eclipse IDE Spring VI Editor Chrome Java Windows
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Can you post the full stack trace? Because I have a feeling that this exception error has a cause that shows what's actually going wrong.

Bouncy Castle is a great library, but it has terrible versioning. It doesn't use semantic versioning (semver) at all, so while you think that from 1.38 to 1.71 should be pretty simple, there is actually at least one, possibly more, version bump in between that introduced breaking changes.
 
Rajkamal Pillai
Ranch Hand
Posts: 479
1
IntelliJ IDE Spring Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Stacktrace:



Guessing the Algo 'name' has been changed, I checked SHA1WithRSA and SHA256WithRSAEncryption but to no avail.
After going through the documentation I found that all three are still available.

Thank you in advance, Rob!  
 
Rob Spoor
Sheriff
Posts: 22784
131
Eclipse IDE Spring VI Editor Chrome Java Windows
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
That looks like you have a version mismatch. Perhaps another Bouncy Castle JAR files made it onto your class path somehow. That can happen through a different dependency, or your application container (JBoss, WildFly, etc.) provides a version, or worst case even in the JDK somewhere. Another issue with Bouncy Castle is the different Maven artifacts that have different names but contain more-or-less the same classes. For instance, you use bcprov-jdk15to18, but there's also bcprov-jdk16, bcprov-jdk15on, bcprov-jdk14, and possibly more. All those others will not be excluded from the dependency tree because Maven doesn't know they're actually the same thing.
 
Saloon Keeper
Posts: 15551
364
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Are you using Maven? If so, show us the dependencies section of your POM.

Otherwise, show us the full command that you're using to run Java.
 
Rajkamal Pillai
Ranch Hand
Posts: 479
1
IntelliJ IDE Spring Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello Rob,

Your advice was really helpful.

Playing around with DefaultAlgorithmNameFinder, I ran into the Error -

java.lang.LinkageError: loader constraint violation: when resolving field "id_TA_ECDSA_SHA_1"
the class loader (instance of com/*****/*****/core/server/*****ClassLoader) of the referring class
, org/bouncycastle/asn1/eac/EACObjectIdentifiers, and the class loader (instance of java/net/URLClassLoader) for the field's resolved type
, org/bouncycastle/asn1/ASN1ObjectIdentifier, have different Class objects for that type

Further investigation revealed that there were older versions lying around (1.38, in fact).

Thanks a TON!


 
Rob Spoor
Sheriff
Posts: 22784
131
Eclipse IDE Spring VI Editor Chrome Java Windows
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You're welcome
reply
    Bookmark Topic Watch Topic
  • New Topic