Issues with bouncycastle upgrade.

Hello,

A security vulnerability has been listed in bouncycastle-1.38 that I am using and have to upgradeto the latest version 1.71

Creating a Certificate signing request -  

JcaPKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(                               new X500Principal( "...", new String[]{ hostName } )                               , keypair.getPublic()); ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA")                               .build(keypair.getPrivate());

Line [4] throws -
java.lang.NoClassDefFoundError: Could not initialize class org.bouncycastle.operator.jcajce.OperatorHelper org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.<init>(Unknown Source)

I have bcprov-jdk15to18-171.jar and bcpkix-jdk15to18-171.jar on CLASSPATH.

What could I be missing here?

Can you post the full stack trace? Because I have a feeling that this exception error has a cause that shows what's actually going wrong.

Bouncy Castle is a great library, but it has terrible versioning. It doesn't use semantic versioning (semver) at all, so while you think that from 1.38 to 1.71 should be pretty simple, there is actually at least one, possibly more, version bump in between that introduced breaking changes.

Stacktrace:

java.lang.NoSuchFieldError: id_RSASSA_PSS_SHAKE128 at org.bouncycastle.operator.DefaultSignatureNameFinder.<clinit>(Unknown Source) at org.bouncycastle.operator.jcajce.OperatorHelper.<clinit>(Unknown Source) at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.<init>(Unknown Source) at com.xxxxxx.xxx.broker.ext.command.CreateClientCertificate.invoke(CreateXXXXXXClientCertificate.java:205) at com.xxxxxx.yyyyy.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1275) at com.xxxxxx.yyyyy.core.cmd.CommandInvoker.invokeCommand(CommandInvoker.java:1000) at com.xxxxxx.yyyyy.core.cmd.CommandInvoker.invoke(CommandInvoker.java:969) at com.xxxxxx.yyyyy.remote.servlet.CommandServlet.doPost(CommandServlet.java:217)

Guessing the Algo 'name' has been changed, I checked SHA1WithRSA and SHA256WithRSAEncryption but to no avail.
After going through the documentation I found that all three are still available.

Thank you in advance, Rob!  

That looks like you have a version mismatch. Perhaps another Bouncy Castle JAR files made it onto your class path somehow. That can happen through a different dependency, or your application container (JBoss, WildFly, etc.) provides a version, or worst case even in the JDK somewhere. Another issue with Bouncy Castle is the different Maven artifacts that have different names but contain more-or-less the same classes. For instance, you use bcprov-jdk15to18, but there's also bcprov-jdk16, bcprov-jdk15on, bcprov-jdk14, and possibly more. All those others will not be excluded from the dependency tree because Maven doesn't know they're actually the same thing.

Are you using Maven? If so, show us the dependencies section of your POM.

Otherwise, show us the full command that you're using to run Java.

Hello Rob,

Your advice was really helpful.

Playing around with DefaultAlgorithmNameFinder, I ran into the Error -

java.lang.LinkageError: loader constraint violation: when resolving field "id_TA_ECDSA_SHA_1"
the class loader (instance of com/*****/*****/core/server/*****ClassLoader) of the referring class
, org/bouncycastle/asn1/eac/EACObjectIdentifiers, and the class loader (instance of java/net/URLClassLoader) for the field's resolved type
, org/bouncycastle/asn1/ASN1ObjectIdentifier, have different Class objects for that type

Further investigation revealed that there were older versions lying around (1.38, in fact).

Thanks a TON!

You're welcome