
List:       bouncycastle-crypto-dev
Subject:    Fwd: [dev-crypto] Using BouncyCastle with Java-9?
From:       Phil Edwards <phil.m.edwards () gmail ! com>
Date:       2017-11-06 17:36:17
Message-ID: CAMcKv85C3ZKZSnRxE1ffo-CNA6r+KewPJHjYy+1aJboFA3xgBA () mail ! gmail ! com

Haven't tried doing it statically yet.  We've been able to add BC (well,
BCFIPS) as a provider at runtime.  The problem we've been having is with
BCFIPS, combined with Java 9's new hatred for reflective access.  After
loading and registering the provider, we then do a call to
Cipher.getMaxAllowedKeyLength() to check whether the user has correctly put
policy files in place.  (Our users have a choice of FIPS providers, combined
with a choice of whether to replace the policy files.  Starting with Java 9
you don't need replacement policy files, but the code was written under 7/8.)

Static providers should be working the same as in Java 8, from what I recall.

Anyway, the call to Cipher.getMaxAllowedKeyLength() causes noise at runtime.
It's "technically" just a warning, but this will become an error whenever the
next release of Java comes out:

WARNING: Illegal reflective access by org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom (file:/the/path/to/the/BCFIPS.jar) to method sun.security.jca.Providers.getSunProvider()
    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom.getSunProvider(Unknown Source)
    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom.<init>(Unknown Source)
    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(Unknown Source)
    at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(Unknown Source)
    at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(Unknown Source)
    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
    at java.base/java.security.SecureRandom.getInstance(SecureRandom.java:364)
    at java.base/java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:272)
    at java.base/java.security.SecureRandom.<init>(SecureRandom.java:218)
    at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:78)
    at java.base/javax.crypto.JceSecurityManager.<clinit>(JceSecurityManager.java:65)
    at java.base/javax.crypto.Cipher.getConfiguredPermission(Cipher.java:2611)
    at java.base/javax.crypto.Cipher.getMaxAllowedKeyLength(Cipher.java:2633)

The warning can be suppressed with the appropriate --add-opens option to the
java launcher (at runtime!), or an Add-Opens manifest entry for an executable
JAR file, etc.


> P.S. I've asked pretty much these questions on Stackoverflow.

That link gives an error, with "This question was voluntarily removed by its
author."  That doesn't really help anyone else who might be having the same
problem in the future, and who was hoping to read your solution (for example
https://xkcd.com/979/ et al).


Phil
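The runtime registration and policy-file check described in the message above, as an added example that is not code from the poster or from the Bouncy Castle project. It assumes the BCFIPS jar is on the class path, that an unrestricted policy makes Cipher.getMaxAllowedKeyLength report Integer.MAX_VALUE, and that the package to open is sun.security.jca in java.base, as read off the stack trace; the exact --add-opens value is therefore an assumption.

```java
import java.security.Security;
import javax.crypto.Cipher;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

/**
 * Registers BCFIPS at runtime, then verifies that the JCE policy in
 * force permits the key sizes the application needs.
 *
 * Launch on Java 9 with the reflective access explicitly opened so the
 * warning (and the future error) does not appear; the package name is
 * taken from the stack trace in the message and is an assumption:
 *
 *   java --add-opens java.base/sun.security.jca=ALL-UNNAMED PolicyCheck
 *
 * For an executable JAR the equivalent manifest main attribute is:
 *
 *   Add-Opens: java.base/sun.security.jca
 */
public class PolicyCheck {

    /** Key size the application insists on (constructed value). */
    private static final int REQUIRED_AES_BITS = 256;

    /** Returns true if the active policy allows the required AES key size. */
    static boolean policyAllowsRequiredKeySize() throws Exception {
        // Unrestricted policy (Java 9 default, or replaced policy files on
        // 7/8) reports Integer.MAX_VALUE; the old limited policy reports 128.
        int max = Cipher.getMaxAllowedKeyLength("AES");
        return max >= REQUIRED_AES_BITS;
    }

    public static void main(String[] args) throws Exception {
        // Position 1 makes BCFIPS the preferred provider for lookups.
        Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);

        // This is the call that triggers the reflective-access warning:
        // JceSecurity initialises a SecureRandom, which BCFIPS backs with
        // CoreSecureRandom, which reaches into sun.security.jca.Providers.
        if (!policyAllowsRequiredKeySize()) {
            throw new IllegalStateException(
                "JCE policy limits AES to "
                + Cipher.getMaxAllowedKeyLength("AES")
                + " bits; install the unlimited policy files or run on Java 9+");
        }
        System.out.println("BCFIPS registered and policy check passed");
    }
}
```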
