
List:       bouncycastle-crypto-dev
Subject:    Re: [dev-crypto] Using BouncyCastle with Java-9?
From:       Uri Blumenthal <uri () mit ! edu>
Date:       2017-11-07 2:48:20
Message-ID: E07D99A7-FC2C-49F5-898D-B020B1776098 () mit ! edu

The maintainers of Stackoverflow suggested closing my question. So down it went. And since there was no solution - either mine or anybody else's (the comments basically said "it can't be done") - there was no point arguing. Sorry that you got to it after the fireworks finished.

After looking more at Java-9, I find it screwed up enough to avoid it for the near future. Will stay with Java-8 instead for as long as practical, and then we'll see.


On Nov 6, 2017, at 12:36, Phil Edwards <phil.m.edwards@gmail.com> wrote:

Haven't tried doing it statically yet.  We've been able to add BC (well,
BCFIPS) as a provider at runtime.  The problem we've been having is with
BCFIPS, combined with Java 9's new hatred for reflective access.  After
loading and registering the provider, we then do a call to
Cipher.getMaxAllowedKeyLength() to check whether the user has correctly put
policy files in place.  (Our users have a choice of FIPS providers, combined
with a choice of whether to replace the policy files.  Starting with Java 9
you don't need replacement policy files, but the code was written under 7/8.)

Static providers should be working the same as in Java 8, from what I recall.

Anyway, the call to Cipher.getMaxAllowedKeyLength() causes noise at runtime.
It's "technically" just a warning, but this will become an error whenever the
next release of Java comes out:

WARNING: Illegal reflective access by org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom (file:/the/path/to/the/BCFIPS.jar) to method sun.security.jca.Providers.getSunProvider()
   at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom.getSunProvider(Unknown Source)
   at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom.<init>(Unknown Source)
   at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
   at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$2.run(Unknown Source)
   at java.base/java.security.AccessController.doPrivileged(Native Method)
   at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getDefaultSecureRandom(Unknown Source)
   at org.bouncycastle.jcajce.provider.ProvRandom$1.createInstance(Unknown Source)
   at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(Unknown Source)
   at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
   at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
   at java.base/java.security.SecureRandom.getInstance(SecureRandom.java:364)
   at java.base/java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:272)
   at java.base/java.security.SecureRandom.<init>(SecureRandom.java:218)
   at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:78)
   at java.base/javax.crypto.JceSecurityManager.<clinit>(JceSecurityManager.java:65)
   at java.base/javax.crypto.Cipher.getConfiguredPermission(Cipher.java:2611)
   at java.base/javax.crypto.Cipher.getMaxAllowedKeyLength(Cipher.java:2633)

The warning can be suppressed with the appropriate --add-opens option to the
java launcher (at runtime!), or an Add-Opens manifest entry for an executable
JAR file, etc.


> P.S. I've asked pretty much these questions on Stackoverflow.

That link gives an error, with "This question was voluntarily removed by its
author."  That doesn't really help anyone else who might be having the same
problem in the future, and who was hoping to read your solution (for example
https://xkcd.com/979/ et al).


Phil


--
Uri Blumenthal
uri@mit.edu
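An added example (not code from either poster or from Bouncy Castle) that does what Phil's message describes: register the provider at runtime, then call Cipher.getMaxAllowedKeyLength() to tell whether the unlimited-strength policy is in effect. The provider class name is the one in the stack trace; the --add-opens module and package in the comment are read off the warning ("java.base/sun.security.jca"), and the jar path and class name PolicyCheck are assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

/**
 * Hypothetical policy check wrapper (added example, not BC's or the posters' code).
 *
 * Java 9 launcher line to silence the illegal-reflective-access warning from the
 * post; module and package are taken from the warning itself (path is assumed):
 *   java --add-opens java.base/sun.security.jca=ALL-UNNAMED -cp bc-fips.jar:. PolicyCheck
 * Equivalent manifest entry for an executable JAR:
 *   Add-Opens: java.base/sun.security.jca
 */
public class PolicyCheck {

    // Class name from the stack trace in the post. It is loaded by name so this
    // file compiles even when the BCFIPS jar is only present at run time.
    static final String BCFIPS_CLASS =
        "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";

    /**
     * Registers the provider at runtime. Returns its 1-based position in the
     * provider list, or -1 when a provider of that name was already installed.
     */
    static int registerProvider(String className) throws ReflectiveOperationException {
        Provider p = (Provider) Class.forName(className)
                .getDeclaredConstructor().newInstance();
        return Security.addProvider(p);
    }

    /**
     * True when the unlimited-strength policy is in effect for AES.
     * With the legacy restricted policy (Java 7/8 without the replacement policy
     * jars) this value is 128; with the unlimited policy (replaced jars on 7/8, or
     * the Java 9 default) it is Integer.MAX_VALUE.
     *
     * This is the call that first initialises javax.crypto.JceSecurity, which
     * constructs a SecureRandom; with BCFIPS registered that goes through
     * CoreSecureRandom and produces the reflective-access warning in the post.
     */
    static boolean unlimitedPolicy() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    public static void main(String[] args) throws Exception {
        int pos = registerProvider(BCFIPS_CLASS);
        System.out.println("provider position: " + pos + " (-1 = already installed)");
        System.out.println("java.version:      " + System.getProperty("java.version"));
        System.out.println("unlimited policy:  " + unlimitedPolicy());
    }
}
```

The check is deliberately done once at startup: JceSecurity's static initialiser runs only the first time, so this is the one place the warning (and, on a later release, the error) will surface, which makes it the natural place to verify that the --add-opens option or the Add-Opens manifest entry has actually reached the launcher.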

