Issues with the BouncyCastle provider
-------------------------------------
Key: JRUBY-4535
URL: http://jira.codehaus.org/browse/JRUBY-4535
Project: JRuby
Issue Type: Bug
Components: OpenSSL
Affects Versions: JRuby-OpenSSL 0.6
Reporter: Giedrius Noreikis

Hi,

we are running Redmine (it's implemented in Ruby) on a Glassfish V3 AS (of
course, using the JRuby container). The jruby-openssl gem has to be installed
as well, in order for the IMAP email receiving to function (actually, we are
not using SSL, but I couldn't find an option to disable this requirement). All
the time we were facing strange issues with the BouncyCastle provider. We have
several applications deployed on the Glassfish which use the BC provider.
Sometimes, the BC just disappears (judging from the logs, despite the BC being
configured statically), and the appropriate application crashes.

Further analysis (I was hunting this bug for a few days) showed that the root
of the problem lies in
org.jruby.ext.openssl.OpenSSLReal.getWithBCProvider().

The design of this method is based on the following logic. It installs the BC
provider, then executes the specified action, and then removes the BC provider
(i.e. installs it just "temporarily"). This can work in a stand-alone
application, but never on an AS. Imagine the BC was already installed - either
statically, or by another application running on the same AS. The first
addProvider() effectively does nothing. However, the removeProvider() does
remove the BC - from the entire AS, of course.

If the AS is running with a security manager enabled, however, the insertion or
removal of a security provider may be prevented, leading to runtime exceptions.

Having several years of experience with Java and JCE/JCA, I believe it's
impossible to remove a JCE provider safely once it is installed. Any other
application may start using it immediately, once the provider is installed, and
the consequences of the removal "in the middle of the action" are always hard
to predict.

To fix this bug, at least, a check should be performed to determine if the BC
is already installed. If it is installed, it should be assigned to the "public
static java.security.Provider PROVIDER", and then never ever get removed by the
getWithBCProvider().
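
The install/run/remove pattern described in the report, next to the "check first, never remove" variant it asks for, as an added example that is not part of the original report and not jruby-openssl code. The class and method names and the "DemoBC" stand-in provider are constructed for illustration (Java 9+).

```java
import java.security.Provider;
import java.security.Security;
import java.util.concurrent.Callable;

public class ProviderScopeDemo {
    // Constructed stand-in for the BouncyCastle provider, so no extra jar is needed.
    static final class DemoProvider extends Provider {
        DemoProvider() { super("DemoBC", "1.0", "constructed stand-in provider"); }
    }

    // The pattern from the report: install, run the action, remove unconditionally.
    static <T> T withProviderUnsafe(Provider p, Callable<T> action) throws Exception {
        Security.addProvider(p); // returns -1 and changes nothing if the name is already installed
        try {
            return action.call();
        } finally {
            // The provider list is JVM-wide: this also removes a provider that
            // another application or the static configuration had installed.
            Security.removeProvider(p.getName());
        }
    }

    // The requested check: reuse an installed provider and never remove it.
    static <T> T withProviderShared(Provider p, Callable<T> action) throws Exception {
        if (Security.getProvider(p.getName()) == null) {
            Security.addProvider(p);
        }
        return action.call();
    }

    static boolean installed() {
        return Security.getProvider("DemoBC") != null;
    }

    public static void main(String[] args) throws Exception {
        // Simulates another application on the same server installing the provider first.
        Security.addProvider(new DemoProvider());
        withProviderUnsafe(new DemoProvider(), () -> "done");
        System.out.println("after unsafe call, still installed: " + installed());

        // Restore the other application's provider, then use the guarded variant.
        Security.addProvider(new DemoProvider());
        withProviderShared(new DemoProvider(), () -> "done");
        System.out.println("after shared call, still installed: " + installed());
    }
}
```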