This is a one-way choice, so then bouncycastle becomes a JRE-provided lib (as jaxb was) for consumers, and bundles are no longer working or use other actual instances, making it potentially corrupted if bundles and part of the boot - potentially not just karaf jars - must share bc. Also note it would prevent some osgi manifest features (capabilities) from working if bc gets it at some point.
So guess the boot logic using it must be moved to early bundles too. Can be part of the jaxb work since it is exactly the same issue. Wdyt?

On Sun, Feb 2, 2020 at 16:53, Benjamin Graf <benjamin.g...@gmx.net> wrote:

> Hi together,
>
> how is it going with this topic? Actually bouncycastle is the de facto
> standard security library for karaf and bundled by default. So taking
> the approach explained by Robert sounds reasonable to upstream to Karaf
> itself and moving libs from system to boot and maybe even register
> org.apache.karaf.security.providers =
> org.bouncycastle.jce.provider.BouncyCastleProvider. Something to be
> solved before 4.3RC2?
>
> Regards,
>
> Benjamin
>
> On 15.01.2020 17:00, Robert Varga wrote:
> > On 15/01/2020 16:25, Benjamin Graf wrote:
> >> Hi,
> >>
> >> I'm actually playing around with the latest 4.3.0-SNAPSHOT. I recognize
> >> that the ssh bundle is using bouncycastle for reading pem files right
> >> now (KARAF-6383). The "issue" I'm facing is that if I like to set
> >> bouncycastle as the security provider via
> >> "org.apache.karaf.security.providers =
> >> org.bouncycastle.jce.provider.BouncyCastleProvider" I have to distribute
> >> the same bundle twice or otherwise have to remove it from system and add
> >> needed packages to "org.osgi.framework.bootdelegation".
> >>
> >> Anybody seeing a better solution?
> > Not sure, but in OpenDaylight we have two fragment bundles which attach
> > to framework bundle and expose all of BouncyCastle to OSGi:
> >
> > https://github.com/opendaylight/odlparent/tree/master/karaf/bcpkix-framework-ext
> > https://github.com/opendaylight/odlparent/tree/master/karaf/bcprov-framework-ext
> >
> > perhaps these should be upstreamed (but then we upgrade BC much more
> > quickly than we upgrade Karaf).
> >
> > Regards,
> > Robert