tomaswolf commented on issue #590:
URL: https://github.com/apache/mina-sshd/issues/590#issuecomment-2323424687
We have the following direct imports from org.bouncycastle:
```
~/git/mina-sshd/sshd-core $ find . -name "*.java" -exec grep -nHi 'import org.bouncycastle' {} \;
./src/test/java/org/apache/sshd/common/cipher/OpenSshCipherTest.java:33:import org.bouncycastle.jce.provider.BouncyCastleProvider;
./src/test/java/org/apache/sshd/client/opensshcerts/ClientOpenSSHCertificatesTest.java:44:import org.bouncycastle.jce.provider.BouncyCastleProvider;
./src/main/java/org/apache/sshd/common/kex/SNTRUP761.java:24:import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
./src/main/java/org/apache/sshd/common/kex/SNTRUP761.java:25:import org.bouncycastle.crypto.SecretWithEncapsulation;
./src/main/java/org/apache/sshd/common/kex/SNTRUP761.java:26:import org.bouncycastle.pqc.crypto.ntruprime.SNTRUPrimeKEMExtractor;
./src/main/java/org/apache/sshd/common/kex/SNTRUP761.java:27:import org.bouncycastle.pqc.crypto.ntruprime.SNTRUPrimeKEMGenerator;
./src/main/java/org/apache/sshd/common/kex/SNTRUP761.java:28:import org.bouncycastle.pqc.crypto.ntruprime.SNTRUPrimeKeyGenerationParameters;
./src/main/java/org/apache/sshd/common/kex/SNTRUP761.java:29:import org.bouncycastle.pqc.crypto.ntruprime.SNTRUPrimeKeyPairGenerator;
./src/main/java/org/apache/sshd/common/kex/SNTRUP761.java:30:import org.bouncycastle.pqc.crypto.ntruprime.SNTRUPrimeParameters;
./src/main/java/org/apache/sshd/common/kex/SNTRUP761.java:31:import org.bouncycastle.pqc.crypto.ntruprime.SNTRUPrimePrivateKeyParameters;
./src/main/java/org/apache/sshd/common/kex/SNTRUP761.java:32:import org.bouncycastle.pqc.crypto.ntruprime.SNTRUPrimePublicKeyParameters;
~/git/mina-sshd/sshd-core $ cd ../sshd-common
~/git/mina-sshd/sshd-common $ find . -name "*.java" -exec grep -nHi 'import org.bouncycastle' {} \;
./src/test/java/org/apache/sshd/common/cipher/BaseCipherResetTest.java:35:import org.bouncycastle.jce.provider.BouncyCastleProvider;
./src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleKeyPairResourceParser.java:45:import org.bouncycastle.openssl.PEMDecryptorProvider;
./src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleKeyPairResourceParser.java:46:import org.bouncycastle.openssl.PEMEncryptedKeyPair;
./src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleKeyPairResourceParser.java:47:import org.bouncycastle.openssl.PEMKeyPair;
./src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleKeyPairResourceParser.java:48:import org.bouncycastle.openssl.PEMParser;
./src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleKeyPairResourceParser.java:49:import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
./src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleKeyPairResourceParser.java:50:import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
./src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleRandom.java:26:import org.bouncycastle.crypto.prng.RandomGenerator;
./src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleRandom.java:27:import org.bouncycastle.crypto.prng.VMPCRandomGenerator;
./src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleRandomFactory.java:24:import org.bouncycastle.crypto.prng.RandomGenerator;
./src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleGeneratorHostKeyProvider.java:34:import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
./src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleEncryptedPrivateKeyInfoDecryptor.java:28:import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
./src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleEncryptedPrivateKeyInfoDecryptor.java:29:import org.bouncycastle.pkcs.PKCSException;
./src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleEncryptedPrivateKeyInfoDecryptor.java:30:import org.bouncycastle.pkcs.jcajce.JcePKCSPBEInputDecryptorProviderBuilder;
~/git/mina-sshd/sshd-common $
```
We can ignore test classes. None of these classes exist in bc-fips 2.0.0.
So in sshd-core, there's only the new SNTRUP761, and that is properly
guarded. It won't be used if the classes are not present.
In common, there is stuff for PEM and PKCS8 parsing. The classes are not
present in bc-fips anyway, so there's no way this can ever work with bc-fips.
Apparently the `PKCS8PEMResourceKeyPairParser` is the problem with its
`Decryptor`. This needs a plain JCE fallback, so that we never even try to use
BC there if it isn't present.
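The shape of the JCE fallback the comment asks for, as an added sketch that is not mina-sshd's code: decrypt a DER-encoded PKCS#8 `EncryptedPrivateKeyInfo` with only `javax.crypto`, and probe for the BouncyCastle class by name instead of importing it, so the parser still loads when BC (or bc-fips without that class) is on the classpath. The class name `JcePkcs8Decryptor`, the probe helper and the assumption that the installed JCE providers support the PBE algorithm named in the structure are mine.

```java
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical helper: JCE-only PKCS#8 decryption with a BC presence probe. */
public final class JcePkcs8Decryptor {

    // Probe by name, never by import, so a missing class cannot break class loading.
    // The probed class is one of the direct imports listed above.
    private static final boolean BC_PKCS_PRESENT =
            isPresent("org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo");

    static boolean isPresent(String className) {
        try {
            Class.forName(className, false, JcePkcs8Decryptor.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false; // absent or broken (e.g. bc-fips without this class)
        }
    }

    public static boolean bouncyCastlePkcsAvailable() {
        return BC_PKCS_PRESENT;
    }

    /**
     * Plain JCE path: works without BC at all. derEncrypted is the DER body of an
     * "ENCRYPTED PRIVATE KEY" PEM block; keyAlgorithm is e.g. "RSA", "EC" or "EdDSA".
     * Assumes SunJCE (or another installed provider) supports the PBE algorithm
     * recorded in the structure (e.g. PBES2 with AES and HMAC-SHA-256).
     */
    public static PrivateKey decrypt(byte[] derEncrypted, char[] password, String keyAlgorithm)
            throws GeneralSecurityException, java.io.IOException {
        EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo(derEncrypted);
        String pbeAlg = epki.getAlgName();               // PBE algorithm from the DER header
        AlgorithmParameters params = epki.getAlgParameters(); // salt, iteration count, scheme
        SecretKey pbeKey = SecretKeyFactory.getInstance(pbeAlg)
                .generateSecret(new PBEKeySpec(password));
        Cipher cipher = Cipher.getInstance(pbeAlg);
        cipher.init(Cipher.DECRYPT_MODE, pbeKey, params);
        PKCS8EncodedKeySpec spec = epki.getKeySpec(cipher);   // decrypts to plain PKCS#8
        return KeyFactory.getInstance(keyAlgorithm).generatePrivate(spec);
    }
}
```

A parser built this way tries the JCE path first and only consults `bouncyCastlePkcsAvailable()` for formats the JDK cannot handle, so bc-fips never causes a `NoClassDefFoundError` at parse time.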
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]