[ https://issues.apache.org/jira/browse/AMQ-7142?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on AMQ-7142 started by Colm O hEigeartaigh.
------------------------------------------------
> Inserting Bouncy Castle Provider Early in Java Security Provider Chain Breaks KeyStore Loading
> ----------------------------------------------------------------------------------------------
>
>                 Key: AMQ-7142
>                 URL: https://issues.apache.org/jira/browse/AMQ-7142
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Camel
>    Affects Versions: 5.15.2
>         Environment: OpenJDK 11 (AdoptOpenJDK).
>                      Mac OS
>            Reporter: Nathan Hook
>            Assignee: Colm O hEigeartaigh
>            Priority: Blocker
>             Fix For: 5.16.0, 5.15.12
>
>
> The insertion of the Bouncy Castle Provider in the
> org.apache.activemq.broker.BrokerService class is causing issues with our app
> that is expecting one of the default SunJCE Ciphers to be called, but a Bouncy
> Castle Cipher is returned instead.
> This causes our Spring Security SAML keystores to not be loaded correctly
> because the Bouncy Castle Cipher thinks that the keystore was tampered with.
>
> I believe that the source of the problem is this line in the BrokerService
> class:
> Security.insertProviderAt(bouncycastle, Integer.getInteger("org.apache.activemq.broker.BouncyCastlePosition", 2));
> Looking at the Java 11 source code there are 6 providers installed by the
> java.security.Security class in the initializeStatic method:
> {code:java}
> private static void initializeStatic() {
>     props.put("security.provider.1", "sun.security.provider.Sun");
>     props.put("security.provider.2", "sun.security.rsa.SunRsaSign");
>     props.put("security.provider.3", "com.sun.net.ssl.internal.ssl.Provider");
>     props.put("security.provider.4", "com.sun.crypto.provider.SunJCE");
>     props.put("security.provider.5", "sun.security.jgss.SunProvider");
>     props.put("security.provider.6", "com.sun.security.sasl.Provider");
> }{code}
>
> If possible it would be great if the org.apache.activemq.broker.BrokerService
> class would call addProvider instead of insertProviderAt.
>
> Thank you for your time.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
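
The ordering effect described in the report, as an added example that is not part of the original message or of ActiveMQ's code. `DemoProvider` and the class name `example.DoesNotExist` are constructed stand-ins for Bouncy Castle; the program only queries `Security.getProviders` to show which provider a provider-less `Cipher.getInstance("AES")` lookup would consult first, and never instantiates a cipher.

```java
import java.security.Provider;
import java.security.Security;

public class ProviderOrderCheck {

    // Constructed stand-in for a third-party provider (assumption, not Bouncy Castle).
    // It only advertises Cipher.AES so that lookup order can be observed.
    static final class DemoProvider extends Provider {
        DemoProvider() {
            super("DemoProvider", "1.0", "constructed provider for ordering demo");
            put("Cipher.AES", "example.DoesNotExist");
        }
    }

    // Name of the highest-preference installed provider that advertises
    // service.algorithm, i.e. the one a provider-less getInstance() tries first.
    static String firstProviderFor(String service, String algorithm) {
        Provider[] ps = Security.getProviders(service + "." + algorithm);
        return (ps == null || ps.length == 0) ? "<none>" : ps[0].getName();
    }

    public static void main(String[] args) {
        Provider demo = new DemoProvider();
        System.out.println("baseline:            " + firstProviderFor("Cipher", "AES"));

        // Same property and default position as the BrokerService line quoted in the report.
        int pos = Integer.getInteger("org.apache.activemq.broker.BouncyCastlePosition", 2);
        Security.insertProviderAt(demo, pos);
        System.out.println("insertProviderAt(" + pos + "): " + firstProviderFor("Cipher", "AES"));
        Security.removeProvider(demo.getName());

        // Appending keeps the JDK providers ahead of the added one.
        Security.addProvider(demo);
        System.out.println("addProvider:         " + firstProviderFor("Cipher", "AES"));
        Security.removeProvider(demo.getName());
    }
}
```

Code that depends on a specific implementation can also pin it with the two-argument form, for example `Cipher.getInstance("AES", "SunJCE")`, which is unaffected by provider order.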