WSS4j statically inserts Bouncycastle and Juice in list of JCE providers
------------------------------------------------------------------------

                 Key: WSS-56
                 URL: http://issues.apache.org/jira/browse/WSS-56
             Project: WSS4J
          Issue Type: Bug
         Environment: IBM JDK 1.4.2 (AIX)
            Reporter: Fred Dushin
         Assigned To: Davanum Srinivas


As described in email

The WSSConfig class insists on inserting the Bouncycastle JCE provider "first" 
(or second...) in the list of JCE providers, if it can be found on the 
classpath.

The IBM JDK does not seem terribly appreciative of this fact, as the following 
test case illustrates.  For me, on AIX, using IBM's 1.4.02 JDK, the following 
code fails with "java.security.KeyStoreException: jks not found".  If I add the 
Bouncycastle provider to the end of the list of providers, I don't get the 
error.

public class Test {

    public static void
    main(
        String[] argv
    ) {
        try {

            java.security.Security.insertProviderAt(
                (java.security.Provider) 
                    Class.forName(
                        "org.bouncycastle.jce.provider.BouncyCastleProvider"
                    ).newInstance(), 
                2
            );
            final java.security.KeyStore keystore = 
                java.security.KeyStore.getInstance(
                    "jks"
            );
            java.io.FileInputStream fis =
                new java.io.FileInputStream(
                    "alice.jks"
                );
            keystore.load(fis, "password".toCharArray());

        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Truss on AIX shows some interesting behavior.  It looks like the JVM can't 
locate org/bouncycastle/jce/provider/JDKMessageDigest$SHA1.class, but it's a 
bit hard to decipher.

In any event, I think the fact that the WSS4j toolkit is statically injecting 
a provider into the JVM at runtime is pretty wrong, especially in library code 
that has to co-exist peacefully in an otherwise potentially hostile 
environment...

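A diagnostic for the ordering effect this report describes, as an added example that is not part of the original report or of WSS4J: it prints which registered provider serves KeyStore "jks" and MessageDigest "SHA-1" at baseline, with Bouncy Castle inserted at position 2, and with it appended through Security.addProvider. It assumes the Bouncy Castle jar is on the classpath and a Java 5 or later compiler; the class name ProviderOrderCheck is made up for the example.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;

// Added diagnostic, not WSS4J code: compares provider selection by list position.
public class ProviderOrderCheck {
    // Provider class name as given in the report; its jar is assumed to be on the classpath.
    static final String BC = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    // Name of the provider that serves KeyStore "jks", or the failure text.
    static String keyStoreProvider() {
        try { return KeyStore.getInstance("jks").getProvider().getName(); }
        catch (Exception e) { return "FAILED: " + e; }
    }

    // Same for MessageDigest "SHA-1", the digest the truss output in the report points at.
    static String digestProvider() {
        try { return MessageDigest.getInstance("SHA-1").getProvider().getName(); }
        catch (Exception e) { return "FAILED: " + e; }
    }

    static void report(String label) {
        StringBuilder order = new StringBuilder();
        for (Provider p : Security.getProviders()) order.append(p.getName()).append(' ');
        System.out.println(label + "\n  order: " + order.toString().trim());
        System.out.println("  jks:   " + keyStoreProvider());
        System.out.println("  SHA-1: " + digestProvider());
    }

    public static void main(String[] args) throws Exception {
        report("baseline");
        Provider bc;
        try {
            bc = (Provider) Class.forName(BC).getDeclaredConstructor().newInstance();
        } catch (ClassNotFoundException e) {
            System.out.println("Bouncy Castle not on classpath; nothing to compare");
            return;
        }
        if (Security.getProvider(bc.getName()) != null) {
            // Already registered (for example in java.security): do not disturb it.
            System.out.println(bc.getName() + " already registered; list left untouched");
            return;
        }
        Security.insertProviderAt(bc, 2);      // what the report's test case does
        report("inserted at position 2");
        Security.removeProvider(bc.getName());
        Security.addProvider(bc);              // appended: existing providers keep precedence
        report("appended at end");
        Security.removeProvider(bc.getName()); // restore the original list
    }
}
```

A "FAILED" line in one section but not the others isolates the list position as the cause on the JVM under test.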