cxf-dev mailing list archives

From Alessio Soldano <>
Subject Re: On BouncyCastle installed as a global security provider
Date Fri, 25 Jul 2014 10:48:36 GMT
Hi Colm,
I've come up with a proposal, please see and .
The CXF side of the proposal patch is still to be finished, but it 
should give an idea of the approach.
Please let me know what you think.

On 23/07/14 12:49, Colm O hEigeartaigh wrote:
> Hi Alessio,
> I'm open to the idea of passing the BouncyCastle Provider Object to the
> various classes in WSS4J etc rather than installing it as a global
> provider, IF it can be done without large code changes. Ultimately, CXF
> does not ship with BouncyCastle installed by default, and you can use GCM
> algorithms by upgrading to Java 8 as Sergey said, and so most users will
> not have to install/use BouncyCastle.
> Colm.
> On Wed, Jul 23, 2014 at 10:44 AM, Alessio Soldano <>
> wrote:
>> Hi,
>> I've been asked whether it's possible to avoid having BC installed as a
>> global security provider when using Apache CXF. I'm of course aware that
>> WSS4J installs it on behalf of CXF for supporting e.g. GCM algorithms,
>> which is not an option. However the question is still reasonable; assuming
>> the CXF stack is not the only framework running in the JVM, other
>> frameworks are going to be affected by that. They might or might not want
>> BC installed (for instance, just an example, because of [1]). They might
>> prefer different providers for a given set of algorithm requirements.
>> Ultimately, it should be up to the user to decide which providers are set
>> as global security provider, applications should either rely on the
>> installed global providers without touching them, or explicitly use what
>> they want.
>> So I'm wondering if there's a way we could modify CXF/WSS4J/Santuario for
>> using BC (or whatever we want to use ;-) ) e.g. when needing GCM without
>> installing it as a global provider. Something around e.g. getting ciphers
>> through the javax.crypto.Cipher#getInstance(String transformation,
>> Provider provider) method instead of the javax.crypto.Cipher#getInstance(String
>> transformation) after having loaded the provider without installing it
>> globally, etc.
>> Any thought / idea?
>> Thanks
>> Alessio
>> [1] /
>>, BouncyCastle DH
>> KeyPairGenerator algorithm can hang / eat lots of CPU
>> --
>> Alessio Soldano
>> Web Service Lead, JBoss

Alessio Soldano
Web Service Lead, JBoss
