cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alessio Soldano <asold...@redhat.com>
Subject Re: On BouncyCastle installed as a global security provider
Date Fri, 25 Jul 2014 10:48:36 GMT
Hi Colm,
I've came up with a proposal, please see 
https://issues.apache.org/jira/browse/WSS-507 and 
https://issues.apache.org/jira/browse/CXF-5905 .
The CXF side of the proposal patch is still to be finished, but it 
should give an idea of the approach.
Please let me know what you think.
Thanks
Alessio

On 23/07/14 12:49, Colm O hEigeartaigh wrote:
> Hi Alessio,
>
> I'm open to the idea of passing the BouncyCastle Provider Object to the
> various classes in WSS4J etc rather than installing it as a global
> provider, IF it can be done without large code changes. Ultimately, CXF
> does not ship with BouncyCastle installed by default, and you can use GCM
> algorithms by upgrading to Java 8 as Sergey said, and so most users will
> not have to install/use BouncyCastle.
>
> Colm.
>
>
> On Wed, Jul 23, 2014 at 10:44 AM, Alessio Soldano <asoldano@redhat.com>
> wrote:
>
>> Hi,
>> I've been asked whether it's possible to avoid having BC installed as a
>> global security provider when using Apache CXF. I'm of course aware that
>> WSS4J installs it on behalf of CXF for supporting e.g. GCM algorithms,
>> which is not an option. However the question is still reasonable; assuming
>> the CXF stack is not the only framework running in the JVM, other
>> frameworks are going to be affected by that. They might or might not want
>> BC installed (for instance, just an example, because of [1]). They might
>> prefer different providers for a given set of algorithm requirements.
>> Ultimately, it should be up to the user to decide which providers are set
>> as global security provider, application should either rely on the
>> installed global providers without touching them, or explicitly use what
>> they want.
>> So I'm wondering if there's a way we could modify CXF/WSS4J/Santuario for
>> using BC (or whatever we want to use ;-) ) e.g. when needing GCM without
>> installing it as a global provider. Something around e.g. getting ciphers
>> through the javax.crypto.Cipher#getInstance(String transformation,
>> Provider provider) method instead of the javax.crypto.Cipher#getInstance(String
>> transformation) after having loaded the provider without installing it
>> globally, etc.
>> Any thought / idea?
>> Thanks
>> Alessio
>>
>> [1] http://bouncycastle.org/jira/browse/BJA-19 /
>> https://issues.apache.org/jira/browse/HARMONY-3789, BouncyCastle DH
>> KeyPairGenerator algorithm can hang / eat lots of CPU
>>
>> --
>> Alessio Soldano
>> Web Service Lead, JBoss
>>
>>
>


-- 
Alessio Soldano
Web Service Lead, JBoss


Mime
View raw message