cxf-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: On BouncyCastle installed as a global security provider
Date Wed, 23 Jul 2014 10:49:55 GMT
Hi Alessio,

I'm open to the idea of passing the BouncyCastle Provider Object to the
various classes in WSS4J etc rather than installing it as a global
provider, IF it can be done without large code changes. Ultimately, CXF
does not ship with BouncyCastle installed by default, and you can use GCM
algorithms by upgrading to Java 8 as Sergey said, and so most users will
not have to install/use BouncyCastle.

Colm.


On Wed, Jul 23, 2014 at 10:44 AM, Alessio Soldano <asoldano@redhat.com>
wrote:

> Hi,
> I've been asked whether it's possible to avoid having BC installed as a
> global security provider when using Apache CXF. I'm of course aware that
> WSS4J installs it on behalf of CXF for supporting e.g. GCM algorithms,
> which is not an option. However the question is still reasonable; assuming
> the CXF stack is not the only framework running in the JVM, other
> frameworks are going to be affected by that. They might or might not want
> BC installed (for instance, just an example, because of [1]). They might
> prefer different providers for a given set of algorithm requirements.
> Ultimately, it should be up to the user to decide which providers are set
> as global security providers; applications should either rely on the
> installed global providers without touching them, or explicitly use what
> they want.
> So I'm wondering if there's a way we could modify CXF/WSS4J/Santuario for
> using BC (or whatever we want to use ;-) ) e.g. when needing GCM without
> installing it as a global provider. Something around e.g. getting ciphers
> through the javax.crypto.Cipher#getInstance(String transformation,
> Provider provider) method instead of the javax.crypto.Cipher#getInstance(String
> transformation) after having loaded the provider without installing it
> globally, etc.
> Any thought / idea?
> Thanks
> Alessio
>
> [1] http://bouncycastle.org/jira/browse/BJA-19 /
> https://issues.apache.org/jira/browse/HARMONY-3789, BouncyCastle DH
> KeyPairGenerator algorithm can hang / eat lots of CPU
>
> --
> Alessio Soldano
> Web Service Lead, JBoss
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
