geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rick McGuire <rick...@gmail.com>
Subject Re: IDEA block cipher inclusion via the "bouncy castle" JCE provider
Date Thu, 01 Sep 2005 17:36:17 GMT
I found an interesting example of the inadverent problems that can be 
caused by Geronimo's current usage of bouncycastle.  The openejb SunOrb 
codes specifies a list of supported cipher suites to be used with SSL 
connections in the class SSLCipherSuiteDatabase.  The supported list 
includes the IDEA algorithms.  The Sun default JCE implemenation does 
not include IDEA, so this will not be used unless additional JCE 
provides are installed which include IDEA support.  So far, so good.  
The IDEA code, even though listed as an option, will not get used 
without explicit knowledge of the Gernonmo administrator.

However, the current console code uses the bouncycastle code to 
implement its keystore.  This usage is in a manner that requires the BC 
provider code to be installed programmatically, which the console code 
does.  Unfortunately, once this is done, the IDEA algorithms are now 
available for use for SSL connections as well.  This server is now 
potentially a royalty collection target by the IDEA patent holders, 
since they can demonstrate usage by having a client connect with this 
server using the IDEA ciphers.  We might even want to consider allowing 
these algorithms to be controlled by the server config rather than just 
hard coding them in the class.

One way to fix this is just remove the IDEA algorithms from the 
SSLCipherSuiteDatabase, so these will not be used for SSL connections.  
Another potential solution (yet to be verified) is to use the BC APIs 
that allow the default JCE provider to be used for encryption services 
rather than defaulting to the BC provider.

Rick

Mime
View raw message