ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: wss4j-1.5.12 & Bouncy Castle
Date Mon, 27 Apr 2015 09:55:41 GMT
Hi George,

The reason that BouncyCastle is inserted in position 2 in the provider list
is covered in the JIRA you linked to. BouncyCastle is required for a few
things in WSS4J, for example Kerberos decoding support in later versions.
If you are using the basic algorithms then it may not be required. Simply
try excluding the BouncyCastle jar from your project and see if it works?
Failing this, you can set the "addJceProviders" property of WSSConfig to
"false", which will turn off adding BouncyCastle. BTW WSS4J 1.5.x is no
longer supported.

Colm.

On Sun, Apr 26, 2015 at 12:11 AM, George Stanchev <Gstanchev@serena.com>
wrote:

> The relevant code is [2]. At [1] we can see that Colm has chimed in so
> maybe he can comment on this mess?
>
>
> George
>
> [1] https://issues.apache.org/jira/browse/WSS-99
>
>
> [2]
>
> //
>                 // Install the provider after the SUN provider (see WSS-99)
>                 // Otherwise fall back to the old behaviour of inserting
>                 // the provider in position 2. For AIX, install it after
>                 // the IBMJCE provider.
>                 //
>                 int ret = 0;
>                 for (int i = 0; i < provs.length; i++) {
>                     if ("SUN".equals(provs[i].getName())
>                         || "IBMJCE".equals(provs[i].getName())) {
>                         ret =
>                             java.security.Security.insertProviderAt(
>                                 (java.security.Provider) c.newInstance(),
> i + 2
>                             );
>                         break;
>                     }
>                 }
>                 if (ret == 0) {
>                     ret =
>                     java.security.Security.insertProviderAt(
>                         (java.security.Provider) c.newInstance(), 2
>                     );
>                 }
>
> -----Original Message-----
> From: George Stanchev [mailto:Gstanchev@serena.com]
> Sent: Saturday, April 25, 2015 4:48 PM
> To: dev@ws.apache.org; wss4j-dev@ws.apache.org
> Subject: wss4j-1.5.12 & Bouncy Castle
>
> Hi,
>
> I am faced in a peculiar problem that involves multiple moving parts and
> components. We are using Axis2 1.4.1 which via Rampart 1.4 ends up using
> wss4j-1.5.2. When this version of wss4j initializes, it registers BC at
> slot 2 in the javax.security.Security providers list. This initialization
> done automatically and cannot be bypassed unless BC is registered already
> at some other spot. The byproduct of all this is the Tomcat's NIO SSL
> connector either stops working with bcprov 1.5.0 or intermittently stops
> working for latest bcprov 1.5.2. All this is very complicated, because it
> has to do with the negotiation of SSL and which protocol and which
> algorithm suite is being selected. There is definitely an issue with Bouncy
> Castle's GCMBlockCipher which ends up being used in a TLS1.2 connection b/w
> Chrome and FF and Tomcat 7.0.61's NIO SSL connector which results in "
> bad_record_mac ". That's a question for the BC's dev list.
>
> What I want to know is why does wss4j-1.5.12 insist on registering BC on
> slot 2. It's been a while since it has been released and may be those day's
> JREs didn't have the algorithmic suits needed for SOAP security...
>
> If I have to work around this BC issue by pre-registering BC at some other
> slot so its GCM block cipher doesn't end up being use, which slot is it
> safe to use? And is it safe to say that wss4j-1.5.12 doesn't really need
> BC's crypto to do signature, etc...
>
> George
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org For additional
> commands, e-mail: dev-help@ws.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: dev-help@ws.apache.org
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Mime
View raw message