bc-fips 2.0.0 is not OSGi compatible #1769
Any news about this?
The problem was more that when the original submission went in there was no real tooling for dealing with multi-release jar. The new jar looks better, but it's still missing the multi-release manifests, the only way I've found of getting these to add correctly (which is what was done with the additional jars) is via the gradle plugin, however everything was frozen until we got the certificate. I'll try and bump this up the list.
An addition to the missing osgi compatibility: We could deploy the modified bc-fips-2.0.0-osgi.jar in Karaf 4.4.4 but when initializing BouncyCastleFipsProvider the verification fails in FipsStatus with marker = "jar:bundle://a653bb1c-548b-4779-9c16-6e6897c2d394_336.0:0/!/" which is not supported:
@Pharell As far as I understand, you won't be able to pass the validation using the modified jar as it won't match the checksum of the validated FIPS release. It was mainly created as a test to check whether the manifest was the only issue.
@gabrielandrade2 I am aware that the bundle only resolves with the additional osgi-headers and that the checksum is changed when modifying the file content. I just wanted to add that - when actually initializing the provider - the checksum is not loaded because the prefix of the marker ("jar:bundle") is not recognized as valid. So no check is executed at all and the initialization fails.
Okay, try https://downloads.bouncycastle.org/fips-java/osgi/bc-fips-2.0.0.jar this has the OSGI properties in the primary manifest. We couldn't add the extra files as a code change is required to ignore them in the checksum calculation; the checksum cannot be changed - we will in the next release though. It appears to activate the jar in karaf, not sure what other implications there might be though.
@dghgit As far as I know, such an error was fixed for version 1.0.2.5 of bc-fips, so maybe it was not ported to 2.0.0 (and 2.0.1)? By the way, do you have an estimate for the next release date?
@gabrielandrade2 I've checked the jar, you shouldn't see that error, the checksum in the jar is correct. It sounds like there's something else going on, are you able to confirm what URI the jar thinks it's using for checksum calculation? Is it possible to provide a more complete stack trace? Thanks.
The stacktrace above states that the checksum itself is not wrong but cannot even be found at all: "Module checksum failed: unable to find". In the source code of bc-fips-2.0.0 this is thrown in
In
So the returned result for marker stays null which leads to the exception in In v1.0.2.5 there is a matching check, but I assume the jar cannot not be loaded from the resulting name, so the result is set to null:
In the further processing of the value of
The value of So this works in OSGi but skips checksum validation at all which is probably not intended.
Okay, this may need a bit more thought... would you email me at [email protected] about this? I think I'll need you to try a couple of things out for me, please mention "github #1769" in the subject line (spam filtering sometimes over enthusiastic...)
The project I am currently working on is built on top of an Apache Karaf distribution; thus making use of the OSGi framework.
We have integrated the FIPS variant of BouncyCastle (version 1.0.2.4) into our system without any issues. However, during the migration process to the newly released 2.0.0 version, I am experiencing some missing requirement issues when trying to compile the Karaf distribution.
I noticed that the 2.0.0 version of bc-fips doesn't have an OSGi-compliant manifest. None of the mandatory OSGi fields are present and the lack of Export-Package explains the issue I am having.
I was able to modify the maven library to be OSGi-compliant by using the bnd.sh script in this repo paired with the 7.0 version of bnd as it provides support for multi-release jars. (I attached the resulting jar here).
With this jar, I was able to successfully compile and run my Karaf distribution.
Interestingly, I noticed that other 2.0 bc libraries do provide OSGi-compliant manifests, such as bcpkix-fips or bcutil-fips.
Were the OSGi headers purposefully removed? Or is it a simple mistake on the 2.0.0 release of bc-fips?
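A way to check a jar's primary manifest for the OSGi headers this issue is about, as an added example that is not part of the original thread or of the Bouncy Castle project. The header list (beyond Export-Package, which the issue names), the helper names and the sample manifests are assumptions of this example.

```python
import io
import zipfile

# Assumption of this example: the issue names only Export-Package; the other
# two are the usual bundle identity headers.
OSGI_HEADERS = ("Bundle-ManifestVersion", "Bundle-SymbolicName", "Export-Package")


def parse_manifest(text):
    """Parse the main section of a JAR manifest into a dict (lower-cased names).

    Manifest lines are wrapped at 72 bytes; a line that starts with a single
    space continues the previous header's value.
    """
    headers, last = {}, None
    for line in text.splitlines():
        if not line:                      # blank line ends the main section
            break
        if line.startswith(" ") and last:
            headers[last] += line[1:]
        elif ": " in line:
            name, value = line.split(": ", 1)
            last = name.lower()           # header names are case-insensitive
            headers[last] = value
    return headers


def osgi_report(jar_bytes):
    """Return (missing OSGi headers, Multi-Release flag) for a jar given as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    headers = parse_manifest(manifest)
    missing = [h for h in OSGI_HEADERS if h.lower() not in headers]
    return missing, headers.get("multi-release", "").lower() == "true"


def make_jar(manifest_text):
    """Build an in-memory jar holding only a manifest (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()


# Constructed manifests, not copied from any Bouncy Castle release.
PLAIN = "Manifest-Version: 1.0\r\nMulti-Release: true\r\n\r\n"
BUNDLE = ("Manifest-Version: 1.0\r\nBundle-ManifestVersion: 2\r\n"
          "Bundle-SymbolicName: example.bundle\r\n"
          "Export-Package: org.example.api;version=\"1.0\",\r\n org.example.spi\r\n\r\n")
```

To inspect a real file, pass its contents: `osgi_report(open(path, "rb").read())`.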