Removes all hard dependencies on bcprov-specific #85
Open
strehle wants to merge 3 commits into
## Summary

Removes all hard dependencies on bcprov-specific internal classes so the library works transparently with either BouncyCastleProvider (BC) or BouncyCastleFipsProvider (BCFIPS), whichever is registered at runtime.

Root cause: Several classes bypassed the JCA provider abstraction by instantiating BC internal SPI and utility classes directly. These classes do not exist in bc-fips, causing ClassNotFoundException at runtime when the FIPS provider is used.

Changes per file:

- CertUtil — Adds a public bouncyCastleProvider() utility method that resolves the active BC provider at runtime: prefers BCFIPS if registered, falls back to BC, and finally instantiates BouncyCastleProvider reflectively if neither is registered. Both JcaContentSignerBuilder and JcaX509CertificateConverter now use this provider explicitly.
- CsrUtil — Passes bouncyCastleProvider() to JcaContentSignerBuilder.setProvider() so CSR signing routes through whichever BC provider is active.
- KeyPairGenerator — Replaces direct instantiation of bcprov internal *KeyPairGeneratorSpi classes (DSA, RSA, EC) with java.security.KeyPairGenerator.getInstance(algo, provider) — the standard JCA pattern, compatible with both BC and BCFIPS.
- KeyPairUtil — Replaces ECUtil.generatePrivateKeyParameter / generatePublicKeyParameter (bcprov-only) with PrivateKeyFactory.createKey(PrivateKeyInfo.getInstance(...)) and PublicKeyFactory.createKey(SubjectPublicKeyInfo.getInstance(...)), which are available in both BC and BCFIPS via the shared bcpkix layer.
- OpenSSLPrivateKeyDecoder — Replaces ECUtil.getNamedCurveByOid (bcprov-only) with ECNamedCurveTable.getByOID from org.bouncycastle.asn1.x9, which is present in both bcprov and bc-fips.
- AbstractWrappedECKey — Replaces EC5Util.convertCurve (bcprov-only) with an inline conversion using standard java.security.spec.ECFieldFp / ECFieldF2m — no BC provider dependency at all.
## Test plan

- All 359 existing tests pass unchanged (mvn test)
- CertUtil.bouncyCastleProvider() returns BCFIPS when that provider is registered, BC otherwise
- generateX509Certificate and generateCsr complete successfully with an explicitly registered BouncyCastleProvider
Removes all hard dependencies on bcprov-specific internal classes so the library works transparently with either BouncyCastleProvider (BC) or BouncyCastleFipsProvider (BCFIPS), whichever is registered at runtime
Solution for issue #43
This PR was generated with the help of AI but manually verified
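The provider resolution order described in the summary (BCFIPS if registered, then BC, then a reflectively loaded BouncyCastleProvider) combined with `KeyPairGenerator.getInstance(algo, provider)`, as an added example that is not the PR's own code. `resolveBouncyCastle` and `generate` are hypothetical names, and the example assumes bcprov or bc-fips is on the classpath.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.RSAKeyGenParameterSpec;

public class ProviderResolutionExample {

    // Hypothetical stand-in for the resolver the PR describes (not the PR's code).
    static Provider resolveBouncyCastle() {
        // 1. Prefer the FIPS provider when the application has registered it.
        Provider p = Security.getProvider("BCFIPS");
        if (p != null) return p;
        // 2. Otherwise use the regular Bouncy Castle provider if registered.
        p = Security.getProvider("BC");
        if (p != null) return p;
        // 3. Neither registered: load bcprov by class name, so this class has
        //    no compile-time link to a jar that is absent in a bc-fips deployment.
        try {
            Class<?> c = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
            return (Provider) c.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("No Bouncy Castle provider on the classpath", e);
        }
    }

    // Standard JCA lookup: the algorithm name plus an explicit provider replaces
    // any direct use of provider-internal *KeyPairGeneratorSpi classes.
    static KeyPair generate(String algorithm, AlgorithmParameterSpec spec)
            throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm, resolveBouncyCastle());
        kpg.initialize(spec);
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        // Print the resolved provider so a FIPS deployment can confirm that
        // BCFIPS, and not the fallback, is the one actually in use.
        System.out.println("provider: " + resolveBouncyCastle().getName());
        KeyPair rsa = generate("RSA", new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4));
        KeyPair ec = generate("EC", new ECGenParameterSpec("secp256r1"));
        System.out.println("RSA key class: " + rsa.getPrivate().getClass().getName());
        System.out.println("EC key class:  " + ec.getPrivate().getClass().getName());
    }
}
```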