Issue2469

classification
Title: Embedded BouncyCastle provider does not validate properly
Type: security Severity: normal
Components: Library Versions: Jython 2.7
Milestone: Jython 2.7.1
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: zyasoft Nosy List: dclayton, zyasoft
Priority: high Keywords:

Created on 2016-02-18.02:20:21 by dclayton, last changed 2016-03-14.16:41:15 by zyasoft.

Messages
msg10753 (view) Author: Doug Clayton (dclayton) Date: 2016-02-18.02:20:19
If you BouncyCastle for cryptography, for instance, to do AES-128 in CBC mode:

    from javax.crypto import KeyGenerator
    KeyGenerator.getInstance("2.16.840.1.101.3.4.1.2", "BC")

it fails, if you have previously imported any SSL code (eg httplib), with the following exception:

    java.security.NoSuchProviderException: JCE cannot authenticate the provider BC

This is because Jython bundles BouncyCastle in org.python.bouncycastle, then initializes it in _sslcerts.py (summarized):


try:
    # jarjar-ed version
    from org.python.bouncycastle.jce.provider import BouncyCastleProvider
except ImportError:
    # dev version from extlibs
    from org.bouncycastle.jce.provider import BouncyCastleProvider

    Security.addProvider(BouncyCastleProvider())


This registers org.python.bouncycastle.jce.provider.BouncyCastleProvider, which comes from an unsigned jar (namely python), and thus fails with that exception.
msg10754 (view) Author: Doug Clayton (dclayton) Date: 2016-02-18.02:24:46
Note that there are workarounds for the end user:

1. You can add the proper BC jar to your JRE (http://stackoverflow.com/questions/13721579/jce-cannot-authenticate-the-provider-bc-in-java-swing-application).

2. You can put a relative path to the BC jar in the manifest for the jython jar:

Class-Path: Path/to/your/BC.jar

and run this before any other code:

    from org.bouncycastle.jce.provider import BouncyCastleProvider
    Security.addProvider(BouncyCastleProvider())
msg10755 (view) Author: Doug Clayton (dclayton) Date: 2016-02-18.02:35:32
One fix for Jython is to change the preferred order in _sslcerts.py to use the proper bouncycastle package name, if it can be imported, and  fall back to the embedded version if not (which evidently works for all Jython's SSL use cases). That way users who want the real signed bouncycastle jar can use it if they need it.
msg10756 (view) Author: Jim Baker (zyasoft) Date: 2016-02-18.04:47:51
@Doug, sounds good about the change in import ordering. Makes sense, and something we can easily do.
msg10769 (view) Author: Jim Baker (zyasoft) Date: 2016-02-24.05:56:55
Fixed as of https://hg.python.org/jython/rev/b41685e8b69c
msg10779 (view) Author: Doug Clayton (dclayton) Date: 2016-02-24.13:06:28
That was quick, thanks!
History
Date User Action Args
2016-03-14 16:41:15zyasoftsetstatus: pending -> closed
2016-02-24 13:06:28dclaytonsetmessages: + msg10779
2016-02-24 06:30:45zyasoftsetresolution: accepted -> fixed
2016-02-24 05:56:56zyasoftsetstatus: open -> pending
messages: + msg10769
2016-02-18 21:34:53zyasoftsetpriority: high
2016-02-18 04:47:51zyasoftsetassignee: zyasoft
resolution: accepted
messages: + msg10756
nosy: + zyasoft
milestone: Jython 2.7.1
2016-02-18 02:35:32dclaytonsetmessages: + msg10755
2016-02-18 02:24:47dclaytonsetmessages: + msg10754
2016-02-18 02:20:21dclaytoncreate