Message12974

Author	jeff.allen
Recipients	jeff.allen
Date	2020-02-04.22:46:30
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1580856390.93.0.792421352798.issue2858@roundup.psfhosted.org>
In-reply-to

Content
This is not to do with shading, since I get the same effect when classes are bundled as org.bouncycastle... .. The Bouncy Castle JAR is signed and our jython.jar is rejected as a security provider, somewhere in the depths of javax.crypto,. The exception then emerges as a "not available". BC is perhaps following this guidance: https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html#integritycheck The checks only apply to certain operations, which are used in the failing test. Options now appear to be: 1. Do not bundle Bouncy Castle at all, and recommend installing it on the class path. 2. Bundle Bouncy Castle (un)shaded, and recommend installing it on the class path if an application needs the checked services. 3. Get our JARs acknowledged as a security provider. I favour 2, shaded. Most of SSL then still works, judging by the test. When the checked services are required, _sslcerts.py will pick up the unshaded version in preference to the one we bundle. Option 3 sounds difficult: it's a claim of quality I doubt we could get the CA to back.

This is not to do with shading, since I get the same effect when classes are bundled as org.bouncycastle... .. The Bouncy Castle JAR is signed and our jython.jar is rejected as a security provider, somewhere in the depths of javax.crypto,. The exception then emerges as a "not available".

BC is perhaps following this guidance: https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html#integritycheck

The checks only apply to certain operations, which are used in the failing test. Options now appear to be:
1. Do not bundle Bouncy Castle at all, and recommend installing it on the class path.
2. Bundle Bouncy Castle (un)shaded, and recommend installing it on the class path if an application needs the checked services.
3. Get our JARs acknowledged as a security provider.

I favour 2, shaded. Most of SSL then still works, judging by the test. When the checked services are required, _sslcerts.py will pick up the unshaded version in preference to the one we bundle. Option 3 sounds difficult: it's a claim of quality I doubt we could get the CA to back.

History
Date	User	Action	Args
2020-02-04 22:46:30	jeff.allen	set	messageid: <1580856390.93.0.792421352798.issue2858@roundup.psfhosted.org>
2020-02-04 22:46:30	jeff.allen	set	recipients: + jeff.allen
2020-02-04 22:46:30	jeff.allen	link	issue2858 messages
2020-02-04 22:46:30	jeff.allen	create