mdarifmustafa / vt-middleware

Automatically exported from code.google.com/p/vt-middleware
0 stars 0 forks source link

vt-crypt: CryptProvider is unconditionally adding BouncyCastle as a security provider in a static block #163

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
This class contains:

static {
  // Bouncy Castle provider
  addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider(), "BC");
}

This global, JVM-wide change is happening unconditionally.  Ideally this should 
be capable of being disabled in some manner, or even better, make the library 
user explicitly decide to load BC ("opt-in" vs "opt-out").

Having unexpected providers loaded auto-magically can affect apps that aren't 
expecting it, like the Shibboleth IdP.  Also, imagine for example multiple apps 
running in the same web container.  This global change affects them all. 

Original issue reported on code.google.com by putm...@georgetown.edu on 7 Jun 2013 at 8:19

GoogleCodeExporter commented 8 years ago
Btw, I didn't necessarily mean to flag this as a Defect, vs an enhancement,etc. 
I haven't used this issue system before, so I'm not sure how to change.

Original comment by putm...@georgetown.edu on 7 Jun 2013 at 8:21

GoogleCodeExporter commented 8 years ago
I wanted to document how this issue came to light, as the usage pattern wasn't 
obvious:
A library that performs encryption operations loops over a set of algorithm 
names attempting to find one that is supported.
Presumably the algorithms are in order of preference.
When a specific algorithm can be instantiated it is used.

Now here comes vt-crypt which adds the BC provider to the mix and suddenly an 
algorithm that wasn't supported now is.

Original comment by dfis...@gmail.com on 7 Jun 2013 at 9:02