Re: [jgit-dev] Could jgit be packaged with Bouncy Castle?



On 24/09/2013 00:02, Matthias Sohn wrote:
On Mon, Sep 23, 2013 at 10:30 PM, James Yonan <james@xxxxxxxxxxx> wrote:

    PBEWithMD5AndDES is woefully inadequate these days, and getting jgit
    to see a separately installed Bouncy Castle provider is tricky
    without editing system config files.

    It would be great if Bouncy Castle could be packaged into the jgit
    standalone binary.


I need to find time to fix
https://bugs.eclipse.org/bugs/show_bug.cgi?id=391302
Which bouncycastle library do you need? We have an IP approval to use
bcpg-jdk15on and bcprov-jdk15on in version 1.47 but due to bug 391302
they are not yet available in Orbit.

Latest stable would be great. Not too particular, just looking for reasonably strong crypto options such as PBEWITHSHA256AND256BITAES-CBC-BC for using S3 as a backing store.

BTW, is it even possible for an end user to build jgit command line tool + bouncy castle together via maven without any special code signing authority? I attempted it and had all sorts of problems such as:

* java.lang.SecurityException: Invalid signature file digest for Manifest main attributes -- apparently an issue with maven shade plugin interacting badly with BC signature

* Tried excluding the sigs from maven shade plugin with

    <configuration>
      <filters>
        <filter>
          <artifact>*:*</artifact>
          <excludes>
            <exclude>META-INF/*.SF</exclude>
            <exclude>META-INF/*.DSA</exclude>
            <exclude>META-INF/*.RSA</exclude>
          </excludes>
        </filter>
      </filters>
    </configuration>

This fixed the "Invalid signature file digest for Manifest main attributes", however jgit could still not see the BC ciphers.

* The only way I was able to make it work was by linking to BC .jar at runtime. I used this snippet in pom.xml, set JGIT_CLASSPATH, and did Security.addProvider(new BouncyCastleProvider()) in main().

    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk16</artifactId>
      <version>1.46</version>
      <scope>provided</scope>
    </dependency>

This is okay for now, but still an integrated build would be great that supports BC out of the box.

James
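
The runtime registration described in the message can be paired with a check that the strong PBE cipher is really usable. The following is an added example, not part of the original message and not JGit code; the class name BcPbeProbe and the sample password and salt are constructed for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class BcPbeProbe {
    // Algorithm names as they appear in the thread.
    static final String WEAK = "PBEWithMD5AndDES";
    static final String STRONG = "PBEWITHSHA256AND256BITAES-CBC-BC";

    /** Registers Bouncy Castle at runtime if its JAR is on the classpath. */
    static boolean registerBc() {
        if (Security.getProvider("BC") != null) return true;
        try {
            // Loaded reflectively so this class compiles without the BC JAR.
            Class<?> c = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
            Security.addProvider((Provider) c.getDeclaredConstructor().newInstance());
            return true;
        } catch (ReflectiveOperationException e) {
            return false;
        }
    }

    /** Returns null if the algorithm can encrypt, otherwise the failure reason. */
    static String probe(String alg) {
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance(alg);
            Cipher c = Cipher.getInstance(alg);
            byte[] salt = new byte[8]; // constructed sample; PBEWithMD5AndDES needs exactly 8 bytes
            c.init(Cipher.ENCRYPT_MODE,
                   f.generateSecret(new PBEKeySpec("probe-only".toCharArray())),
                   new PBEParameterSpec(salt, 10000));
            c.doFinal(new byte[32]);
            return null;
        } catch (GeneralSecurityException | SecurityException e) {
            // Covers a missing algorithm, a provider JAR the JRE refuses to
            // authenticate, and "Illegal key size" from a restricted JCE policy.
            return e.toString();
        }
    }

    public static void main(String[] args) {
        System.out.println("BC registered: " + registerBc());
        for (String alg : new String[] { WEAK, STRONG }) {
            String err = probe(alg);
            System.out.println(alg + ": " + (err == null ? "usable" : "unavailable (" + err + ")"));
        }
        if (probe(STRONG) != null) System.exit(1); // fail instead of falling back to the weak cipher
    }
}
```

Run it with the same classpath the jgit command line tool gets, so the result reflects what the tool itself would see.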

