Shade BC libs to avoid conflict with BC FIPS (#930)

maximthomas · web-flow · commit 7420458a94c7 · 2025-11-06T16:44:28.000+03:00
diff --git a/bcpkix-shaded/pom.xml b/bcpkix-shaded/pom.xml
@@ -0,0 +1,108 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * The contents of this file are subject to the terms of the Common Development and
+ * Distribution License (the License). You may not use this file except in compliance with the
+ * License.
+ *
+ * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+ * specific language governing permission and limitations under the License.
+ *
+ * When distributing Covered Software, include this CDDL Header Notice in each file and include
+ * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+ * Header, with the fields enclosed by brackets [] replaced by your own identifying
+ * information: "Portions copyright [year] [name of copyright owner]".
+ *
+ * Copyright 2025 3A Systems LLC.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.openidentityplatform.openam</groupId>
+        <artifactId>openam</artifactId>
+        <version>16.0.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>bcpkix-shaded</artifactId>
+    <version>${bouncycastle.version}</version>
+    <build>
+        <plugins>
+            <plugin>
+                <artifactId>maven-shade-plugin</artifactId>
+                <version>3.6.1</version>
+                <executions>
+                    <execution>
+                        <id>shade-bouncycastle-classes</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>shade</goal>
+                        </goals>
+                        <configuration>
+                            <artifactSet>
+                                <includes>
+                                    <include>org.bouncycastle:bcpkix-jdk18on</include>
+                                    <include>org.bouncycastle:bcutil-jdk18on</include>
+                                    <include>org.bouncycastle:bcprov-jdk18on</include>
+                                </includes>
+                            </artifactSet>
+                            <relocations>
+                                <relocation>
+                                    <pattern>org.bouncycastle</pattern>
+                                    <shadedPattern>org.openidentityplatform.bouncycastle</shadedPattern>
+                                </relocation>
+                            </relocations>
+                            <filters>
+                                <filter>
+                                    <artifact>org.bouncycastle:*</artifact>
+                                    <excludes>
+                                        <exclude>META-INF/**</exclude>
+                                    </excludes>
+                                </filter>
+                            </filters>
+                            <createSourcesJar>true</createSourcesJar>
+                            <shadeSourcesContent>true</shadeSourcesContent>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>unpack</id>
+                        <phase>process-classes</phase>
+                        <goals>
+                            <goal>unpack</goal>
+                        </goals>
+                        <configuration>
+                            <artifactItems>
+                                <artifactItem>
+                                    <groupId>org.bouncycastle</groupId>
+                                    <artifactId>bcpkix-jdk18on</artifactId>
+                                    <version>${bouncycastle.version}</version>
+                                    <outputDirectory>${project.build.outputDirectory}</outputDirectory>
+                                </artifactItem>
+                                <artifactItem>
+                                    <groupId>org.bouncycastle</groupId>
+                                    <artifactId>bcutil-jdk18on</artifactId>
+                                    <version>${bouncycastle.version}</version>
+                                    <outputDirectory>${project.build.outputDirectory}</outputDirectory>
+                                </artifactItem>
+                                <artifactItem>
+                                    <groupId>org.bouncycastle</groupId>
+                                    <artifactId>bcprov-jdk18on</artifactId>
+                                    <version>${bouncycastle.version}</version>
+                                    <outputDirectory>${project.build.outputDirectory}</outputDirectory>
+                                </artifactItem>
+                            </artifactItems>
+                            <excludes>META-INF/*.SF,META-INF/*.DSA,META-INF/*.RSA</excludes>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
diff --git a/openam-authentication/openam-auth-oauth2/pom.xml b/openam-authentication/openam-auth-oauth2/pom.xml
@@ -54,8 +54,8 @@
              <artifactId>esapi</artifactId>
         </dependency>
         <dependency>
-            <groupId>org.bouncycastle</groupId>
-            <artifactId>bcpkix-jdk18on</artifactId>
+            <groupId>org.openidentityplatform.openam</groupId>
+            <artifactId>bcpkix-shaded</artifactId>
             <version>1.81</version>
         </dependency>
 		<dependency>
diff --git a/openam-authentication/openam-auth-oauth2/src/main/java/org/forgerock/openam/authentication/modules/oauth2/service/esia/Signer.java b/openam-authentication/openam-auth-oauth2/src/main/java/org/forgerock/openam/authentication/modules/oauth2/service/esia/Signer.java
@@ -1,25 +1,41 @@
+/*
+ * The contents of this file are subject to the terms of the Common Development and
+ * Distribution License (the License). You may not use this file except in compliance with the
+ * License.
+ *
+ * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+ * specific language governing permission and limitations under the License.
+ *
+ * When distributing Covered Software, include this CDDL Header Notice in each file and include
+ * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+ * Header, with the fields enclosed by brackets [] replaced by your own identifying
+ * information: "Portions copyright [year] [name of copyright owner]".
+ *
+ * Copyright 2018-2025 3A Systems LLC.
+ */
+
 package org.forgerock.openam.authentication.modules.oauth2.service.esia;
 
 import com.google.common.cache.Cache;
 import com.google.common.cache.CacheBuilder;
 import com.iplanet.am.util.SystemProperties;
 import org.apache.commons.codec.binary.Base64;
-import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
-import org.bouncycastle.cert.X509CertificateHolder;
-import org.bouncycastle.cert.jcajce.JcaCertStore;
-import org.bouncycastle.cms.CMSProcessableByteArray;
-import org.bouncycastle.cms.CMSSignedData;
-import org.bouncycastle.cms.CMSSignedDataGenerator;
-import org.bouncycastle.cms.CMSTypedData;
-import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.openssl.PEMKeyPair;
-import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
-import org.bouncycastle.operator.ContentSigner;
-import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
-import org.bouncycastle.util.Store;
+import org.openidentityplatform.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.openidentityplatform.bouncycastle.cert.X509CertificateHolder;
+import org.openidentityplatform.bouncycastle.cert.jcajce.JcaCertStore;
+import org.openidentityplatform.bouncycastle.cms.CMSProcessableByteArray;
+import org.openidentityplatform.bouncycastle.cms.CMSSignedData;
+import org.openidentityplatform.bouncycastle.cms.CMSSignedDataGenerator;
+import org.openidentityplatform.bouncycastle.cms.CMSTypedData;
+import org.openidentityplatform.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
+import org.openidentityplatform.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.openidentityplatform.bouncycastle.openssl.PEMKeyPair;
+import org.openidentityplatform.bouncycastle.openssl.PEMParser;
+import org.openidentityplatform.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.openidentityplatform.bouncycastle.operator.ContentSigner;
+import org.openidentityplatform.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.openidentityplatform.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
+import org.openidentityplatform.bouncycastle.util.Store;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -35,7 +51,7 @@ public class Signer {
 	
 	final static Logger logger = LoggerFactory.getLogger(Signer.class);
 	static {
-		Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
+		Security.addProvider(new org.openidentityplatform.bouncycastle.jce.provider.BouncyCastleProvider());
 	}
 
 	private static final Cache<String, X509CertificateHolder> certificateHolderCache = CacheBuilder.newBuilder().maximumSize(10)
diff --git a/openam-authentication/openam-auth-oauth2/src/test/java/org/forgerock/openam/authentication/modules/oauth2/ESIATest.java b/openam-authentication/openam-auth-oauth2/src/test/java/org/forgerock/openam/authentication/modules/oauth2/ESIATest.java
@@ -1,6 +1,22 @@
+/*
+ * The contents of this file are subject to the terms of the Common Development and
+ * Distribution License (the License). You may not use this file except in compliance with the
+ * License.
+ *
+ * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+ * specific language governing permission and limitations under the License.
+ *
+ * When distributing Covered Software, include this CDDL Header Notice in each file and include
+ * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+ * Header, with the fields enclosed by brackets [] replaced by your own identifying
+ * information: "Portions copyright [year] [name of copyright owner]".
+ *
+ * Copyright 2018-2025 3A Systems LLC.
+ */
+
 package org.forgerock.openam.authentication.modules.oauth2;
 
-import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
+import org.openidentityplatform.bouncycastle.openssl.jcajce.JcaPEMWriter;
 import org.forgerock.openam.authentication.modules.oauth2.service.ESIAServiceUrlProvider;
 import org.forgerock.openam.authentication.modules.oauth2.service.esia.Signer;
 import org.mockito.Matchers;
@@ -50,7 +66,7 @@ public void syncOffsetTest() throws Exception {
 	
 	@Test
 	public void testSigner() throws Exception {
-		Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
+		Security.addProvider(new org.openidentityplatform.bouncycastle.jce.provider.BouncyCastleProvider());
 
 		KeyPairGenerator keygen = KeyPairGenerator.getInstance(algorithm, "BC");
 		keygen.initialize(new ECGenParameterSpec(paramsSpec));
@@ -66,22 +82,22 @@ public void testSigner() throws Exception {
 	}
 
 	private String generateTempCertificateFile(KeyPair keyPair)throws Exception {
-		org.bouncycastle.asn1.x500.X500Name subject = new org.bouncycastle.asn1.x500.X500Name("CN=" + alias);
+		org.openidentityplatform.bouncycastle.asn1.x500.X500Name subject = new org.openidentityplatform.bouncycastle.asn1.x500.X500Name("CN=" + alias);
 		BigInteger serial = BigInteger.ONE;
 		Date notBefore = new Date();
 		Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(365 * 10));
 
-		org.bouncycastle.cert.X509v3CertificateBuilder certificateBuilder = new org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder(
+		org.openidentityplatform.bouncycastle.cert.X509v3CertificateBuilder certificateBuilder = new org.openidentityplatform.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder(
 				subject, serial,
 				notBefore, notAfter,
 				subject, keyPair.getPublic()
 		);
-		org.bouncycastle.cert.X509CertificateHolder certificateHolder = certificateBuilder.build(
-				new org.bouncycastle.operator.jcajce.JcaContentSignerBuilder(signatureAlgorithm)
+		org.openidentityplatform.bouncycastle.cert.X509CertificateHolder certificateHolder = certificateBuilder.build(
+				new org.openidentityplatform.bouncycastle.operator.jcajce.JcaContentSignerBuilder(signatureAlgorithm)
 						.build(keyPair.getPrivate())
 		);
-		org.bouncycastle.cert.jcajce.JcaX509CertificateConverter certificateConverter
-				= new org.bouncycastle.cert.jcajce.JcaX509CertificateConverter();
+		org.openidentityplatform.bouncycastle.cert.jcajce.JcaX509CertificateConverter certificateConverter
+				= new org.openidentityplatform.bouncycastle.cert.jcajce.JcaX509CertificateConverter();
 
 		X509Certificate certificate = certificateConverter.getCertificate(certificateHolder);
 
diff --git a/pom.xml b/pom.xml
@@ -139,6 +139,7 @@
     <logback.version>1.3.15</logback.version>
     <netty.version>4.1.125.Final</netty.version>
     <netty-tcnative-boringssl.version>2.0.69.Final</netty-tcnative-boringssl.version>
+    <bouncycastle.version>1.81</bouncycastle.version>
     <javadoc.opts>-Xdoclint:none</javadoc.opts>
     <java.surefire.options>
       -Xmx1g
@@ -241,6 +242,7 @@
                         <excludeArtifact>org.restlet.ext.json</excludeArtifact>
                         <excludeArtifact>org.restlet.ext.servlet</excludeArtifact>
                         <excludeArtifact>org.restlet.ext.xml</excludeArtifact>
+                        <excludeArtifact>bcpkix-shaded</excludeArtifact>
                       </excludeArtifacts>
                   </configuration>
 			    </plugin>
@@ -253,6 +255,7 @@
   <modules>
     <!-- shaded libraries -->
     <module>jato-shaded</module>
+    <module>bcpkix-shaded</module>
     <module>openam-http</module>
     <module>openam-ldap-utils</module>
     <module>openam-datastore</module>
@@ -405,16 +408,6 @@
         <groupId>org.openidentityplatform.opendj</groupId>
         <artifactId>opendj-core</artifactId>
         <version>${opendj.version}</version>
-        <exclusions>
-          <exclusion>
-            <groupId>org.bouncycastle</groupId>
-            <artifactId>bc-fips</artifactId>
-          </exclusion>
-          <exclusion>
-            <groupId>org.bouncycastle</groupId>
-            <artifactId>bctls-fips</artifactId>
-          </exclusion>
-        </exclusions>
       </dependency>
 	  <dependency>
 		  <groupId>org.mockito</groupId>
