Directory ApacheDS: DIRSERVER-877

BouncyCastle IP issues with IDEA algo included in jars

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.0.1, 1.5.0
    • Fix Version/s: 1.0.2, 1.5.0
    • Component/s: None
    • Labels:
      None

      Description

      The BouncyCastle jars contain some classes which implement the IDEA algorithm, abusively patented by a company which thinks that patenting algorithms is a good way to make money.

      We should get these classes out of the jar, or use the Geronimo jar instead

      1. DIRSERVER-877-2.patch
        10 kB
        David Jencks
      2. DIRSERVER-877-broken-1.patch
        10 kB
        David Jencks

        Activity

        Enrique Rodriguez added a comment -

        Removed parent POM reference to BouncyCastle on rev 522613.

        Enrique Rodriguez added a comment -

        I removed the parent POM BouncyCastle mention and the trunk builds OK. Once integration tests complete I will check in the removed dependency.

        David Jencks added a comment -

        Can we remove the bouncycastle mention from root pom dependency management before any releases? It looks to me as if it is still in the 1.5 pom.xml, I didn't check the 1.0.1 pom

        Also, geronimo is going to remove most of the classes recently added to support this to avoid any possible question about whether any of them implement encryption algorithms that might be covered by export regulations. So... don't try to go back to using the geronimo-util solution

        Emmanuel Lecharny added a comment -

        Affected and fixed versions are back for 1.5.0

        Emmanuel Lecharny added a comment -

        I have removed the affected and fixed versions, it was a bad move. Fixed

        Emmanuel Lecharny added a comment -

        Backported Enrique modifications :
        http://svn.apache.org/viewvc?view=rev&rev=521997

        Emmanuel Lecharny added a comment -

        Simply removed 1.5.0 from the list of affected versions

        Emmanuel Lecharny added a comment -

        I reopen the issue for 1.0.2.

        Enrique Rodriguez added a comment -

        BouncyCastle dependency was replaced with JDK JCE on revs:
        http://svn.apache.org/viewvc?view=rev&revision=521939
        http://svn.apache.org/viewvc?view=rev&revision=521941
        http://svn.apache.org/viewvc?view=rev&revision=521942
        http://svn.apache.org/viewvc?view=rev&revision=521943

        David Jencks added a comment -

        Rick added the necessary classes to geronimo-util, and I deployed a snapshot to the apache snapshot repo.

        The attached patch makes apacheds build without bouncy-castle jars and all the integration tests pass. The only drawback I can see is that it uses a snapshot version.

        I can see 2 choices here:

        • I could try to get the changes into geronimo 1.2 which may get released soon (we are waiting only for a couple other releases)
        • At the end of the month we are expecting to push geronimo 2.0-M4
        David Jencks added a comment -

        I took a look at substituting the geronimo-util jar. We apparently changed the package names, and not all the classes apacheds uses are in the current geronimo-util jar.

        Missing are:
        org.bouncycastle.crypto.digests.SHA1Digest
        org.bouncycastle.crypto.modes.CBCBlockCipher
        org.bouncycastle.crypto.params.ParametersWithIV
        org.bouncycastle.crypto.engines.DESEngine
        org.bouncycastle.crypto.engines.DESedeEngine
        org.bouncycastle.crypto.digests.MD4Digest
        org.bouncycastle.crypto.params.DESParameters
        org.bouncycastle.crypto.digests.MD5Digest

        I'll see if we (geronimo) can figure out if we can include these or if equivalents are available in the built-in crypto support.
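
An added illustration, not code from ApacheDS, Geronimo or the commits referenced in this issue: how the BouncyCastle lightweight-API classes listed above map onto standard JCE calls. The class name `JceEquivalents`, the keys and the sample data are constructed; each digest is probed at runtime because a given JDK may not ship a provider for it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.IvParameterSpec;

// Hypothetical class name; added example only.
public class JceEquivalents {

    // SHA1Digest / MD5Digest / MD4Digest -> MessageDigest, looked up by algorithm name.
    static String digestStatus(String name, byte[] data) {
        try {
            return name + ": " + MessageDigest.getInstance(name).digest(data).length + " bytes";
        } catch (NoSuchAlgorithmException e) {
            return name + ": no installed provider"; // probe the lookup, do not assume it
        }
    }

    // CBCBlockCipher(DESEngine | DESedeEngine) + ParametersWithIV
    //   -> Cipher "<alg>/CBC/NoPadding" + IvParameterSpec.
    static byte[] cbc(String alg, int mode, byte[] rawKey, byte[] iv, byte[] in) throws Exception {
        // DESParameters.isWeakKey -> DESKeySpec.isWeak (checked for single DES only)
        if (alg.equals("DES") && DESKeySpec.isWeak(rawKey, 0)) {
            throw new IllegalArgumentException("weak DES key");
        }
        SecretKey key = SecretKeyFactory.getInstance(alg).generateSecret(
                alg.equals("DES") ? new DESKeySpec(rawKey) : new DESedeKeySpec(rawKey));
        Cipher c = Cipher.getInstance(alg + "/CBC/NoPadding");
        c.init(mode, key, new IvParameterSpec(iv));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        byte[] data = "16-byte message!".getBytes(StandardCharsets.US_ASCII); // constructed, 2 blocks
        byte[] iv = new byte[8];                                               // constructed zero IV
        byte[] desKey = {0x01, 0x23, 0x45, 0x67, (byte) 0x89, (byte) 0xab, (byte) 0xcd, (byte) 0xef};
        byte[] tdesKey = new byte[24];
        for (int i = 0; i < 24; i++) tdesKey[i] = (byte) (i * 11 + 1);         // constructed key bytes
        for (String d : new String[] {"SHA-1", "MD5", "MD4"}) System.out.println(digestStatus(d, data));
        for (String alg : new String[] {"DES", "DESede"}) {
            byte[] k = alg.equals("DES") ? desKey : tdesKey;
            byte[] ct = cbc(alg, Cipher.ENCRYPT_MODE, k, iv, data);
            byte[] pt = cbc(alg, Cipher.DECRYPT_MODE, k, iv, ct);
            System.out.println(alg + "/CBC round trip ok: " + Arrays.equals(pt, data));
        }
    }
}
```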


          People

          • Assignee:
            Enrique Rodriguez
            Reporter:
            Emmanuel Lecharny