voyent
icepdf changes crypto providers
Forum Index -> ICEpdf General
irun5k

Joined: 26/Aug/2011 07:36:39
Messages: 3
Offline


Hello, we recently ran into an issue where the certificate handling in our app broke when we integrated the ICEpdf Swing viewer.

After much research we determined that the cause is probably SignatureHandler.java:

javax.crypto.Cipher.getInstance("RSA").getProvider().getName();

Before loading the PDF viewer this code returned "SunJCE";
after loading the PDF viewer, "BCS".

The net effect of this is that the supported key length is reduced meaning our users can no longer load their client certificates.

Is there a recommended way around this?
patrick.corless

Joined: 26/Oct/2004 00:00:00
Messages: 1889
Offline


The SignatureHandler, as you've noticed, loads the "org.bouncycastle.jce.provider.BouncyCastleProvider" security provider, replacing the default JCE implementation. However, we use the call Security.insertProviderAt("provider", 2), which should leave the JCE provider intact at index 1. I'm curious what Security.getProviders() returns for ordering?

There is a system property -Dorg.icepdf.core.security.jceProvide that can be used to set any security provider, but our Signatures panel in the Viewer RI needs a few classes from the Bouncy Castle jars. So if you remove the Bouncy Castle jar, then you need to use the PropertiesManager to hide the "signatures" tab to avoid any ClassNotFoundExceptions.
irun5k

Joined: 26/Aug/2011 07:36:39
Messages: 3
Offline


Thank you for the reply. The defaults in Java 8 are these (see the java.security file):

Code:
 security.provider.1=sun.security.provider.Sun
 security.provider.2=sun.security.rsa.SunRsaSign
 security.provider.3=sun.security.ec.SunEC
 security.provider.4=com.sun.net.ssl.internal.ssl.Provider
 security.provider.5=com.sun.crypto.provider.SunJCE
 security.provider.6=sun.security.jgss.SunProvider
 security.provider.7=com.sun.security.sasl.Provider
 security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
 security.provider.9=sun.security.smartcardio.SunPCSC
 security.provider.10=apple.security.AppleProvider
 


I believe what is happening is that by inserting into position 1, Bouncy Castle becomes the RSA provider, which is by default at position 2.

Does Bouncy Castle need to be ahead of the other items or could it be added after the last existing entry?

patrick.corless

Joined: 26/Oct/2004 00:00:00
Messages: 1889
Offline


I don't see any issues adding the BC provider at the end of the list as we don't need to override any of the other providers for what we need from the API.

I'll create an enhancement bug for using Security.addProvider() instead of Security.insertProviderAt().
irun5k

Joined: 26/Aug/2011 07:36:39
Messages: 3
Offline


Thank you, and I can confirm that this should work.

For now, in case it helps anyone else, I employed this workaround:

Code:
 import java.security.Provider;
 import java.security.Security;

         try {
             // force this class to load since it has a static block that inserts Bouncy Castle as a provider
             Class.forName("org.icepdf.core.pobjects.acroform.SignatureHandler");
         }
         catch (ClassNotFoundException ignored) {
         }
         Provider bc = Security.getProvider("BC");
         // null if the class was not found (no jar on the classpath), so nothing to move
         if (bc != null) {
             Security.removeProvider("BC");
             // add to the very end of the list so it won't conflict with anything
             Security.addProvider(bc);
         }

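Added example (not ICEpdf's code and not from either poster) that makes the provider ordering discussed in the two replies above visible. It lists Security.getProviders() and the provider that actually serves Cipher "RSA", KeyFactory "RSA" and Signature "SHA256withRSA" three times: with the JDK defaults, after Bouncy Castle is inserted at position 2 (the call quoted in the first reply), and after it is moved to the end of the list the way the workaround does. It assumes a Bouncy Castle provider jar is on the classpath; the provider class name is the standard one, while ProviderOrderDemo, report and moveToEnd are names chosen for this example. On the Java 8 default list posted above, position 2 is ahead of SunRsaSign (2) and SunJCE (5), so inserting at either 1 or 2 makes BC the first match for RSA; appending it leaves the JDK providers first while Cipher.getInstance("RSA", "BC") still reaches it explicitly.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import javax.crypto.Cipher;

// Example code, not ICEpdf. Assumes a Bouncy Castle provider jar (e.g. bcprov) is on the classpath.
public class ProviderOrderDemo {

    // Standard Bouncy Castle JCE provider class; loaded reflectively so the file compiles without it.
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    static Provider newBcProvider() throws ReflectiveOperationException {
        return (Provider) Class.forName(BC_CLASS).getDeclaredConstructor().newInstance();
    }

    // Print the current provider order and who wins the lookup for the RSA services
    // that both the viewer's signature code and a host app's client-cert handling use.
    static void report(String label) throws GeneralSecurityException {
        System.out.println("== " + label);
        Provider[] ps = Security.getProviders();
        for (int i = 0; i < ps.length; i++) {
            System.out.println("  " + (i + 1) + " " + ps[i].getName());
        }
        System.out.println("  Cipher RSA              -> " + Cipher.getInstance("RSA").getProvider().getName());
        System.out.println("  KeyFactory RSA          -> " + KeyFactory.getInstance("RSA").getProvider().getName());
        System.out.println("  Signature SHA256withRSA -> " + Signature.getInstance("SHA256withRSA").getProvider().getName());
    }

    // The thread's workaround: keep the provider registered, but as the last candidate.
    static void moveToEnd(String name) {
        Provider p = Security.getProvider(name);
        if (p == null) {
            return; // not registered, nothing to reorder
        }
        Security.removeProvider(name);
        Security.addProvider(p); // appends after the existing entries
    }

    public static void main(String[] args) throws Exception {
        report("JDK defaults");

        // What the library call quoted in the reply does: BC now precedes SunRsaSign and SunJCE.
        Security.insertProviderAt(newBcProvider(), 2);
        report("BC inserted at position 2");

        // Workaround: BC stays available for the Signatures panel but no longer shadows the JDK.
        moveToEnd("BC");
        report("BC moved to the end with Security.addProvider");

        // Code that deliberately wants Bouncy Castle can still request it by name.
        System.out.println("  explicit request        -> "
                + Cipher.getInstance("RSA", "BC").getProvider().getName());
    }
}
```

Run it once with the stock JDK list and compare the three reports: in the second one every RSA lookup answers "BC", in the third they answer the SunJCE/SunRsaSign providers again while the explicit "BC" request still succeeds. If your own code has to coexist with a library that registers a provider in a static initializer, the same moveToEnd call after the library class has loaded is the least invasive fix until the library switches to Security.addProvider().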