Bug ID 910507
Summary bouncycastle security provider not registered on pkg install, edits to java.security config file not persistent across version upgrades
Classification openSUSE
Product openSUSE Distribution
Version 13.2
Hardware x86-64
OS openSUSE 13.2
Status NEW
Severity Normal
Priority P5 - None
Component Java
Assignee bnc-team-java@forge.provo.novell.com
Reporter grantksupport@operamail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

on 13.2

I've installed jdk/jre both Sun & OpenJDK

    rpm -qa | grep -i jdk
        jdk1.8.0_25-1.8.0_25-fcs.x86_64
        java-1_8_0-openjdk-1.8.0.40~b12-52.1.x86_64
        java-1_8_0-openjdk-headless-1.8.0.40~b12-52.1.x86_64
        java-1_8_0-openjdk-devel-1.8.0.40~b12-52.1.x86_64
        java-1_8_0-openjdk-javadoc-1.8.0.40~b12-52.1.noarch

In order to get necessary, up-to-date cipher/algo support, I've installed

    rpm -qa | grep -i bouncy
        bouncycastle-1.46-13.1.3.noarch

Per the wiki at

    http://www.bouncycastle.org/wiki/display/JA1/Provider+Installation

        "...
        Installing the Provider Statically

        To install the provider statically you need to add it as an entry to
        the java.security file which can be found in
        $JAVA_HOME/jre/lib/security/java.security for the JRE/JDK you are using.
        Look for a list of lines with security.provider.X where X is some
        number. At the bottom of the list add the line:

        security.provider.N=org.bouncycastle.jce.provider.BouncyCastleProvider

        where N is one more than the last number in the list.

        It is possible to add the provider higher up in the list. If you do
        this we recommend you don't add it earlier than position 2 as there are
        occasionally internal dependencies on the provider at position 1 which
        may cause some operations by your JVM to result in errors.
        ..."

so, both of these need to be edited

    /usr/java/jdk1.8.0_25/jre/lib/security/java.security
    /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/lib/security/java.security

to
        ...
        security.provider.1=sun.security.provider.Sun
+        security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
-        security.provider.2=sun.security.rsa.SunRsaSign
-        security.provider.3=sun.security.ec.SunEC
-        security.provider.4=com.sun.net.ssl.internal.ssl.Provider
-        security.provider.5=com.sun.crypto.provider.SunJCE
-        security.provider.6=sun.security.jgss.SunProvider
-        security.provider.7=com.sun.security.sasl.Provider
-        security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
-        security.provider.9=sun.security.smartcardio.SunPCSC
+        security.provider.3=sun.security.rsa.SunRsaSign
+        security.provider.4=sun.security.ec.SunEC
+        security.provider.5=com.sun.net.ssl.internal.ssl.Provider
+        security.provider.6=com.sun.crypto.provider.SunJCE
+        security.provider.7=sun.security.jgss.SunProvider
+        security.provider.8=com.sun.security.sasl.Provider
+        security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+        security.provider.10=sun.security.smartcardio.SunPCSC
        ...
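
Review bot: inserting BouncyCastleProvider as security.provider.2 places it ahead of SunRsaSign, SunEC and SunJCE in the preference order, so any algorithm that both BouncyCastle and those providers implement will resolve to the bouncycastle-1.46 implementation by default, and it forces the eight entries below it to be renumbered. If the aim is only to add algorithms the stock providers lack, appending a single line as security.provider.10 (the wiki's "one more than the last number in the list") leaves existing lookups unchanged and is a smaller edit to re-apply after an upgrade. Whichever position is chosen, keep the numbering contiguous with no duplicates, as the "+" lines here do.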

(1) Shouldn't the install of the bouncy rpm make those changes? I understand
that priority would need to be set -- perhaps in a /etc/sysconfig/bouncy?
then processed ...

(2) Making edits to those files ^^^ will not survive jdk/jre version upgrades.

User/admin modifications to java security.provider settings should be
persistent.
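
A check that could be run after each JDK/JRE update to see whether the provider edit described in this report is still in place. This is an added example, not part of the original report or of any openSUSE or BouncyCastle package; the function name `check_providers` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the security.provider.N list of a java.security file.
# BC_CLASS is the provider class named in the wiki text quoted in this report.
BC_CLASS='org.bouncycastle.jce.provider.BouncyCastleProvider'

# check_providers FILE  (hypothetical helper name)
# Prints one finding per line. Returns 0 only if the list is numbered 1..max
# without gaps or duplicates and BouncyCastle sits at position 2 or later.
check_providers() {
    awk -v bc="$BC_CLASS" '
        # Active (uncommented) entries only: security.provider.N=class
        /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
            line = $0
            sub(/^[ \t]*security\.provider\./, "", line)
            n = line;   sub(/[ \t]*=.*$/, "", n); n += 0
            cls = line; sub(/^[0-9]+[ \t]*=[ \t]*/, "", cls)
            sub(/[ \t\r]+$/, "", cls)
            if (n in seen) { print "FAIL duplicate position " n; bad = 1 }
            seen[n] = cls
            if (n > max) max = n
            if (cls == bc) bcpos = n
        }
        END {
            # The JVM reads entries 1, 2, 3... and stops at the first missing
            # number, so a gap silently drops every provider after it.
            for (i = 1; i <= max; i++)
                if (!(i in seen)) { print "FAIL gap at position " i; bad = 1 }
            if (!bcpos) {
                print "FAIL BouncyCastle not registered"; bad = 1
            } else if (bcpos < 2) {
                print "FAIL BouncyCastle at position 1"; bad = 1
            } else {
                print "OK BouncyCastle at position " bcpos " of " max
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: a stock list as a package upgrade would restore it.
sample=$(mktemp)
printf '%s\n' \
    'security.provider.1=sun.security.provider.Sun' \
    'security.provider.2=sun.security.rsa.SunRsaSign' > "$sample"
check_providers "$sample" || echo "provider edit missing from $sample"
rm -f "$sample"
```

To use it on a real system, call `check_providers` once for each of the two java.security paths listed in the report.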

