
Stop bundling bouncycastle jar files and breaking crypto for everyone else

    • Bug
    • Resolution: Fixed
    • Critical
    • docker-plugin
    • None

      If we unzip the current release of the docker plugin (0.16.2) we see the following

      unzip -l ~/Downloads/docker-plugin.hpi 
      Archive:  /Users/stephenc/Downloads/docker-plugin.hpi
        Length      Date    Time    Name
      ---------  ---------- -----   ----
      [snip]
         673715  09-13-2016 14:04   WEB-INF/lib/bcpkix-jdk15on-1.54.jar
        3277268  09-13-2016 14:04   WEB-INF/lib/bcprov-jdk15on-1.54.jar
      [snip]
      ---------                     -------
       22911566                     64 files
      

      These files conflict with the bouncycastle jars bundled in the baseline version of Jenkins that 0.16.2 ships with and, depending on plugin classloader initialization order, can cause a series of very hard to trace issues with crypto within Jenkins.

      The normal solution would be to shade the jar that was being bundled, however as bouncycastle is a JCA provider and must be signed by a trusted JCA provider code signing key, this is not an option.

      The solution is to replace the bundled bouncycastle jars with a dependency on the bouncycastle-api plugin.

      As the version of bouncycastle required by the docker plugin is 1.54, this will also require bumping the core version to at least 1.648.

      Once the core version dependency reaches 2.16 - at which point bouncycastle was removed from core - then the dependency on the bouncycastle-api plugin becomes critical as all plugins are required to be getting their bouncycastle from that plugin...
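The `unzip -l` listing above is the manual form of the check. The following script, added here as an example and not code from the issue or from the docker-plugin, automates it for a set of `.hpi`/`.jpi` archives: it lists any bouncycastle jars under `WEB-INF/lib`, reads the plugin manifest's `Plugin-Dependencies`, `Short-Name` and `Jenkins-Version` headers (standard Jenkins plugin manifest headers), and reports whether the plugin already depends on bouncycastle-api. The sample archive it builds in memory is constructed test data; the `bouncycastle-api:2.16.0` dependency string in it is an assumed sample value, not a version taken from the issue.

```python
"""Check Jenkins plugin archives (.hpi/.jpi) for bundled bouncycastle jars.

Example added alongside JENKINS-39473; not code from the issue or the docker-plugin.
"""
import io
import re
import sys
import zipfile
from dataclasses import dataclass, field
from typing import List

# A bouncycastle jar shipped inside a plugin's WEB-INF/lib competes with the
# copy supplied by core (before 2.16) or by the bouncycastle-api plugin.
BC_JAR = re.compile(r"^WEB-INF/lib/bc(prov|pkix|mail|pg)-jdk\d+on-[\d.]+\.jar$")


@dataclass
class PluginReport:
    name: str
    jenkins_version: str = ""
    bundled_bc_jars: List[str] = field(default_factory=list)
    plugin_dependencies: List[str] = field(default_factory=list)

    @property
    def uses_bouncycastle_api(self) -> bool:
        # Entries look like "bouncycastle-api:2.16.0" or "name:1.0;resolution:=optional"
        return any(dep.split(":", 1)[0] == "bouncycastle-api" for dep in self.plugin_dependencies)

    @property
    def conflicts(self) -> bool:
        return bool(self.bundled_bc_jars)


def parse_manifest(raw: bytes) -> dict:
    """Parse the main section of a JAR manifest, joining the 72-byte continuation lines."""
    lines: List[str] = []
    for line in raw.decode("utf-8").splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]  # continuation of the previous header
        else:
            lines.append(line)
    headers = {}
    for line in lines:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
    return headers


def inspect_plugin(archive) -> PluginReport:
    """archive: a path or a file-like object holding an .hpi/.jpi zip."""
    with zipfile.ZipFile(archive) as zf:
        try:
            headers = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        except KeyError:
            headers = {}
        deps = headers.get("Plugin-Dependencies", "")
        return PluginReport(
            name=headers.get("Short-Name", str(archive)),
            jenkins_version=headers.get("Jenkins-Version", ""),
            bundled_bc_jars=sorted(n for n in zf.namelist() if BC_JAR.match(n)),
            plugin_dependencies=[d.strip() for d in deps.split(",") if d.strip()],
        )


def build_sample_hpi(bundle_bc: bool, depend_on_api: bool) -> io.BytesIO:
    """Constructed in-memory plugin archive for demonstration (not a real plugin)."""
    # The bouncycastle-api version below is an assumed sample value.
    deps = "bouncycastle-api:2.16.0" if depend_on_api else ""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Short-Name: sample-plugin\r\n"
        "Jenkins-Version: 1.648\r\n"
        f"Plugin-Dependencies: {deps}\r\n"
        "\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("WEB-INF/lib/some-other-lib-1.0.jar", b"")
        if bundle_bc:
            zf.writestr("WEB-INF/lib/bcprov-jdk15on-1.54.jar", b"")
            zf.writestr("WEB-INF/lib/bcpkix-jdk15on-1.54.jar", b"")
    buf.seek(0)
    return buf


def describe(report: PluginReport) -> str:
    """One-line verdict per plugin, with the remediation the issue describes."""
    if not report.conflicts:
        return f"{report.name}: OK (no bundled bouncycastle jars)"
    fix = "" if report.uses_bouncycastle_api else "; replace with a dependency on bouncycastle-api"
    return f"{report.name}: bundles {', '.join(report.bundled_bc_jars)}{fix}"


if __name__ == "__main__":
    # With no arguments, run against the constructed sample archive.
    targets = sys.argv[1:] or [build_sample_hpi(bundle_bc=True, depend_on_api=False)]
    for target in targets:
        print(describe(inspect_plugin(target)))
```

Run it as `python check_bc.py $JENKINS_HOME/plugins/*.jpi` to find every installed plugin that still carries its own JCA provider copy; a plugin that both bundles the jars and declares bouncycastle-api still needs the jars removed, since the report only tells you the dependency is in place, not that the classpath is clean.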

          [JENKINS-39473] Stop bundling bouncycastle jar files and breaking crypto for everyone else

          Code changed in jenkins
          User: Stephen Connolly
          Path:
          docker-plugin/pom.xml
          http://jenkins-ci.org/commit/docker-plugin/ac1c0efad2ac17890a7fad7e94629bf849f5a954
          Log:
          [FIXED JENKINS-39473] Switch to bouncycastle-api plugin for bouncycastle jars (#456)


            magnayn
            Stephen Connolly