Jenkins / JENKINS-39473

Stop bundling bouncycastle jar files and breaking crypto for everyone else


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • Component: docker-plugin

      If we unzip the current release of the docker plugin (0.16.2) we see the following

      unzip -l ~/Downloads/docker-plugin.hpi 
      Archive:  /Users/stephenc/Downloads/docker-plugin.hpi
        Length      Date    Time    Name
      ---------  ---------- -----   ----
         673715  09-13-2016 14:04   WEB-INF/lib/bcpkix-jdk15on-1.54.jar
        3277268  09-13-2016 14:04   WEB-INF/lib/bcprov-jdk15on-1.54.jar
      ---------                     -------
       22911566                     64 files

      These files conflict with the bouncycastle jars bundled in the baseline version of Jenkins that 0.16.2 ships with and, depending on plugin classloader initialization order, can cause a series of very hard to trace issues with crypto within Jenkins.

      The normal solution would be to shade the jar that was being bundled; however, as bouncycastle is a JCA provider and must be signed by a trusted JCA provider code signing key, this is not an option.

      The solution is to replace the bundled bouncycastle jars with a dependency on the bouncycastle-api plugin.

      As the version of bouncycastle required by the docker plugin is 1.54, this will also require bumping the core version to at least 1.648.

      Once the core version dependency reaches 2.16, at which point bouncycastle was removed from core, the dependency on the bouncycastle-api plugin becomes critical, as all plugins are required to get their bouncycastle from that plugin.
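      The fix described above, as an added illustrative pom.xml fragment (not the docker-plugin's actual pom): the bundled bcprov/bcpkix jars are excluded from the library that pulls them in transitively, and the plugin takes bouncycastle from the bouncycastle-api plugin instead. The library coordinates (docker-java) and the uppercase version strings are assumptions and placeholders, not values from this issue.

```xml
<!-- Illustrative fragment of a Jenkins plugin pom.xml; not the real docker-plugin pom. -->
<project>
  <properties>
    <!-- bouncycastle 1.54 is needed, so the core baseline must be at least 1.648 (per the issue) -->
    <jenkins.version>1.648</jenkins.version>
  </properties>

  <dependencies>
    <!-- BEFORE (problematic): a library dependency declared like this brings
         bcprov-jdk15on / bcpkix-jdk15on along transitively, so Maven packs
         them into WEB-INF/lib of the .hpi and they shadow the jars Jenkins
         already provides. Coordinates are assumed for illustration. -->
    <!--
    <dependency>
      <groupId>com.github.docker-java</groupId>
      <artifactId>docker-java</artifactId>
      <version>DOCKER_JAVA_VERSION_PLACEHOLDER</version>
    </dependency>
    -->

    <!-- AFTER: keep the library, but stop bundling the JCA provider jars.
         Shading is not possible because a JCA provider must keep its signature. -->
    <dependency>
      <groupId>com.github.docker-java</groupId>
      <artifactId>docker-java</artifactId>
      <version>DOCKER_JAVA_VERSION_PLACEHOLDER</version>
      <exclusions>
        <exclusion>
          <groupId>org.bouncycastle</groupId>
          <artifactId>bcprov-jdk15on</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.bouncycastle</groupId>
          <artifactId>bcpkix-jdk15on</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- ...and obtain bouncycastle through the bouncycastle-api plugin, which
         stays the only source of it once the core baseline reaches 2.16. -->
    <dependency>
      <groupId>org.jenkins-ci.plugins</groupId>
      <artifactId>bouncycastle-api</artifactId>
      <version>BOUNCYCASTLE_API_VERSION_PLACEHOLDER</version>
    </dependency>
  </dependencies>
</project>
```

      To check the result, `mvn dependency:tree -Dincludes=org.bouncycastle` should show the bouncycastle artifacts only under the bouncycastle-api plugin, and `unzip -l target/*.hpi` should no longer list bcprov or bcpkix jars under WEB-INF/lib.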

            Assignee: magnayn
            Reporter: Stephen Connolly (stephenconnolly)