
Conversation

harikrishna-patnala
Contributor

@harikrishna-patnala harikrishna-patnala commented Jul 15, 2025

Description

This PR fixes #10954

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • build/CI
  • test (unit or integration test code)

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

Updated my environment with the newer jars and everything seems fine

How did you try to break this feature and the system with this change?

@harikrishna-patnala
Contributor Author

@blueorangutan package

@blueorangutan

@harikrishna-patnala a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.


codecov bot commented Jul 15, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 17.38%. Comparing base (b0c7719) to head (6138c02).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##               main   #11201   +/-   ##
=========================================
  Coverage     17.38%   17.38%           
+ Complexity    15282    15281    -1     
=========================================
  Files          5891     5891           
  Lines        526356   526356           
  Branches      64270    64270           
=========================================
  Hits          91526    91526           
- Misses       424488   424489    +1     
+ Partials      10342    10341    -1     
Flag Coverage Δ
uitests 3.61% <ø> (ø)
unittests 18.43% <ø> (ø)


@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14192

@DaanHoogland
Contributor

@blueorangutan test matrix

@blueorangutan

@DaanHoogland a [SL] Trillian-Jenkins matrix job (EL8 mgmt + EL8 KVM, Ubuntu22 mgmt + Ubuntu22 KVM, EL8 mgmt + VMware 7.0u3, EL9 mgmt + XCP-ng 8.2 ) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian Build Failed (tid-13786)

@blueorangutan

[SF] Trillian Build Failed (tid-13784)

@blueorangutan

[SF] Trillian Build Failed (tid-13785)

@blueorangutan

[SF] Trillian Build Failed (tid-13783)

@harikrishna-patnala
Contributor Author

@blueorangutan test matrix

@blueorangutan

@harikrishna-patnala a [SL] Trillian-Jenkins matrix job (EL8 mgmt + EL8 KVM, Ubuntu22 mgmt + Ubuntu22 KVM, EL8 mgmt + VMware 7.0u3, EL9 mgmt + XCP-ng 8.2 ) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian Build Failed (tid-13806)

@blueorangutan

[SF] Trillian Build Failed (tid-13808)

@blueorangutan

[SF] Trillian Build Failed (tid-13807)

@blueorangutan

[SF] Trillian Build Failed (tid-13805)

@harikrishna-patnala
Contributor Author

@blueorangutan package

@blueorangutan

@harikrishna-patnala a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@harikrishna-patnala
Contributor Author

harikrishna-patnala commented Jul 18, 2025

@weizhouapache @DaanHoogland

The available versions of the Bouncy Castle provider supporting jdk18 range from 1.71 to 1.81 (https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on)

If we use 1.81 as the provider version

<cs.bcprov.version>1.81</cs.bcprov.version>

SystemVMs have trouble starting with the error

Caused by: java.lang.NoClassDefFoundError: Could not initialize class org.bouncycastle.operator.jcajce.OperatorHelper
        at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.<init>(Unknown Source)
        at org.apache.cloudstack.utils.security.CertUtils.generateV3Certificate(CertUtils.java:241)
        at org.apache.cloudstack.ca.provider.RootCAProvider.generateCertificate(RootCAProvider.java:152)

The last version that worked with our code is

<cs.bcprov.version>1.72</cs.bcprov.version>

At the moment I don't know the reason for the "OperatorHelper" class not being found, so I adjusted the code to use version 1.72. I'm not sure how the mentioned vulnerabilities affect us: https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on/1.72

Please review and see if this is fine.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✖️ debian ✔️ suse15. SL-JID 14254

Member

@vishesh92 vishesh92 left a comment


clgtm

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✖️ debian ✔️ suse15. SL-JID 14256

pom.xml Outdated
<cs.axis2.version>1.6.4</cs.axis2.version>
<cs.batik.version>1.14</cs.batik.version>
<cs.bcprov.version>1.70</cs.bcprov.version>
<cs.bcprov.version>1.72</cs.bcprov.version>
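Review bot: the step back to `<cs.bcprov.version>1.72</cs.bcprov.version>` instead of the current 1.81 is deliberate (the OperatorHelper initialization failure described in this thread), but nothing in pom.xml records that; add a comment beside the property stating why 1.72 was chosen and which issue tracks moving to 1.81, so a version with vulnerabilities listed against it on Maven Central is not carried forward silently on the next bump.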
Member


According to the central mvn repo, 1.72 has 5 vulnerabilities; 1.81 is the latest

It seems there are some incompatibility issues with 1.81; I think they can be fixed

Contributor


@harikrishna-patnala check if the issues with 1.81 can be fixed or not

Contributor Author

@harikrishna-patnala harikrishna-patnala Jul 23, 2025


I've tried multiple ways to use 1.81 and rewriting the code for getting the X509Certificate, but I am still facing the same issue. Can one of you help me here @weizhouapache @sureshanaparti

@sureshanaparti sureshanaparti linked an issue Jul 25, 2025 that may be closed by this pull request
@DaanHoogland
Contributor

I ran mvn dependency:tree and found

[INFO] +- org.opensaml:opensaml:jar:2.6.6:compile # updating -> 4.0.1
[INFO] |  +- org.opensaml:openws:jar:1.5.6:compile
[INFO] |  |  \- org.opensaml:xmltooling:jar:1.4.6:compile
[INFO] |  |     +- org.bouncycastle:bcprov-jdk15on:jar:1.51:compile
[INFO] +- io.minio:minio:jar:8.5.2:compile # updating -> 8.2.17
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.69:compile
[INFO] +- org.apache.directory.server:apacheds-core:jar:2.0.0.AM25:test # updating -> 2.0.0.AM27
[INFO] |  \- org.bouncycastle:bcprov-jdk15on:jar:1.59:compile

@DaanHoogland
Contributor

after upgrading packages to latest:

[INFO] |  +- org.opensaml:opensaml-security-api:jar:4.0.1:compile
[INFO] |  |  +- org.bouncycastle:bcprov-jdk15on:jar:1.64:compile
[INFO] +- org.apache.directory.server:apacheds-core:jar:2.0.0.AM27:test
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.70:compile
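The dependency:tree output posted in this thread shows why bumping the property alone is not enough: Maven keeps one version per artifactId, but `bcprov-jdk15on` (pulled in transitively by opensaml, minio and apacheds at 1.51, 1.59, 1.69, and 1.64 and 1.70 after the upgrades) and `bcprov-jdk18on` are different artifactIds, so both jars land on the classpath with the same package names, and a jdk15on/jdk18on mix or a bcprov/bcpkix/bcutil version mismatch within one family is the first thing to rule out when a Bouncy Castle class fails to initialize. The script below is an added example, not CloudStack code: it runs that check over `mvn dependency:tree` output, lists every org.bouncycastle artifact, flags more than one jar family or more than one version within a family, names the direct dependency that drags each jar in, and renders the `<exclusion>` blocks to add under those dependencies. The embedded tree is constructed to mirror the shape of the trees in this thread; the `com.example:app` root and the coordinates are made up for the example.

```python
"""Audit `mvn dependency:tree` output for mixed or skewed BouncyCastle jars.

Added example (not CloudStack code). SAMPLE_TREE is a constructed tree that
mirrors the shape of the ones posted in the PR; the com.example root is made up.
"""
import json
import re
from collections import defaultdict, namedtuple

Dep = namedtuple("Dep", "group artifact version scope ancestors")

# One artifact per line; every ancestor level adds a 3-character prefix.
TREE_LINE = re.compile(r"^\[INFO\] (?P<prefix>(?:\|  |\+- |\\- |   )*)(?P<coord>\S+)")
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
# bcprov-jdk18on -> module "bcprov", family "jdk18on" (also matches bcprov-jdk15to18).
BC_ARTIFACT = re.compile(r"^(?P<module>bc[a-z]+)-(?P<family>jdk\d+(?:to\d+|on))$")

SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0-SNAPSHOT
[INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.81:compile
[INFO] +- org.bouncycastle:bcpkix-jdk18on:jar:1.81:compile
[INFO] |  \- org.bouncycastle:bcutil-jdk18on:jar:1.81:compile
[INFO] +- org.opensaml:opensaml:jar:2.6.6:compile
[INFO] |  +- org.opensaml:openws:jar:1.5.6:compile
[INFO] |  |  \- org.opensaml:xmltooling:jar:1.4.6:compile
[INFO] |  |     +- org.bouncycastle:bcprov-jdk15on:jar:1.51:compile
[INFO] +- io.minio:minio:jar:8.5.2:compile
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.69:compile
[INFO] +- org.apache.directory.server:apacheds-core:jar:2.0.0.AM25:test
[INFO] |  \- (org.bouncycastle:bcprov-jdk15on:jar:1.59:compile - omitted for conflict with 1.69)
"""


def parse_tree(text):
    """Turn dependency:tree lines into Dep rows carrying their ancestor chain."""
    stack, rows = [], []
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        # -Dverbose wraps omitted artifacts in parentheses; keep the coordinate.
        parts = m["coord"].lstrip("(").split(":")
        if len(parts) < 4:          # banners, separators, plugin headers
            continue
        # group:artifact:type[:classifier]:version[:scope]
        if parts[-1] in SCOPES:
            version, scope = parts[-2], parts[-1]
        else:
            version, scope = parts[-1], None
        depth = len(m["prefix"]) // 3
        del stack[depth:]           # pop back to this row's parent
        rows.append(Dep(parts[0], parts[1], version, scope, tuple(stack)))
        stack.append(f"{parts[0]}:{parts[1]}")
    return rows


def audit_bouncycastle(text):
    """Report BC jar families, per-family version skew and who pulls each jar in."""
    families = defaultdict(set)   # family -> versions seen
    pulled_by = defaultdict(set)  # artifactId -> direct dependencies that bring it
    for d in parse_tree(text):
        m = BC_ARTIFACT.match(d.artifact)
        if d.group != "org.bouncycastle" or not m:
            continue
        families[m["family"]].add(d.version)
        # ancestors[0] is the project itself; ancestors[1] is the direct dependency.
        direct = d.ancestors[1] if len(d.ancestors) > 1 else "<declared directly>"
        pulled_by[d.artifact].add(direct)
    return {
        "families": sorted(families),
        # jdk15on and jdk18on are different artifactIds, so Maven keeps both jars.
        "mixed_families": len(families) > 1,
        # bcprov/bcpkix/bcutil of one family must share a version.
        "version_skew": {f: sorted(v) for f, v in families.items() if len(v) > 1},
        "pulled_by": {a: sorted(s) for a, s in pulled_by.items()},
    }


def maven_exclusions(report, artifact="bcprov-jdk15on"):
    """Render the <exclusion> block to add under each direct dependency pulling `artifact`."""
    out = []
    for direct in report["pulled_by"].get(artifact, []):
        if direct == "<declared directly>":
            continue
        out += [f"<!-- under {direct} -->", "<exclusion>",
                "  <groupId>org.bouncycastle</groupId>",
                f"  <artifactId>{artifact}</artifactId>", "</exclusion>"]
    return "\n".join(out)


if __name__ == "__main__":
    rep = audit_bouncycastle(SAMPLE_TREE)
    print(json.dumps(rep, indent=2))
    print(maven_exclusions(rep))
```

Run the tree in verbose mode when feeding real output, so the versions that nearest-wins resolution drops (the parenthesised "omitted for conflict" rows) are still visible; a jar only has to be on the classpath once to conflict, so the exclusions are worth adding for every direct dependency the report names, not just the one whose version won.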

@DaanHoogland DaanHoogland marked this pull request as draft July 30, 2025 16:20
@DaanHoogland DaanHoogland removed their assignment Jul 31, 2025
@weizhouapache weizhouapache added this to the 4.22.0 milestone Aug 21, 2025
@weizhouapache weizhouapache changed the base branch from 4.19 to main September 25, 2025 07:32
@weizhouapache
Member

@blueorangutan package

@blueorangutan

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@weizhouapache
Member

after upgrading packages to latest:

[INFO] |  +- org.opensaml:opensaml-security-api:jar:4.0.1:compile
[INFO] |  |  +- org.bouncycastle:bcprov-jdk15on:jar:1.64:compile
[INFO] +- org.apache.directory.server:apacheds-core:jar:2.0.0.AM27:test
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.70:compile

yes, this PR has a large impact on ldap and saml

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15162



Development

Successfully merging this pull request may close these issues.

[Security] switch to jdk18on bouncycastle jars

6 participants