-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove Bouncycastle as the default provider fixes #52 #126
Remove Bouncycastle as the default provider fixes #52 #126
Conversation
Previously, the library placed an artificial constraint needing the BouncyCastle provider to perform cryptographic functions when it was not necessary to do so. This commit removes the requirement to both require BouncyCastle as the sole provider, as well as requiring the BouncyCastle dependency at runtime. If the user wishes to use BouncyCastle, they should add the provider as is done in the tests. The library will automatically use whatever the preferred provider is instead of BouncyCastle.
👍 , I agree |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to be sure, the migration path for users would be to add BouncyCastle as a dependency and then do:
Security.addProvider(new BouncyCastleProvider())
Right?
|
||
if (expected.length != supplied.length) | ||
{ | ||
return !JwtArrayUtils.constantTimeAreEqual(expected, expected); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you add a link to the original source code in the description? I would like to take a look. This line seems strange. Since expected == expected
, it will most likely return true
immediately from L22 and then negate it. Would be faster to just return false
here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, not a problem. You can find the link here: https://github.com/bcgit/bc-java/blob/290df7b4edfc77b32d55d0a329bf15ef5b98733b/core/src/main/java/org/bouncycastle/util/Arrays.java#L145. FWIW, it looks like this snippet originates from an older commit and there has been some recent development in that area to improve the function. If you'd prefer a particular revision, I'd be happy to use that over this revision.
@brakthehack it might be good to document what functionality in jwt relies on BouncyCastle. Is there a subset of functionality that doesn't rely on any additional security providers? |
You've got it. |
So, I'm not all that familiar with the code base so I'm not sure if I can totally confirm, but my take is that this change affects the algorithms used, which is specified by the user. For example, if the user's token uses RSA signatures, it will probably work out of the box. However, if we remove BC as the provider in the tests we see a couple of tests in the core project fail:
The primary reason is So to answer your question, it's system-specific which is why we probably should shy away declaring what is and is not supported. |
Previously, the library placed an artificial constraint needing
the BouncyCastle provider to perform cryptographic functions
when it was not necessary to do so.
This commit removes the requirement to both require BouncyCastle
as the sole provider, as well as requiring the BouncyCastle
dependency at runtime.
If the user wishes to use BouncyCastle, they should add the provider
as is done in the tests. The library will automatically use
whatever the preferred provider is instead of BouncyCastle.