From d1425f129c4950feb90430f5a0da5cfbaad060ed Mon Sep 17 00:00:00 2001
From: Foivos Zakkak
Date: Tue, 20 Dec 2022 17:38:38 +0200
Subject: [PATCH] Register bouncycastle classes for reflection only when present

Co-authored-by: Nicolas Filotto
---
 .../deployment/SecurityProcessor.java | 48 +++++++++++--------
 1 file changed, 28 insertions(+), 20 deletions(-)

diff --git a/extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java b/extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java
index 1b8d98a392ae0..924c0ed173d62 100644
--- a/extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java
+++ b/extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java
@@ -58,6 +58,7 @@
 import io.quarkus.deployment.builditem.nativeimage.NativeImageSecurityProviderBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.RuntimeReinitializedClassBuildItem;
+import io.quarkus.deployment.pkg.builditem.CurateOutcomeBuildItem;
 import io.quarkus.deployment.pkg.steps.NativeOrNativeSourcesBuild;
 import io.quarkus.gizmo.CatchBlockCreator;
 import io.quarkus.gizmo.ClassCreator;
@@ -145,7 +146,8 @@ void registerJCAProvidersForReflection(BuildProducer c
 }

 @BuildStep
- void prepareBouncyCastleProviders(BuildProducer reflection,
+ void prepareBouncyCastleProviders(CurateOutcomeBuildItem curateOutcomeBuildItem,
+ BuildProducer reflection,
 BuildProducer runtimeReInitialized,
 List bouncyCastleProviders,
 List bouncyCastleJsseProviders) throws Exception {
@@ -158,35 +160,41 @@ void prepareBouncyCastleProviders(BuildProducer reflec
 runtimeReInitialized
 .produce(new RuntimeReinitializedClassBuildItem(
 "org.bouncycastle.jsse.provider.DefaultSSLContextSpi$LazyManagers"));
- prepareBouncyCastleProvider(reflection, runtimeReInitialized, bouncyCastleJsseProvider.get().isInFipsMode());
+ prepareBouncyCastleProvider(curateOutcomeBuildItem, reflection, runtimeReInitialized,
+ bouncyCastleJsseProvider.get().isInFipsMode());
 } else {
 Optional bouncyCastleProvider = getOne(bouncyCastleProviders);
 if (bouncyCastleProvider.isPresent()) {
- prepareBouncyCastleProvider(reflection, runtimeReInitialized, bouncyCastleProvider.get().isInFipsMode());
+ prepareBouncyCastleProvider(curateOutcomeBuildItem, reflection, runtimeReInitialized,
+ bouncyCastleProvider.get().isInFipsMode());
 }
 }
 }

- private static void prepareBouncyCastleProvider(BuildProducer reflection,
- BuildProducer runtimeReInitialized,
- boolean isFipsMode) {
+ private static void prepareBouncyCastleProvider(CurateOutcomeBuildItem curateOutcomeBuildItem,
+ BuildProducer reflection,
+ BuildProducer runtimeReInitialized, boolean isFipsMode) {
 reflection.produce(new ReflectiveClassBuildItem(true, true,
 isFipsMode ? SecurityProviderUtils.BOUNCYCASTLE_FIPS_PROVIDER_CLASS_NAME
 : SecurityProviderUtils.BOUNCYCASTLE_PROVIDER_CLASS_NAME));
- reflection.produce(new ReflectiveClassBuildItem(true, true,
- "org.bouncycastle.jcajce.provider.symmetric.AES",
- "org.bouncycastle.jcajce.provider.symmetric.AES$CBC",
- "org.bouncycastle.crypto.paddings.PKCS7Padding",
- "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi",
- "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi$EC",
- "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi$ECDSA",
- "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi",
- "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC",
- "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$ECDSA",
- "org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyFactorySpi",
- "org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyPairGeneratorSpi",
- "org.bouncycastle.jcajce.provider.asymmetric.rsa.PSSSignatureSpi",
- "org.bouncycastle.jcajce.provider.asymmetric.rsa.PSSSignatureSpi$SHA256withRSA"));
+
+ if (curateOutcomeBuildItem.getApplicationModel().getDependencies().stream().anyMatch(
+ x -> x.getGroupId().equals("org.bouncycastle") && x.getArtifactId().startsWith("bcprov-"))) {
+ reflection.produce(new ReflectiveClassBuildItem(true, true,
+ "org.bouncycastle.jcajce.provider.symmetric.AES",
+ "org.bouncycastle.jcajce.provider.symmetric.AES$CBC",
+ "org.bouncycastle.crypto.paddings.PKCS7Padding",
+ "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi",
+ "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi$EC",
+ "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi$ECDSA",
+ "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi",
+ "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC",
+ "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$ECDSA",
+ "org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyFactorySpi",
+ "org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyPairGeneratorSpi",
+ "org.bouncycastle.jcajce.provider.asymmetric.rsa.PSSSignatureSpi",
+ "org.bouncycastle.jcajce.provider.asymmetric.rsa.PSSSignatureSpi$SHA256withRSA"));
+ }
 runtimeReInitialized
 .produce(new RuntimeReinitializedClassBuildItem("org.bouncycastle.crypto.CryptoServicesRegistrar"));
 if (!isFipsMode) {
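Review bot: The new guard in prepareBouncyCastleProvider infers that the bcprov classes are present from Maven coordinates alone (`"org.bouncycastle"` / `"bcprov-"`) and skips the whole algorithm-class list silently when nothing matches, while the provider class just above it is still registered unconditionally. A provider jar resolved under other coordinates (relocated or repackaged) would therefore leave a registered provider without reflective access to its AES/EC/RSA classes, and that would presumably surface only as a runtime lookup failure in the native image rather than at build time. I would put a comment on the condition, e.g. `// these classes ship in bcprov-*; register them only when such an artifact is resolved`, and log the skipped case at debug level in an `else` branch if this class already has a logger. It is also worth confirming whether `getDependencies()` includes build-time-only artifacts, since a match there would register classes that never reach the runtime classpath. The method body continues past the end of the hunk.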