
Dependency Conflict: Incompatible Bouncy Castle Artifacts (bcprov-jdk15on:1.65 vs. bcprov-jdk15to18:1.77) Causing Duplicate Classes Issue

Open moumitaDas15 opened this issue 10 months ago • 11 comments

I am sharing the scenario below which is causing an issue after adding an SDK dependency:

I am facing a duplicate classes issue for Bouncy Castle (snapshot of the issue given below):

Duplicate class org.bouncycastle.x509.util.LDAPStoreHelper found in modules bcprov-jdk15on-1.65.jar -> bcprov-jdk15on-1.65 (org.bouncycastle:bcprov-jdk15on:1.65) and bcprov-jdk15to18-1.77.jar -> bcprov-jdk15to18-1.77 (org.bouncycastle:bcprov-jdk15to18:1.77)
Duplicate class org.bouncycastle.x509.util.StreamParser found in modules bcprov-jdk15on-1.65.jar -> bcprov-jdk15on-1.65 (org.bouncycastle:bcprov-jdk15on:1.65) and bcprov-jdk15to18-1.77.jar -> bcprov-jdk15to18-1.77 (org.bouncycastle:bcprov-jdk15to18:1.77)
Duplicate class org.bouncycastle.x509.util.StreamParsingException found in modules bcprov-jdk15on-1.65.jar -> bcprov-jdk15on-1.65 (org.bouncycastle:bcprov-jdk15on:1.65) and bcprov-jdk15to18-1.77.jar -> bcprov-jdk15to18-1.77 (org.bouncycastle:bcprov-jdk15to18:1.77)

Duplicate Classes Found in:

bcprov-jdk15on-1.65.jar (org.bouncycastle:bcprov-jdk15on:1.65)
bcprov-jdk15to18-1.77.jar (org.bouncycastle:bcprov-jdk15to18:1.77)

Duplicate Classes:

org.bouncycastle.x509.util.LDAPStoreHelper
org.bouncycastle.x509.util.StreamParser
org.bouncycastle.x509.util.StreamParsingException

On running the ./gradlew app:dependencies command, I found that Bouncy Castle is included by two different SDKs (by the new SDK which I am adding, and an SDK which already exists in our project):

 +--- another SDK 
|    |    |    +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.6.21 -> 2.0.21 (*)
|    |    |    +--- org.bouncycastle:bcpkix-jdk15on:1.65
|    |    |    |    \--- org.bouncycastle:bcprov-jdk15on:1.65
|    |    |    +--- org.bouncycastle:bcprov-jdk15on:1.65
--- new SDK
|    |    |    +--- org.slf4j:slf4j-api:1.7.36
|    |    |    +--- org.bouncycastle:bcprov-jdk15to18:1.77

bcprov-jdk15on:1.65 → included by the one SDK which already exists in our project.
bcprov-jdk15to18:1.77 → included by the SDK which I am newly adding.

Shared dependencies are common, and Gradle usually resolves them by selecting the latest version. However, in this case, the issue likely arises due to **incompatible Bouncy Castle artifacts rather than just a version conflict**.

bcprov-jdk15on:1.65 and bcprov-jdk15to18:1.77 are different artifacts, not just different versions. Some libraries expect bcprov-jdk15on, while others expect bcprov-jdk15to18. If Gradle picks bcprov-jdk15to18:1.77, but another library relies on classes that only exist in bcprov-jdk15on, we will get missing class/unresolved reference errors.

We need Bouncy Castle’s team support to understand the best way to resolve this dependency issue.

moumitaDas15 avatar Mar 10 '25 17:03 moumitaDas15

Move to bcprov-jdk15to18 1.77. It is quite a jump, what are the missing classes?

dghgit avatar Mar 10 '25 22:03 dghgit

Hey @dghgit ,

Are you suggesting the below solution??

Move to bcprov-jdk15to18 1.77. It is quite a jump, what are the missing classes?

  • Remove the older version (bcprov-jdk15on:1.65) from my dependencies.
  • Use only bcprov-jdk15to18:1.77 in my project.

moumitaDas15 avatar Mar 11 '25 09:03 moumitaDas15

Yes. That's the only way forward.

dghgit avatar Mar 14 '25 02:03 dghgit

Hey @dghgit ,

Along with moving to the bcprov-jdk15to18:1.77, do we also need to move to bcpkix-jdk15to18:1.77 from bcpkix-jdk15on:1.65 ??

Cause as per the dependency chart:

 +--- another SDK 
|    |    |    +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.6.21 -> 2.0.21 (*)
|    |    |    +--- org.bouncycastle:bcpkix-jdk15on:1.65
|    |    |    |    \--- org.bouncycastle:bcprov-jdk15on:1.65
|    |    |    +--- org.bouncycastle:bcprov-jdk15on:1.65
--- new SDK
|    |    |    +--- org.slf4j:slf4j-api:1.7.36
|    |    |    +--- org.bouncycastle:bcprov-jdk15to18:1.77

moumitaDas15 avatar Mar 18 '25 16:03 moumitaDas15

Yes, make sure everything is the same version.

dghgit avatar Mar 18 '25 22:03 dghgit

Hey @dghgit,

When I only move to bcprov-jdk15to18:1.77, it works fine.

But when I move to bcpkix-jdk15to18:1.77 as well, it's giving an unresolved classes error for org.bouncycastle.openssl.PEMParser, and it's also giving an unresolved classes error for the existing SDK, which currently uses org.bouncycastle:bcpkix-jdk15on:1.65.

moumitaDas15 avatar Mar 26 '25 09:03 moumitaDas15

Hey @dghgit,

Is it ok, if we move to bcprov-jdk15to18:1.77 only?

moumitaDas15 avatar Mar 26 '25 13:03 moumitaDas15

Hey @dghgit any updates on this?

moumitaDas15 avatar Apr 17 '25 07:04 moumitaDas15

Hey @dghgit, we moved to bcprov-jdk15to18:1.77 but are getting an unresolved classes error. Please help us with this one.

moumitaDas15 avatar May 07 '25 19:05 moumitaDas15

You should use everything at the same version, so bcprov-jdk15to18:1.77 with bcpkix-jdk15to18:1.77. You would also need bcutil-jdk15to18:1.77 since some code was moved into a new jar as of v1.69.

BTW the current version is 1.80 which you could use instead for all three jars.

peterdettman avatar May 08 '25 05:05 peterdettman
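
A check for the end state described in the reply above (one artifact family, one version, and bcutil alongside bcpkix from 1.69 on), as an added example that is not part of the thread or of Bouncy Castle's code. `audit_bouncycastle` and the other names are hypothetical; the sample input is the dependency tree posted in the issue.

```python
import re
from collections import defaultdict

# One Bouncy Castle coordinate in `./gradlew app:dependencies` output, e.g.
# "org.bouncycastle:bcprov-jdk15on:1.65", optionally followed by "-> 1.77".
BC_COORD = re.compile(
    r"org\.bouncycastle:(?P<lib>bc[a-z]+)-(?P<family>jdk[0-9a-z]+):"
    r"(?P<requested>\d+(?:\.\d+)*)(?:\s*->\s*(?P<resolved>\d+(?:\.\d+)*))?"
)

# Dependency tree lines as posted in the issue.
REPORT_FROM_ISSUE = """\
|    |    |    +--- org.bouncycastle:bcpkix-jdk15on:1.65
|    |    |    |    \\--- org.bouncycastle:bcprov-jdk15on:1.65
|    |    |    +--- org.bouncycastle:bcprov-jdk15on:1.65
|    |    |    +--- org.slf4j:slf4j-api:1.7.36
|    |    |    +--- org.bouncycastle:bcprov-jdk15to18:1.77
"""

def as_tuple(version):
    return tuple(int(part) for part in version.split("."))

def audit_bouncycastle(report):
    """Return a list of problems with the Bouncy Castle jars in a Gradle report."""
    found = defaultdict(set)  # (lib, family) -> versions Gradle will use
    for line in report.splitlines():
        m = BC_COORD.search(line)
        if m:
            found[(m["lib"], m["family"])].add(m["resolved"] or m["requested"])

    families = sorted({family for _, family in found})
    versions = sorted({v for vs in found.values() for v in vs}, key=as_tuple)
    problems = []
    if len(families) > 1:
        # Different artifact names ship the same org.bouncycastle.* classes.
        problems.append("mixed artifact families: " + ", ".join(families))
    if len(versions) > 1:
        problems.append("mixed versions: " + ", ".join(versions))
    for (lib, family), vs in sorted(found.items()):
        # Per the thread, some code moved into a separate bcutil jar as of v1.69.
        if lib == "bcpkix" and max(map(as_tuple, vs)) >= (1, 69) \
                and ("bcutil", family) not in found:
            problems.append(f"bcpkix-{family} is present without bcutil-{family}")
    return problems

if __name__ == "__main__":
    for problem in audit_bouncycastle(REPORT_FROM_ISSUE):
        print("WARNING:", problem)
```

Run in CI against the saved output of `./gradlew app:dependencies`, a non-empty result means the classpath still mixes Bouncy Castle jars.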

So, to conclude, we must move to the higher versions of all three jars as below??

  • bcprov-jdk15to18:1.80
  • bcpkix-jdk15to18:1.80
  • bcutil-jdk15to18:1.80

@peterdettman

I will try this and update here if I am getting missing classes / unresolved class error any more.

moumitaDas15 avatar May 08 '25 08:05 moumitaDas15

Inactive, presumed resolved.

dghgit avatar Aug 11 '25 04:08 dghgit