
use BouncyCastle as a library vs a JCE provider

Open jclouds opened this issue 11 years ago • 15 comments

In jclouds, we'd like to make tools that can be completely contained in a single jar. Ex. http://skife.org/java/unix/2011/06/20/really_executable_jars.html

While sshj uses BouncyCastle as a JCE provider, this is not possible due to signed jar issues. It complicates things and many forget to put it separately or have to screw with their shade config, etc. In general, while a good idea, it introduces some accidental complexity.

Can we move sshj to just use BouncyCastle libraries? In doing so apps like jclouds don't need to dance around JCE issues, making a much cleaner experience.

jclouds avatar Jul 08 '12 16:07 jclouds

Agreed, this will make sshj usage more straightforward.

shikhar avatar Jul 08 '12 18:07 shikhar

Has there been any progress on this issue? I'm facing the exact same issue as described here:

http://stackoverflow.com/questions/19815748/sshj-and-the-maven-shade-plugin

That is, I'm trying to create an executable jar file with the sshj "baked in" but I'm failing to use sshj since the bouncycastle jar file seems to be unusable as a JCE provider in such a setup.

petergardfjall avatar Jan 31 '14 12:01 petergardfjall

A PR would be welcome. Currently a bit short on time to implement this.

hierynomus avatar Jan 09 '15 13:01 hierynomus

This issue is really annoying for Java EE applications, where we use to deploy an uber WAR file including all the dependencies. Because of that I had to switch from sshj to Jsch :-(

Zlika avatar Apr 21 '15 06:04 Zlika

I will try to solve this in 1.0.0 (which introduces more breaking changes)...

hierynomus avatar Apr 21 '15 08:04 hierynomus

Great. I suppose this will also resolve #188.

dkocher avatar Apr 21 '15 08:04 dkocher

Yes, I will make it switchable so that on Android you can use Spongy


hierynomus avatar Apr 21 '15 08:04 hierynomus

@jclouds @hierynomus I'm assuming this is still an issue. As we wait for the release of v1.0.0, what is the recommended workaround solution for developers that want to bundle their apps as uber/fat jars?

For my project, I'm using Gradle to create my uber jar (as opposed to Maven Shade).

raskasa avatar Nov 25 '15 03:11 raskasa

@jclouds @hierynomus @raskasa Has there been any progress on this? We also have the exact use case where we must use a shade jar.

igkins avatar Oct 25 '16 20:10 igkins

Welp, I think I have hit this as well.

wilx avatar Jun 23 '17 10:06 wilx

Same here. Did anyone find a workaround for this?

FearlessHyena avatar Aug 08 '17 03:08 FearlessHyena

Hit this myself.

daum avatar Jan 23 '18 21:01 daum

Just hit this myself. Going to try a different library :(

MrThomasWagner avatar May 14 '19 19:05 MrThomasWagner

Why does the code even try to force BouncyCastle? I tried to disable the BouncyCastle provider registration and I have changed some to not depend on it and most tests pass. It seems to me that the only major failing part is the Elliptic Curves stuff. It seems to me recent JDK should provide enough to implement at least a few viable combinations of algorithms for SSH connections.

diff --git a/src/main/java/net/schmizz/sshj/DefaultConfig.java b/src/main/java/net/schmizz/sshj/DefaultConfig.java
index 00eb521..3d4e737 100644
--- a/src/main/java/net/schmizz/sshj/DefaultConfig.java
+++ b/src/main/java/net/schmizz/sshj/DefaultConfig.java
@@ -104,7 +104,7 @@ public class DefaultConfig
     }
 
     protected void initKeyExchangeFactories(boolean bouncyCastleRegistered) {
-        if (bouncyCastleRegistered) {
+        if (true || bouncyCastleRegistered) {
             setKeyExchangeFactories(
                     new Curve25519SHA256.Factory(),
                     new Curve25519SHA256.FactoryLibSsh(),
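
Review bot: `if (true || bouncyCastleRegistered)` in initKeyExchangeFactories is a constant condition, so the `bouncyCastleRegistered` parameter no longer has any effect and the Curve25519SHA256 factories are always offered. If the goal is to stop depending on BC registration, drop the check and the parameter instead of short-circuiting it, and decide per factory whether the running JDK can actually back it, since the accompanying comment reports the elliptic-curve code as the part that still fails.
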
@@ -139,7 +139,7 @@ public class DefaultConfig
     }
 
     protected void initFileKeyProviderFactories(boolean bouncyCastleRegistered) {
-        if (bouncyCastleRegistered) {
+        if (true || bouncyCastleRegistered) {
             setFileKeyProviderFactories(
                     new OpenSSHKeyV1KeyFile.Factory(),
                     new PKCS8KeyFile.Factory(),
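
Review bot: the same `true ||` short-circuit in initFileKeyProviderFactories enables OpenSSHKeyV1KeyFile.Factory and PKCS8KeyFile.Factory whether or not a provider was registered, and nothing in the patch shows that these key-file parsers work without one. Replace the constant with a real capability check, or add a test that loads each key format with BC absent, so an unsupported format is rejected when the configuration is built rather than later, when a key is read.
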
diff --git a/src/main/java/net/schmizz/sshj/common/SecurityUtils.java b/src/main/java/net/schmizz/sshj/common/SecurityUtils.java
index eb4bab0..01d4335 100644
--- a/src/main/java/net/schmizz/sshj/common/SecurityUtils.java
+++ b/src/main/java/net/schmizz/sshj/common/SecurityUtils.java
@@ -58,7 +58,7 @@ public class SecurityUtils {
     private static String securityProvider = null;
 
     // relate to BC registration (or SpongyCastle on Android)
-    private static Boolean registerBouncyCastle;
+    private static Boolean registerBouncyCastle = false;
     private static boolean registrationDone;
 
     public static boolean registerSecurityProvider(String providerClassName) {
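
Review bot: initialising `registerBouncyCastle` to `false` changes the default for every caller, not only for shaded-jar builds. The field is a boxed `Boolean` with no initialiser, which reads as a deliberate "not decided yet" state next to `registrationDone`, and hard-coding `false` removes that state. Keep the existing default and make disabling registration an explicit choice by the application, and document which algorithms are lost when it is off.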

wilx avatar May 14 '19 22:05 wilx
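
To check on a given runtime whether the JDK alone covers what an SSH client needs, the following added example (not code from sshj or from any commenter) asks the JCA which registered provider, if any, serves each primitive. The class name and the algorithm selection are assumptions made for illustration; it does not exercise sshj's own code paths.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.Security;
import java.security.Signature;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.Mac;

public class JdkOnlySshCryptoProbe {
    // {JCA service, JCA algorithm, SSH algorithm family it backs}. Illustrative selection, not sshj's list.
    // X25519 needs JDK 11+, Ed25519 needs JDK 15+ when only the built-in providers are present.
    static final String[][] WANTED = {
        {"KeyAgreement", "X25519",            "curve25519-sha256"},
        {"KeyAgreement", "ECDH",              "ecdh-sha2-nistp*"},
        {"KeyAgreement", "DH",                "diffie-hellman-group*"},
        {"KeyFactory",   "EC",                "ecdsa-sha2-nistp* keys"},
        {"Signature",    "Ed25519",           "ssh-ed25519"},
        {"Signature",    "SHA256withECDSA",   "ecdsa-sha2-nistp256"},
        {"Signature",    "SHA512withRSA",     "rsa-sha2-512"},
        {"Cipher",       "AES/CTR/NoPadding", "aes*-ctr"},
        {"Cipher",       "AES/GCM/NoPadding", "aes*-gcm@openssh.com"},
        {"Mac",          "HmacSHA256",        "hmac-sha2-256"},
    };

    /** Name of the provider that would serve the request, or null if none is registered. */
    static String providerFor(String service, String algorithm) {
        try {
            switch (service) {
                case "KeyAgreement": return KeyAgreement.getInstance(algorithm).getProvider().getName();
                case "KeyFactory":   return KeyFactory.getInstance(algorithm).getProvider().getName();
                case "Signature":    return Signature.getInstance(algorithm).getProvider().getName();
                case "Cipher":       return Cipher.getInstance(algorithm).getProvider().getName();
                case "Mac":          return Mac.getInstance(algorithm).getProvider().getName();
                default: throw new IllegalArgumentException("unknown service " + service);
            }
        } catch (GeneralSecurityException e) { // no provider offers this algorithm or padding
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("BC provider registered: " + (Security.getProvider("BC") != null));
        int missing = 0;
        for (String[] w : WANTED) {
            String provider = providerFor(w[0], w[1]);
            if (provider == null) missing++;
            System.out.printf("%-12s %-18s %-24s %s%n", w[0], w[1], w[2], provider == null ? "MISSING" : provider);
        }
        System.exit(missing == 0 ? 0 : 1); // non-zero exit when any primitive is unavailable
    }
}
```

Run it on the same JVM and classpath as the shaded application: any row marked MISSING is an algorithm family that cannot be negotiated without an additional provider.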

What is the impact of disabling Bouncy Castle? Will there be corner cases with some remote machines? Fewer encryption models supported?

I also had a problem with Bouncy Castle because my vagrant vbox vm didn't have enough entropy (rndnd was not installed by default).

nmoreaud avatar Sep 16 '20 16:09 nmoreaud