Support bc-fips in BouncyCastleSelfSignedCertGenerator (#13954)
Motivation:

When using the bouncycastle FIPS dependencies (bcpkix-fips instead of bcpkix, and bc-fips instead of bcprov), BouncyCastleProvider is replaced by BouncyCastleFipsProvider. This made BouncyCastleSelfSignedCertGenerator fail even though all the necessary algorithms are present.

While bc-fips is only necessary for fips-compliant production deployments, and self-signed certs are only necessary in test deployments that don't have to be fips-compliant, this change is still useful because the fips and non-fips artifacts cannot exist alongside each other. So if you have a prod fips dependency, tests that also have a non-fips dependency for self-signed certs cannot live alongside each other. It's easiest to just use the fips dependency everywhere.

Modification:

Use reflection in BouncyCastleSelfSignedCertGenerator to instantiate whichever provider is available. This has the advantage of not needing a new dependency, though it may have some impact on native image deployments. For this reason I've also added the providers to the reflect-config.json.

No test is possible because it would require a different classpath. I tested manually that it works by changing to the fips dependencies and then running SelfSignedCertificateTest, and checking with a debugger that the correct provider was used.

Result:

SelfSignedCertificate will work with bc-fips dependencies.
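The provider lookup described in the commit message can be sketched as follows. This is an added example, not the code from this commit or from the project; the class name `BcProviderLocator` and method `locate` are hypothetical, and it assumes exactly one of bcprov or bc-fips is on the classpath.

```java
import java.security.Provider;

// Added illustration (hypothetical class, not the project's code): pick the
// BouncyCastle JCA provider by reflection so the caller has no compile-time
// dependency on either the bcprov or the bc-fips artifact.
public final class BcProviderLocator {

    // Candidate provider classes, tried in order.
    private static final String[] CANDIDATES = {
        "org.bouncycastle.jce.provider.BouncyCastleProvider",        // bcprov
        "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"  // bc-fips
    };

    private BcProviderLocator() { }

    static Provider locate() {
        ClassLoader loader = BcProviderLocator.class.getClassLoader();
        for (String name : CANDIDATES) {
            try {
                Class<?> cls = Class.forName(name, true, loader);
                // Both providers expose a public no-argument constructor.
                return (Provider) cls.getConstructor().newInstance();
            } catch (ClassNotFoundException e) {
                // This artifact is not on the classpath; try the next one.
            } catch (ReflectiveOperationException | LinkageError e) {
                // The class is present but unusable: fail loudly instead of
                // silently falling through to a different provider.
                throw new IllegalStateException(
                        "Found " + name + " but could not instantiate it", e);
            }
        }
        throw new IllegalStateException(
                "Neither bcprov nor bc-fips is on the classpath");
    }

    public static void main(String[] args) {
        Provider p = locate();
        // Print which provider was actually selected, so the choice can be
        // confirmed without attaching a debugger.
        System.out.println(p.getName() + " -> " + p.getClass().getName());
    }
}
```

In a native image, `Class.forName` with these names only resolves if both classes are registered for reflection, which is the reason the commit message gives for adding the providers to reflect-config.json.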