Bug 575621 - bouncycastle 1.69 has invalid package imports
Summary: bouncycastle 1.69 has invalid package imports
Status: NEW
Alias: None
Product: Orbit
Classification: Tools
Component: bundles (show other bugs)
Version: unspecified   Edit
Hardware: PC Linux
: P3 normal (vote)
Target Milestone: ---   Edit
Assignee: Orbit Bundles CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-08-25 10:33 EDT by Simeon Andreev CLA
Modified: 2021-09-21 02:55 EDT (History)
3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Simeon Andreev CLA 2021-08-25 10:33:39 EDT 
When trying out lastest EGit/JGit build, we noticed invalid package imports (i.e. packages that are not exported by any plug-in):

Error: [org.bouncycastle.bcpkix 1.69.0.v20210713-1924] package not found: org.bouncycastle.asn1.bsi [1.69.0,1.70)
Error: [org.bouncycastle.bcpkix 1.69.0.v20210713-1924] package not found: org.bouncycastle.asn1.cmp [1.69.0,1.70)
Error: [org.bouncycastle.bcpkix 1.69.0.v20210713-1924] package not found: org.bouncycastle.asn1.cms [1.69.0,1.70)
Error: [org.bouncycastle.bcpkix 1.69.0.v20210713-1924] package not found: org.bouncycastle.asn1.cms.ecc [1.69.0,1.70)
Error: [org.bouncycastle.bcpkix 1.69.0.v20210713-1924] package not found: org.bouncycastle.asn1.crmf [1.69.0,1.70)
Error: [org.bouncycastle.bcpkix 1.69.0.v20210713-1924] package not found: org.bouncycastle.asn1.dvcs [1.69.0,1.70)
Error: [org.bouncycastle.bcpkix 1.69.0.v20210713-1924] package not found: org.bouncycastle.asn1.eac [1.69.0,1.70)
Error: [org.bouncycastle.bcpkix 1.69.0.v20210713-1924] package not found: org.bouncycastle.asn1.ess [1.69.0,1.70)
Error: [org.bouncycastle.bcpkix 1.69.0.v20210713-1924] package not found: org.bouncycastle.asn1.est [1.69.0,1.70)
Error: [org.bouncycastle.bcpkix 1.69.0.v20210713-1924] package not found: org.bouncycastle.asn1.tsp [1.69.0,1.70)
(errors listed by validators from https://github.com/iloveeclipse/plugindependencies)

Upon manual inspection, I see the packages above have been moved to internal packages, e.g.:

+org.bouncycastle.internal.asn1.bsi;x-internal:=true;version="1.69.0";uses:="org.bouncycastle.asn1"
+org.bouncycastle.internal.asn1.cms;x-internal:=true;version="1.69.0";uses:="org.bouncycastle.asn1"
+org.bouncycastle.internal.asn1.eac;x-internal:=true;version="1.69.0";uses:="org.bouncycastle.asn1"
+org.bouncycastle.internal.asn1.isismtt;x-internal:=true;version="1.69.0";uses:="org.bouncycastle.asn1"

This change is not reflected in the package imports of "org.bouncycastle.bcpkix", they still refer to the old non-internal packages. E.g.:

...:/home/sandreev/tmp/jep2663/bc/169$ grep -r -B 1 "org.bouncycastle.asn1.bsi" .
[..]
./org.bouncycastle.bcpkix_1.69.0.v20210713-1924/META-INF/MANIFEST.MF-Import-Package: org.bouncycastle.asn1;version="[1.69.0,1.70)",org.bouncy
./org.bouncycastle.bcpkix_1.69.0.v20210713-1924/META-INF/MANIFEST.MF: castle.asn1.bc;version="[1.69.0,1.70)",org.bouncycastle.asn1.bsi;versio

And by the looks of it, also in its source code:

org.bouncycastle.bcpkix.source_1.69.0.v20210713-1924/org/bouncycastle/cms/DefaultCMSSignatureAlgorithmNameGenerator.java:import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
org.bouncycastle.bcpkix.source_1.69.0.v20210713-1924/org/bouncycastle/cms/CMSAlgorithm.java:import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
org.bouncycastle.bcpkix.source_1.69.0.v20210713-1924/org/bouncycastle/operator/jcajce/OperatorHelper.java:import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
org.bouncycastle.bcpkix.source_1.69.0.v20210713-1924/org/bouncycastle/operator/DefaultAlgorithmNameFinder.java:import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
org.bouncycastle.bcpkix.source_1.69.0.v20210713-1924/org/bouncycastle/operator/DefaultDigestAlgorithmIdentifierFinder.java:import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
org.bouncycastle.bcpkix.source_1.69.0.v20210713-1924/org/bouncycastle/operator/DefaultSignatureAlgorithmIdentifierFinder.java:import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;

E.g. what is in 1.69:

org.bouncycastle.bcprov.source_1.69.0.v20210713-1924/org/bouncycastle/internal/asn1/bsi/BSIObjectIdentifiers.java:package org.bouncycastle.internal.asn1.bsi;

E.g. what used to be in 1.65:

org.bouncycastle.bcprov.source_1.65.1.v20200529-1514/org/bouncycastle/asn1/bsi/BSIObjectIdentifiers.java:package org.bouncycastle.asn1.bsi;

I see the same when I clone: https://github.com/bcgit/bc-java.git

...:/home/sandreev/git/misc/bc-java[master]$ git grep org.bouncycastle.asn1.bsi
ant/bc+-build.xml:                 <exclude name="org/bouncycastle/asn1/bsi/**" />
ant/bc+-build.xml:                 <include name="org/bouncycastle/asn1/bsi/**" />
ant/bc+-build.xml:              <include name="org/bouncycastle/asn1/bsi/*.java" />
ant/bc+-build.xml:                <include name="org/bouncycastle/asn1/bsi/**/*.html" />
pkix/src/main/java/org/bouncycastle/cms/CMSAlgorithm.java:import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
pkix/src/main/java/org/bouncycastle/cms/DefaultCMSSignatureAlgorithmNameGenerator.java:import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
pkix/src/main/java/org/bouncycastle/operator/DefaultAlgorithmNameFinder.java:import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
pkix/src/main/java/org/bouncycastle/operator/DefaultDigestAlgorithmIdentifierFinder.java:import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
pkix/src/main/java/org/bouncycastle/operator/DefaultSignatureAlgorithmIdentifierFinder.java:import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
pkix/src/main/java/org/bouncycastle/operator/jcajce/OperatorHelper.java:import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
pkix/src/main/jdk1.1/org/bouncycastle/operator/jcajce/OperatorHelper.java:import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
pkix/src/main/jdk1.3/org/bouncycastle/operator/jcajce/OperatorHelper.java:import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
tls/src/main/java/org/bouncycastle/tls/TlsUtils.java:import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
util/src/main/java/org/bouncycastle/asn1/bsi/BSIObjectIdentifiers.java:package org.bouncycastle.asn1.bsi;
util/src/main/jdk1.9/module-info.java:    exports org.bouncycastle.asn1.bsi;

...:/home/sandreev/git/misc/bc-java[master]$ git grep org.bouncycastle.internal.asn1.bsi
core/src/main/java/org/bouncycastle/internal/asn1/bsi/BSIObjectIdentifiers.java:package org.bouncycastle.internal.asn1.bsi;
prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/EC.java:import org.bouncycastle.internal.asn1.bsi.BSIObjectIdentifiers;
prov/src/main/java/org/bouncycastle/jce/provider/ProvOcspRevocationChecker.java:import org.bouncycastle.internal.asn1.bsi.BSIObjectIdentifiers;
prov/src/main/java/org/bouncycastle/jce/provider/ProvRevocationChecker.java:import org.bouncycastle.internal.asn1.bsi.BSIObjectIdentifiers;
prov/src/test/java/org/bouncycastle/jce/provider/test/DHTest.java:import org.bouncycastle.internal.asn1.bsi.BSIObjectIdentifiers;
prov/src/test/java/org/bouncycastle/jce/provider/test/ECDSA5Test.java:import org.bouncycastle.internal.asn1.bsi.BSIObjectIdentifiers;


I've asked the author of the bouncycastle commit whether just the manifest package imports are wrong or the source code is also wrong:

https://github.com/bcgit/bc-java/commit/feee177c533ccf971d600c9ee2b9ab8fe6dd848f
Comment 1 Simeon Andreev CLA 2021-09-20 10:34:10 EDT 
I missed the reply from one of the bouncycastle contributors. Apparently we are missing this jar:

https://download.eclipse.org/tools/orbit/downloads/drops2/S20210817231813/repository/plugins/org.bouncycastle.bcutil_1.69.0.v20210713-1924.jar

When I build EGit, I don't see it in the built result. I only find the following bouncycastle bundles:

...:/data/git/egit[jep2663]$ find . -name *bouncy*
./org.eclipse.egit.repository/target/repository/plugins/org.bouncycastle.bcprov.source_1.69.0.v20210713-1924.jar
./org.eclipse.egit.repository/target/repository/plugins/org.bouncycastle.bcpg.source_1.69.0.v20210713-1924.jar
./org.eclipse.egit.repository/target/repository/plugins/org.bouncycastle.bcpg_1.69.0.v20210713-1924.jar
./org.eclipse.egit.repository/target/repository/plugins/org.bouncycastle.bcpkix.source_1.69.0.v20210713-1924.jar
./org.eclipse.egit.repository/target/repository/plugins/org.bouncycastle.bcpkix_1.69.0.v20210713-1924.jar
./org.eclipse.egit.repository/target/repository/plugins/org.bouncycastle.bcprov_1.69.0.v20210713-1924.jar

The targets do require the util bundle though, e.g.:

org.eclipse.egit.target/egit-4.21.target:      <unit id="org.bouncycastle.bcutil" version="1.69.0.v20210713-1924"/>
org.eclipse.egit.target/egit-4.21.target:      <unit id="org.bouncycastle.bcutil.source" version="1.69.0.v20210713-1924"/>

The Orbit location also has the util bundle we would need:

https://download.eclipse.org/tools/orbit/downloads/drops/S20210817231813/

https://download.eclipse.org/tools/orbit/downloads/drops2/S20210817231813/repository/plugins/org.bouncycastle.bcutil_1.69.0.v20210713-1924.jar

Matthias, any idea why the bundle org.bouncycastle.bcutil is missing in the EGit build?
Comment 2 Christian Dietrich CLA 2021-09-20 10:48:21 EDT 
maybe you are missing it here
https://git.eclipse.org/r/plugins/gitiles/egit/egit/+/refs/heads/master/org.eclipse.egit.repository/category.xml
for repackaging
Comment 3 Eclipse Genie CLA 2021-09-20 11:10:21 EDT 
New Gerrit change created: https://git.eclipse.org/r/c/jgit/jgit/+/185611
Comment 4 Eclipse Genie CLA 2021-09-20 13:16:43 EDT 
New Gerrit change created: https://git.eclipse.org/r/c/egit/egit/+/185623
Comment 7 Simeon Andreev CLA 2021-09-21 02:55:02 EDT 
OK, with the 2 commits here our products platform builds without an error.

Thanks Matthias!