Add support for JCA security providers

[smirandamedallia]

• Update the various classes to use jcajce rather than bc
• Add support to set the security provider at a library level
• Use BC and default provider

[smirandamedallia]

I couldn't make this work when I run this with ./gradlew build.
It gives me the following error:

org.bouncycastle.openpgp.PGPException: exception constructing public key
	at org.c02e.jpgpj.Encryptor.encrypt(Encryptor.java:1130)
	at org.c02e.jpgpj.Encryptor.prepareCiphertextOutputStream(Encryptor.java:974)
	at org.c02e.jpgpj.Encryptor.encrypt(Encryptor.java:857)
	at org.c02e.jpgpj.Encryptor.encrypt(Encryptor.java:826)
	at org.c02e.jpgpj.EncryptorSpec.encrypt and sign with no usage flags(EncryptorSpec.groovy:781)
Caused by: java.security.spec.InvalidParameterSpecException: Not a supported curve: java.security.spec.ECGenParameterSpec@5b0e7c05
	at java.base/sun.security.util.ECParameters.engineInit(ECParameters.java:130)
	at java.base/java.security.AlgorithmParameters.init(AlgorithmParameters.java:294)
	... 5 more

Could you please take a look

[justinludwig]

This is just an artifact of some peculiarities with groovy compilation and class loading (it fails here and not elsewhere because the JDK's default JCA implementation can handle the other test public keys, but not this test key using the P-256 curve). I believe right now it fails only when this class is recompiled and run in the same process (and not when compiled and run separately); and it will go away if a BouncyCastleProvider instance is set directly on the JcaContextHelper.securityProvider property (instead of indirectly via the JCA apparatus of Security.addProvider() / Security.getProvider()).

[smirandamedallia]

I have upgraded the version number since BC provider must be present in the list of providers or the Provider must be set before performing PGP operations

Security.addProvider(new BouncyCastleProvider())

[justinludwig]

Thank you for going ahead and doing this refactoring! It looks good to me -- I mainly have a few small suggestions (noted inline).

The one big suggestion I have is that instead of requiring JPGPJ users to register the BouncyCastleProvider with JCA (ie by calling Security.addProvider(new BouncyCastleProvider())), the JcaContextHelper class should itself try to initialize its securityProvider property with a BouncyCastleProvider instance directly. That way, existing users won't have to make any changes to their code, and can avoid messing around with JCA if they don't want to.

So that users can also use the alternative FIPS implementation if they do want to, we can do this initialization via reflection (see my suggestion for this inline) -- it'll be kind of ugly, but will make it easy for users who just use the regular Bouncy Castle implementation to do so without any JCA fiddling -- while still avoiding a big fireball that stymies users who do want to use the FIPS implementation instead.

[justinludwig]

Pull the creation of this generator (and the setting of the security provider on it) into a new factory method of the new JcaContextProvider class, like you did elsewhere for other JCA-aware objects.

[justinludwig]

Pull this into a new factory method of the JcaContextProvider class, as well.

[justinludwig]

Pull this into a new factory method of the JcaContextProvider class, as well.

[justinludwig]

Let's name this class JcaContextHelper instead of JCAContextHelper, to match the casing convention of other class names with initialisms in this project, like EncryptedAsciiArmorHeadersCallback etc.

[justinludwig]

For the convenience of users who don't otherwise need to fiddle with JCA, let's try to automatically set the securityProvider property to a BouncyCastleProvider instance by default -- and fail as gracefully as possible if it's not available. Something like this:

    private static Provider securityProvider;
    static {
        try {
           securityProvider = (Provider) Class.forName(
                "org.bouncycastle.jce.provider.BouncyCastleProvider"
            ).getDeclaredConstructor().newInstance();
        } catch (Exception e) {
            LoggerFactory.getLogger(JCAContextHelper.class.getName()).warn(
                "not using BC security provider");
        }
    }

[justinludwig]

Instead of wrapping this with a RuntimeException, wrap this with a PGPException (so users can catch a PGPException in their own code if that want to handle anything PGP-related going wrong when they use JPGPJ).

[justinludwig]

Instead of wrapping the PGPException with a RuntimeException, let's just change the signature of this buildDecryptor method to throws PGPException.

[justinludwig]

We won't need this (here, and same for the other test specs) if we change the JcaProviderHelper to automatically use the BouncyCastleProvider when available.

[justinludwig]

This is just an artifact of some peculiarities with groovy compilation and class loading (it fails here and not elsewhere because the JDK's default JCA implementation can handle the other test public keys, but not this test key using the P-256 curve). I believe right now it fails only when this class is recompiled and run in the same process (and not when compiled and run separately); and it will go away if a BouncyCastleProvider instance is set directly on the JcaContextHelper.securityProvider property (instead of indirectly via the JCA apparatus of Security.addProvider() / Security.getProvider()).

[smirandamedallia]

@justinludwig Thanks for the quick response. i have addressed the changes and have updated the version to 1.2 since it is non-breaking change

[justinludwig]

Thanks! I will push out a release for this to maven central in a day or two.

[smirandamedallia]

Thanks

[justinludwig]

I pushed JPGPJ version 1.2 with this to maven central.