From 59d84b167ed3138589e9a10bf333dd6413c4db2e Mon Sep 17 00:00:00 2001 From: Andrey Pleskach Date: Wed, 28 Jun 2023 23:12:09 +0200 Subject: [PATCH] Bump BouncyCastle from jdk15on to jdk15to18 (#8247) jdk15on is no longer supported since development was moved from jdk15on to jdk18on. jdk15to18 contains fixes for: - CVE-2023-33201 - CVE-2022-45146 Signed-off-by: Andrey Pleskach (cherry picked from commit 9856cb77bc1bf6908210d91af7f95cc29d41b3a5) 
Signed-off-by: Andrey Pleskach --- CHANGELOG.md | 4 ++++ buildSrc/version.properties | 2 +- plugins/ingest-attachment/build.gradle | 6 +++--- .../ingest-attachment/licenses/bcmail-jdk15on-1.70.jar.sha1 | 1 - .../licenses/bcmail-jdk15to18-1.75.jar.sha1 | 1 + ...ail-jdk15on-LICENSE.txt => bcmail-jdk15to18-LICENSE.txt} | 0 ...cmail-jdk15on-NOTICE.txt => bcmail-jdk15to18-NOTICE.txt} | 0 .../ingest-attachment/licenses/bcpkix-jdk15on-1.70.jar.sha1 | 1 - .../licenses/bcpkix-jdk15to18-1.75.jar.sha1 | 1 + ...kix-jdk15on-LICENSE.txt => bcpkix-jdk15to18-LICENSE.txt} | 0 ...cpkix-jdk15on-NOTICE.txt => bcpkix-jdk15to18-NOTICE.txt} | 0 .../ingest-attachment/licenses/bcprov-jdk15on-1.70.jar.sha1 | 1 - .../licenses/bcprov-jdk15to18-1.75.jar.sha1 | 1 + ...rov-jdk15on-LICENSE.txt => bcprov-jdk15to18-LICENSE.txt} | 0 ...cprov-jdk15on-NOTICE.txt => bcprov-jdk15to18-NOTICE.txt} | 0 .../src/main/plugin-metadata/plugin-security.policy | 3 --- test/fixtures/hdfs-fixture/build.gradle | 2 +- 17 files changed, 12 insertions(+), 11 deletions(-) delete mode 100644 plugins/ingest-attachment/licenses/bcmail-jdk15on-1.70.jar.sha1 create mode 100644 plugins/ingest-attachment/licenses/bcmail-jdk15to18-1.75.jar.sha1 rename plugins/ingest-attachment/licenses/{bcmail-jdk15on-LICENSE.txt => bcmail-jdk15to18-LICENSE.txt} (100%) rename plugins/ingest-attachment/licenses/{bcmail-jdk15on-NOTICE.txt => bcmail-jdk15to18-NOTICE.txt} (100%) delete mode 100644 plugins/ingest-attachment/licenses/bcpkix-jdk15on-1.70.jar.sha1 create mode 100644 plugins/ingest-attachment/licenses/bcpkix-jdk15to18-1.75.jar.sha1 rename plugins/ingest-attachment/licenses/{bcpkix-jdk15on-LICENSE.txt => bcpkix-jdk15to18-LICENSE.txt} (100%) rename plugins/ingest-attachment/licenses/{bcpkix-jdk15on-NOTICE.txt => bcpkix-jdk15to18-NOTICE.txt} (100%) delete mode 100644 plugins/ingest-attachment/licenses/bcprov-jdk15on-1.70.jar.sha1 create mode 100644 plugins/ingest-attachment/licenses/bcprov-jdk15to18-1.75.jar.sha1 rename 
plugins/ingest-attachment/licenses/{bcprov-jdk15on-LICENSE.txt => bcprov-jdk15to18-LICENSE.txt} (100%) rename plugins/ingest-attachment/licenses/{bcprov-jdk15on-NOTICE.txt => bcprov-jdk15to18-NOTICE.txt} (100%)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 51ce86c1dee09..b5e891a59cc14 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 ## [Unreleased 1.x]
 ### Added
 ### Dependencies
+- Bump `org.bouncycastle:bcprov-jdk15on` to `org.bouncycastle:bcprov-jdk15to18` version 1.75 ([#8247](https://github.com/opensearch-project/OpenSearch/pull/8247))
+- Bump `org.bouncycastle:bcmail-jdk15on` to `org.bouncycastle:bcmail-jdk15to18` version 1.75 ([#8247](https://github.com/opensearch-project/OpenSearch/pull/8247))
+- Bump `org.bouncycastle:bcpkix-jdk15on` to `org.bouncycastle:bcpkix-jdk15to18` version 1.75 ([#8247](https://github.com/opensearch-project/OpenSearch/pull/8247))
+
 ### Changed
 ### Deprecated
 ### Removed
diff --git a/buildSrc/version.properties b/buildSrc/version.properties
index 97141c337184c..f3fd0295b6f9d 100644
--- a/buildSrc/version.properties
+++ b/buildSrc/version.properties
@@ -31,7 +31,7 @@ jetty = 9.4.51.v20230217
 # when updating this version, you need to ensure compatibility with:
 # - plugins/ingest-attachment (transitive dependency, check the upstream POM)
 # - distribution/tools/plugin-cli
-bouncycastle=1.70
+bouncycastle=1.75
 # test dependencies
 randomizedrunner = 2.7.1
 junit = 4.13.2
diff --git a/plugins/ingest-attachment/build.gradle b/plugins/ingest-attachment/build.gradle
index 8838b83cf3350..452d969aba862 100644
--- a/plugins/ingest-attachment/build.gradle
+++ b/plugins/ingest-attachment/build.gradle
@@ -71,9 +71,9 @@ dependencies {
 api "org.apache.pdfbox:fontbox:${versions.pdfbox}"
 api "org.apache.pdfbox:jempbox:1.8.16"
 api "commons-logging:commons-logging:${versions.commonslogging}"
- api "org.bouncycastle:bcmail-jdk15on:${versions.bouncycastle}"
- api "org.bouncycastle:bcprov-jdk15on:${versions.bouncycastle}"
- api "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
+ api "org.bouncycastle:bcmail-jdk15to18:${versions.bouncycastle}"
+ api "org.bouncycastle:bcprov-jdk15to18:${versions.bouncycastle}"
+ api "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
 // OpenOffice
 api "org.apache.poi:poi-ooxml:${versions.poi}"
 api "org.apache.poi:poi:${versions.poi}"
diff --git a/plugins/ingest-attachment/licenses/bcmail-jdk15on-1.70.jar.sha1 b/plugins/ingest-attachment/licenses/bcmail-jdk15on-1.70.jar.sha1
deleted file mode 100644
index 672e479eda8d7..0000000000000
--- a/plugins/ingest-attachment/licenses/bcmail-jdk15on-1.70.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-08f4aafad90f6cc7f16b9992279828ae848c9e0d
\ No newline at end of file
diff --git a/plugins/ingest-attachment/licenses/bcmail-jdk15to18-1.75.jar.sha1 b/plugins/ingest-attachment/licenses/bcmail-jdk15to18-1.75.jar.sha1
new file mode 100644
index 0000000000000..e6840a9b02b38
--- /dev/null
+++ b/plugins/ingest-attachment/licenses/bcmail-jdk15to18-1.75.jar.sha1
@@ -0,0 +1 @@
+b316bcd094e3917b1ece93a6edbab93f8315fb3b
\ No newline at end of file
diff --git a/plugins/ingest-attachment/licenses/bcmail-jdk15on-LICENSE.txt b/plugins/ingest-attachment/licenses/bcmail-jdk15to18-LICENSE.txt
similarity index 100%
rename from plugins/ingest-attachment/licenses/bcmail-jdk15on-LICENSE.txt
rename to plugins/ingest-attachment/licenses/bcmail-jdk15to18-LICENSE.txt
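Review bot: The three `api` lines now name `bc*-jdk15to18`, but nothing in this hunk keeps the old `bc*-jdk15on` jars from being resolved as well, and both artifact families provide the same `org.bouncycastle` packages. The comment in buildSrc/version.properties describes BouncyCastle here as a transitive dependency whose upstream POM has to be checked; if that POM (not visible in this patch) still requests jdk15on, the 1.70 classes that the commit message associates with CVE-2023-33201 and CVE-2022-45146 could end up next to 1.75. I would record the decision above the three lines, e.g. `// jdk15to18 replaces jdk15on; no bc*-jdk15on jar may remain on the resolved classpath`, and confirm it against the resolved dependency list for the plugin. The same applies to the `bcpkix-jdk15to18` line in test/fixtures/hdfs-fixture/build.gradle; in both files the `dependencies` block starts and ends outside the hunk.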
diff --git a/plugins/ingest-attachment/licenses/bcmail-jdk15on-NOTICE.txt b/plugins/ingest-attachment/licenses/bcmail-jdk15to18-NOTICE.txt
similarity index 100%
rename from plugins/ingest-attachment/licenses/bcmail-jdk15on-NOTICE.txt
rename to plugins/ingest-attachment/licenses/bcmail-jdk15to18-NOTICE.txt
diff --git a/plugins/ingest-attachment/licenses/bcpkix-jdk15on-1.70.jar.sha1 b/plugins/ingest-attachment/licenses/bcpkix-jdk15on-1.70.jar.sha1
deleted file mode 100644
index e348463a21257..0000000000000
--- a/plugins/ingest-attachment/licenses/bcpkix-jdk15on-1.70.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-f81e5af49571a9d5a109a88f239a73ce87055417
\ No newline at end of file
diff --git a/plugins/ingest-attachment/licenses/bcpkix-jdk15to18-1.75.jar.sha1 b/plugins/ingest-attachment/licenses/bcpkix-jdk15to18-1.75.jar.sha1
new file mode 100644
index 0000000000000..9181b1c3ab1b6
--- /dev/null
+++ b/plugins/ingest-attachment/licenses/bcpkix-jdk15to18-1.75.jar.sha1
@@ -0,0 +1 @@
+f16e5252ad7a46d5eaf255231b0a5da307599082
\ No newline at end of file
diff --git a/plugins/ingest-attachment/licenses/bcpkix-jdk15on-LICENSE.txt b/plugins/ingest-attachment/licenses/bcpkix-jdk15to18-LICENSE.txt
similarity index 100%
rename from plugins/ingest-attachment/licenses/bcpkix-jdk15on-LICENSE.txt
rename to plugins/ingest-attachment/licenses/bcpkix-jdk15to18-LICENSE.txt
diff --git a/plugins/ingest-attachment/licenses/bcpkix-jdk15on-NOTICE.txt b/plugins/ingest-attachment/licenses/bcpkix-jdk15to18-NOTICE.txt
similarity index 100%
rename from plugins/ingest-attachment/licenses/bcpkix-jdk15on-NOTICE.txt
rename to plugins/ingest-attachment/licenses/bcpkix-jdk15to18-NOTICE.txt
diff --git a/plugins/ingest-attachment/licenses/bcprov-jdk15on-1.70.jar.sha1 b/plugins/ingest-attachment/licenses/bcprov-jdk15on-1.70.jar.sha1
deleted file mode 100644
index f5e89c0f5ed45..0000000000000
--- a/plugins/ingest-attachment/licenses/bcprov-jdk15on-1.70.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-4636a0d01f74acaf28082fb62b317f1080118371
\ No newline at end of file
diff --git a/plugins/ingest-attachment/licenses/bcprov-jdk15to18-1.75.jar.sha1 b/plugins/ingest-attachment/licenses/bcprov-jdk15to18-1.75.jar.sha1
new file mode 100644
index 0000000000000..9911bb75f9209
--- /dev/null
+++ b/plugins/ingest-attachment/licenses/bcprov-jdk15to18-1.75.jar.sha1
@@ -0,0 +1 @@
+df22e1b6a9f6b218913f5b68dd16641344397fe0
\ No newline at end of file
diff --git a/plugins/ingest-attachment/licenses/bcprov-jdk15on-LICENSE.txt b/plugins/ingest-attachment/licenses/bcprov-jdk15to18-LICENSE.txt
similarity index 100%
rename from plugins/ingest-attachment/licenses/bcprov-jdk15on-LICENSE.txt
rename to plugins/ingest-attachment/licenses/bcprov-jdk15to18-LICENSE.txt
diff --git a/plugins/ingest-attachment/licenses/bcprov-jdk15on-NOTICE.txt b/plugins/ingest-attachment/licenses/bcprov-jdk15to18-NOTICE.txt
similarity index 100%
rename from plugins/ingest-attachment/licenses/bcprov-jdk15on-NOTICE.txt
rename to plugins/ingest-attachment/licenses/bcprov-jdk15to18-NOTICE.txt
diff --git a/plugins/ingest-attachment/src/main/plugin-metadata/plugin-security.policy b/plugins/ingest-attachment/src/main/plugin-metadata/plugin-security.policy
index 0fa85f6f040f6..4b90f9a21aae4 100644
--- a/plugins/ingest-attachment/src/main/plugin-metadata/plugin-security.policy
+++ b/plugins/ingest-attachment/src/main/plugin-metadata/plugin-security.policy
@@ -35,9 +35,6 @@ grant { // needed to apply additional sandboxing to tika parsing permission java.security.SecurityPermission "createAccessControlContext"; - // TODO: fix PDFBox not to actually install bouncy castle like this - permission java.security.SecurityPermission "putProviderProperty.BC"; - permission java.security.SecurityPermission "insertProvider"; // TODO: fix POI XWPF to not do this: https://bz.apache.org/bugzilla/show_bug.cgi?id=58597 permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; // needed by xmlbeans, as part of POI for MS xml docs diff --git a/test/fixtures/hdfs-fixture/build.gradle b/test/fixtures/hdfs-fixture/build.gradle index be88b6f280a2f..f1ceaff60b6a5 100644 --- a/test/fixtures/hdfs-fixture/build.gradle +++ b/test/fixtures/hdfs-fixture/build.gradle @@ -47,7 +47,7 @@ dependencies { api "org.apache.logging.log4j:log4j-core:${versions.log4j}" api "io.netty:netty-all:${versions.netty}" api 'com.google.code.gson:gson:2.9.0' - api "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}" + api "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}" api "com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:${versions.jackson}" api "com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}" api "com.fasterxml.woodstox:woodstox-core:${versions.woodstox}"