[Backport 1.x] Bump BouncyCastle from jdk15on to jdk15to18 (opensearc…

…h-project#8247) (opensearch-project#8349) jdk15on are not supported anymore since based development was moved from jsk15on to jdk18on. jdk15to18 contains fixed for: - CVE-2023-33201 - CVE-2022-45146 (cherry picked from commit 9856cb7) Signed-off-by: Andrey Pleskach <ples@aiven.io>
willyborankin · Jun 29, 2023 · c8a63ba · c8a63ba
1 parent c9d5b3f
commit c8a63ba
Show file tree

Hide file tree

Showing 18 changed files with 30 additions and 15 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 ## [Unreleased 1.x]
 ### Added
 ### Dependencies
+- Bump `org.bouncycastle:bcprov-jdk15on` to `org.bouncycastle:bcprov-jdk15to18` version 1.75 ([#8247](https://github.com/opensearch-project/OpenSearch/pull/8247))
+- Bump `org.bouncycastle:bcmail-jdk15on` to `org.bouncycastle:bcmail-jdk15to18` version 1.75 ([#8247](https://github.com/opensearch-project/OpenSearch/pull/8247))
+- Bump `org.bouncycastle:bcpkix-jdk15on` to `org.bouncycastle:bcpkix-jdk15to18` version 1.75 ([#8247](https://github.com/opensearch-project/OpenSearch/pull/8247))
+
 ### Changed
 ### Deprecated
 ### Removed

diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
@@ -100,6 +100,20 @@ repositories {
 
 dependencies {
 
+  modules {
+    module("org.bouncycastle:bcprov-jdk15on") {
+      replacedBy("org.bouncycastle:bcprov-jdk15to18", "the jdk15on artifacts are not supported anymore")
+    }
+    module("org.bouncycastle:bcpkix-jdk15on") {
+      replacedBy("org.bouncycastle:bcpkix-jdk15to18", "the jdk15on artifacts are not supported anymore")
+    }
+    module("org.bouncycastle:bcpg-jdk15on") {
+      replacedBy("org.bouncycastle:bcpg-jdk15to18", "the jdk15on artifacts are not supported anymore")
+    }
+    module("org.bouncycastle:bcutil-jdk15on") {
+      replacedBy("org.bouncycastle:bcutil-jdk15to18", "the jdk15on artifacts are not supported anymore")
+    }
+  }
   api localGroovy()
 
   api 'commons-codec:commons-codec:1.15'
@@ -118,10 +132,10 @@ dependencies {
   api 'org.apache.maven:maven-model:3.6.2'
   api 'com.networknt:json-schema-validator:1.0.36'
   api "com.fasterxml.jackson.core:jackson-databind:${props.getProperty('jackson_databind')}"
-  api "org.bouncycastle:bcprov-jdk15on:${props.getProperty('bouncycastle')}"
-  api "org.bouncycastle:bcpkix-jdk15on:${props.getProperty('bouncycastle')}"
-  api "org.bouncycastle:bcpg-jdk15on:${props.getProperty('bouncycastle')}"
-  api "org.bouncycastle:bcutil-jdk15on:${props.getProperty('bouncycastle')}"
+  api "org.bouncycastle:bcprov-jdk15to18:${props.getProperty('bouncycastle')}"
+  api "org.bouncycastle:bcpkix-jdk15to18:${props.getProperty('bouncycastle')}"
+  api "org.bouncycastle:bcpg-jdk15to18:${props.getProperty('bouncycastle')}"
+  api "org.bouncycastle:bcutil-jdk15to18:${props.getProperty('bouncycastle')}"
 
   testFixturesApi "junit:junit:${props.getProperty('junit')}"
   testFixturesApi "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${props.getProperty('randomizedrunner')}"

diff --git a/buildSrc/version.properties b/buildSrc/version.properties
@@ -31,7 +31,7 @@ jetty             = 9.4.51.v20230217
 # when updating this version, you need to ensure compatibility with:
 #  - plugins/ingest-attachment (transitive dependency, check the upstream POM)
 #  - distribution/tools/plugin-cli
-bouncycastle=1.70
+bouncycastle=1.75
 # test dependencies
 randomizedrunner  = 2.7.1
 junit             = 4.13.2

diff --git a/plugins/ingest-attachment/build.gradle b/plugins/ingest-attachment/build.gradle
@@ -71,9 +71,9 @@ dependencies {
   api "org.apache.pdfbox:fontbox:${versions.pdfbox}"
   api "org.apache.pdfbox:jempbox:1.8.16"
   api "commons-logging:commons-logging:${versions.commonslogging}"
-  api "org.bouncycastle:bcmail-jdk15on:${versions.bouncycastle}"
-  api "org.bouncycastle:bcprov-jdk15on:${versions.bouncycastle}"
-  api "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
+  api "org.bouncycastle:bcmail-jdk15to18:${versions.bouncycastle}"
+  api "org.bouncycastle:bcprov-jdk15to18:${versions.bouncycastle}"
+  api "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
   // OpenOffice
   api "org.apache.poi:poi-ooxml:${versions.poi}"
   api "org.apache.poi:poi:${versions.poi}"

diff --git a/plugins/ingest-attachment/licenses/bcmail-jdk15on-1.70.jar.sha1 b/plugins/ingest-attachment/licenses/bcmail-jdk15on-1.70.jar.sha1
diff --git a/plugins/ingest-attachment/licenses/bcmail-jdk15to18-1.75.jar.sha1 b/plugins/ingest-attachment/licenses/bcmail-jdk15to18-1.75.jar.sha1
@@ -0,0 +1 @@
+b316bcd094e3917b1ece93a6edbab93f8315fb3b
diff --git a/...hment/licenses/bcmail-jdk15on-LICENSE.txt → ...ent/licenses/bcmail-jdk15to18-LICENSE.txt b/...hment/licenses/bcmail-jdk15on-LICENSE.txt → ...ent/licenses/bcmail-jdk15to18-LICENSE.txt
diff --git a/...chment/licenses/bcmail-jdk15on-NOTICE.txt → ...ment/licenses/bcmail-jdk15to18-NOTICE.txt b/...chment/licenses/bcmail-jdk15on-NOTICE.txt → ...ment/licenses/bcmail-jdk15to18-NOTICE.txt
diff --git a/plugins/ingest-attachment/licenses/bcpkix-jdk15on-1.70.jar.sha1 b/plugins/ingest-attachment/licenses/bcpkix-jdk15on-1.70.jar.sha1
diff --git a/plugins/ingest-attachment/licenses/bcpkix-jdk15to18-1.75.jar.sha1 b/plugins/ingest-attachment/licenses/bcpkix-jdk15to18-1.75.jar.sha1
@@ -0,0 +1 @@
+f16e5252ad7a46d5eaf255231b0a5da307599082
diff --git a/...hment/licenses/bcpkix-jdk15on-LICENSE.txt → ...ent/licenses/bcpkix-jdk15to18-LICENSE.txt b/...hment/licenses/bcpkix-jdk15on-LICENSE.txt → ...ent/licenses/bcpkix-jdk15to18-LICENSE.txt
diff --git a/...chment/licenses/bcpkix-jdk15on-NOTICE.txt → ...ment/licenses/bcpkix-jdk15to18-NOTICE.txt b/...chment/licenses/bcpkix-jdk15on-NOTICE.txt → ...ment/licenses/bcpkix-jdk15to18-NOTICE.txt
diff --git a/plugins/ingest-attachment/licenses/bcprov-jdk15on-1.70.jar.sha1 b/plugins/ingest-attachment/licenses/bcprov-jdk15on-1.70.jar.sha1
diff --git a/plugins/ingest-attachment/licenses/bcprov-jdk15to18-1.75.jar.sha1 b/plugins/ingest-attachment/licenses/bcprov-jdk15to18-1.75.jar.sha1
@@ -0,0 +1 @@
+df22e1b6a9f6b218913f5b68dd16641344397fe0
diff --git a/...hment/licenses/bcprov-jdk15on-LICENSE.txt → ...ent/licenses/bcprov-jdk15to18-LICENSE.txt b/...hment/licenses/bcprov-jdk15on-LICENSE.txt → ...ent/licenses/bcprov-jdk15to18-LICENSE.txt
diff --git a/...chment/licenses/bcprov-jdk15on-NOTICE.txt → ...ment/licenses/bcprov-jdk15to18-NOTICE.txt b/...chment/licenses/bcprov-jdk15on-NOTICE.txt → ...ment/licenses/bcprov-jdk15to18-NOTICE.txt
diff --git a/plugins/ingest-attachment/src/main/plugin-metadata/plugin-security.policy b/plugins/ingest-attachment/src/main/plugin-metadata/plugin-security.policy
@@ -35,9 +35,6 @@ grant {
   // needed to apply additional sandboxing to tika parsing
   permission java.security.SecurityPermission "createAccessControlContext";
 
-  // TODO: fix PDFBox not to actually install bouncy castle like this
-  permission java.security.SecurityPermission "putProviderProperty.BC";
-  permission java.security.SecurityPermission "insertProvider";
   // TODO: fix POI XWPF to not do this: https://bz.apache.org/bugzilla/show_bug.cgi?id=58597
   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
   // needed by xmlbeans, as part of POI for MS xml docs

diff --git a/test/fixtures/hdfs-fixture/build.gradle b/test/fixtures/hdfs-fixture/build.gradle
@@ -38,6 +38,7 @@ dependencies {
     exclude module: 'guava'
     exclude module: 'protobuf-java'
     exclude group: 'org.codehaus.jackson'
+    exclude group: "org.bouncycastle"
   }
 
   api "org.codehaus.jettison:jettison:${versions.jettison}"
@@ -47,7 +48,6 @@ dependencies {
   api "org.apache.logging.log4j:log4j-core:${versions.log4j}"
   api "io.netty:netty-all:${versions.netty}"
   api 'com.google.code.gson:gson:2.9.0'
-  api "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
   api "com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:${versions.jackson}"
   api "com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}"
   api "com.fasterxml.woodstox:woodstox-core:${versions.woodstox}"