Re: Setting security provider for Karaf 4.3.0-SNAPSHOT

2020-02-02 Thread Jean-Baptiste Onofré
Agree, we should take the same approach.

It should not be part of lib and more "startup" bundles (as we have
eventadmin and others).

I will create a Jira about that.

Regards
JB

On 02/02/2020 17:43, Romain Manni-Bucau wrote:
> This is a one way choice  so then bouncycastle becomes a jre provided lib
> (as jaxb was) for consumers and bundles are no more working or use other
> actual instances making it potentially corrupted if bundles and part of the
> boot - potentially not just karaf jars -must share bc. Also note it would
> prevent some osgi manifest feature (capabilities) to work if bc gets it at
> some point.
> 
> So guess the boot logic using it must be moved to early bundles too. Can be
> part of the jaxb work since it is exactly the same issue.
> 
> Wdyt?
> 
> On Sun, 2 Feb 2020 at 16:53, Benjamin Graf wrote:
> 
>> Hi together,
>>
>> how is it going with this topic? Actually bouncycastle is the de facto
>> standard security library for karaf and bundled by default. So taking
>> the approach explained by Robert sounds reasonable to upstream to Karaf
>> itself and moving libs from system to boot and maybe even register
>> org.apache.karaf.security.providers =
>> org.bouncycastle.jce.provider.BouncyCastleProvider. Something to be
>> solved before 4.3RC2?
>>
>> Regards,
>>
>> Benjamin
>>
>> On 15.01.2020 17:00, Robert Varga wrote:
>>> On 15/01/2020 16:25, Benjamin Graf wrote:
>>>> Hi,
>>>>
>>>> I'm actually playing around with the latest 4.3.0-SNAPSHOT. I recognize
>>>> that the ssh bundle is using bouncycastle for reading pem files right
>>>> now (KARAF-6383). The "issue" I'm facing is that if I like to set
>>>> bouncycastle as the security provider via
>>>> "org.apache.karaf.security.providers =
>>>> org.bouncycastle.jce.provider.BouncyCastleProvider" I have to distribute
>>>> the same bundle twice or otherwise have to remove it from system and add
>>>> needed packages to "org.osgi.framework.bootdelegation".
>>>>
>>>> Anybody seeing a better solution?
>>> Not sure, but in OpenDaylight we have two fragment bundles which attach
>>> to framework bundle and expose all of BouncyCastle to OSGi:
>>>
>>>
>>> https://github.com/opendaylight/odlparent/tree/master/karaf/bcpkix-framework-ext
>>> https://github.com/opendaylight/odlparent/tree/master/karaf/bcprov-framework-ext
>>>
>>> perhaps these should be upstreamed (but then we upgrade BC much more
>>> quickly than we upgrade Karaf).
>>>
>>> Regards,
>>> Robert
>>>
>>
>>
> 

-- 
Jean-Baptiste Onofré
jbono...@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com


Re: Setting security provider for Karaf 4.3.0-SNAPSHOT

2020-02-02 Thread Romain Manni-Bucau
This is a one way choice  so then bouncycastle becomes a jre provided lib
(as jaxb was) for consumers and bundles are no more working or use other
actual instances making it potentially corrupted if bundles and part of the
boot - potentially not just karaf jars -must share bc. Also note it would
prevent some osgi manifest feature (capabilities) to work if bc gets it at
some point.

So guess the boot logic using it must be moved to early bundles too. Can be
part of the jaxb work since it is exactly the same issue.

Wdyt?

On Sun, 2 Feb 2020 at 16:53, Benjamin Graf wrote:

> Hi together,
>
> how is it going with this topic? Actually bouncycastle is the de facto
> standard security library for karaf and bundled by default. So taking
> the approach explained by Robert sounds reasonable to upstream to Karaf
> itself and moving libs from system to boot and maybe even register
> org.apache.karaf.security.providers =
> org.bouncycastle.jce.provider.BouncyCastleProvider. Something to be
> solved before 4.3RC2?
>
> Regards,
>
> Benjamin
>
> On 15.01.2020 17:00, Robert Varga wrote:
> > On 15/01/2020 16:25, Benjamin Graf wrote:
> >> Hi,
> >>
> >> I'm actually playing around with the latest 4.3.0-SNAPSHOT. I recognize
> >> that the ssh bundle is using bouncycastle for reading pem files right
> >> now (KARAF-6383). The "issue" I'm facing is that if I like to set
> >> bouncycastle as the security provider via
> >> "org.apache.karaf.security.providers =
> >> org.bouncycastle.jce.provider.BouncyCastleProvider" I have to distribute
> >> the same bundle twice or otherwise have to remove it from system and add
> >> needed packages to "org.osgi.framework.bootdelegation".
> >>
> >> Anybody seeing a better solution?
> > Not sure, but in OpenDaylight we have two fragment bundles which attach
> > to framework bundle and expose all of BouncyCastle to OSGi:
> >
> > https://github.com/opendaylight/odlparent/tree/master/karaf/bcpkix-framework-ext
> > https://github.com/opendaylight/odlparent/tree/master/karaf/bcprov-framework-ext
> >
> > perhaps these should be upstreamed (but then we upgrade BC much more
> > quickly than we upgrade Karaf).
> >
> > Regards,
> > Robert
> >
>
>


Re: Setting security provider for Karaf 4.3.0-SNAPSHOT

2020-02-02 Thread Benjamin Graf
Hi together,

how is it going with this topic? Actually bouncycastle is the de facto
standard security library for karaf and bundled by default. So taking
the approach explained by Robert sounds reasonable to upstream to Karaf
itself and moving libs from system to boot and maybe even register
org.apache.karaf.security.providers =
org.bouncycastle.jce.provider.BouncyCastleProvider. Something to be
solved before 4.3RC2?

Regards,

Benjamin

On 15.01.2020 17:00, Robert Varga wrote:
> On 15/01/2020 16:25, Benjamin Graf wrote:
>> Hi,
>>
>> I'm actually playing around with the latest 4.3.0-SNAPSHOT. I recognize
>> that the ssh bundle is using bouncycastle for reading pem files right
>> now (KARAF-6383). The "issue" I'm facing is that if I like to set
>> bouncycastle as the security provider via
>> "org.apache.karaf.security.providers =
>> org.bouncycastle.jce.provider.BouncyCastleProvider" I have to distribute
>> the same bundle twice or otherwise have to remove it from system and add
>> needed packages to "org.osgi.framework.bootdelegation".
>>
>> Anybody seeing a better solution? 
> Not sure, but in OpenDaylight we have two fragment bundles which attach
> to framework bundle and expose all of BouncyCastle to OSGi:
>
> https://github.com/opendaylight/odlparent/tree/master/karaf/bcpkix-framework-ext
> https://github.com/opendaylight/odlparent/tree/master/karaf/bcprov-framework-ext
>
> perhaps these should be upstreamed (but then we upgrade BC much more
> quickly than we upgrade Karaf).
>
> Regards,
> Robert
>





Re: Setting security provider for Karaf 4.3.0-SNAPSHOT

2020-01-15 Thread Robert Varga
On 15/01/2020 16:25, Benjamin Graf wrote:
> Hi,
> 
> I'm actually playing around with the latest 4.3.0-SNAPSHOT. I recognize
> that the ssh bundle is using bouncycastle for reading pem files right
> now (KARAF-6383). The "issue" I'm facing is that if I like to set
> bouncycastle as the security provider via
> "org.apache.karaf.security.providers =
> org.bouncycastle.jce.provider.BouncyCastleProvider" I have to distribute
> the same bundle twice or otherwise have to remove it from system and add
> needed packages to "org.osgi.framework.bootdelegation".
> 
> Anybody seeing a better solution? 

Not sure, but in OpenDaylight we have two fragment bundles which attach
to framework bundle and expose all of BouncyCastle to OSGi:

https://github.com/opendaylight/odlparent/tree/master/karaf/bcpkix-framework-ext
https://github.com/opendaylight/odlparent/tree/master/karaf/bcprov-framework-ext

perhaps these should be upstreamed (but then we upgrade BC much more
quickly than we upgrade Karaf).

Regards,
Robert





Re: Setting security provider for Karaf 4.3.0-SNAPSHOT

2020-01-15 Thread Romain Manni-Bucau
+1 a temp classloader using local resolution or plain reimpl of pem read
does not sound terrible to me

On Wed, 15 Jan 2020 at 16:25, Benjamin Graf wrote:

> Hi,
>
> I'm actually playing around with the latest 4.3.0-SNAPSHOT. I recognize
> that the ssh bundle is using bouncycastle for reading pem files right
> now (KARAF-6383). The "issue" I'm facing is that if I like to set
> bouncycastle as the security provider via
> "org.apache.karaf.security.providers =
> org.bouncycastle.jce.provider.BouncyCastleProvider" I have to distribute
> the same bundle twice or otherwise have to remove it from system and add
> needed packages to "org.osgi.framework.bootdelegation".
>
> Anybody seeing a better solution? Maybe an enhancement needed?
>
> Regards
>
> Benjamin
>
>
>


Setting security provider for Karaf 4.3.0-SNAPSHOT

2020-01-15 Thread Benjamin Graf
Hi,

I'm actually playing around with the latest 4.3.0-SNAPSHOT. I recognize
that the ssh bundle is using bouncycastle for reading pem files right
now (KARAF-6383). The "issue" I'm facing is that if I like to set
bouncycastle as the security provider via
"org.apache.karaf.security.providers =
org.bouncycastle.jce.provider.BouncyCastleProvider" I have to distribute
the same bundle twice or otherwise have to remove it from system and add
needed packages to "org.osgi.framework.bootdelegation".

Anybody seeing a better solution? Maybe an enhancement needed?

Regards

Benjamin



