Switch to jdk18on bouncycastle jars #11201
harikrishna-patnala wants to merge 3 commits into apache:4.22 from
harikrishna-patnala
commented
Jul 15, 2025
@blueorangutan package
blueorangutan
commented
Jul 15, 2025
@harikrishna-patnala a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files

```
@@            Coverage Diff            @@
##               4.22   #11201   +/-   ##
=========================================
  Coverage     17.60%   17.60%
- Complexity    15624    15626    +2
=========================================
  Files          5911     5911
  Lines        530169   530169
  Branches      64785    64785
=========================================
+ Hits          93322    93344   +22
+ Misses       426342   426319   -23
- Partials      10505    10506    +1
```
blueorangutan
commented
Jul 15, 2025
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14192
DaanHoogland
commented
Jul 15, 2025
@blueorangutan test matrix
blueorangutan
commented
Jul 15, 2025
@DaanHoogland a [SL] Trillian-Jenkins matrix job (EL8 mgmt + EL8 KVM, Ubuntu22 mgmt + Ubuntu22 KVM, EL8 mgmt + VMware 7.0u3, EL9 mgmt + XCP-ng 8.2 ) has been kicked to run smoke tests
blueorangutan
commented
Jul 15, 2025
[SF] Trillian Build Failed (tid-13786)
blueorangutan
commented
Jul 15, 2025
[SF] Trillian Build Failed (tid-13784)
blueorangutan
commented
Jul 15, 2025
[SF] Trillian Build Failed (tid-13785)
blueorangutan
commented
Jul 15, 2025
[SF] Trillian Build Failed (tid-13783)
harikrishna-patnala
commented
Jul 17, 2025
@blueorangutan test matrix
blueorangutan
commented
Jul 17, 2025
@harikrishna-patnala a [SL] Trillian-Jenkins matrix job (EL8 mgmt + EL8 KVM, Ubuntu22 mgmt + Ubuntu22 KVM, EL8 mgmt + VMware 7.0u3, EL9 mgmt + XCP-ng 8.2 ) has been kicked to run smoke tests
blueorangutan
commented
Jul 17, 2025
[SF] Trillian Build Failed (tid-13806)
blueorangutan
commented
Jul 17, 2025
[SF] Trillian Build Failed (tid-13808)
blueorangutan
commented
Jul 17, 2025
[SF] Trillian Build Failed (tid-13807)
blueorangutan
commented
Jul 17, 2025
[SF] Trillian Build Failed (tid-13805)
harikrishna-patnala
commented
Jul 18, 2025
@blueorangutan package
blueorangutan
commented
Jul 18, 2025
@harikrishna-patnala a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
The available versions for the Bouncy Castle provider supporting jdk18 start from 1.71 to 1.81 (https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on)

If we use 1.81 as the provider version

```xml
<cs.bcprov.version>1.81</cs.bcprov.version>
```

SystemVMs have trouble starting with the error

```
Caused by: java.lang.NoClassDefFoundError: Could not initialize class org.bouncycastle.operator.jcajce.OperatorHelper
    at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.<init>(Unknown Source)
    at org.apache.cloudstack.utils.security.CertUtils.generateV3Certificate(CertUtils.java:241)
    at org.apache.cloudstack.ca.provider.RootCAProvider.generateCertificate(RootCAProvider.java:152)
```

The last version that worked with our code is

```xml
<cs.bcprov.version>1.72</cs.bcprov.version>
```

At the moment I don't know the reason for the "OperatorHelper" class not being found, so I adjusted the code to use version 1.72. I'm not sure how the mentioned vulnerabilities affect us: https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on/1.72

Please review and see if this is fine.
blueorangutan
commented
Jul 18, 2025
Packaging result [SF]: ✔️ el8 ✔️ el9 ✖️ debian ✔️ suse15. SL-JID 14254
vishesh92
left a comment
clgtm
blueorangutan
commented
Jul 18, 2025
Packaging result [SF]: ✔️ el8 ✔️ el9 ✖️ debian ✔️ suse15. SL-JID 14256
pom.xml
Outdated
According to central mvn repo, 1.72 has 5 vulnerabilities, 1.81 is the latest.
It seems there are some incompatibility issues with 1.81; I think it can be fixed.
@harikrishna-patnala check if the issues with 1.81 can be fixed or not
I've tried multiple ways to use 1.81, including rewriting the code for getting the X509Certificate, but I am still facing the same issue. Can one of you help me here? @weizhouapache @sureshanaparti
Pull request overview
Updates Apache CloudStack’s BouncyCastle dependencies to the jdk18on artifact line and bumps the shared BouncyCastle version to address the security concern in #10954.
Changes:
- Replace `bcprov/bcpkix/bctls-jdk15on` artifacts with `-jdk18on` across affected modules.
- Bump `${cs.bcprov.version}` from `1.70` to `1.82` and align dependencyManagement entries accordingly.
- Update client build/shade/dependency-copy references and exclusions to match the new artifact IDs.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pom.xml | Bumps BouncyCastle version property and updates dependencyManagement to -jdk18on artifacts. |
| utils/pom.xml | Switches direct BouncyCastle dependencies to bcprov/bcpkix/bctls-jdk18on. |
| services/console-proxy/rdpconsole/pom.xml | Switches RDP console BouncyCastle dependencies to bcprov/bctls-jdk18on. |
| plugins/integrations/kubernetes-service/pom.xml | Updates Kubernetes plugin BouncyCastle dependencies to bcprov/bctls-jdk18on. |
| client/pom.xml | Updates Jetty plugin deps, dependency-plugin copies, and shade exclusions to -jdk18on artifacts. |
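
A consistency check for the migration summarized above, as an added example that is not part of the pull request or of CloudStack's build: it scans one POM for `org.bouncycastle` coordinates still on the `-jdk15on` line or pinned to a literal version instead of `${cs.bcprov.version}`. The sample POM is constructed, and the `groupId:artifactId` form of the shade `<exclude>` entry is an assumption.

```python
import xml.etree.ElementTree as ET

BC_GROUP = "org.bouncycastle"
LEGACY_SUFFIX = "-jdk15on"                 # artifact line being replaced
VERSION_PROPERTY = "${cs.bcprov.version}"  # shared property named on the page

# Constructed sample POM (not taken from the CloudStack tree).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk18on</artifactId>
      <version>${cs.bcprov.version}</version>
    </dependency>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcpkix-jdk15on</artifactId>
      <version>1.70</version>
    </dependency>
  </dependencies>
  <build><plugins><plugin>
    <artifactId>maven-shade-plugin</artifactId>
    <configuration><artifactSet><excludes>
      <exclude>org.bouncycastle:bctls-jdk15on</exclude>
    </excludes></artifactSet></configuration>
  </plugin></plugins></build>
</project>"""

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on POM tags."""
    return tag.rsplit("}", 1)[-1]

def audit_bc_coordinates(pom_xml):
    """Return findings for BouncyCastle coordinates in one POM document."""
    findings = []
    for elem in ET.fromstring(pom_xml).iter():
        tag = _local(elem.tag)
        if tag == "exclude":
            # Assumed shade pattern form: 'groupId:artifactId'
            group, _, artifact = (elem.text or "").strip().partition(":")
            version = None
        else:
            # dependency / artifactItem / exclusion: coordinates are children
            kids = {_local(c.tag): (c.text or "").strip() for c in elem}
            group, artifact = kids.get("groupId"), kids.get("artifactId", "")
            version = kids.get("version")
        if group != BC_GROUP:
            continue
        if artifact.endswith(LEGACY_SUFFIX):
            findings.append(f"{tag}: legacy artifact {artifact}")
        if version is not None and version != VERSION_PROPERTY:
            findings.append(f"{tag}: {artifact} pins version {version}")
    return findings
```

Running `audit_bc_coordinates` over every `pom.xml` in a tree and failing the build on a non-empty result keeps a module from shipping both artifact lines on one classpath.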
6138c02 to 207f819
207f819 to 64d2dce
harikrishna-patnala
commented
Jan 29, 2026
@blueorangutan package
blueorangutan
commented
Jan 29, 2026
@harikrishna-patnala a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
harikrishna-patnala
commented
Jan 29, 2026
@borisstoyanov last time we had issues in deploying the system VMs, we need to check if that is still the case
blueorangutan
commented
Jan 29, 2026
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16609
harikrishna-patnala
commented
Jan 29, 2026
@blueorangutan test
blueorangutan
commented
Jan 29, 2026
@harikrishna-patnala a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests
harikrishna-patnala
commented
Jan 29, 2026
This PR still has issues with systemVMs and host additions cc @DaanHoogland
blueorangutan
commented
Jan 29, 2026
[SF] Trillian Build Failed (tid-15333)
Description
This PR fixes #10954
Types of changes
Bug Severity
Screenshots (if appropriate):
How Has This Been Tested?
Updated my environment with the newer jars and everything seems fine
How did you try to break this feature and the system with this change?