fix: Force BC provider use (#76)

Force the correct use of Bouncy Castle Provider to avoid downstream non-deterministic provider usage and cross - classloader issues for some target environments.
opentdf · Jun 13, 2024 · 1bc9dd9 · 1bc9dd9
1 parent 84f9bd1
commit 1bc9dd9
Showing 1 changed file with 9 additions and 7 deletions.
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/nanotdf/ECKeyPair.java b/sdk/src/main/java/io/opentdf/platform/sdk/nanotdf/ECKeyPair.java
@@ -6,6 +6,7 @@
 import org.bouncycastle.crypto.digests.SHA256Digest;
 import org.bouncycastle.crypto.generators.HKDFBytesGenerator;
 import org.bouncycastle.crypto.params.HKDFParameters;
+import org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi;
 import org.bouncycastle.jce.ECNamedCurveTable;
 import org.bouncycastle.jce.interfaces.ECPrivateKey;
 import org.bouncycastle.jce.interfaces.ECPublicKey;
@@ -37,6 +38,8 @@ public enum ECAlgorithm {
         ECDSA
     }
 
+    private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new BouncyCastleProvider();
+
     public enum NanoTDFECCurve {
         SECP256R1("secp256r1"),
         PRIME256V1("prime256v1"),
@@ -65,15 +68,14 @@ public ECKeyPair(String curveName, ECAlgorithm algorithm) {
         KeyPairGenerator generator;
 
         try {
+            // Should this just use the algorithm vs use ECDH only for ECDH and ECDSA for everything else.
             if (algorithm == ECAlgorithm.ECDH) {
-                generator = KeyPairGenerator.getInstance("ECDH", "BC");
+                generator = KeyPairGeneratorSpi.getInstance(ECAlgorithm.ECDH.name(), BOUNCY_CASTLE_PROVIDER);
             } else {
-                generator = KeyPairGenerator.getInstance("ECDSA", "BC");
+                generator = KeyPairGeneratorSpi.getInstance(ECAlgorithm.ECDSA.name(), BOUNCY_CASTLE_PROVIDER);
             }
         } catch (NoSuchAlgorithmException e) {
             throw new RuntimeException(e);
-        } catch (NoSuchProviderException e) {
-            throw new RuntimeException(e);
         }
 
         ECGenParameterSpec spec = new ECGenParameterSpec(curveName);
@@ -160,7 +162,7 @@ public static String getPEMPublicKeyFromX509Cert(String pemInX509Format) {
             X509CertificateHolder x509CertificateHolder = (X509CertificateHolder) parser.readObject();
             parser.close();
             SubjectPublicKeyInfo publicKeyInfo = x509CertificateHolder.getSubjectPublicKeyInfo();
-            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
+            JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(BOUNCY_CASTLE_PROVIDER);
             ECPublicKey publicKey = null;
             try {
                 publicKey = (ECPublicKey)converter.getPublicKey(publicKeyInfo);
@@ -232,7 +234,7 @@ public static ECPublicKey publicKeyFromPem(String pemEncoding) {
             SubjectPublicKeyInfo publicKeyInfo = (SubjectPublicKeyInfo) parser.readObject();
             parser.close();
 
-            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
+            JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(BOUNCY_CASTLE_PROVIDER);
             return (ECPublicKey) converter.getPublicKey(publicKeyInfo);
         } catch (IOException e) {
             throw new RuntimeException(e);
@@ -245,7 +247,7 @@ public static ECPrivateKey privateKeyFromPem(String pemEncoding) {
             PrivateKeyInfo privateKeyInfo = (PrivateKeyInfo)parser.readObject();
             parser.close();
 
-            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
+            JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(BOUNCY_CASTLE_PROVIDER);;
             return (ECPrivateKey) converter.getPrivateKey(privateKeyInfo);
         } catch (IOException e) {
             throw new RuntimeException(e);