Anybody working with PGP in Lucee 5?



I have one final (hopefully!) breaking issue preventing me from upgrading a server from to 5.2.x. We have some PGP operations which work fine on 4.5.x (thanks to Bilal Soylu’s BonCode PGP for ColdFusion Unfortunately, this does not work in 5.x.

The stack trace says:
lucee.runtime.exp.NativeException: org/bouncycastle/jce/provider/BouncyCastleProvider at net.boncode.crypto.SimpleFileProcessor.fProcessFile( at net.boncode.crypto.PGPController.fEncryptSimpleFile(

Which I’ve tracked down in to be:

Security.addProvider(new BouncyCastleProvider());

Any ideas? I loaded BCP 1.46 instead of the 1.38 version that ships with Lucee. It doesn’t seem to be a JVM issue since I’m running both 4.5 and 5.2 on Java 1.8_x.

If not this then does anybody have any recommendations for working with PGP in Lucee? I would hate to have to do this executing from the command line.




Is there an actual error. That error message just lists some class names but doesn’t say what happened. Is there a “caused by” in the stack?


Whoops, yes.

Caused by: java.lang.NoClassDefFoundError: org/bouncycastle/jce/provider/BouncyCastleProvider ... 65 more 
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider not found by PGPController [89] 
at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation( 
at org.apache.felix.framework.BundleWiringImpl.access$400( 
at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass( 
at java.lang.ClassLoader.loadClass( ... 65 more

So looking a little deeper, I see in that the 1.52 version of bcprov (org.lucee.bouncycastle.bcprov) is automatically installed (if I’m not mistaken as part of the S3 Extension).

If I’m reading the tea leaves correctly, this means that BonCode PGP for ColdFusion requires v1.46 of Bouncy Castle and is incompatible with v1.52 which Lucee installs.

I don’t think I can run without the S3 Extension. (Uninstalling causes errors, beyond the fact that my application also uses S3.)



The fact that I see Felix (our OSGI framework) involved in that message makes me think that the existing jars in an OSGI bundle are getting in the way, but can’t find your other jars perhaps? You’ll probably need @micstriit to look into this. You might want to create a ticket in JIRA since he doesn’t seem to pop into Discourse very often and this might be a bug of sorts?


Yeah, I’ve done PGP work in Lucee though I’m not sure of the versions. Here is a simple CFC and I’m pretty sure the jar libs are from


There were braking changes to OpenPGP from version 1.47 onward of BouncyCastle libraries.
Mainly in the form of call signatures as far as I understand.
I have not looked into this in a while so I will see what has changed in particular and attempt to use 1.52 (1.58 is the lastest).