Anybody working with PGP in Lucee 5?

Juan_Aguilar · November 29, 2017, 3:52pm

Hello,

I have one final (hopefully!) breaking issue preventing me from upgrading a server from 4.5.5.006 to 5.2.x. We have some PGP operations which work fine on 4.5.x (thanks to Bilal Soylu’s BonCode PGP for ColdFusion http://pgp.riaforge.org/). Unfortunately, this does not work in 5.x.

The stack trace says:
lucee.runtime.exp.NativeException: org/bouncycastle/jce/provider/BouncyCastleProvider at net.boncode.crypto.SimpleFileProcessor.fProcessFile(SimpleFileProcessor.java:364) at net.boncode.crypto.PGPController.fEncryptSimpleFile(PGPController.java:107)

Which I’ve tracked down in SimpleFileProcessor.java to be:

Security.addProvider(new BouncyCastleProvider());

Any ideas? I loaded BCP 1.46 instead of the 1.38 version that ships with Lucee. It doesn’t seem to be a JVM issue since I’m running both 4.5 and 5.2 on Java 1.8_x.

If not this then does anybody have any recommendations for working with PGP in Lucee? I would hate to have to do this executing from the command line.

Thanks,

Juan

bdw429s · November 29, 2017, 3:59pm

Is there an actual error. That error message just lists some class names but doesn’t say what happened. Is there a “caused by” in the stack?

Juan_Aguilar · November 29, 2017, 5:01pm

Whoops, yes.

Caused by: java.lang.NoClassDefFoundError: org/bouncycastle/jce/provider/BouncyCastleProvider ... 65 more 
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider not found by PGPController [89] 
at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1558) 
at org.apache.felix.framework.BundleWiringImpl.access$400(BundleWiringImpl.java:79) 
at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1998) 
at java.lang.ClassLoader.loadClass(ClassLoader.java:357) ... 65 more

So looking a little deeper, I see in that the 1.52 version of bcprov (org.lucee.bouncycastle.bcprov) is automatically installed (if I’m not mistaken as part of the S3 Extension).

If I’m reading the tea leaves correctly, this means that BonCode PGP for ColdFusion requires v1.46 of Bouncy Castle and is incompatible with v1.52 which Lucee installs.

I don’t think I can run without the S3 Extension. (Uninstalling causes errors, beyond the fact that my application also uses S3.)

Sigh.

bdw429s · November 29, 2017, 5:09pm

The fact that I see Felix (our OSGI framework) involved in that message makes me think that the existing jars in an OSGI bundle are getting in the way, but can’t find your other jars perhaps? You’ll probably need @micstriit to look into this. You might want to create a ticket in JIRA since he doesn’t seem to pop into Discourse very often and this might be a bug of sorts?

Don_Quist · December 1, 2017, 11:06pm

Yeah, I’ve done PGP work in Lucee though I’m not sure of the versions. Here is a simple CFC gist:9b502f55ac76a11294c1924a4a4007b8 · GitHub and I’m pretty sure the jar libs are from GitHub - sniggle/simple-pgp: A wrapper library making PGP usage in applications simple. Based off of BouncyCastle.

gist.github.com

https://gist.github.com/sigmaprojects/9b502f55ac76a11294c1924a4a4007b8

gistfile1.txt

component output="false" displayname="SimplePGP" {


	public SimplePGP function init(Required String config="PDS") {

		variables.logger = application.logbox.getLogger(this);

		switch(arguments.config) {
			default: {
				variables.publicKeyPath = expandPath('/path/to/key.pub');

This file has been truncated. show original

Bilal · December 3, 2017, 8:40pm

There were braking changes to OpenPGP from version 1.47 onward of BouncyCastle libraries.
Mainly in the form of call signatures as far as I understand.
I have not looked into this in a while so I will see what has changed in particular and attempt to use 1.52 (1.58 is the lastest).

Best,
Bilal