Jenkins : Bouncy Castle API Plugin

Plugin Information

View bouncycastle API on the plugin site for more information.

Provides a stable API for Bouncy Castle related tasks. Plugins using Bouncy Castle should depend on this plugin and not directly on Bouncy Castle.

PLEASE NOTE: Version 2.17 requires Java 8.

PLEASE NOTE: Version 2.16.0 requires Jenkins 2.16 or newer and is the culmination of the decoupling of bouncycastle from Jenkins core.

Notice: Currently there are two version lines: 1.X for Jenkins cores < 1.648 and 1.648.X for Jenkins cores >= 1.648. Make sure you have the version matching your Jenkins version.

Changelog

Version 2.17 (Aug 21, 2018)

  • JENKINS-53074 - Bouncy Castle library (bcpkix-jdk15on) updated to 1.60. Now requires Java 8.

Version 2.16.3 (Jun 6, 2018)

  • JENKINS-50915 - Bouncy Castle library (bcpkix-jdk15on) updated to 1.59

Version 2.16.2 (Jul 24, 2017)

  • JENKINS-45621 - Bouncy Castle library (bcpkix-jdk15on) updated to 1.57

Version 2.16.1 (Apr 4, 2017)

  • JENKINS-41978 - Fixed NullPointerException when a PEM file couldn't be read.
  • Reduce startup log level from INFO to FINE.

Version 2.16.0 (Jul 27, 2016)

MAJOR IMPROVEMENT: JENKINS-36923 - Move bcpkix dependency from jenkins-war to bouncycastle-api plugin. Requires Jenkins 2.16 or newer.

Version 1.648.3 (Jun 17, 2016)

Bugfix: JENKINS-36035 - Register Bouncy Castle before any plugin is started

Version 1.648.2 (Jun 15, 2016)

Improvement: JENKINS-35696 - Provide a mechanism to register Bouncy Castle on the build agents.

Registration can be performed by calling InstallBouncyCastleJCAProvider.on()

Version 1.648.1 (Jun 14, 2016)

Bugfix: JENKINS-35661 - When reading a PKCS8 PrivateKey it should be possible to obtain a KeyPair with toKeyPair

Version 1.648 (Jun 8, 2016)

Release for Jenkins versions >= 1.648 with BC 1.54


Version 1.0.3 (Jun 17, 2014)

Bugfix: JENKINS-36035 - Register Bouncy Castle before any plugin is started

Version 1.0.2 (Jun 15, 2014)

Improvement: JENKINS-35696 - Provide a mechanism to register Bouncy Castle on the build agents.

Registration can be performed by calling InstallBouncyCastleJCAProvider.on()

Version 1.0.1 (Jun 14, 2016)

Bugfix: JENKINS-35661 - When reading a PKCS8 PrivateKey it should be possible to obtain a KeyPair with toKeyPair

Version 1 (Jun 7, 2016)

First release of the API supporting Jenkins versions >= 1.609 and < 1.648 with BC 1.47

Motivation

JENKINS-35291

Dependencies on multiple Bouncy Castle versions from Jenkins core and plugins cause problems due to the binary incompatibility between versions, the different supported algorithms, etc.

In Jenkins core 1.648, Bouncy Castle was bumped from version 1.47 to 1.54 as a result of a change in the instance-identity module.

Problems found:

  • Plugins running in Jenkins < 1.648 get 1.47 from the parent class loader (in the default class loading strategy). If they include a later version in their own classpath, only "new" classes are seen from their referenced JAR.
  • Plugins running in Jenkins >= 1.648 get 1.54 from the parent class loader (in the default class loading strategy). If they include an earlier version in their own classpath, only "removed" classes are seen from their referenced JAR.
  • If the plugin uses JCA instead of BC classes directly, it usually works, but if it runs on a Jenkins core with BC 1.47, there will be missing algorithms.
  • Plugins are introducing different versions of BC, which adds to the mix and potentially produces unpredictable results.

Some considerations:

  • Many plugins are only introducing BC dependency to do PEM encoding/decoding. This API got changed by the BC bump.
  • instance-identity-module is using BC only for PEM encoding/decoding, so removing this dependency from the core is possible.

Proposed solution

A possible solution to this problem would be to create a plugin (this plugin) on which plugins using BC will depend. It is responsible for:

  • Load BC into uber class loader.
  • Register BC as a JVM security provider in order to allow other plugins to use JCA API with BC algorithms.
  • Provide an API to do common tasks like PEM encoding/decoding, ensuring its stability across BC versions.

The implementation of this plugin does not expose any classes from BC, only JCA, allowing plugins to not depend on the specifics of BC.
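
A diagnostic for the class-loading problems listed above, added here as an example and not part of the plugin's own code. Using only JCA classes, it reports whether the BC provider is registered, which JAR and class loader supplied it, and which required algorithms are missing. The class name and the algorithm list are assumptions chosen for illustration.

```java
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/** Added example: reports which Bouncy Castle the JVM actually resolved, using JCA only. */
public class BcProviderCheck {

    /** Returns the requested "Type.Algorithm" entries that the provider does not offer. */
    static List<String> missing(Provider p, String... wanted) {
        List<String> out = new ArrayList<>();
        for (String w : wanted) {
            int dot = w.indexOf('.'); // first dot separates service type from algorithm
            // Provider.getService(type, algorithm) returns null when unsupported.
            if (p == null || p.getService(w.substring(0, dot), w.substring(dot + 1)) == null) {
                out.add(w);
            }
        }
        return out;
    }

    /** JAR (or directory) the provider class was loaded from, or "unknown". */
    static String origin(Provider p) {
        CodeSource cs = p.getClass().getProtectionDomain().getCodeSource();
        return cs == null || cs.getLocation() == null ? "unknown" : cs.getLocation().toString();
    }

    public static void main(String[] args) {
        // "BC" is the name Bouncy Castle registers under; null means not registered.
        Provider bc = Security.getProvider("BC");
        if (bc == null) {
            System.out.println("BC provider is not registered in this JVM");
        } else {
            System.out.println("BC info    : " + bc.getInfo());
            System.out.println("loaded from: " + origin(bc));
            System.out.println("classloader: " + bc.getClass().getClassLoader());
        }
        // Assumed requirement list for illustration; replace with what the plugin uses.
        String[] wanted = {"KeyFactory.RSA", "Signature.SHA256withRSA", "KeyPairGenerator.EC"};
        System.out.println("missing    : " + missing(bc, wanted));
    }
}
```

If the reported location is a plugin's own bundled JAR rather than the shared one, that plugin is shipping its own copy of BC.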

Later some other actions would have to be taken in order to fully solve this situation, like having one version of the plugin for each version of BC, etc.

This plugin provides a stable API for Bouncy Castle related tasks. Plugins using Bouncy Castle should depend on this plugin and not directly on Bouncy Castle.