[releng] OSGi: Ensure the BC security provider can be found

tomaswolf · tomaswolf · commit f06217f62651 · 2023-04-15T16:47:15.000+02:00
BouncyCastleSecurityProviderRegistrar references the BC security
provider only reflectively. It lives in a package that is not
referenced explicitly anywhere.

To be able to find org.bouncycastle.jce.provider.BouncyCastleProvider,
the package must be on the bundle classpath in OSGi. It wasn't, since
there was no "normal" reference to it.

Add an optional dependency explicitly in the generated MANIFEST.MF of
sshd-osgi.
diff --git a/pom.xml b/pom.xml
@@ -134,6 +134,7 @@
         <sshd.tests.rerun.count>2</sshd.tests.rerun.count>
 
         <dependency.download.silent>true</dependency.download.silent>
+        <bnd.extraImports># A comment indicates 'none'</bnd.extraImports>
     </properties>
 
     <profiles>
@@ -1476,6 +1477,7 @@
                                 <Import-Package><![CDATA[
                                   org.apache.sshd*;version="$<range;[===,=+);$<maven_version;${project.version}>>",
                                   org.slf4j*;version="$<range;[==,${slf4j.upper.bound})>",
+                                  ${bnd.extraImports}
                                   *
                                 ]]></Import-Package>
                                 <Export-Package>*;-noimport:=true</Export-Package>
diff --git a/sshd-osgi/pom.xml b/sshd-osgi/pom.xml
@@ -34,6 +34,19 @@
 
     <properties>
         <projectRoot>${project.basedir}/..</projectRoot>
+        <!--
+          The BC security provider class resides in a package that is referenced nowhere, except reflectively in the BouncyCastleSecurityRegistrar.
+          The (optional) package import will thus be missing in the generated MANIFEST.MF. However, the BouncyCastleSecurityRegistrar expects to find
+          class org.bouncycastle.jce.provider.BouncyCastleProvider on the classpath; otherwise its isSupported() returns false and Bouncycastle is
+          considered not available.
+          
+          However, in OSGi the package will not be on the bundle classpath if there is no Import-Package for it. (And using a Require-Bundle would restrict
+          bundle wiring too much.)
+          
+          Arguably this is a shortcoming of the BouncyCastleSecurityRegistrar. For the EdDSASecurityProviderRegistrar, this problem does not exist
+          since the security provider is in a package that is also referenced elsewhere.
+        -->
+        <bnd.extraImports>org.bouncycastle.jce.provider;version="$$&lt;range;[==,+);${bouncycastle.version}>";resolution:=optional,</bnd.extraImports>
     </properties>
 
     <dependencies>
