

BouncyCastle version conflict, vendors not cooperating

I am currently stuck integrating Java packages because of a version conflict with BouncyCastle.

We have internally developed a component to handle data files sent to our local Revenue Service (not "the" IRS, but an equivalent tax authority in another European country) using official Java APIs provided and maintained by them. Another module of our platform uses a component from a Certification Authority to perform certified timestamping of files. Both have to be integrated into a single web application deployed at customer sites.

As you may know, the BouncyCastle packages, on which both packages depend, have undergone several public API changes, so that successive versions are no longer binary compatible.

The Revenue Service provides a "cryptotools.jar" package which depends on the following:

<dependency org="org.bouncycastle" name="bcprov-jdk15on" rev="1.49"/>
<dependency org="org.bouncycastle" name="bcpkix-jdk15on" rev="1.49"/>

The Certification Authority provides the "jades-kernel" timestamping package, which depends on:

<dependency org="org.bouncycastle" name="bcmail-jdk15"     rev="1.45"/>
<dependency org="org.bouncycastle" name="bcprov-jdk15"     rev="1.45"/>
<dependency org="org.bouncycastle" name="bcprov-ext-jdk15" rev="1.45"/>
<dependency org="org.bouncycastle" name="bctsp-jdk15"      rev="1.45"/>

Having both packages on the classpath results in all BouncyCastle packages being dumped into my WEB-INF/lib folder, which normally doesn't sound bad:

[image: dependencies]

But if I try to start the web application with all of these packages inside, I get an Error saying that a class extends a final method. I won't post the stack trace; it's irrelevant to my question.

If I remove either of the two versions (1.45 or 1.49) of BC, one of the modules won't compile. Well, they are both already compiled, so they simply won't link to their referenced classes/methods.

I have reported this situation to the CA (with which we have a maintenance contract for the Java APIs) for using the older BC version (which has security vulnerabilities found by Black Duck, so my customer is making my life painful). The CA is not cooperating yet. They would need to release a new version of their cryptography APIs compatible with more recent versions of BouncyCastle.

My boss (a C-level boss) and I are escalating the issue up the CA hierarchy, and, according to our local humour, soon we will be escalating up to Francis.

Mentioning humour, please allow me to share my current feeling in a visual fashion:

[image: dependency hell in Java]

Question time; now back to serious discussion.

Suppose our vendor does not cooperate, or at least not in time for our regulatory deadlines. The Revenue Service will obviously not downgrade their Java APIs to an older BC version.

How do we get out of this dependency hell? I know, for example, that log4j had a "bridge" package to mitigate breaking API changes between the 1.x and 2.x versions for those packages that haven't upgraded yet. How do we make two modules coexist when they depend on different BC versions?

I will post a possible workaround, but it's not our preferred solution.

Essentially Java is not built for this and Maven certainly isn't (as there is an underlying assumption that any newer version is a perfectly fine replacement for an older version when resolving these kinds of conflicts).

It is my understanding that you have a monolithic application, so since you cannot physically split up the classpaths, you can do it logically.

A way to handle this could be to run your application in multiple classloaders so that the jar files never "touch". I asked a "how to run in multiple classloaders" question earlier - Want to run non-threadsafe library in parallel - can it be done using multiple classloaders? - and this approach, combined with loading a jar which is not on the classpath, may be doable.
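The following is an added example of the classloader isolation this answer suggests; it is not code from the answer, from the Revenue Service or from the CA. Each vendor module is placed, together with its own BouncyCastle jars, in a directory outside WEB-INF/lib and loaded through a URLClassLoader whose parent is the platform loader, so neither BC version is visible to the other or to the web application's loader. The directory layout, the `example.vendor.Timestamper` / `example.vendor.TaxSigner` entry points and their `byte[]` signatures are placeholders to be replaced with the vendors' documented APIs.

```java
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;

/**
 * Runs each vendor module in its own URLClassLoader so that the two
 * BouncyCastle versions never meet.  Assumed (hypothetical) layout, outside WEB-INF/lib:
 *   /opt/app/modules/timestamp/  jades-kernel.jar + the 1.45 bc*-jdk15 jars
 *   /opt/app/modules/tax/        cryptotools.jar  + the 1.49 bc*-jdk15on jars
 */
public final class IsolatedModuleLoader {

    private static final String BC_PROVIDER = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    private IsolatedModuleLoader() {}

    /** Every *.jar in the directory, as URLs for a URLClassLoader. */
    static URL[] jarUrls(Path dir) throws Exception {
        List<URL> urls = new ArrayList<>();
        try (Stream<Path> files = Files.list(dir)) {
            for (Path p : (Iterable<Path>) files::iterator) {
                if (p.getFileName().toString().endsWith(".jar")) {
                    urls.add(p.toUri().toURL());
                }
            }
        }
        return urls.toArray(new URL[0]);
    }

    /**
     * The parent is the platform loader (JDK classes only), not the web
     * application's loader.  With normal parent-first delegation, a BC class
     * sitting in WEB-INF/lib would otherwise shadow the one in the module's jar.
     */
    static URLClassLoader isolatedLoader(Path moduleDir) throws Exception {
        return new URLClassLoader(jarUrls(moduleDir), ClassLoader.getPlatformClassLoader());
    }

    /** True if the loader can resolve the class (without initialising it). */
    static boolean canLoad(ClassLoader loader, String className) {
        try {
            Class.forName(className, false, loader);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /**
     * Call a static vendor entry point reflectively: referencing the vendor's
     * classes directly would resolve them (and their BC dependency) through the
     * web application's loader, defeating the isolation.  The context class
     * loader is switched for the call because JCA and ServiceLoader lookups use it.
     */
    static Object callStatic(ClassLoader loader, String className, String method,
                             Class<?>[] paramTypes, Object... args) throws Exception {
        Thread t = Thread.currentThread();
        ClassLoader previous = t.getContextClassLoader();
        t.setContextClassLoader(loader);
        try {
            Method m = Class.forName(className, true, loader).getMethod(method, paramTypes);
            return m.invoke(null, args);
        } finally {
            t.setContextClassLoader(previous);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: IsolatedModuleLoader <modules-dir> <input-file>");
            System.exit(2);
        }
        Path modules = Path.of(args[0]);
        byte[] payload = Files.readAllBytes(Path.of(args[1]));

        try (URLClassLoader tsLoader = isolatedLoader(modules.resolve("timestamp"));
             URLClassLoader taxLoader = isolatedLoader(modules.resolve("tax"))) {

            // Sanity checks: each loader resolves its own BC provider class, the two
            // are distinct runtime classes, and the web app's own loader sees none.
            Class<?> bcInTs = Class.forName(BC_PROVIDER, false, tsLoader);
            Class<?> bcInTax = Class.forName(BC_PROVIDER, false, taxLoader);
            System.out.println("distinct BC classes: " + (bcInTs != bcInTax));
            System.out.println("BC leaked into app loader: "
                    + canLoad(IsolatedModuleLoader.class.getClassLoader(), BC_PROVIDER));

            // Placeholder entry points; substitute the vendors' documented APIs.
            Object stamped = callStatic(tsLoader, "example.vendor.Timestamper", "stamp",
                    new Class<?>[] { byte[].class }, (Object) payload);
            Object signed = callStatic(taxLoader, "example.vendor.TaxSigner", "sign",
                    new Class<?>[] { byte[].class }, (Object) payload);
            System.out.println("timestamp result: " + stamped + ", tax result: " + signed);
        }
    }
}
```

Two things to check before relying on this. First, the JCA provider registry (`java.security.Security.addProvider`) is JVM-wide: if either vendor library registers BouncyCastle globally under the name "BC", the other module's lookups by provider name can still land on the wrong version's provider object, which shows up as the same kind of linkage error after isolation; in that case the isolation only works if the vendor API lets you pass a provider instance instead. Second, this addresses the linkage problem only: the 1.45 jars still run in the process, so the Black Duck finding against the older version is unchanged until the CA ships a build against a current BouncyCastle.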

A workaround may be to split up the web application into multiple applications, each deployed in a different context and communicating via web service. The secondary applications will be just private.

The timestamping module will have its classpath with the older BC version, and the tax service module will have a different classpath. The "main" front end web application won't have any dependency on BC at all.

This doesn't solve the Black Duck issue because the customer will mandate an upgrade or require a lot of paperwork to allow a policy exception.
