From bff798348953569858221c25428ea6d59758ffe7 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Fri, 18 Feb 2022 15:22:38 +0100
Subject: Install BouncyCastle during jdisc startup
---
 .../yahoo/container/jdisc/ConfiguredApplication.java | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/ConfiguredApplication.java b/container-disc/src/main/java/com/yahoo/container/jdisc/ConfiguredApplication.java
index a27b082f014..2c25f38437a 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/ConfiguredApplication.java
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/ConfiguredApplication.java
@@ -48,7 +48,10 @@ import com.yahoo.net.HostName;
 import com.yahoo.vespa.config.ConfigKey;
 import com.yahoo.yolean.Exceptions;
 import com.yahoo.yolean.UncheckedInterruptedException;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import java.security.Provider;
+import java.security.Security;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.IdentityHashMap;
@@ -108,6 +111,23 @@ public final class ConfiguredApplication implements Application { static { LogSetup.initVespaLogging("Container"); log.log(Level.INFO, "Starting jdisc" + (Vtag.currentVersion.isEmpty() ? "" : " at version " + Vtag.currentVersion)); + installBouncyCastleSecurityProvider(); + } + + /** + * Eagerly install BouncyCastle as security provider. It's done here to ensure no bundle is able install this security provider. + * If a bundle install this provider and the bundle is later uninstall, + * it will break havoc if the installed security provider tries to load new classes. + */ + private static void installBouncyCastleSecurityProvider() { + BouncyCastleProvider bcProvider = new BouncyCastleProvider(); + if (Security.addProvider(bcProvider) != -1) { + log.info("Installed '" + bcProvider.getInfo() + "' as Java Security Provider"); + } else { + Provider alreadyInstalledBcProvider = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME); + log.warning("Unable to install '" + bcProvider.getInfo() + "' as Java Security Provider. " + + "A provider '" + alreadyInstalledBcProvider.getInfo() + "' is already installed."); + } } /** -- cgit v1.2.3
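Review bot: The Javadoc on `installBouncyCastleSecurityProvider()` promises more than `Security.addProvider` delivers: the call only makes a later `addProvider` for a provider with the same name return -1, so the statement that no bundle can install this provider holds only for bundles that use `addProvider` and never call `Security.removeProvider` or `Security.insertProviderAt`. I would reword the comment along the lines of `Registers BouncyCastle from the class loader of this class, so that a bundle's own Security.addProvider(new BouncyCastleProvider()) becomes a no-op; bundles must not remove or replace the provider`, and note there that `addProvider` appends at the lowest preference, so the JDK providers still win default algorithm lookups. In the `else` branch the warning prints only `getInfo()`; appending `alreadyInstalledBcProvider.getClass().getClassLoader()` to the message would show whether the pre-existing provider comes from a class loader that can later go away, which is the failure the comment describes. The same branch dereferences the result of `Security.getProvider(...)` without a null check, which is presumably safe this early in startup but worth a short comment.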