[fix][sec] Upgrade Bouncycastle to 1.75 to address CVE-2023-33201

bouncy-castle/bc/LICENSE

@@ -205,6 +205,6 @@
 This projects includes binary packages with the following licenses:
 Bouncy Castle License
  * Bouncy Castle -- licenses/LICENSE-bouncycastle.txt
-    - org.bouncycastle-bcpkix-jdk15on-1.60.jar
-    - org.bouncycastle-bcprov-jdk15on-1.60.jar
-    - org.bouncycastle-bcprov-ext-jdk15on-1.60.jar
+    - org.bouncycastle-bcpkix-jdk18on-1.75.jar
+    - org.bouncycastle-bcprov-jdk18on-1.75.jar
+    - org.bouncycastle-bcprov-ext-jdk18on-1.75.jar

bouncy-castle/bc/pom.xml

@@ -42,13 +42,13 @@
 
     <dependency>
       <groupId>org.bouncycastle</groupId>
-      <artifactId>bcpkix-jdk15on</artifactId>
+      <artifactId>bcpkix-jdk18on</artifactId>
       <version>${bouncycastle.version}</version>
     </dependency>
 
     <dependency>
       <groupId>org.bouncycastle</groupId>
-      <artifactId>bcprov-ext-jdk15on</artifactId>
+      <artifactId>bcprov-ext-jdk18on</artifactId>
       <version>${bouncycastle.version}</version>
     </dependency>
   </dependencies>

distribution/server/pom.xml

@@ -253,6 +253,10 @@
       <groupId>io.grpc</groupId>
       <artifactId>grpc-all</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk18on</artifactId>
+    </dependency>
 
     <dependency>
       <groupId>io.perfmark</groupId>

distribution/server/src/assemble/LICENSE.bin.txt

@@ -574,10 +574,10 @@ Creative Commons Attribution License
 
 Bouncy Castle License
  * Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt
-    - org.bouncycastle-bcpkix-jdk15on-1.69.jar
-    - org.bouncycastle-bcprov-ext-jdk15on-1.69.jar
-    - org.bouncycastle-bcprov-jdk15on-1.69.jar
-    - org.bouncycastle-bcutil-jdk15on-1.69.jar
+    - org.bouncycastle-bcpkix-jdk18on-1.75.jar
+    - org.bouncycastle-bcprov-ext-jdk18on-1.75.jar
+    - org.bouncycastle-bcprov-jdk18on-1.75.jar
+    - org.bouncycastle-bcutil-jdk18on-1.75.jar
 
 ------------------------
 

distribution/shell/src/assemble/LICENSE.bin.txt

@@ -470,10 +470,10 @@ Creative Commons Attribution License
 
 Bouncy Castle License
  * Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt
-    - bcpkix-jdk15on-1.69.jar
-    - bcprov-ext-jdk15on-1.69.jar
-    - bcprov-jdk15on-1.69.jar
-    - bcutil-jdk15on-1.69.jar
+    - bcpkix-jdk18on-1.75.jar
+    - bcprov-ext-jdk18on-1.75.jar
+    - bcprov-jdk18on-1.75.jar
+    - bcutil-jdk18on-1.75.jar
 
 ------------------------
 

pom.xml

@@ -152,7 +152,7 @@ flexible messaging model and an intuitive client API.</description>
     <slf4j.version>1.7.32</slf4j.version>
     <commons.collections4.version>4.4</commons.collections4.version>
     <log4j2.version>2.18.0</log4j2.version>
-    <bouncycastle.version>1.69</bouncycastle.version>
+    <bouncycastle.version>1.75</bouncycastle.version>
     <bouncycastle.bcpkix-fips.version>1.0.6</bouncycastle.bcpkix-fips.version>
     <bouncycastle.bc-fips.version>1.0.2.3</bouncycastle.bc-fips.version>
     <jackson.version>2.14.2</jackson.version>
@@ -817,9 +817,15 @@ flexible messaging model and an intuitive client API.</description>
       </dependency>
 
       <dependency>
-         <groupId>com.github.docker-java</groupId>
-         <artifactId>docker-java-core</artifactId>
-         <version>${docker-java.version}</version>
+        <groupId>com.github.docker-java</groupId>
+        <artifactId>docker-java-core</artifactId>
+        <version>${docker-java.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>*</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
       <dependency>
         <groupId>com.github.docker-java</groupId>
@@ -885,7 +891,7 @@ flexible messaging model and an intuitive client API.</description>
 
       <dependency>
         <groupId>org.bouncycastle</groupId>
-        <artifactId>bcpkix-jdk15on</artifactId>
+        <artifactId>bcpkix-jdk18on</artifactId>
         <version>${bouncycastle.version}</version>
       </dependency>
 
@@ -917,6 +923,24 @@ flexible messaging model and an intuitive client API.</description>
         <groupId>com.yahoo.athenz</groupId>
         <artifactId>athenz-cert-refresher</artifactId>
         <version>${athenz.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>*</artifactId>
+          </exclusion>
+        </exclusions>
+      </dependency>
+
+      <dependency>
+        <groupId>com.yahoo.athenz</groupId>
+        <artifactId>athenz-auth-core</artifactId>
+        <version>${athenz.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>*</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
 
       <dependency>
@@ -1061,6 +1085,18 @@ flexible messaging model and an intuitive client API.</description>
         </exclusions>
       </dependency>
 
+      <dependency>
+        <groupId>io.grpc</groupId>
+        <artifactId>grpc-xds</artifactId>
+        <version>${grpc.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>*</artifactId>
+          </exclusion>
+        </exclusions>
+      </dependency>
+
       <dependency>
         <groupId>com.google.http-client</groupId>
         <artifactId>google-http-client</artifactId>

pulsar-broker-auth-athenz/pom.xml

@@ -53,6 +53,11 @@
       <artifactId>athenz-zpe-java-client</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk18on</artifactId>
+    </dependency>
+
   </dependencies>
 
   <build>

pulsar-client-auth-athenz/pom.xml

@@ -52,6 +52,11 @@
       <artifactId>athenz-cert-refresher</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk18on</artifactId>
+    </dependency>
+
     <dependency>
       <groupId>com.google.guava</groupId>
       <artifactId>guava</artifactId>

pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java

@@ -35,6 +35,7 @@
 import java.security.PublicKey;
 import java.security.SecureRandom;
 import java.security.Security;
+import java.security.spec.AlgorithmParameterSpec;
 import java.security.spec.InvalidKeySpecException;
 import java.util.HashMap;
 import java.util.List;
@@ -73,6 +74,7 @@
 import org.bouncycastle.jce.spec.ECParameterSpec;
 import org.bouncycastle.jce.spec.ECPrivateKeySpec;
 import org.bouncycastle.jce.spec.ECPublicKeySpec;
+import org.bouncycastle.jce.spec.IESParameterSpec;
 import org.bouncycastle.openssl.PEMException;
 import org.bouncycastle.openssl.PEMKeyPair;
 import org.bouncycastle.openssl.PEMParser;
@@ -172,6 +174,7 @@ public SecretKey load(ByteBuffer key) {
         dataKey = keyGenerator.generateKey();
 
         iv = new byte[IV_LEN];
+
     }
 
     private PublicKey loadPublicKey(byte[] keyBytes) throws Exception {
@@ -322,29 +325,41 @@ private void addPublicKeyCipher(String keyName, CryptoKeyReader keyReader) throw
         byte[] encryptedKey;
 
         try {
-
+            AlgorithmParameterSpec params = null;
             // Encrypt data key using public key
             if (RSA.equals(pubKey.getAlgorithm())) {
                 dataKeyCipher = Cipher.getInstance(RSA_TRANS, BouncyCastleProvider.PROVIDER_NAME);
             } else if (ECDSA.equals(pubKey.getAlgorithm())) {
                 dataKeyCipher = Cipher.getInstance(ECIES, BouncyCastleProvider.PROVIDER_NAME);
+                params = createIESParameterSpec();
             } else {
                 String msg = logCtx + "Unsupported key type " + pubKey.getAlgorithm() + " for key " + keyName;
                 log.error(msg);
                 throw new PulsarClientException.CryptoException(msg);
             }
-            dataKeyCipher.init(Cipher.ENCRYPT_MODE, pubKey);
+            if (params != null) {
+                dataKeyCipher.init(Cipher.ENCRYPT_MODE, pubKey, params);
+            } else {
+                dataKeyCipher.init(Cipher.ENCRYPT_MODE, pubKey);
+            }
             encryptedKey = dataKeyCipher.doFinal(dataKey.getEncoded());
 
         } catch (IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException | NoSuchProviderException
-                | NoSuchPaddingException | InvalidKeyException e) {
+                 | NoSuchPaddingException | InvalidKeyException | InvalidAlgorithmParameterException e) {
             log.error("{} Failed to encrypt data key {}. {}", logCtx, keyName, e.getMessage());
             throw new PulsarClientException.CryptoException(e.getMessage());
         }
         EncryptionKeyInfo eki = new EncryptionKeyInfo(encryptedKey, keyInfo.getMetadata());
         encryptedDataKeyMap.put(keyName, eki);
     }
 
+    // required since Bouncycastle 1.72 when using ECIES, it is required to pass in an IESParameterSpec
+    private IESParameterSpec createIESParameterSpec() {
+        // the IESParameterSpec to use was discovered by debugging BouncyCastle 1.69 and running the
+        // test org.apache.pulsar.client.api.SimpleProducerConsumerTest#testCryptoWithChunking
+        return new IESParameterSpec(null, null, 128);
+    }
+
     /*
      * Remove a key <p> Remove the key identified by the keyName from the list of keys.<p>
      *
@@ -474,23 +489,28 @@ private boolean decryptDataKey(String keyName, byte[] encryptedDataKey, List<Key
         byte[] keyDigest = null;
 
         try {
-
+            AlgorithmParameterSpec params = null;
             // Decrypt data key using private key
             if (RSA.equals(privateKey.getAlgorithm())) {
                 dataKeyCipher = Cipher.getInstance(RSA_TRANS, BouncyCastleProvider.PROVIDER_NAME);
             } else if (ECDSA.equals(privateKey.getAlgorithm())) {
                 dataKeyCipher = Cipher.getInstance(ECIES, BouncyCastleProvider.PROVIDER_NAME);
+                params = createIESParameterSpec();
             } else {
                 log.error("Unsupported key type {} for key {}.", privateKey.getAlgorithm(), keyName);
                 return false;
             }
-            dataKeyCipher.init(Cipher.DECRYPT_MODE, privateKey);
+            if (params != null) {
+                dataKeyCipher.init(Cipher.DECRYPT_MODE, privateKey, params);
+            } else {
+                dataKeyCipher.init(Cipher.DECRYPT_MODE, privateKey);
+            }
             dataKeyValue = dataKeyCipher.doFinal(encryptedDataKey);
 
             keyDigest = digest.digest(encryptedDataKey);
 
         } catch (IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException | NoSuchProviderException
-                | NoSuchPaddingException | InvalidKeyException e) {
+                | NoSuchPaddingException | InvalidKeyException | InvalidAlgorithmParameterException e) {
             log.error("{} Failed to decrypt data key {} to decrypt messages {}", logCtx, keyName, e.getMessage());
             return false;
         }

pulsar-io/aerospike/pom.xml

@@ -52,6 +52,16 @@
       <groupId>com.aerospike</groupId>
       <artifactId>aerospike-client-bc</artifactId>
       <version>${aerospike-client.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>org.bouncycastle</groupId>
+          <artifactId>*</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk18on</artifactId>
     </dependency>
 
   </dependencies>

pulsar-sql/presto-distribution/LICENSE

@@ -592,7 +592,7 @@ Creative Commons Attribution License
 
 Bouncy Castle License
  * Bouncy Castle -- licenses/LICENSE-bouncycastle.txt
-   - bcpkix-jdk15on-1.69.jar
-   - bcprov-ext-jdk15on-1.69.jar
-   - bcprov-jdk15on-1.69.jar
-   - bcutil-jdk15on-1.69.jar
+   - bcpkix-jdk18on-1.75.jar
+   - bcprov-ext-jdk18on-1.75.jar
+   - bcprov-jdk18on-1.75.jar
+   - bcutil-jdk18on-1.75.jar

tests/integration/pom.xml

@@ -126,6 +126,11 @@
       <artifactId>docker-java-core</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk18on</artifactId>
+      <scope>test</scope>
+    </dependency>
 
     <dependency>
       <groupId>org.apache.pulsar</groupId>

tiered-storage/file-system/pom.xml

@@ -110,13 +110,23 @@
             <version>${hdfs-offload-version3}</version>
             <scope>test</scope>
             <exclusions>
-              <exclusion>
-                <groupId>io.netty</groupId>
-                <artifactId>netty-all</artifactId>
-              </exclusion>
+                <exclusion>
+                    <groupId>io.netty</groupId>
+                    <artifactId>netty-all</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
 
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk18on</artifactId>
+            <scope>test</scope>
+        </dependency>
+
         <dependency>
           <groupId>io.netty</groupId>
           <artifactId>netty-codec-http</artifactId>