
Bouncy Castle JCA Provider Version In Classpath Ignored by Java


I am getting a wrong keystore version error in my Spring Boot application when I attempt to instantiate my keystore, which relies on Bouncy Castle 1.46. I added the right version, 1.46, to pom.xml and even to my classpath, but when I execute the Spring Boot application, a version check on the Bouncy Castle provider at runtime indicates version 1.51.

How do I ensure the Spring Boot application runs the Bouncy Castle 1.46 defined in my pom.xml?

<dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>1.46</version>
</dependency>

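import java.security.Provider;
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

private void installJCAProvider() {
    BouncyCastleProvider bouncyCastleProvider = new BouncyCastleProvider();

    // Report the version of the provider class that was actually loaded at runtime.
    System.err.println("Bouncy Castle Provider Version " + bouncyCastleProvider.getVersion()
            + " \nName " + bouncyCastleProvider.getName()
            + " | \n" + bouncyCastleProvider.getInfo());

    // Register the provider with the JCA.
    Security.addProvider(bouncyCastleProvider);

    // List every provider now installed in this JVM.
    Provider[] providers = Security.getProviders();

    for (Provider provider : providers) {
        System.err.println("Installed security providers" + provider.getInfo() + "\n");
    }
}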

Logs

Bouncy Castle Provider Version 1.51 
Name SC | 
BouncyCastle Security Provider v1.51

Solution

  • Run mvn dependency:tree to see where version 1.51 came from and exclude it from the dependencies.

    Also, spring-boot has a set of properties declared in its POMs that define the versions of dependencies. So look in the POM of the spring-boot starter that uses the Bouncy Castle lib for the property defining the version, and redefine its value in your POM.

    According to this https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html you can try to trick Maven by placing your dependency declaration above the spring-boot starter in the dependencies list.
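A runtime counterpart to the dependency-tree check above, as an added example that is not part of the original question or answer: it lists every copy of the provider class visible on the classpath and reports which location the loaded class actually came from. The class name ProviderOrigin and its methods are hypothetical names chosen for this example; the default provider class is the one used in the question.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.Provider;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical helper (name chosen for this example): shows which jar supplied a JCA provider class.
public class ProviderOrigin {

    // Use the context class loader so the lookup sees what the application itself sees.
    static ClassLoader loader() {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        return cl != null ? cl : ClassLoader.getSystemClassLoader();
    }

    // Every classpath entry containing the class file; more than one means competing copies.
    static List<URL> copiesOnClasspath(String className) throws Exception {
        String resource = className.replace('.', '/') + ".class";
        return new ArrayList<>(Collections.list(loader().getResources(resource)));
    }

    // Location the class was really loaded from, or null when no code source is recorded.
    static URL loadedFrom(Class<?> cls) {
        CodeSource src = cls.getProtectionDomain().getCodeSource();
        return src == null ? null : src.getLocation();
    }

    public static void main(String[] args) throws Exception {
        String className = args.length > 0 ? args[0]
                : "org.bouncycastle.jce.provider.BouncyCastleProvider";

        List<URL> copies = copiesOnClasspath(className);
        System.err.println(copies.size() + " classpath entries contain " + className + ":");
        for (URL url : copies) {
            System.err.println("  " + url);
        }
        if (copies.isEmpty()) {
            return; // Nothing to load; the provider jar is not on the classpath at all.
        }

        Class<?> cls = Class.forName(className, true, loader());
        Provider provider = (Provider) cls.getDeclaredConstructor().newInstance();
        System.err.println("Loaded from: " + loadedFrom(cls));
        System.err.println("Reports:     " + provider.getName() + " | " + provider.getInfo());
    }
}
```

Call these methods from inside the running application (for example at startup) rather than from a separate JVM, so the lookup goes through the same class loader and packaged jars that the application uses.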