Switch to jdk18on bouncycastle jars

[harikrishna-patnala]

Description

This PR fixes #10954

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

Updated my environment with the newer jars and everything seems fine

How did you try to break this feature and the system with this change?

[harikrishna-patnala]

@blueorangutan package

[blueorangutan]

@harikrishna-patnala a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 17.60%. Comparing base (286e406) to head (64d2dce).

Additional details and impacted files

@@            Coverage Diff            @@
##               4.22   #11201   +/-   ##
=========================================
  Coverage     17.60%   17.60%           
- Complexity    15624    15626    +2     
=========================================
  Files          5911     5911           
  Lines        530169   530169           
  Branches      64785    64785           
=========================================
+ Hits          93322    93344   +22     
+ Misses       426342   426319   -23     
- Partials      10505    10506    +1     

Flag	Coverage Δ
uitests	3.60% <ø> (ø)
unittests	18.67% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14192

[DaanHoogland]

@blueorangutan test matrix

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins matrix job (EL8 mgmt + EL8 KVM, Ubuntu22 mgmt + Ubuntu22 KVM, EL8 mgmt + VMware 7.0u3, EL9 mgmt + XCP-ng 8.2 ) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian Build Failed (tid-13786)

[blueorangutan]

[SF] Trillian Build Failed (tid-13784)

[blueorangutan]

[SF] Trillian Build Failed (tid-13785)

[blueorangutan]

[SF] Trillian Build Failed (tid-13783)

[harikrishna-patnala]

@blueorangutan test matrix

[blueorangutan]

@harikrishna-patnala a [SL] Trillian-Jenkins matrix job (EL8 mgmt + EL8 KVM, Ubuntu22 mgmt + Ubuntu22 KVM, EL8 mgmt + VMware 7.0u3, EL9 mgmt + XCP-ng 8.2 ) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian Build Failed (tid-13806)

[blueorangutan]

[SF] Trillian Build Failed (tid-13808)

[blueorangutan]

[SF] Trillian Build Failed (tid-13807)

[blueorangutan]

[SF] Trillian Build Failed (tid-13805)

[harikrishna-patnala]

@blueorangutan package

[blueorangutan]

@harikrishna-patnala a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[harikrishna-patnala]

@weizhouapache @DaanHoogland

The available versions for bouncy castle provider supporting jdk18 starts from 1.71 to 1.81 (https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on)

If we use 1.81 as the provider version

<cs.bcprov.version>1.81</cs.bcprov.version>

SystemVMs have trouble starting with the error

Caused by: java.lang.NoClassDefFoundError: Could not initialize class org.bouncycastle.operator.jcajce.OperatorHelper
        at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.<init>(Unknown Source)
        at org.apache.cloudstack.utils.security.CertUtils.generateV3Certificate(CertUtils.java:241)
        at org.apache.cloudstack.ca.provider.RootCAProvider.generateCertificate(RootCAProvider.java:152)

The last version that worked with our code is

<cs.bcprov.version>1.72</cs.bcprov.version>

At the moment I don't know the reason for "OperatorHelper" class not being found, so I adjusted the code to use 1.72 version. I'm not sure how the mentioned vulnerabilities effects us https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on/1.72

Please review and see if this is fine.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✖️ debian ✔️ suse15. SL-JID 14254

[vishesh92]

clgtm

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✖️ debian ✔️ suse15. SL-JID 14256

[weizhouapache]

According to central mvn repo, 1.72 has 5 vulnerabilities, 1.81 is the latest

It seems here are some imcompatibility issue with 1.81, I think it can be fixed

[sureshanaparti]

@harikrishna-patnala check if the issues with 1.81 can be fixed or not

[harikrishna-patnala]

I've tried multiple ways to use 1.81 and rewriting code for getting X509Certificate but still facing the same issue. Can someone of you help me here @weizhouapache @sureshanaparti

[Copilot]

Pull request overview

Updates Apache CloudStack’s BouncyCastle dependencies to the jdk18on artifact line and bumps the shared BouncyCastle version to address the security concern in #10954.

Changes:

• Replace bcprov/bcpkix/bctls -jdk15on artifacts with -jdk18on across affected modules.
• Bump ${cs.bcprov.version} from 1.70 to 1.82 and align dependencyManagement entries accordingly.
• Update client build/shade/dependency-copy references and exclusions to match the new artifact IDs.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pom.xml	Bumps BouncyCastle version property and updates dependencyManagement to -jdk18on artifacts.
utils/pom.xml	Switches direct BouncyCastle dependencies to bcprov/bcpkix/bctls-jdk18on.
services/console-proxy/rdpconsole/pom.xml	Switches RDP console BouncyCastle dependencies to bcprov/bctls-jdk18on.
plugins/integrations/kubernetes-service/pom.xml	Updates Kubernetes plugin BouncyCastle dependencies to bcprov/bctls-jdk18on.
client/pom.xml	Updates Jetty plugin deps, dependency-plugin copies, and shade exclusions to -jdk18on artifacts.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[harikrishna-patnala]

@blueorangutan package

[blueorangutan]

@harikrishna-patnala a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[harikrishna-patnala]

@borisstoyanov last time we had issues in deploying the system VMs, we need to check if that is still the case

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16609

[harikrishna-patnala]

@blueorangutan test

[blueorangutan]

@harikrishna-patnala a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[harikrishna-patnala]

This PR still has issues with systemVMs and host additions cc @DaanHoogland

[blueorangutan]

[SF] Trillian Build Failed (tid-15333)