Description
bcpkix-fips 2.0.11 has reintroduced the same module access issue that was fixed in bcpkix-fips 2.0.8 (ref: #1997).
When bc-fips 2.0.1 is on the module path (as org.bouncycastle.fips.core) and bcpkix-fips 2.0.11 is on the classpath (unnamed module), the following error occurs at runtime:
java.lang.IllegalAccessError: class org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder
(in unnamed module @0x...) cannot access class org.bouncycastle.asn1.isara.IsaraObjectIdentifiers
(in module org.bouncycastle.fips.core) because module org.bouncycastle.fips.core does not export
org.bouncycastle.asn1.isara to unnamed module @0x...
Root Cause
org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder in bcpkix-fips 2.0.11 directly imports org.bouncycastle.asn1.isara.IsaraObjectIdentifiers from bc-fips. However, the module-info of bc-fips 2.0.1 lists org.bouncycastle.asn1.isara as contains (internal) — it is
not exported.
This is the same class of bug fixed in #1997 for bcpkix-fips 2.0.8 and bcpg-fips 2.0.11, where the solution was to copy the needed interface into the consuming package to avoid cross-module access.
Environment
- Java 17 (module path for bc-fips, classpath for bcpkix-fips)
- bc-fips 2.0.1
- bcpkix-fips 2.0.11
Expected Behavior
bcpkix-fips 2.0.11 should work with bc-fips 2.0.1 without requiring --add-exports, consistent with its declared POM dependency range [2.0.0, 2.1.0).
Workaround
--add-exports org.bouncycastle.fips.core/org.bouncycastle.asn1.isara=ALL-UNNAMED
Suggested Fix
Apply the same pattern as #1997: copy IsaraObjectIdentifiers into the org.bouncycastle.operator package within bcpkix-fips, removing the cross-module import.
Description
bcpkix-fips 2.0.11 has reintroduced the same module access issue that was fixed in bcpkix-fips 2.0.8 (ref: #1997).
When bc-fips 2.0.1 is on the module path (as org.bouncycastle.fips.core) and bcpkix-fips 2.0.11 is on the classpath (unnamed module), the following error occurs at runtime:
java.lang.IllegalAccessError: class org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder
(in unnamed module @0x...) cannot access class org.bouncycastle.asn1.isara.IsaraObjectIdentifiers
(in module org.bouncycastle.fips.core) because module org.bouncycastle.fips.core does not export
org.bouncycastle.asn1.isara to unnamed module @0x...
Root Cause
org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder in bcpkix-fips 2.0.11 directly imports org.bouncycastle.asn1.isara.IsaraObjectIdentifiers from bc-fips. However, the module-info of bc-fips 2.0.1 lists org.bouncycastle.asn1.isara as contains (internal) — it is
not exported.
This is the same class of bug fixed in #1997 for bcpkix-fips 2.0.8 and bcpg-fips 2.0.11, where the solution was to copy the needed interface into the consuming package to avoid cross-module access.
Environment
Expected Behavior
bcpkix-fips 2.0.11 should work with bc-fips 2.0.1 without requiring --add-exports, consistent with its declared POM dependency range [2.0.0, 2.1.0).
Workaround
--add-exports org.bouncycastle.fips.core/org.bouncycastle.asn1.isara=ALL-UNNAMED
Suggested Fix
Apply the same pattern as #1997: copy IsaraObjectIdentifiers into the org.bouncycastle.operator package within bcpkix-fips, removing the cross-module import.