Illegal reflective access

[tobiashort]

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.bouncycastle.jcajce.provider.drbg.DRBG (file:/app-1.0.0/lib/bcprov-jdk15on-1.60.jar) to constructor sun.security.provider.Sun()
WARNING: Please consider reporting this to the maintainers of org.bouncycastle.jcajce.provider.drbg.DRBG
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

I think this needs fix. Probably a Java 12 / 13 issue?

[bcgit]

Which version of the APIs did you see this with?

[tobiashort]

I came across this issue when using sshj version 0.27.0, which uses org.bouncycastle:bcpkix-jdk15on:1.60 and org.bouncycastle:bcprov-jdk15on:1.60.

See also hierynomus/sshj#568

Does this answer your question?

I think the problem is that the class DRGB.java access an internal API, which might be dangerous

bc-java/prov/src/main/java/org/bouncycastle/jcajce/provider/drbg/DRBG.java

Line 38 in f7710a2

{"sun.security.provider.Sun", "sun.security.provider.SecureRandom"},

[bcgit]

They just need to move to a more recent version of bcprov - Java 1.8 (eventually) introduced getInstanceStrong() the BC provider will call that preferentially to get access to the JVM's entropy source.