From c0dc62540d40494f392bb252fc3a9e7938cb41a5 Mon Sep 17 00:00:00 2001
From: Sergey Beryozkin <sberyozkin@gmail.com>
Date: Mon, 24 Jan 2022 16:56:34 +0000
Subject: [PATCH] Support BouncyCastle ECDSA KeyPairGenerator and
 AES/CBC/PKCS7Padding Cipher

---
 .../nativeimage/AutoFeatureAugmentor.java     |  7 +++
 ...iveImageAutoFeatureAugmentorBuildItem.java | 19 ++++++++
 .../steps/NativeImageAutoFeatureStep.java     |  7 +++
 .../deployment/SecurityProcessor.java         | 44 ++++++++++++++++++-
 .../bouncycastle/BouncyCastleJsseITCase.java  |  2 -
 .../it/bouncycastle/BouncyCastleEndpoint.java | 16 +++++++
 .../it/bouncycastle/BouncyCastleTestCase.java | 20 +++++++++
 7 files changed, 111 insertions(+), 4 deletions(-)
 create mode 100644 core/deployment/src/main/java/io/quarkus/deployment/builditem/nativeimage/AutoFeatureAugmentor.java
 create mode 100644 core/deployment/src/main/java/io/quarkus/deployment/builditem/nativeimage/NativeImageAutoFeatureAugmentorBuildItem.java

diff --git a/core/deployment/src/main/java/io/quarkus/deployment/builditem/nativeimage/AutoFeatureAugmentor.java b/core/deployment/src/main/java/io/quarkus/deployment/builditem/nativeimage/AutoFeatureAugmentor.java
new file mode 100644
index 00000000000000..c7a9fdf9861965
--- /dev/null
+++ b/core/deployment/src/main/java/io/quarkus/deployment/builditem/nativeimage/AutoFeatureAugmentor.java
@@ -0,0 +1,7 @@
+package io.quarkus.deployment.builditem.nativeimage;
+
+import io.quarkus.gizmo.TryBlock;
+
+public interface AutoFeatureAugmentor {
+    void augment(TryBlock overallCatch);
+}
diff --git a/core/deployment/src/main/java/io/quarkus/deployment/builditem/nativeimage/NativeImageAutoFeatureAugmentorBuildItem.java b/core/deployment/src/main/java/io/quarkus/deployment/builditem/nativeimage/NativeImageAutoFeatureAugmentorBuildItem.java
new file mode 100644
index 00000000000000..0b5c5efb3e42f6
--- /dev/null
+++ b/core/deployment/src/main/java/io/quarkus/deployment/builditem/nativeimage/NativeImageAutoFeatureAugmentorBuildItem.java
@@ -0,0 +1,19 @@
+package io.quarkus.deployment.builditem.nativeimage;
+
+import io.quarkus.builder.item.MultiBuildItem;
+import io.quarkus.gizmo.TryBlock;
+
+/**
+ * A build item that can be used to augment the generated AutoFeature
+ */
+public final class NativeImageAutoFeatureAugmentorBuildItem extends MultiBuildItem {
+    AutoFeatureAugmentor autoFeatureAugmentor;
+
+    public NativeImageAutoFeatureAugmentorBuildItem(AutoFeatureAugmentor autoFeatureAugmentor) {
+        this.autoFeatureAugmentor = autoFeatureAugmentor;
+    }
+
+    public void augment(TryBlock overallCatch) {
+        autoFeatureAugmentor.augment(overallCatch);
+    }
+}
diff --git a/core/deployment/src/main/java/io/quarkus/deployment/steps/NativeImageAutoFeatureStep.java b/core/deployment/src/main/java/io/quarkus/deployment/steps/NativeImageAutoFeatureStep.java
index 9e7a72807f66ef..7ad83d20a3b97d 100644
--- a/core/deployment/src/main/java/io/quarkus/deployment/steps/NativeImageAutoFeatureStep.java
+++ b/core/deployment/src/main/java/io/quarkus/deployment/steps/NativeImageAutoFeatureStep.java
@@ -28,6 +28,7 @@
 import io.quarkus.deployment.builditem.GeneratedResourceBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ForceNonWeakReflectiveClassBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.JniRuntimeAccessBuildItem;
+import io.quarkus.deployment.builditem.nativeimage.NativeImageAutoFeatureAugmentorBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.NativeImageProxyDefinitionBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.NativeImageResourceBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.NativeImageResourceBundleBuildItem;
@@ -114,6 +115,7 @@ void generateFeature(BuildProducer<GeneratedNativeImageClassBuildItem> nativeIma
             List<NativeImageProxyDefinitionBuildItem> proxies,
             List<NativeImageResourcePatternsBuildItem> resourcePatterns,
             List<NativeImageResourceBundleBuildItem> resourceBundles,
+            List<NativeImageAutoFeatureAugmentorBuildItem> augmentors,
             List<ReflectiveMethodBuildItem> reflectiveMethods,
             List<ReflectiveFieldBuildItem> reflectiveFields,
             List<ReflectiveClassBuildItem> reflectiveClassBuildItems,
@@ -337,6 +339,11 @@ public void write(String s, byte[] bytes) {
                 //c.invokeVirtualMethod(ofMethod(Throwable.class, "printStackTrace", void.class), c.getCaughtException());
             }
         }
+
+        for (NativeImageAutoFeatureAugmentorBuildItem augmentor : augmentors) {
+            augmentor.augment(overallCatch);
+        }
+
         int count = 0;
 
         final Map<String, ReflectionInfo> reflectiveClasses = new LinkedHashMap<>();
diff --git a/extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java b/extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java
index 657a8f65f898aa..179b446a2ab2f0 100644
--- a/extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java
+++ b/extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java
@@ -1,5 +1,7 @@
 package io.quarkus.security.deployment;
 
+import static io.quarkus.security.runtime.SecurityProviderUtils.findProviderIndex;
+
 import java.io.IOException;
 import java.lang.reflect.Modifier;
 import java.net.MalformedURLException;
@@ -42,12 +44,15 @@
 import io.quarkus.deployment.annotations.Record;
 import io.quarkus.deployment.builditem.ApplicationClassPredicateBuildItem;
 import io.quarkus.deployment.builditem.FeatureBuildItem;
+import io.quarkus.deployment.builditem.nativeimage.AutoFeatureAugmentor;
 import io.quarkus.deployment.builditem.nativeimage.JPMSExportBuildItem;
+import io.quarkus.deployment.builditem.nativeimage.NativeImageAutoFeatureAugmentorBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.NativeImageSecurityProviderBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.RuntimeReinitializedClassBuildItem;
 import io.quarkus.gizmo.MethodDescriptor;
 import io.quarkus.gizmo.ResultHandle;
+import io.quarkus.gizmo.TryBlock;
 import io.quarkus.runtime.RuntimeValue;
 import io.quarkus.security.runtime.IdentityProviderManagerCreator;
 import io.quarkus.security.runtime.SecurityBuildTimeConfig;
@@ -149,10 +154,15 @@ private static void prepareBouncyCastleProvider(BuildProducer<ReflectiveClassBui
                 isFipsMode ? SecurityProviderUtils.BOUNCYCASTLE_FIPS_PROVIDER_CLASS_NAME
                         : SecurityProviderUtils.BOUNCYCASTLE_PROVIDER_CLASS_NAME));
         reflection.produce(new ReflectiveClassBuildItem(true, true,
+                "org.bouncycastle.jcajce.provider.symmetric.AES",
+                "org.bouncycastle.jcajce.provider.symmetric.AES$CBC",
+                "org.bouncycastle.crypto.paddings.PKCS7Padding",
                 "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi",
                 "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi$EC",
+                "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi$ECDSA",
                 "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi",
                 "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC",
+                "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$ECDSA",
                 "org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyFactorySpi",
                 "org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyPairGeneratorSpi",
                 "org.bouncycastle.jcajce.provider.asymmetric.rsa.PSSSignatureSpi",
@@ -222,16 +232,36 @@ void recordBouncyCastleProviders(SecurityProviderRecorder recorder,
 
     @BuildStep
     void addBouncyCastleProvidersToNativeImage(BuildProducer<NativeImageSecurityProviderBuildItem> additionalProviders,
+            BuildProducer<NativeImageAutoFeatureAugmentorBuildItem> autoFeatureAugmentors,
             List<BouncyCastleProviderBuildItem> bouncyCastleProviders,
             List<BouncyCastleJsseProviderBuildItem> bouncyCastleJsseProviders) {
         Optional<BouncyCastleJsseProviderBuildItem> bouncyCastleJsseProvider = getOne(bouncyCastleJsseProviders);
         if (bouncyCastleJsseProvider.isPresent()) {
             additionalProviders.produce(
                     new NativeImageSecurityProviderBuildItem(SecurityProviderUtils.BOUNCYCASTLE_JSSE_PROVIDER_CLASS_NAME));
-            final String providerName = bouncyCastleJsseProvider.get().isInFipsMode()
+            final String commonProviderName = bouncyCastleJsseProvider.get().isInFipsMode()
                     ? SecurityProviderUtils.BOUNCYCASTLE_FIPS_PROVIDER_CLASS_NAME
                     : SecurityProviderUtils.BOUNCYCASTLE_PROVIDER_CLASS_NAME;
-            additionalProviders.produce(new NativeImageSecurityProviderBuildItem(providerName));
+            additionalProviders.produce(new NativeImageSecurityProviderBuildItem(commonProviderName));
+
+            autoFeatureAugmentors.produce(new NativeImageAutoFeatureAugmentorBuildItem(new AutoFeatureAugmentor() {
+                @Override
+                public void augment(TryBlock overallCatch) {
+                    final int sunJsseIndex = findProviderIndex(SecurityProviderUtils.SUN_JSSE_PROVIDER_NAME);
+
+                    ResultHandle bcCommonProvider = overallCatch
+                            .newInstance(MethodDescriptor.ofConstructor(commonProviderName));
+                    ResultHandle bcJsseProvider = overallCatch.newInstance(
+                            MethodDescriptor.ofConstructor(SecurityProviderUtils.BOUNCYCASTLE_JSSE_PROVIDER_CLASS_NAME));
+
+                    overallCatch.invokeStaticMethod(
+                            MethodDescriptor.ofMethod(Security.class, "insertProviderAt", int.class, Provider.class, int.class),
+                            bcCommonProvider, overallCatch.load(sunJsseIndex));
+                    overallCatch.invokeStaticMethod(
+                            MethodDescriptor.ofMethod(Security.class, "insertProviderAt", int.class, Provider.class, int.class),
+                            bcJsseProvider, overallCatch.load(sunJsseIndex + 1));
+                }
+            }));
         } else {
             Optional<BouncyCastleProviderBuildItem> bouncyCastleProvider = getOne(bouncyCastleProviders);
             if (bouncyCastleProvider.isPresent()) {
@@ -239,6 +269,16 @@ void addBouncyCastleProvidersToNativeImage(BuildProducer<NativeImageSecurityProv
                         ? SecurityProviderUtils.BOUNCYCASTLE_FIPS_PROVIDER_CLASS_NAME
                         : SecurityProviderUtils.BOUNCYCASTLE_PROVIDER_CLASS_NAME;
                 additionalProviders.produce(new NativeImageSecurityProviderBuildItem(providerName));
+
+                autoFeatureAugmentors.produce(new NativeImageAutoFeatureAugmentorBuildItem(new AutoFeatureAugmentor() {
+                    @Override
+                    public void augment(TryBlock overallCatch) {
+                        ResultHandle bcProvider = overallCatch.newInstance(MethodDescriptor.ofConstructor(providerName));
+                        overallCatch.invokeStaticMethod(
+                                MethodDescriptor.ofMethod(Security.class, "addProvider", int.class, Provider.class),
+                                bcProvider);
+                    }
+                }));
             }
         }
     }
diff --git a/integration-tests/bouncycastle-jsse/src/test/java/io/quarkus/it/bouncycastle/BouncyCastleJsseITCase.java b/integration-tests/bouncycastle-jsse/src/test/java/io/quarkus/it/bouncycastle/BouncyCastleJsseITCase.java
index dc7f16cc2e4541..370e9ba9334750 100644
--- a/integration-tests/bouncycastle-jsse/src/test/java/io/quarkus/it/bouncycastle/BouncyCastleJsseITCase.java
+++ b/integration-tests/bouncycastle-jsse/src/test/java/io/quarkus/it/bouncycastle/BouncyCastleJsseITCase.java
@@ -2,13 +2,11 @@
 
 import org.junit.jupiter.api.Test;
 
-import io.quarkus.test.junit.DisabledOnNativeImage;
 import io.quarkus.test.junit.QuarkusIntegrationTest;
 
 @QuarkusIntegrationTest
 public class BouncyCastleJsseITCase extends BouncyCastleJsseTestCase {
     @Test
-    @DisabledOnNativeImage
     @Override
     public void testListProviders() {
         doTestListProviders();
diff --git a/integration-tests/bouncycastle/src/main/java/io/quarkus/it/bouncycastle/BouncyCastleEndpoint.java b/integration-tests/bouncycastle/src/main/java/io/quarkus/it/bouncycastle/BouncyCastleEndpoint.java
index 51bfeda246ac76..1fd1a0850548b3 100644
--- a/integration-tests/bouncycastle/src/main/java/io/quarkus/it/bouncycastle/BouncyCastleEndpoint.java
+++ b/integration-tests/bouncycastle/src/main/java/io/quarkus/it/bouncycastle/BouncyCastleEndpoint.java
@@ -10,6 +10,7 @@
 import java.util.Arrays;
 import java.util.stream.Collectors;
 
+import javax.crypto.Cipher;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 
@@ -45,6 +46,14 @@ public String generateEcKeyPair() throws Exception {
         return "success";
     }
 
+    @GET
+    @Path("generateEcDsaKeyPair")
+    public String generateEcDsaKeyPair() throws Exception {
+        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("ECDSA", "BC");
+        keyPairGenerator.generateKeyPair();
+        return "success";
+    }
+
     @GET
     @Path("generateRsaKeyPair")
     public String generateRsaKeyPair() throws Exception {
@@ -53,6 +62,13 @@ public String generateRsaKeyPair() throws Exception {
         return "success";
     }
 
+    @GET
+    @Path("checkAesCbcPKCS7PaddingCipher")
+    public String checkAesCbcPKCS7PaddingCipher() throws Exception {
+        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC");
+        return cipher.getAlgorithm();
+    }
+
     @GET
     @Path("readEcPrivatePemKey")
     public String readEcPrivatePemKey() throws Exception {
diff --git a/integration-tests/bouncycastle/src/test/java/io/quarkus/it/bouncycastle/BouncyCastleTestCase.java b/integration-tests/bouncycastle/src/test/java/io/quarkus/it/bouncycastle/BouncyCastleTestCase.java
index de70dbe2986331..283e11d8505195 100644
--- a/integration-tests/bouncycastle/src/test/java/io/quarkus/it/bouncycastle/BouncyCastleTestCase.java
+++ b/integration-tests/bouncycastle/src/test/java/io/quarkus/it/bouncycastle/BouncyCastleTestCase.java
@@ -40,6 +40,16 @@ public void testGenerateEcKeyPair() {
                 .body(equalTo("success"));
     }
 
+    @Test
+    public void testGenerateEcDsaKeyPair() {
+        RestAssured.given()
+                .when()
+                .get("/jca/generateEcDsaKeyPair")
+                .then()
+                .statusCode(200)
+                .body(equalTo("success"));
+    }
+
     @Test
     public void testGenerateRsaKeyPair() {
         RestAssured.given()
@@ -50,6 +60,16 @@ public void testGenerateRsaKeyPair() {
                 .body(equalTo("success"));
     }
 
+    @Test
+    public void testAesCbcPKCS7PaddingCipher() {
+        RestAssured.given()
+                .when()
+                .get("/jca/checkAesCbcPKCS7PaddingCipher")
+                .then()
+                .statusCode(200)
+                .body(equalTo("AES/CBC/PKCS7Padding"));
+    }
+
     @Test
     public void readEcPrivatePemKey() {
         RestAssured.given()