
    Question about isomorphic-content-export dependencies

    Hello, I just spent a couple of hours debugging a very strange SSL issue.

    To make a long story short:
    Having BouncyCastle jars on the class path makes ActiveMQ add the BC SecurityProvider to the providers list. This causes the Google Firebase push service to not be able to make SSL connections. Crazy stuff!

    After I got to that root issue, I tried to find why I had it on the class path in the first place. Turns out the dependency chain is:

    [INFO] +-
    [INFO] | \-
    [INFO] | +- org.xhtmlrenderer:core-renderer:jar:R8:compile
    [INFO] | | \- com.lowagie:itext:jar:2.0.8:compile
    >>> [INFO] | | +- bouncycastle:bcmail-jdk14:jar:138:compile
    >>> [INFO] | | \- bouncycastle:bcprov-jdk14:jar:138:compile
    So, the xhtmlrenderer needs BouncyCastle for some reason, and it apparently has a SecurityProvider class in its jar...

    We of course use the pdfexport to generate PDFs.

    So, I basically have one question: What would break if I don't include those jars?
    I don't understand why an XHTMLRenderer needs bcmail and bcprov, haven't read up on the details though.

    (As a side note, I think this problem would go away if the dependency had been to jdk15 and not jdk14, but I haven't tested.)

    Last edited by mathias; 9 Aug 2023, 05:28.

    From a look around, iText uses BouncyCastle for cryptographic features like signed PDFs, which you likely aren't using.

    Unfortunately, because of the way that Java's runtime dependency management works, if the BouncyCastle classes are never actually called, they still have to be there. This is true unless iText used special techniques (such as Java Reflection, or a "Provider" design pattern) to isolate BouncyCastle, but it does not appear that iText did this.

    Assuming that BouncyCastle cannot be removed, here are some other possible workarounds (from ChatGPT). We'd recommend using ChatGPT to dive into the details of these workarounds if they seem appealing. Just be aware, while it's an amazing knowledge trove, it can "hallucinate".
    1. Explicitly Specify the Security Provider: If Google Firebase is having problems with the BouncyCastle provider, you may be able to specify a different provider for SSL connections. You can explicitly set the security provider in your code before making the SSL connection. For example, you might use:

      Security.insertProviderAt(new, 1);
    2. Reorder or Remove the BouncyCastle Provider Programmatically: You can manipulate the order of security providers at runtime or remove a provider altogether. Here's an example code snippet to remove the BouncyCastle provider:


      This should be done with caution, as it might affect other parts of your system that rely on BouncyCastle.
    3. Configure ActiveMQ to Not Use BouncyCastle: Depending on the version and configuration of ActiveMQ, there might be a way to configure it so that it does not add BouncyCastle as a security provider. This could involve configuration files or startup parameters. Consult the ActiveMQ documentation for details.


      Hi, of course, signed PDFs. Thanks for checking it out!

      I spent some more time looking into it, and the problem is that ActiveMQ automatically adds the BC provider if it finds it on the class path. Not only that, but it's hardcoded at position 2. This is a topic that's been discussed on the forums, and apparently Apache has said they won't change it nor add some config to change it. Bummer.

      (The issue is related to prime number sizes - I think that Firebase requires a larger number than BC supports.)

      In any case, I did try adding an exclusion for the jars isomorphic-content-export, I rebuilt and tried to export PDFs, and it seems to work! So, problem solved I guess:

      Again, thanks for replying. Cheers
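For cases where the jars cannot be excluded, workaround 2 from the reply above can be sketched as follows; this is an added example, not code from the thread, ActiveMQ or iText. It assumes Java 9+ and uses a constructed stand-in provider named "BC" (BouncyCastle's registered provider name) inserted at position 2, so it runs without the BouncyCastle jars.

```java
import java.security.Provider;
import java.security.Security;

public class DemoteProvider {

    // Constructed stand-in so the demo runs without BC on the class path.
    // It registers no algorithms; only its name and position matter here.
    static final class StandInBc extends Provider {
        StandInBc() { super("BC", "1.0", "constructed stand-in, not BouncyCastle"); }
    }

    /**
     * Moves the named provider to the lowest preference instead of deleting it,
     * so code that asks for it by name still finds it, while lookups that name
     * no provider try the JDK's own providers first.
     * Returns the new 1-based position, or -1 if the provider is not installed.
     */
    static int demote(String name) {
        Provider p = Security.getProvider(name);
        if (p == null) return -1;
        Security.removeProvider(name);
        return Security.addProvider(p); // addProvider appends at the end
    }

    static void dump(String label) {
        System.out.println(label);
        Provider[] ps = Security.getProviders();
        for (int i = 0; i < ps.length; i++) {
            System.out.printf("  %2d  %s%n", i + 1, ps[i].getName());
        }
    }

    public static void main(String[] args) {
        // Reproduce the situation described in the thread: BC sitting at position 2.
        if (Security.getProvider("BC") == null) {
            Security.insertProviderAt(new StandInBc(), 2);
        }
        dump("Before:");
        int pos = demote("BC");
        dump("After (BC now at position " + pos + "):");
    }
}
```

In a real application `demote("BC")` would have to run after the code that registers the provider, and the before/after listing is a quick way to confirm the resulting order. Whether demotion alone resolves the Firebase SSL failure described in the thread is untested here.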