I've been trying to get RSA Private Key Encryption working in ColdFusion 10 and installed the BouncyCastle library since it supports the encryption mode that my application requires. Trying to load the library with JavaLoader resulted in errors ("Class is on the bootclasspath" and "JCE cannot authenticate the provider BC") so I had to install it statically...
Copy the jar to %CF_ROOT%/jre/lib/ext/ and add the following to %CF_ROOT%/jre/lib/security/java.security:
security.provider.<N>=org.bouncycastle.jce.provider.BouncyCastleProvider
Without realizing it at the time, I had also removed the library from the code but statements that use the library still worked:
var privateKey = createObject("java", "org.bouncycastle.util.io.pem.PemReader").init(
createObject("java", "java.io.FileReader").init(LOCAL.privateKeyPath)
).readPemObject().getContent();
So either I permanently installed BouncyCastle in my ColdFusion install, or it comes included in ColdFusion. I've since removed the static provider installation and encryption using the "BC" provider continues to work without modification. If BouncyCastle is bundled with CF then that's great, but on another machine running an equally updated version of ColdFusion (CF10 update 13), the createObject statement is failing because it can't find the PemReader class. I've googled my eyes bloody and cannot find any documentation on BouncyCastle being included in any version of CF - except for a clause about BouncyCastle in the CF10 EULA.
The question is this: Is BouncyCastle included in CF10 and if so, how do I make sure it's enabled?
While I'm still unclear why two machines with the same version of CF with the same version of the same java package would have a discrepancy in the classes included in that package, I did find a workaround.
The org.bouncycastle.util.io.pem.PemReader class in the BouncyCastle Provider package is a replacement for the deprecated org.bouncycastle.openssl.PEMReader class in the BouncyCastle PKIX/OpenSSL package. Since CF10 comes with a relatively old version of BC (v1.39-jdk1.4), it still includes the deprecated class. Replacing the code above with the following code corrected the issue...
var privateKeyFile = createObject("java", "java.io.FileReader").init("myPrivateKey.pem");
var privateKey = createObject("java", "org.bouncycastle.openssl.PEMReader").init( privateKeyFile ).readObject().getPrivate().getEncoded();
privateKeyFile.close();
It also has the benefit of explicitly closing the file (though that was always possible).
Note: The machines that had the earlier issue also weren't loading the BouncyCastle security provider. It seems to be available on every machine, but not always loaded so I had to explicitly load it if it wasn't already:
var securityProviders = createObject("java", "java.security.Security").getProviders();
var providerInstalled = false;
for( var provider IN securityProviders ){
if( provider.getName() eq "BC" ){
providerInstalled = true;
break;
}
}
if( not providerInstalled )
createObject("java", "java.security.Security")
.addProvider( createObject("java", "org.bouncycastle.jce.provider.BouncyCastleProvider").init() );
来源:https://stackoverflow.com/questions/25027957/bouncycastle-library-in-coldfusion-10