Bouncy Castle NullpointerException with ECDHE and Java 11.0.5

Environment

• Red Hat JBoss Enterprise Application Platform (JBoss EAP)
  • 7.2
• Picketlink STS
• Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) keys
• Built-in Bouncy Castle registered as Java Cryptography Extension (JCE) provider
• Java 11.0.5 or later

Issue

• Null Pointer Exception shows up in log
• TLS connections fail

Resolution

This issue has been filed: This content is not included.JBEAP-18531 to apply a patch to the issue.

Replacing the implementation with a manually patch version would also correct the issue. See Bouncy Castle Requirements and Changes and the patch for Content from github.com is not included.Bouncy Castle

Root Cause

The Bouncy Castle Crypto provider breaks during TLS handshakes when ECDHE key exchange is used. The Java sometimes returns null random values that cause the error, see Content from github.com is not included.BC-java 633

The problem only occurs since OpenJDK 11.0.5 due to a regression introduced in OpenJDK by Content from bugs.openjdk.java.net is not included.JDK-8216039, which was fixing another compatibility issue with bounce castle. Because the issue called by Java 11.0.5 fixes another compatibility issue with the very same algorithm, downgrading the Java version may not be a solution.

The fix in Bouncy Castle has been merged into the mainline, but has not, as of writing this solution, been integrated into a released version.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.