
Maven dependency bcprov issue


I have a Bouncy Castle dependency used in my application and I want this dependency to be excluded in the pom.xml file. Even after removing this dependency from the pom file, it still appears in the m2 repository folder. My application is a Spring-MVC 5 framework application running on Tomcat version 9. While deploying, there are two different versions of "bcprov". I need to exclude both bcprov-jdk14 and bcprov-jdk15on from the pom.xml file.

Below is the dependency in the pom file.

    <dependency>
      <groupId>bouncycastle</groupId>
      <artifactId>bcprov-jdk14</artifactId>
      <version>140</version>
    </dependency>

I also tried another link for the exclusion but it did not work - Maven Transitive Dependency issue

Please help me exclude the above dependencies.


Solution

  • To exclude some transitive dependencies you just have to add <exclusion> tags in your POM file. You need to remove the bcprov-jdk14 artifact from every dependency that uses it (check the dependency tree), e.g.:

        <dependency>
          <groupId>com.lowagie</groupId>
          <artifactId>itext</artifactId>
          <version>2.1.7</version>
          <exclusions>
            <exclusion>
              <groupId>bouncycastle</groupId>
              <artifactId>bcmail-jdk14</artifactId>
            </exclusion>
            <exclusion>
              <groupId>bouncycastle</groupId>
              <artifactId>bcprov-jdk14</artifactId>
            </exclusion>
            <exclusion>
              <groupId>org.bouncycastle</groupId>
              <artifactId>bcmail-jdk14</artifactId>
            </exclusion>
            <exclusion>
              <groupId>org.bouncycastle</groupId>
              <artifactId>bcprov-jdk14</artifactId>
            </exclusion>
            <exclusion>
              <groupId>org.bouncycastle</groupId>
              <artifactId>bctsp-jdk14</artifactId>
            </exclusion>
          </exclusions>
        </dependency>
    

    Remember however to add the correct versions of those dependencies:

      <properties>
        ...
        <bc.version>1.69</bc.version>
      </properties>
      <dependencies>
        <dependency>
          <groupId>org.bouncycastle</groupId>
          <artifactId>bcprov-jdk15on</artifactId>
          <version>${bc.version}</version>
        </dependency>
        <dependency>
          <groupId>org.bouncycastle</groupId>
          <artifactId>bcmail-jdk15on</artifactId>
          <version>${bc.version}</version>
        </dependency>
      </dependencies>
    

    Alternatively don't use the features of the libraries that depend on BouncyCastle (signature verification/encryption).
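
To keep the legacy jdk14 artifacts from coming back through some other transitive path once the exclusions are in place, the build can be made to fail whenever they resolve. This is an added example, not part of the original answer; it assumes maven-enforcer-plugin 3.4.1 and reuses the coordinates listed in the exclusions above.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <!-- assumed version; pin whichever release your build already uses -->
      <version>3.4.1</version>
      <executions>
        <execution>
          <id>ban-legacy-bouncycastle</id>
          <!-- the enforce goal binds to the validate phase by default -->
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <!-- transitive dependencies are searched by default -->
              <bannedDependencies>
                <excludes>
                  <!-- everything under the old "bouncycastle" groupId -->
                  <exclude>bouncycastle</exclude>
                  <!-- jdk14 builds published under org.bouncycastle -->
                  <exclude>org.bouncycastle:bcprov-jdk14</exclude>
                  <exclude>org.bouncycastle:bcmail-jdk14</exclude>
                  <exclude>org.bouncycastle:bctsp-jdk14</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

When the rule fails, `mvn dependency:tree -Dincludes=bouncycastle` shows which direct dependency still needs an `<exclusion>`.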