Description
HAP-Java is incompatible with Bouncycastle's BC-Prov dependency version 1.60.
While correctly specified in the pom.xml file, other dependencies in the same project can still cause a version bump, in my case it was Spring-Cloud Greenwich.SR1.
It updates the dependency to version 1.60 and then HAP-Java is raising the following, very confusing error during pairing:
org.bouncycastle.crypto.tls.TlsFatalAlert: bad_record_mac(20)
at com.beowulfe.hap.impl.crypto.ChachaDecoder.decodeCiphertext(ChachaDecoder.java:31) ~[hap-1.1.5.jar:na]
at com.beowulfe.hap.impl.crypto.ChachaDecoder.decodeCiphertext(ChachaDecoder.java:41) ~[hap-1.1.5.jar:na]
at com.beowulfe.hap.impl.pairing.FinalPairHandler.decrypt(FinalPairHandler.java:44) ~[hap-1.1.5.jar:na]
at com.beowulfe.hap.impl.pairing.FinalPairHandler.handle(FinalPairHandler.java:39) ~[hap-1.1.5.jar:na]
at com.beowulfe.hap.impl.pairing.PairingManager.handle(PairingManager.java:59) ~[hap-1.1.5.jar:na]
at com.beowulfe.hap.impl.connections.HttpSession.handlePairSetup(HttpSession.java:109) ~[hap-1.1.5.jar:na]
at com.beowulfe.hap.impl.connections.HttpSession.handleRequest(HttpSession.java:53) ~[hap-1.1.5.jar:na]
at com.beowulfe.hap.impl.connections.ConnectionImpl.doHandleRequest(ConnectionImpl.java:54) ~[hap-1.1.5.jar:na]
at com.beowulfe.hap.impl.connections.ConnectionImpl.handleRequest(ConnectionImpl.java:47) ~[hap-1.1.5.jar:na]
at com.beowulfe.hap.impl.http.impl.AccessoryHandler.channelRead0(AccessoryHandler.java:52) ~[hap-1.1.5.jar:na]
at com.beowulfe.hap.impl.http.impl.AccessoryHandler.channelRead0(AccessoryHandler.java:17) ~[hap-1.1.5.jar:na]
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) ~[netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) ~[netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) ~[netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:350) ~[netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66) ~[netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:905) ~[netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[netty-all-4.1.34.Final.jar:4.1.34.Final]
at java.base/java.lang.Thread.run(Thread.java:835) ~[na:na]
I'm not an expert in this area, but the following note one the bouncycastle page looks promising:
The PEM Parser now returns an X509TrustedCertificate block when parsing an openssl trusted certificate, the new object was required to allow the proper return of the trusted certificate's attribute block
I've now "fixed" it by enforcing version 1.51 like this, but it would, of course, break Spring Cloud, if it's using that particular part of the code.
implementation("org.bouncycastle:bcprov-jdk15on:1.51") {
isForce = true
}A proper fix to support the latest version of bcprov would be nice, but until then it's at least documented and others can find it. Took me hours to finally figure this out and Google doesn't help in this case.