Gradle registers crypto provider without allowing configuration

Companies that use bouncy-castle FIPS ( for security/compliance cannot use Gradle signing, because Gradle signing calls “new BouncyCastleProvider()” directly:

./src/main/java/org/gradle/plugins/signing/signatory/pgp/ Security.addProvider(new BouncyCastleProvider());

This causes Gradle to blow up with:

java.lang.NoSuchFieldError: id_hmacWithSHA3_224
at org.bouncycastle.jcajce.provider.digest.SHA3$Mappings.configure(Unknown Source)
at org.bouncycastle.jce.provider.BouncyCastleProvider.loadAlgorithms(Unknown Source)
at org.bouncycastle.jce.provider.BouncyCastleProvider.setup(Unknown Source)
at org.bouncycastle.jce.provider.BouncyCastleProvider.access$ 000 (Unknown Source)
at org.bouncycastle.jce.provider.BouncyCastleProvider$ 1 .run(Unknown Source)
at org.bouncycastle.jce.provider.BouncyCastleProvider.<init>(Unknown Source)
at org.gradle.plugins.signing.signatory.pgp.PgpSignatory.<init>( 45 )

That’s because bc-fips loads its classes ahead of the classes from the bouncy-castle included in gradle-all, and does not include a BouncyCastleProvider. Instead, it supplies BouncyCastleFipsProvider. So what happens is that Gradle tries to construct BouncyCastleProvider from a recent version of bouncy-castle, which has string names of digests, algorithms, etc. that are not supported by {JRE}/lib/ext/bc-fips. Then when it tries to reflect those strings into classes from bc-fips, they’re not there, and kaboom.

Gradle shouldn’t new a provider directly. It should allow the provider to be configured.