bouncycastle dependencies outdated

This project relies on bouncycastle depencies provided by spring-security-rsa.
The last release of spring-security-rsa was already 2 years ago.
It relies on a dependencies to bcpkix-jdk15on, which itself is not maintained anymore:

Packaging Change (users of 1.70 or earlier): BC 1.71 changed the jdk15on jars to jdk18on so the base has now moved to Java 8. For earlier JVMs, or containers/applications that cannot cope with multi-release jars, you should now use the jdk15to18 jars.

[ https://www.bouncycastle.org/latest_releases.html ]

Since spring doesn't support < Java8 anymore, changing to jdk18on would be the logical decision.

I understand, that dropping the dependency to spring-security-rsa would be a breaking change.
But at least this project can maintain and update the dependencies of spring-security-rsa directly.

See https://github.com/dsyer/spring-security-rsa/blob/main/pom.xml for dependencies:

• The Two spring dependencies are circular (irrelevant) and inconsistent (different versions).
• Test dependencies can be ignored
• Dependency to unmaintained bcpkix-jdk15on remains as only relevant dependency

I suggest therefore to replace

spring-cloud-commons/spring-cloud-starter/pom.xml

Lines 32 to 35 in 8238abd

	<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-rsa</artifactId>
	</dependency>

with

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-rsa</artifactId>
    <exclusions>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk15on</artifactId>
    <exclusion>
</dependency>
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk18on</artifactId>
    <version>1.73</version>
</dependency>

Can be closed with the update to spring-security-rsa 1.0.12

[DerKanzler]

Isn't this fixed with e090bd2 respectively with ce379d5?

https://github.com/dsyer/spring-security-rsa/blob/v1.1.1/pom.xml includes bcprov-jdk18on 1.74 now.

Only question remains when 4.1.0 will be released.

... while bcprov-jdk18on is already 1.76 since Jul 31, 2023.

[OlgaMaciaszek]

The issue has been fixed upstream. For now, we're not planning to manage this dependency directly in spring-cloud-commons. 4.1.0 should be released later this week.

[juliojgd]

Hello @OlgaMaciaszek spring-security-rsa artifact is currently managed with 1.1.1 version (released June 2023) here:
https://github.com/spring-cloud/spring-cloud-commons/blob/main/spring-cloud-commons-dependencies/pom.xml#L22-L36

and it (spring-security-rsa) brings the already outdated org.bouncycastle:bcprov-jdk18on:1.74 https://github.com/dsyer/spring-security-rsa/blob/v1.1.1/pom.xml#L46-L49 as well as org.springframework.security:spring-security-crypto:5.8.4 (outdated, uses previous major Spring Security version).

Any plans to either get rid of spring-security-rsa artifact or upgrade its transitive dependencies? We are finding collisions with other artifacts using updated bouncy castle version.