Drop Bouncy Castle as a dependency.

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java

@@ -61,7 +61,6 @@ import java.util.concurrent.TimeUnit;
 import javax.servlet.DispatcherType;
 import javax.servlet.FilterRegistration;
 import javax.servlet.ServletRegistration;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.eclipse.jetty.servlets.CrossOriginFilter;
 import org.jdbi.v3.core.Jdbi;
 import org.signal.zkgroup.ServerSecretParams;
@@ -194,10 +193,6 @@ import org.whispersystems.websocket.setup.WebSocketEnvironment;
 
 public class WhisperServerService extends Application<WhisperServerConfiguration> {
 
-  static {
-    Security.addProvider(new BouncyCastleProvider());
-  }
-
   @Override
   public void initialize(Bootstrap<WhisperServerConfiguration> bootstrap) {
     bootstrap.addCommand(new VacuumCommand());

service/src/main/java/org/whispersystems/textsecuregcm/controllers/AttachmentControllerV3.java

@@ -23,6 +23,7 @@ import javax.ws.rs.core.MediaType;
 import java.io.IOException;
 import java.security.InvalidKeyException;
 import java.security.SecureRandom;
+import java.security.spec.InvalidKeySpecException;
 import java.time.ZoneOffset;
 import java.time.ZonedDateTime;
 import java.util.Base64;
@@ -45,7 +46,7 @@ public class AttachmentControllerV3 extends AttachmentControllerBase {
   private final SecureRandom secureRandom;
 
   public AttachmentControllerV3(@Nonnull RateLimiters rateLimiters, @Nonnull String domain, @Nonnull String email, int maxSizeInBytes, @Nonnull String pathPrefix, @Nonnull String rsaSigningKey)
-          throws IOException, InvalidKeyException {
+      throws IOException, InvalidKeyException, InvalidKeySpecException {
     this.rateLimiter               = rateLimiters.getAttachmentLimiter();
     this.canonicalRequestGenerator = new CanonicalRequestGenerator(domain, email, maxSizeInBytes, pathPrefix);
     this.canonicalRequestSigner    = new CanonicalRequestSigner(rsaSigningKey);

service/src/main/java/org/whispersystems/textsecuregcm/gcp/CanonicalRequestSigner.java

@@ -5,26 +5,32 @@
 
 package org.whispersystems.textsecuregcm.gcp;
 
-import org.apache.commons.codec.binary.Hex;
-import org.bouncycastle.openssl.PEMReader;
-
-import javax.annotation.Nonnull;
 import java.io.IOException;
-import java.io.StringReader;
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
+import java.security.KeyFactory;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.Signature;
 import java.security.SignatureException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import javax.annotation.Nonnull;
+import org.apache.commons.codec.binary.Hex;
+import org.whispersystems.websocket.util.Base64;
 
 public class CanonicalRequestSigner {
 
   @Nonnull
   private final PrivateKey rsaSigningKey;
 
-  public CanonicalRequestSigner(@Nonnull String rsaSigningKey) throws IOException, InvalidKeyException {
+  private static final Pattern PRIVATE_KEY_PATTERN =
+      Pattern.compile("(?m)(?s)^-+BEGIN PRIVATE KEY-+$(.+)^-+END PRIVATE KEY-+.*$");
+
+  public CanonicalRequestSigner(@Nonnull String rsaSigningKey) throws IOException, InvalidKeyException, InvalidKeySpecException {
     this.rsaSigningKey = initializeRsaSigningKey(rsaSigningKey);
   }
 
@@ -64,11 +70,23 @@ public class CanonicalRequestSigner {
     return Hex.encodeHexString(signature);
   }
 
-  private static PrivateKey initializeRsaSigningKey(String rsaSigningKey) throws IOException, InvalidKeyException {
-    final PEMReader pemReader          = new PEMReader(new StringReader(rsaSigningKey));
-    final PrivateKey key               = (PrivateKey) pemReader.readObject();
-    testKeyIsValidForSigning(key);
-    return key;
+  private static PrivateKey initializeRsaSigningKey(String rsaSigningKey) throws IOException, InvalidKeyException, InvalidKeySpecException {
+    final Matcher matcher = PRIVATE_KEY_PATTERN.matcher(rsaSigningKey);
+
+    if (matcher.matches()) {
+      try {
+        final KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+        final PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(Base64.decode(matcher.group(1)));
+        final PrivateKey key = keyFactory.generatePrivate(keySpec);
+
+        testKeyIsValidForSigning(key);
+        return key;
+      } catch (NoSuchAlgorithmException e) {
+        throw new AssertionError(e);
+      }
+    }
+
+    throw new IOException("Invalid RSA key");
   }
 
   private static void testKeyIsValidForSigning(PrivateKey key) throws InvalidKeyException {

service/src/main/java/org/whispersystems/textsecuregcm/util/CertificateUtil.java

@@ -5,15 +5,13 @@
 
 package org.whispersystems.textsecuregcm.util;
 
-import org.bouncycastle.openssl.PEMReader;
-
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.InputStreamReader;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 
 public class CertificateUtil {
@@ -38,8 +36,10 @@ public class CertificateUtil {
     }
 
     public static X509Certificate getCertificate(final String certificatePem) throws CertificateException {
-        try (PEMReader reader = new PEMReader(new InputStreamReader(new ByteArrayInputStream(certificatePem.getBytes())))) {
-            return (X509Certificate) reader.readObject();
+        final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
+
+        try (final ByteArrayInputStream pemInputStream = new ByteArrayInputStream(certificatePem.getBytes())) {
+          return (X509Certificate) certificateFactory.generateCertificate(pemInputStream);
         } catch (IOException e) {
             throw new CertificateException(e);
         }