Update to bouncycastle jdk18on with version 1.78.1

The Jenkins update-center2 was still using a bouncycastle version from
September 2008. Even though I exactly followed the instructions from the
update-center2's README.adoc file, I was not able to generate an OpenSSL
key (and certificate) that would work with that bouncycastle version.
Debugging into the library revealed that the old bouncycastle version
doesn't support reading private keys starting with the line
`-----BEGIN PRIVATE KEY-----`.

Instead, bouncycastle only supported one of the following starting lines
for private keys:

- `-----BEGIN RSA PRIVATE KEY-----`
- `-----BEGIN DSA PRIVATE KEY-----`
- `-----BEGIN EC PRIVATE KEY-----`

In the case of a starting line of `BEGIN PRIVATE KEY`, the
`readObject()` method of the `PEMReader` would just return `null` and
cause the update-center2 to crash.

However, the documented command `openssl genrsa -out demo.key 4096` also
generates a key file starting with `BEGIN PRIVATE KEY` when using modern
versions of OpenSSL (version 3.0.13 in my case).

For this reason, this change updates the used bouncycastle library to
the most recent version, with which I was able to sign the files again.

pom.xml

@@ -202,9 +202,14 @@
       <version>1.10</version>
     </dependency>
     <dependency>
-      <groupId>bouncycastle</groupId>
-      <artifactId>bcprov-jdk15</artifactId>
-      <version>140</version>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk18on</artifactId>
+      <version>1.78.1</version>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk18on</artifactId>
+      <version>1.78.1</version>
     </dependency>
     <dependency>
       <groupId>org.apache.ant</groupId>
@@ -269,6 +274,10 @@
   </dependencies>
 
   <repositories>
+    <repository>
+      <id>central</id>
+      <url>https://repo1.maven.org/maven2/</url>
+    </repository>
     <repository>
       <id>repo.jenkins-ci.org</id>
       <url>https://repo.jenkins-ci.org/public/</url>

src/main/java/io/jenkins/update_center/Signer.java

@@ -1,16 +1,17 @@
 package io.jenkins.update_center;
 
 import io.jenkins.update_center.json.JsonSignature;
-
 import io.jenkins.update_center.util.Environment;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.Hex;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.io.output.NullOutputStream;
 import org.apache.commons.io.output.TeeOutputStream;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.openssl.PEMReader;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
 import org.jvnet.hudson.crypto.CertificateUtil;
 import org.jvnet.hudson.crypto.SignatureOutputStream;
 import org.kohsuke.args4j.Option;
@@ -23,7 +24,6 @@
 import java.nio.file.Files;
 import java.security.DigestOutputStream;
 import java.security.GeneralSecurityException;
-import java.security.KeyPair;
 import java.security.MessageDigest;
 import java.security.PrivateKey;
 import java.security.Signature;
@@ -86,8 +86,9 @@ public JsonSignature sign(String json) throws GeneralSecurityException, IOExcept
         X509Certificate signer = certs.get(0); // the first one is the signer, and the rest is the chain to a root CA.
 
         PrivateKey key;
-        try (PEMReader pem = new PEMReader(Files.newBufferedReader(privateKey.toPath(), StandardCharsets.UTF_8))) {
-             key = ((KeyPair) pem.readObject()).getPrivate();
+        try (PEMParser pem = new PEMParser(Files.newBufferedReader(privateKey.toPath(), StandardCharsets.UTF_8))) {
+            PrivateKeyInfo privateKeyInfo = (PrivateKeyInfo) pem.readObject();
+            key = new JcaPEMKeyConverter().getPrivateKey(privateKeyInfo);
         }
 
         // the correct signature (since Jenkins 1.433); no longer generate wrong signatures for older releases.