SDK includes BouncyCastle tests

[tmtrademarked]

Summary

After updating to 16.0.1, our instrumentation tests fail with a newly included BouncyCastle test. It appears that this test is incorrectly included in the BouncyCastle library itself. The specific test that fails is org.bouncycastle.pqc.crypto.qtesla.QTeslaKeyEncodingTests.testDecodeEncodePrivateKeyQT3P.

SDK version

16.0.1

Other information

As pointed out by BouncyCastle, I believe the fix is simply to update this dependency to 1.65+: bcgit/bc-java#661

[mshafrir-stripe]

@tmtrademarked thanks for filing. What version of stripe-android did you upgrade from?

[tmtrademarked]

We upgraded from a very old version - 10.4.2 to be exact.

[tmtrademarked]

To validate my suspicion, I was able to work around this for now by adding the following to our build.gradle:

configurations.all {
    resolutionStrategy {
        // Force upgrade bouncycastle to 1.65 to avoid extraneous tests.
        force 'org.bouncycastle:bcprov-jdk15on:1.65'
    }
}

[mshafrir-stripe]

Unfortunately BouncyCastle v1.65 introduced issues for some users. It also appears that v1.66 introduces its own issues. We'll need to investigate this further. For the time being, we'll need to continue using v1.64.

[tmtrademarked]

Ugh, yuck - that is unfortunate. :-/ Thanks for taking a look here! I'm not sure if there are better solutions here than my hack in the build file. I wonder if other users are experiencing anything similar, or if there's something unique in our setup that causes this. I'm sure we could change the command we use to run tests or some such, as a possibility, but that also feels potentially dangerous.

[mshafrir-stripe]

@tmtrademarked yeah agreed that this is unfortunate. BouncyCastle can clearly be finicky on Android. This is the first I've heard of this issue, so I don't have any prior art for the best way to resolve it. I haven't tested this approach, but could you try excluding BouncyCastle entirely just in your tests? This would work in theory unless you are somehow instrumenting the 3DS2 challenge flow (i.e. BouncyCastle is only needed for 3DS2).

testImplementation('com.stripe:stripe-android:16.0.1') {
    exclude(group: 'org.bouncycastle', module: 'bcprov-jdk15on')
}

[tmtrademarked]

Yeah, that's a good idea - I can give that a shot. If we don't use the 3DS2 features, is there any harm to just excluding the bcprov-jdk15on module from the library in our app in the first place? Ie, anything you can see that would be a problem with just:

implementation('com.stripe:stripe-android:16.0.1') {
    exclude(group: 'org.bouncycastle', module: 'bcprov-jdk15on')
}

[mshafrir-stripe]

@tmtrademarked I can't really recommend doing that without knowing more about your integration. Can you exclude in debug and include in release builds?

[tmtrademarked]

Hmm. Unfortunately, it looks like just excluding from the tests doesn't quite work, probably because the app's version of the library itself still pulls this dependency in. We could go with excluding in debug and not in release, but at that point, I think we're making things harder on ourselves later.

[gerbiljames]

I think the fix here is to upgrade to bouncycastle 1.66 but switch to using the JDK 1.5-1.8 library (bcprov-jdk15to18) instead of the 1.5 onwards library (bcprov-jdk15on). It seems 1.66 added support for Java 15 to the latter which causes Jetifier to crash as it doesn't have support for that bytecode version. I would offer a PR but the 3ds2 library appears to be closed source.

[mshafrir-stripe]

I just published v16.1.0. This upgrades BouncyCastle to 1.6.7. Let me know if this resolves the issue.

[tmtrademarked]

It looks like using BouncyCastle 1.6.7 does in fact fix this - I was able to remove my hack in the gradle file, and everything continued working as expected with no extraneous tests. Thanks for the update!