
[BUG] azure-security-keyvault-jca 2.11 JAR publishes (multirelease) classes under org.bouncycastle package #45277

Open
@guillaumepichenot

Description


Describe the bug
The azure-security-keyvault-jca pom.xml declares its intention to shade BouncyCastle classes into an internal Azure package (com.azure.security.keyvault.jca.implementation.shaded.org.bouncycastle).

<configuration>
  <shadeTestJar>false</shadeTestJar>
  <createSourcesJar>${createSourcesJar}</createSourcesJar>
  <shadeSourcesContent>true</shadeSourcesContent>
  <minimizeJar>true</minimizeJar>
  <artifactSet>
    <includes>
      <include>org.bouncycastle:*</include>
    </includes>
  </artifactSet>
  <filters>
    <filter>
      <artifact>org.bouncycastle:*</artifact>
      <excludes>
        <exclude>META-INF/*.SF</exclude>
        <exclude>META-INF/*.DSA</exclude>
        <exclude>META-INF/*.RSA</exclude>
        <exclude>META-INF/services/java.security.Provider</exclude>
      </excludes>
    </filter>
  </filters>
  <relocations>
    <relocation>
      <pattern>org.bouncycastle</pattern>
      <shadedPattern>com.azure.security.keyvault.jca.implementation.shaded.org.bouncycastle</shadedPattern>
    </relocation>
  </relocations>
</configuration>

While most of the classes from BouncyCastle are shaded:

(screenshot)

there seem to be left-over classes, namely those that BouncyCastle publishes through a multirelease JAR.

It seems the Maven Shade plugin does not relocate multirelease-specific classes that live under META-INF/versions/{jdkVersion}:

(screenshot)

Which in turn means that the shaded JAR probably does not behave as it should regarding BouncyCastle implementations. IMO, although it's hard to trace, the shaded JAR never loads classes from META-INF/versions while the non-shaded JAR does. If that's the case, there might even be security implications: the executed code is not the one expected by BouncyCastle's authors.

Maybe more importantly, or at least unexpectedly: it means the Azure JAR publishes classes under the org.bouncycastle package.

Exception or Stack Trace
No stack trace per se, but my eyebrow was raised with Maven Enforcer + ban duplicate classes turned on:

[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.5.0:enforce (enforce) on project encryption: 
[ERROR] Rule 6: org.codehaus.mojo.extraenforcer.dependencies.BanDuplicateClasses failed with message:
[ERROR] Duplicate classes found:
[ERROR] 
[ERROR]   Found in:
[ERROR]     com.azure:azure-security-keyvault-jca:jar:2.10.0:compile
[ERROR]     org.bouncycastle:bcprov-jdk18on:jar:1.80:compile
[ERROR]   Duplicate classes:
[ERROR]     META-INF/versions/9/org/bouncycastle/asn1/teletrust/TeleTrusTNamedCurves$14.class
...

To Reproduce
None at this point

Code Snippet
Not applicable.

Expected behavior
The output JAR should not publish classes inside org.bouncycastle package.

Screenshots
If applicable, add screenshots to help explain your problem.

Setup (please complete the following information):

  • OS: macOS
  • IDE: IntelliJ
  • Library/Libraries: com.azure:azure-security-keyvault-jca:jar:2.10.0
  • Java version: 21
  • App Server/Environment: IDE
  • Frameworks: Spring Boot

If you suspect a dependency version mismatch (e.g. you see NoClassDefFoundError, NoSuchMethodError or similar), please check out the Troubleshoot dependency version conflict article first. If it doesn't provide a solution for the problem, please provide:

  • verbose dependency tree (mvn dependency:tree -Dverbose)
  • exception message, full stack trace, and any available logs

Additional context
Add any other context about the problem here.

Information Checklist
Kindly make sure that you have added all the following information above and check off the required fields; otherwise we will treat the issue as an incomplete report.

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
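Added example (not from the issue reporter or the azure-sdk-for-java project): a Python check that scans a JAR for classes that escaped a Maven Shade relocation, normalising the META-INF/versions/<N>/ prefix first so the multirelease leftovers described above show up next to any root-level ones, and that pairs each leaked versioned entry with its relocated base class. It assumes the org.bouncycastle relocation from the pom.xml quoted above; the sample JAR it builds is constructed for the demonstration and its class bodies are empty placeholders, not real bytecode.

```python
"""Find classes that a Maven Shade relocation left under the original package.

Added example; assumes the relocation declared in the quoted pom.xml:
  org.bouncycastle -> com.azure.security.keyvault.jca.implementation.shaded.org.bouncycastle
"""
import io
import re
import zipfile

ORIGINAL_PKG = "org/bouncycastle/"
RELOCATED_PKG = "com/azure/security/keyvault/jca/implementation/shaded/org/bouncycastle/"

# Multi-release layout (JEP 238): META-INF/versions/<N>/<path as it would sit at the root>
_MR_RE = re.compile(r"^META-INF/versions/(\d+)/(.+)$")


def split_multirelease(entry):
    """Split a JAR entry name into (java_version or None, root-relative path)."""
    m = _MR_RE.match(entry)
    if m:
        return int(m.group(1)), m.group(2)
    return None, entry


def find_unrelocated(jar_bytes, original_pkg=ORIGINAL_PKG):
    """All .class entries still under original_pkg, versioned or not.

    The versioned prefix is stripped before the package check, so a relocation
    that only rewrote root-level entries is caught here.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
    return sorted(
        e for e in names
        if e.endswith(".class") and split_multirelease(e)[1].startswith(original_pkg)
    )


def orphaned_multirelease(jar_bytes, original_pkg=ORIGINAL_PKG, relocated_pkg=RELOCATED_PKG):
    """Versioned entries left in original_pkg whose base class *was* relocated.

    Returns (versioned_entry, relocated_base_entry) pairs. Loading the relocated
    class name looks for META-INF/versions/N/<relocated path>, which does not
    exist, so the base copy runs and the Java 9+ variant is never used.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    pairs = []
    for entry in sorted(names):
        version, path = split_multirelease(entry)
        if version is None or not path.endswith(".class") or not path.startswith(original_pkg):
            continue
        relocated_base = relocated_pkg + path[len(original_pkg):]
        if relocated_base in names:
            pairs.append((entry, relocated_base))
    return pairs


def build_sample_jar():
    """Constructed stand-in for the shaded JAR; class bodies are empty placeholders."""
    # Class name taken from the enforcer output in the issue.
    bc_class = "asn1/teletrust/TeleTrusTNamedCurves$14.class"
    entries = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nMulti-Release: true\r\n\r\n",
        # The library's own class: unaffected by the relocation.
        "com/azure/security/keyvault/jca/KeyVaultJcaProvider.class": b"",
        # Root-level BouncyCastle class, correctly relocated.
        RELOCATED_PKG + bc_class: b"",
        # Its Java 9 variant, left under the original package: the reported bug.
        "META-INF/versions/9/" + ORIGINAL_PKG + bc_class: b"",
        # A versioned entry that was relocated properly, for contrast.
        "META-INF/versions/9/" + RELOCATED_PKG + "util/Example.class": b"",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def main(jar_bytes=None):
    """Print the findings; exit status 1 when leaked classes are present."""
    jar = jar_bytes if jar_bytes is not None else build_sample_jar()
    leaked = find_unrelocated(jar)
    print("Classes still under org.bouncycastle:")
    for entry in leaked:
        print("  " + entry)
    for versioned, base in orphaned_multirelease(jar):
        print(f"  {versioned} is never loaded; {base} runs instead")
    return 1 if leaked else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

To run the check against a real artifact, pass the JAR's bytes to `main()` (for example `main(open("azure-security-keyvault-jca.jar", "rb").read())`); a non-zero exit makes it usable as a build gate alongside the enforcer rule shown above.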

Metadata

  • Labels: azure-spring (All azure-spring related issues); azure-spring-jca; customer-reported (Issues that are reported by GitHub users external to the Azure organization); question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that)
  • Type: No type
  • Projects / Status: Todo
  • Relationships: None yet
  • Development: No branches or pull requests