From de256adb1d804d3c2b9157f7ac35c3f08ab949e6 Mon Sep 17 00:00:00 2001
From: vcolin7 <victor.y.asi@gmail.com>
Date: Fri, 31 Oct 2025 13:59:03 -0700
Subject: [PATCH] Added workaround to move multi-release classes when shading
 BouncyCastle

---
 .../azure-security-keyvault-jca/CHANGELOG.md  |  1 +
 .../azure-security-keyvault-jca/pom.xml       | 20 +++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md b/sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md
index 8cdd8472c5d4..c406c10f73fb 100644
--- a/sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md
+++ b/sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md
@@ -8,6 +8,7 @@
 
 ### Bugs Fixed
 - Fixed the NPE where the token object was not returned when the credential information was incorrect.
+- Fixed an issue where release-specific classes from BouncyCastle were not properly shaded for Java 9 and above, leading to potential class loading issues in multi-release JARs. ([#47127](https://github.com/Azure/azure-sdk-for-java/pull/47127))
 
 ### Other Changes
 - Included the `org.brotli:dec` library in the list of shaded dependencies to avoid issues when generating and publishing docs to MSLearn.
diff --git a/sdk/keyvault/azure-security-keyvault-jca/pom.xml b/sdk/keyvault/azure-security-keyvault-jca/pom.xml
index c575d94605f5..b955be59cec9 100644
--- a/sdk/keyvault/azure-security-keyvault-jca/pom.xml
+++ b/sdk/keyvault/azure-security-keyvault-jca/pom.xml
@@ -162,6 +162,11 @@
                     <exclude>META-INF/*.DSA</exclude>
                     <exclude>META-INF/*.RSA</exclude>
                     <exclude>META-INF/services/java.security.Provider</exclude>
+                    <!-- Exclude OSGI metadata since it references original (unshaded) package names
+                         and is not applicable after relocation -->
+                    <exclude>**/OSGI-INF/**</exclude>
+                    <!-- Exclude Bouncy Castle's module-info since it references unshaded packages. -->
+                    <exclude>**/module-info.class</exclude>
                   </excludes>
                 </filter>
               </filters>
@@ -170,6 +175,21 @@
                   <pattern>org.bouncycastle</pattern>
                   <shadedPattern>com.azure.security.keyvault.jca.implementation.shaded.org.bouncycastle</shadedPattern>
                 </relocation>
+                <!-- Manually relocate Bouncy Castle multi-release classes to the correct shaded package.
+                     This workaround is needed because the maven-shade-plugin (as of 3.6.1) relocates the
+                     bytecode but does not move the class files to the shaded directory structure (MSHADE-406).
+                     This additional relocation rule matches the file path pattern and moves multi-release
+                     classes to preserve Java 9+ optimizations while preventing package leakage.
+                     Based on: https://github.com/datafaker-net/datafaker/pull/1008
+                     See:
+                       - https://github.com/apache/maven-shade-plugin/pull/202
+                       - https://issues.apache.org/jira/browse/MSHADE-406
+                       - https://github.com/Azure/azure-sdk-for-java/issues/45277 -->
+                <relocation>
+                  <pattern>META-INF/versions/(\d+)/org/bouncycastle</pattern>
+                  <shadedPattern>META-INF/versions/$1/com/azure/security/keyvault/jca/implementation/shaded/org/bouncycastle</shadedPattern>
+                  <rawString>true</rawString>
+                </relocation>
               </relocations>
               <transformers>
                 <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>