[ https://issues.apache.org/jira/browse/NIFI-1753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15240396#comment-15240396 ]
ASF subversion and git services commented on NIFI-1753:
-------------------------------------------------------
Commit 378ccf53c26ef40ca56512247c93243546fefa8b in nifi's branch
refs/heads/master from [~alopresto]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=378ccf5 ]
NIFI-1753 Replaced usage of javax.security.cert.X509Certificate with
java.security.cert.X509Certificate and resolved user-reported
ClassCastException when handling client certificates during TLS mutual
authentication.
Fixed nifi-utils pom.xml comment about additional dependencies. (+5 squashed
commits)
Squashed commits:
[965b766] NIFI-1753 Removed temporary work-around of duplicate certificate
conversion util method and added nifi-security-utils as dependency of
nifi-utils.
[cd35f9b] NIFI-1753 Replaced legacy X.509 certificate declarations with new
declarations in SSLSocketChannel and EndpointConnectionPool.
Temporary work-around of duplicate certificate conversion util method because
nifi-utils cannot depend on nifi-security-utils.
[6420897] NIFI-1753 Replaced legacy X.509 certificate declarations with new
declarations in PostHTTP.
[b9868ef] NIFI-1753 Added convenience method for extracting DN from peer
certificate chain in SSL socket (canonical implementation to reduce code
duplication and references to legacy certificate implementations).
Refactored logic retrieving legacy X.509 certificates with reference to
convenience method in NodeProtocolSenderImpl.
Replaced logic retrieving legacy X.509 certificates with reference to
convenience method in SocketProtocolListener.
Cleaned up exception handling in SocketProtocolListener.
Replaced legacy X.509 certificate declarations with new declarations in
HandleHttpRequest (needs manual test).
[e2d1c35] NIFI-1753 Added convenience methods for converting legacy X.509
certificates and abstract certificates to correct X.509 format.
Added unit tests for certificate manipulation.
Replaced logic retrieving legacy X.509 certificates with new logic in
NodeProtocolSenderImpl.
Added bcpkix (Bouncy Castle PKI implementation) dependency to
nifi-standard-processors pom.
This closes #346.
Signed-off-by: Andy LoPresto <[email protected]>
> Legacy X.509 certificate handling code should be upgraded
> ---------------------------------------------------------
>
> Key: NIFI-1753
> URL: https://issues.apache.org/jira/browse/NIFI-1753
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 0.6.1
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Fix For: 1.0.0, 0.7.0
>
>
> There are multiple instances throughout the codebase [1][2] where legacy
> {{javax.security.cert.X509Certificate}} class is used rather than the current
> (Java SE 6) {{java.security.cert.X509Certificate}}. The {{javax.*}} classes
> are provided for legacy compatibility with JSSE [3][4]. This can manifest as
> an exception:
> {{java.lang.ClassCastException: [Ljava.security.cert.X509Certificate; cannot
> be cast to [Ljavax.security.cert.X509Certificate}}
> The {{CertificateFactory}} class allows conversion to the new format.
> [1] https://git1-us-west.apache.org/repos/asf?p=nifi.git;a=blob;f=nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidator.java;hb=ffbfffce
> [2] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/HandleHttpRequest.java#L40
> [3] http://stackoverflow.com/a/24600621/70465
> [4] https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLSession.html#getPeerCertificates%28%29
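The conversion that the issue description attributes to {{CertificateFactory}}, as an added example that is not NiFi's code: a legacy javax.* certificate is re-parsed from its encoded bytes into the current type, and the peer DN is read from an SSLSession without casting the certificate array. The class and method names (LegacyCertConversion, parse, convertLegacy, peerSubjectDn) are hypothetical, and main assumes a certificate file path as its only argument.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Hypothetical helper class; the names are illustrative, not NiFi's.
public final class LegacyCertConversion {
    // Parse an encoded certificate (DER or PEM) into the current X.509 type.
    static X509Certificate parse(byte[] encoded) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(encoded));
    }

    // Legacy javax.* certificate -> current type, via its DER encoding.
    @SuppressWarnings({"deprecation", "removal"})
    static X509Certificate convertLegacy(javax.security.cert.X509Certificate legacy)
            throws CertificateException {
        try {
            return parse(legacy.getEncoded());
        } catch (javax.security.cert.CertificateEncodingException e) {
            throw new CertificateException("cannot encode legacy certificate", e);
        }
    }

    // Subject DN of the TLS peer. getPeerCertificates() returns Certificate[], so
    // the element type is checked here; the array itself is never cast.
    static String peerSubjectDn(SSLSession session) throws CertificateException {
        try {
            Certificate[] chain = session.getPeerCertificates();
            Certificate leaf = chain[0]; // the peer's own certificate comes first
            X509Certificate x509 = (leaf instanceof X509Certificate)
                    ? (X509Certificate) leaf : parse(leaf.getEncoded());
            return x509.getSubjectX500Principal().getName();
        } catch (SSLPeerUnverifiedException e) {
            throw new CertificateException("peer did not present a certificate", e);
        }
    }

    // Usage: java LegacyCertConversion <certificate file, PEM or DER>
    public static void main(String[] args) throws Exception {
        X509Certificate cert = parse(Files.readAllBytes(Paths.get(args[0])));
        System.out.println(cert.getSubjectX500Principal().getName());
    }
}
```

The javax.security.cert package is deprecated in current JDKs, so convertLegacy compiles with a deprecation warning; it exists only to bridge code that still receives the legacy type.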