This is an automated email from the ASF dual-hosted git repository.
smalenfant pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
The following commit(s) were added to refs/heads/master by this push:
new b1fdb16 Remove dependencies on internal-only Sun packages (#5080)
b1fdb16 is described below
commit b1fdb164d937c2ceaebf56b76ebad2ae74134874
Author: Joshua Zenn <[email protected]>
AuthorDate: Tue Oct 6 09:59:42 2020 -0400
Remove dependencies on internal-only Sun packages (#5080)
* Update to latest version
Updated all references to Tomcat packages to 8.5.57 (newest 8.5.x as of
8/24/2020).
* Remove all references to internal Sun packages
* Remove all references to internal Sun packages
---
traffic_router/connector/pom.xml | 10 +++
.../secure/CertificateDataConverter.java | 12 +--
.../traffic_router/secure/CertificateRegistry.java | 99 ++++++++++++++--------
traffic_router/pom.xml | 5 ++
.../traffic_router/secure/Pkcs.java | 10 ++-
.../traffic_router/secure/Pkcs1KeySpecDecoder.java | 20 ++---
6 files changed, 102 insertions(+), 54 deletions(-)
diff --git a/traffic_router/connector/pom.xml b/traffic_router/connector/pom.xml
index 3637e94..ea59d59 100644
--- a/traffic_router/connector/pom.xml
+++ b/traffic_router/connector/pom.xml
@@ -118,5 +118,15 @@
<artifactId>junit</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk15on</artifactId>
+ <version>1.66</version>
+ </dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpkix-jdk15on</artifactId>
+ <version>1.66</version>
+ </dependency>
</dependencies>
</project>
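Review bot: The two BouncyCastle artifacts are pinned here with their own `<version>1.66</version>` elements, while the parent's `dependencyManagement` hunk in `traffic_router/pom.xml` later in this commit manages only `bcprov-jdk15on`; `bcpkix-jdk15on` should be added to that managed block as well and the `<version>` elements dropped from this module so both artifacts are pinned in exactly one place. `bcpkix` is built against a specific `bcprov`, and a version drift between the two shows up only at runtime, so a single managed version is the safer arrangement. The same point applies to the `traffic_router/pom.xml` hunk.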
diff --git
a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java
b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java
index cd1e48b..a6c7e9a 100644
---
a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java
+++
b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java
@@ -18,8 +18,6 @@ package com.comcast.cdn.traffic_control.traffic_router.secure;
import com.comcast.cdn.traffic_control.traffic_router.shared.CertificateData;
import org.apache.log4j.Logger;
import org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey;
-import sun.security.rsa.RSAPrivateCrtKeyImpl;
-import sun.security.rsa.RSAPublicKeyImpl;
import java.math.BigInteger;
import java.security.PrivateKey;
@@ -27,6 +25,8 @@ import java.security.PublicKey;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
+import java.security.spec.RSAPrivateCrtKeySpec;
+import java.security.spec.RSAPublicKeySpec;
import java.util.ArrayList;
import java.util.List;
@@ -128,15 +128,15 @@ public class CertificateDataConverter {
BigInteger privModulus = null;
if (privateKey instanceof BCRSAPrivateCrtKey) {
privModulus = ((BCRSAPrivateCrtKey)
privateKey).getModulus();
- } else if (privateKey instanceof RSAPrivateCrtKeyImpl) {
- privModulus = ((RSAPrivateCrtKeyImpl)
privateKey).getModulus();
+ } else if (privateKey instanceof RSAPrivateCrtKeySpec) {
+ privModulus = ((RSAPrivateCrtKeySpec)
privateKey).getModulus();
} else {
return false;
}
BigInteger pubModulus = null;
final PublicKey publicKey = certificate.getPublicKey();
- if ((publicKey instanceof RSAPublicKeyImpl)) {
- pubModulus = ((RSAPublicKeyImpl)
publicKey).getModulus();
+ if ((publicKey instanceof RSAPublicKeySpec)) {
+ pubModulus = ((RSAPublicKeySpec)
publicKey).getModulus();
} else {
final String[] keyparts =
publicKey.toString().split(System.getProperty("line.separator"));
for (final String part : keyparts) {
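Review bot: The new `privateKey instanceof RSAPrivateCrtKeySpec` and `publicKey instanceof RSAPublicKeySpec` checks can never be true, because a `PrivateKey`/`PublicKey` is a key object and `java.security.spec.*KeySpec` classes are not keys, so the second private-key branch is dead and every non-BouncyCastle RSA private key now makes the method return false, while every public key falls into the `toString()` parsing fallback. The public replacements for the removed `sun.security.rsa.*Impl` classes are the interfaces `java.security.interfaces.RSAPrivateCrtKey` and `java.security.interfaces.RSAPublicKey`, which the JDK keys implement and which `BCRSAPrivateCrtKey` implements too, so the BC-specific branch becomes redundant; the two `java.security.spec` imports added in the earlier import hunk of this file should be swapped for those interface imports. The enclosing method starts before this hunk and continues past it.
```java
// … unchanged: privModulus declaration …
if (privateKey instanceof RSAPrivateCrtKey) {   // covers both JDK and BC implementations
    privModulus = ((RSAPrivateCrtKey) privateKey).getModulus();
} else {
    return false;
}
// … unchanged: pubModulus declaration and certificate.getPublicKey() …
if (publicKey instanceof RSAPublicKey) {
    pubModulus = ((RSAPublicKey) publicKey).getModulus();
} else {
    // … unchanged: toString() fallback parsing …
```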
diff --git
a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java
b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java
index 3dd1f3c..948ba73 100644
---
a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java
+++
b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java
@@ -19,37 +19,45 @@ import
com.comcast.cdn.traffic_control.traffic_router.protocol.RouterNioEndpoint
import com.comcast.cdn.traffic_control.traffic_router.shared.CertificateData;
import com.comcast.cdn.traffic_control.traffic_router.utils.HttpsProperties;
import org.apache.log4j.Logger;
-import sun.security.tools.keytool.CertAndKeyGen;
-import sun.security.util.ObjectIdentifier;
-import sun.security.x509.BasicConstraintsExtension;
-import sun.security.x509.CertificateExtensions;
-import sun.security.x509.ExtendedKeyUsageExtension;
-import sun.security.x509.KeyUsageExtension;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.BasicConstraints;
+import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
+import org.bouncycastle.asn1.x509.KeyPurposeId;
+import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.asn1.x509.Extension;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
+import java.math.BigInteger;
import java.net.InetAddress;
+import java.security.KeyPairGenerator;
+import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
-import java.security.cert.CertificateFactory;
+import java.security.Security;
import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
-import java.util.List;
+import java.util.Calendar;
+import java.util.Date;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
-import java.util.Vector;
-
-import sun.security.x509.X500Name;
-import java.util.Date;
public class CertificateRegistry {
public static final String DEFAULT_SSL_KEY = "default.invalid";
private static final Logger log =
Logger.getLogger(CertificateRegistry.class);
private CertificateDataConverter certificateDataConverter = new
CertificateDataConverter();
- volatile private Map<String, HandshakeData> handshakeDataMap = new
HashMap<>();
+ volatile private Map<String, HandshakeData> handshakeDataMap = new
HashMap<>();
private RouterNioEndpoint sslEndpoint = null;
final private Map<String, CertificateData> previousData = new
HashMap<>();
public String defaultAlias;
@@ -68,34 +76,55 @@ public class CertificateRegistry {
return CertificateRegistryHolder.DELIVERY_SERVICE_CERTIFICATES;
}
- @SuppressWarnings("PMD.UseArrayListInsteadOfVector")
+ @SuppressWarnings({"PMD.UseArrayListInsteadOfVector",
"PMD.AvoidUsingHardCodedIP"})
private static HandshakeData createDefaultSsl() {
try {
- final CertificateExtensions extensions = new
CertificateExtensions();
- final KeyUsageExtension keyUsageExtension = new
KeyUsageExtension();
-
keyUsageExtension.set(KeyUsageExtension.DIGITAL_SIGNATURE, true);
-
keyUsageExtension.set(KeyUsageExtension.KEY_ENCIPHERMENT, true);
- keyUsageExtension.set(KeyUsageExtension.KEY_CERTSIGN,
true);
-
extensions.set(keyUsageExtension.getExtensionId().toString(),
keyUsageExtension);
- final Vector<ObjectIdentifier> objectIdentifiers = new
Vector<>();
- objectIdentifiers.add(new
ObjectIdentifier("1.3.6.1.5.5.7.3.1"));
- objectIdentifiers.add(new
ObjectIdentifier("1.3.6.1.5.5.7.3.2"));
- final ExtendedKeyUsageExtension
extendedKeyUsageExtension = new ExtendedKeyUsageExtension( true,
- objectIdentifiers);
-
extensions.set(extendedKeyUsageExtension.getExtensionId().toString(),
extendedKeyUsageExtension);
- extensions.set(BasicConstraintsExtension.NAME, new
BasicConstraintsExtension(true,
- new
BasicConstraintsExtension(true,-1).getExtensionValue()));
- final CertAndKeyGen certGen = new CertAndKeyGen("RSA",
"SHA1WithRSA", null);
- certGen.generate(2048);
+ final KeyPairGenerator keyPairGenerator =
KeyPairGenerator.getInstance("RSA");
+ keyPairGenerator.initialize(2048);
+ final KeyPair keyPair =
keyPairGenerator.generateKeyPair();
//Generate self signed certificate
final X509Certificate[] chain = new X509Certificate[1];
- chain[0] = certGen.getSelfCertificate(new
X500Name("C=US; ST=CO; L=Denver; " +
+
+ // Select provider
+ Security.addProvider(new BouncyCastleProvider());
+
+ // Generate cert details
+ final long now = System.currentTimeMillis();
+ final Date startDate = new
Date(System.currentTimeMillis());
+
+ final X500Name dnName = new X500Name("C=US; ST=CO;
L=Denver; " +
"O=Apache Traffic Control; OU=Apache
Foundation; OU=Hosted by Traffic Control; " +
- "OU=CDNDefault; CN="+DEFAULT_SSL_KEY),
new Date(System.currentTimeMillis() - 1000L * 60 ),
- (long) 3 * 365 * 24 * 3600, extensions);
- final PrivateKey serverPrivateKey =
certGen.getPrivateKey();
- return new HandshakeData(DEFAULT_SSL_KEY,
DEFAULT_SSL_KEY, chain, serverPrivateKey);
+ "OU=CDNDefault; CN="+DEFAULT_SSL_KEY);
+ final BigInteger certSerialNumber = new
BigInteger(Long.toString(now));
+
+ final Calendar calendar = Calendar.getInstance();
+ calendar.setTime(startDate);
+ calendar.add(Calendar.YEAR, 3);
+
+ final Date endDate = calendar.getTime();
+
+ // Build certificate
+ final ContentSigner contentSigner = new
JcaContentSignerBuilder("SHA1WithRSA").build(keyPair.getPrivate());
+
+ final JcaX509v3CertificateBuilder certBuilder = new
JcaX509v3CertificateBuilder(dnName, certSerialNumber, startDate, endDate,
dnName, keyPair.getPublic());
+
+ // Attach extensions
+ certBuilder.addExtension(Extension.basicConstraints,
true, new BasicConstraints(true));
+ certBuilder.addExtension(Extension.keyUsage, true, new
KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment |
KeyUsage.keyCertSign));
+ certBuilder.addExtension(Extension.extendedKeyUsage,
true, new ExtendedKeyUsage(new KeyPurposeId[] {
+ KeyPurposeId.id_kp_clientAuth,
+ KeyPurposeId.id_kp_serverAuth
+ }));
+
+ // Generate final certificate
+ final X509CertificateHolder certHolder =
certBuilder.build(contentSigner);
+
+ final JcaX509CertificateConverter converter = new
JcaX509CertificateConverter();
+ converter.setProvider(new BouncyCastleProvider());
+ chain[0] = converter.getCertificate(certHolder);
+
+ return new HandshakeData(DEFAULT_SSL_KEY,
DEFAULT_SSL_KEY, chain, keyPair.getPrivate());
}
catch (Exception e) {
log.error("Could not generate the default certificate:
"+e.getMessage(),e);
diff --git a/traffic_router/pom.xml b/traffic_router/pom.xml
index 77d5a93..86a9b76 100644
--- a/traffic_router/pom.xml
+++ b/traffic_router/pom.xml
@@ -104,6 +104,11 @@
<version>4.12</version>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk15on</artifactId>
+ <version>1.66</version>
+ </dependency>
</dependencies>
</dependencyManagement>
<profiles>
diff --git
a/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/Pkcs.java
b/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/Pkcs.java
index e69e039..f39807f 100644
---
a/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/Pkcs.java
+++
b/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/Pkcs.java
@@ -15,11 +15,14 @@
package com.comcast.cdn.traffic_control.traffic_router.secure;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.PublicKey;
+import java.security.Security;
import java.security.spec.KeySpec;
@SuppressWarnings("PMD.AbstractNaming")
@@ -33,15 +36,16 @@ public abstract class Pkcs {
public Pkcs(final String data) throws IOException,
GeneralSecurityException {
this.data = data;
keySpec = toKeySpec(data);
- privateKey =
KeyFactory.getInstance("RSA").generatePrivate(keySpec);
+ Security.addProvider(new BouncyCastleProvider());
+ privateKey = KeyFactory.getInstance("RSA",
"BC").generatePrivate(keySpec);
}
public Pkcs(final String privateData, final String publicData) throws
IOException, GeneralSecurityException {
this.data = privateData;
keySpec = toKeySpec(data);
- privateKey =
KeyFactory.getInstance("RSA").generatePrivate(keySpec);
+ privateKey = KeyFactory.getInstance("RSA",
"BC").generatePrivate(keySpec);
publicKeySpec = toKeySpec(publicData);
- publicKey =
KeyFactory.getInstance("RSA").generatePublic(publicKeySpec);
+ publicKey = KeyFactory.getInstance("RSA",
"BC").generatePublic(publicKeySpec);
}
public String getData() {
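Review bot: `Security.addProvider(new BouncyCastleProvider())` is added only to the single-argument constructor, yet the two-argument constructor in this same hunk also calls `KeyFactory.getInstance("RSA", "BC")`, so a process that goes through the two-argument path before any one-argument call gets a `NoSuchProviderException` unless something else has registered BC first. Registering in a constructor also constructs a new provider object on every instance; a guarded static initializer does the job once and covers both constructors: `static { if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) { Security.addProvider(new BouncyCastleProvider()); } }`, after which the `Security.addProvider` line in the first constructor can be removed. The class body continues past this hunk.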
diff --git
a/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/Pkcs1KeySpecDecoder.java
b/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/Pkcs1KeySpecDecoder.java
index 6dba718..351ad3e 100644
---
a/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/Pkcs1KeySpecDecoder.java
+++
b/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/Pkcs1KeySpecDecoder.java
@@ -16,8 +16,9 @@
package com.comcast.cdn.traffic_control.traffic_router.secure;
import org.apache.log4j.Logger;
-import sun.security.util.DerInputStream;
-import sun.security.util.DerValue;
+import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.ASN1SequenceParser;
+import org.bouncycastle.asn1.ASN1Integer;
import java.io.IOException;
import java.math.BigInteger;
@@ -40,16 +41,15 @@ public class Pkcs1KeySpecDecoder {
public KeySpec decode(final String data) throws IOException,
GeneralSecurityException {
final String pemData = data.replaceAll(HEADER,
"").replaceAll(FOOTER, "").replaceAll("\\s", "");
- final DerInputStream derInputStream = new
DerInputStream(Base64.getDecoder().decode(pemData));
- final DerValue[] derSequence = derInputStream.getSequence(0);
-
- if (derSequence.length != PUBLIC_SEQUENCE_LENGTH &&
derSequence.length != PRIVATE_SEQUENCE_LENGTH) {
+ final ASN1Sequence asn1Sequence =
ASN1Sequence.getInstance(Base64.getDecoder().decode(pemData));
+ final int sequenceLength = asn1Sequence.toArray().length;
+ if(sequenceLength != PUBLIC_SEQUENCE_LENGTH && sequenceLength
!= PRIVATE_SEQUENCE_LENGTH) {
throw new GeneralSecurityException("Invalid PKCS1 key!
Missing Key Data, incorrect number of DER values for either public or private
key");
}
-
- if (derSequence.length == PUBLIC_SEQUENCE_LENGTH) {
- final BigInteger n = derSequence[0].getBigInteger();
- final BigInteger e = derSequence[1].getBigInteger();
+ if (asn1Sequence.toArray().length == PUBLIC_SEQUENCE_LENGTH) {
+ final ASN1SequenceParser asn1Parser =
asn1Sequence.parser();
+ final BigInteger n = ((ASN1Integer)
asn1Parser.readObject()).getValue();
+ final BigInteger e = ((ASN1Integer)
asn1Parser.readObject()).getValue();
return new RSAPublicKeySpec(n, e);
}