[
https://issues.apache.org/jira/browse/HADOOP-10847?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14082238#comment-14082238
]
pascal oliva commented on HADOOP-10847:
---------------------------------------
diff --git hadoop-common-project/hadoop-common/pom.xml
hadoop-common-project/hadoop-common/pom.xml
index c48bb8e..e633bce 100644
--- hadoop-common-project/hadoop-common/pom.xml
+++ hadoop-common-project/hadoop-common/pom.xml
@@ -250,6 +250,12 @@
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk16</artifactId>
+ <version>1.46</version>
+ <scope>test</scope>
+ </dependency>
</dependencies>
<build>
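Review bot: The new `bcprov-jdk16` dependency pins `<version>1.46</version>` directly in this module, while the neighbouring `commons-compress` entry carries no version, which suggests versions are managed centrally in a parent pom outside this hunk. Declaring the Bouncy Castle version once in that parent `dependencyManagement` section and leaving only `groupId`, `artifactId` and `<scope>test</scope>` here would keep a crypto provider from drifting between modules and make later upgrades a single-line change. The `test` scope is the right choice, since it keeps the provider off the runtime classpath. It is also worth confirming that 1.46 under this artifactId is still a maintained release line before pinning it.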
diff --git
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java
index a07faeb..9a68b30 100644
---
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java
+++
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java
@@ -19,17 +19,6 @@
package org.apache.hadoop.security.ssl;
import org.apache.hadoop.conf.Configuration;
-import sun.security.x509.AlgorithmId;
-import sun.security.x509.CertificateAlgorithmId;
-import sun.security.x509.CertificateIssuerName;
-import sun.security.x509.CertificateSerialNumber;
-import sun.security.x509.CertificateSubjectName;
-import sun.security.x509.CertificateValidity;
-import sun.security.x509.CertificateVersion;
-import sun.security.x509.CertificateX509Key;
-import sun.security.x509.X500Name;
-import sun.security.x509.X509CertImpl;
-import sun.security.x509.X509CertInfo;
import java.io.File;
import java.io.FileOutputStream;
@@ -52,6 +41,16 @@
import java.util.HashMap;
import java.util.Map;
+import java.security.InvalidKeyException;
+import java.security.NoSuchProviderException;
+import java.security.SignatureException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import javax.security.auth.x500.X500Principal;
+import org.bouncycastle.x509.X509V1CertificateGenerator;
+
+
public class KeyStoreTestUtil {
public static String getClasspathDir(Class klass) throws Exception {
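Review bot: Two of the added imports, `java.security.cert.CertificateException` and `java.security.cert.CertificateFactory`, are not referenced by any new code visible in this patch, so they look unused; the rest of the file is outside the hunk, so confirm before dropping them. The added block also places `java.security.*` and `javax.*` imports after `java.util.*` and ends with two blank lines. Folding them into the existing `java.security` import group and keeping one blank line before `public class KeyStoreTestUtil` would match the surrounding layout.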
@@ -63,52 +62,40 @@ public static String getClasspathDir(Class klass) throws
Exception {
return baseDir;
}
+@SuppressWarnings("deprecation")
/**
* Create a self-signed X.509 Certificate.
- * From
http://bfo.com/blog/2011/03/08/odds_and_ends_creating_a_new_x_509_certificate.html.
*
* @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
* @param pair the KeyPair
* @param days how many days from now the Certificate is valid for
* @param algorithm the signing algorithm, eg "SHA1withRSA"
* @return the self-signed certificate
- * @throws IOException thrown if an IO error ocurred.
- * @throws GeneralSecurityException thrown if an Security error ocurred.
*/
- public static X509Certificate generateCertificate(String dn, KeyPair pair,
- int days, String algorithm)
- throws GeneralSecurityException, IOException {
- PrivateKey privkey = pair.getPrivate();
- X509CertInfo info = new X509CertInfo();
- Date from = new Date();
- Date to = new Date(from.getTime() + days * 86400000l);
- CertificateValidity interval = new CertificateValidity(from, to);
- BigInteger sn = new BigInteger(64, new SecureRandom());
- X500Name owner = new X500Name(dn);
-
- info.set(X509CertInfo.VALIDITY, interval);
- info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
- info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
- info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
- info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
- info
- .set(X509CertInfo.VERSION, new
CertificateVersion(CertificateVersion.V3));
- AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
- info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
-
- // Sign the cert to identify the algorithm that's used.
- X509CertImpl cert = new X509CertImpl(info);
- cert.sign(privkey, algorithm);
-
- // Update the algorith, and resign.
- algo = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG);
- info
- .set(CertificateAlgorithmId.NAME + "." +
CertificateAlgorithmId.ALGORITHM,
- algo);
- cert = new X509CertImpl(info);
- cert.sign(privkey, algorithm);
- return cert;
- }
+ public static X509Certificate generateCertificate(String dn, KeyPair pair,
int days, String algorithm)
+ throws CertificateEncodingException,
+ InvalidKeyException,
+ IllegalStateException,
+ NoSuchProviderException, NoSuchAlgorithmException, SignatureException{
+
+ Date from = new Date();
+ Date to = new Date(from.getTime() + days * 86400000l);
+ BigInteger sn = new BigInteger(64, new SecureRandom());
+ KeyPair keyPair = pair;
+ X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
+ X500Principal dnName = new X500Principal(dn);
+
+ certGen.setSerialNumber(sn);
+ certGen.setIssuerDN(dnName);
+ certGen.setNotBefore(from);
+ certGen.setNotAfter(to);
+ certGen.setSubjectDN(dnName);
+ certGen.setPublicKey(keyPair.getPublic());
+ certGen.setSignatureAlgorithm(algorithm);
+
+ X509Certificate cert = certGen.generate(pair.getPrivate());
+ return cert;
+ }
public static KeyPair generateKeyPair(String algorithm)
throws NoSuchAlgorithmException {
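Review bot: The replacement builds the certificate with `X509V1CertificateGenerator`, so `generateCertificate` now returns a version 1 certificate where the removed code set `CertificateVersion.V3`; a v1 certificate cannot carry extensions such as basicConstraints or subjectAltName, which matters if any SSL test depends on them. If v3 is meant to be kept, `org.bouncycastle.x509.X509V3CertificateGenerator` exposes the same setters, so the change is `X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();` plus the matching import. Separately, `@SuppressWarnings("deprecation")` sits above the Javadoc block, so the comment no longer immediately precedes the start of the declaration and javadoc tooling will likely not attach it to the method; move the annotation below the closing `*/`. The throws clause drops `GeneralSecurityException, IOException` and now lists the unchecked `IllegalStateException`, and the `@throws` Javadoc lines are removed without replacement; callers outside this hunk that catch `IOException` around this call may stop compiling, and `throws GeneralSecurityException` would cover every checked exception listed. The local `KeyPair keyPair = pair;` is a redundant alias and can be dropped in favour of `pair.getPublic()`.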
> Cleanup calling of sun.security.x509
> -------------------------------------
>
> Key: HADOOP-10847
> URL: https://issues.apache.org/jira/browse/HADOOP-10847
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.0.0
> Reporter: Kai Zheng
> Priority: Minor
>
> According to Max (Oracle), JDK9 is likely to block all access to sun.*
> classes.
> The following is from an email by Andrew Purtell:
> {quote}
> The use of sun.* APIs to create a certificate in Hadoop and HBase test code
> can be removed. Someone (Intel? Oracle?) can submit a JIRA that replaces the
> programmatic construction with a stringified binary cert for use in the
> relevant unit tests.
> {quote}
> In Hadoop, the calls in question are below:
> {code}
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:24:import
> sun.security.x509.CertificateIssuerName;
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:25:import
> sun.security.x509.CertificateSerialNumber;
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:26:import
> sun.security.x509.CertificateSubjectName;
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:27:import
> sun.security.x509.CertificateValidity;
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:28:import
> sun.security.x509.CertificateVersion;
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:29:import
> sun.security.x509.CertificateX509Key;
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:30:import
> sun.security.x509.X500Name;
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:31:import
> sun.security.x509.X509CertImpl;
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:32:import
> sun.security.x509.X509CertInfo;
> {code}