GitHub user alopresto reopened a pull request:
https://github.com/apache/nifi/pull/346
Nifi 1753 Removed legacy X.509 certificate implementation references
Various logic throughout the application referenced
`javax.security.cert.X509Certificate` which is a deprecated class and exists
only for legacy compatibility with older JSSE implementations. As of Java SE 6,
new development should use `java.security.cert.X509Certificate`. Most
references to the legacy classes were in similar logic blocks to retrieve the
distinguished name (DN) from the client certificate chain presented during TLS
mutual authentication.
I refactored this logic into a common utility method to deduplicate and
provided utility methods for converting legacy `X509Certificate`s and the
abstract `java.security.cert.Certificate` returned by the replacement method
(`javax.net.ssl.SSLSession#getPeerCertificateChain()` is succeeded by
`javax.net.ssl.SSLSession#getPeerCertificates()`) to the correct version of
`X509Certificate`.
The module `nifi-security-utils` was added as a dependency to `nifi-utils`
but contains only two utility classes with static helper methods and four
enums. This change may be reverted/expanded as part of the larger-scale work on
NIFI-1478, NIFI-1480, etc., but that is 1.0.0 refactor work, while this was a
surgical fix for both 0.7.0 and 1.0.0.
This will be rebased & squashed before merging.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/alopresto/nifi NIFI-1753
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi/pull/346.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #346
----
commit 2161d1e8123020e0846f6290f4f500bba84f6ef7
Author: Andy LoPresto <[email protected]>
Date: 2016-04-12T03:11:45Z
NIFI-1753 Replaced usage of javax.security.cert.X509Certificate with
java.security.cert.X509Certificate and resolved user-reported
ClassCastException when handling client certificates during TLS mutual
authentication.
Fixed nifi-utils pom.xml comment about additional dependencies. (+5
squashed commits)
Squashed commits:
[965b766] NIFI-1753 Removed temporary work-around of duplicate certificate
conversion util method and added nifi-security-utils as dependency of
nifi-utils.
[cd35f9b] NIFI-1753 Replaced legacy X.509 certificate declarations with new
declarations in SSLSocketChannel and EndpointConnectionPool.
Temporary work-around of duplicate certificate conversion util method
because nifi-utils cannot depend on nifi-security-utils.
[6420897] NIFI-1753 Replaced legacy X.509 certificate declarations with new
declarations in PostHTTP.
[b9868ef] NIFI-1753 Added convenience method for extracting DN from peer
certificate chain in SSL socket (canonical implementation to reduce code
duplication and references to legacy certificate implementations).
Refactored logic retrieving legacy X.509 certificates with reference to
convenience method in NodeProtocolSenderImpl.
Replaced logic retrieving legacy X.509 certificates with reference to
convenience method in SocketProtocolListener.
Cleaned up exception handling in SocketProtocolListener.
Replaced legacy X.509 certificate declarations with new declarations in
HandleHttpRequest (needs manual test).
[e2d1c35] NIFI-1753 Added convenience methods for converting legacy X.509
certificates and abstract certificates to correct X.509 format.
Added unit tests for certificate manipulation.
Replaced logic retrieving legacy X.509 certificates with new logic in
NodeProtocolSenderImpl.
Added bcpkix (Bouncy Castle PKI implementation) dependency to
nifi-standard-processors pom.
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
