
Migrate from sun.security.* to Bouncycastle #2316

Status: Merged (1 commit, merged into Graylog2:master from mikkolehtisalo:issue-2132 on Jun 1, 2016)

mikkolehtisalo (Contributor) commented May 31, 2016

Fixes issue #2132

sun.security.* will probably not be available by default on Java 9, and Oracle does not seem to be going to provide a replacement for all functionality. java.security.cert is not able to perform certificate creation and signing. It is meant just for parsing already existing certificates.

Quick research shows that most projects depending on sun.security.x509.* have switched, or are in the process of switching, to Bouncycastle. Here's a quick implementation of that. I don't think it has to be really fancy, because self-signed certificates should be used only for light testing.

Btw, running jdeps on Graylog shows that these were the only JDK-internal classes used, excluding third-party libraries.
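The description above makes the technical point that java.security.cert can only parse certificates, while Bouncycastle can build and sign them. The following is an added example written for this page, not the code from this pull request or from Graylog's SelfSignedCertificate class. It builds a self-signed V3 certificate with Bouncycastle's JcaX509v3CertificateBuilder and assumes the bcpkix artifact (org.bouncycastle:bcpkix-jdk15on) is on the classpath; the class name BcSelfSignedCertificateExample, the "localhost" hostname and the 365-day validity are choices made here, not values from the project.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.TimeUnit;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Added example (not Graylog code): self-signed certificate via Bouncycastle only,
// no sun.security.* classes involved.
public final class BcSelfSignedCertificateExample {

    /**
     * Builds and signs a self-signed V3 certificate for the given host name.
     * Issuer and subject are the same DN, and the certificate is signed with
     * the private half of the same key pair whose public half it carries.
     */
    public static X509Certificate generate(String fqdn, KeyPair keyPair, SecureRandom random, int validityDays)
            throws GeneralSecurityException, OperatorCreationException, IOException {
        final X500Name subject = new X500Name("CN=" + fqdn);

        // RFC 5280 requires a positive serial number; new BigInteger(64, random) is
        // uniformly distributed in [0, 2^64), so loop until it is non-zero.
        BigInteger serial;
        do {
            serial = new BigInteger(64, random);
        } while (serial.signum() == 0);

        final Date notBefore = new Date();
        final Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(validityDays));

        // JcaX509ExtensionUtils derives the Subject Key Identifier from the public key,
        // so there is no need to parse the SubjectPublicKeyInfo by hand.
        final JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();

        final X509v3CertificateBuilder builder =
                new JcaX509v3CertificateBuilder(subject, serial, notBefore, notAfter, subject, keyPair.getPublic())
                        .addExtension(Extension.subjectKeyIdentifier, false,
                                extUtils.createSubjectKeyIdentifier(keyPair.getPublic()))
                        // Not a CA: clients must not accept this key as an issuer of other certificates.
                        .addExtension(Extension.basicConstraints, true, new BasicConstraints(false))
                        .addExtension(Extension.keyUsage, true,
                                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment))
                        // Modern TLS clients match the host against the SAN, not the CN.
                        .addExtension(Extension.subjectAlternativeName, false,
                                new GeneralNames(new GeneralName(GeneralName.dNSName, fqdn)));

        final ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider("BC")
                .build(keyPair.getPrivate());
        final X509CertificateHolder holder = builder.build(signer);

        final X509Certificate cert = new JcaX509CertificateConverter()
                .setProvider("BC")
                .getCertificate(holder);

        // Sanity checks before handing the certificate out: the signature must verify
        // with our own public key and the validity window must include "now".
        cert.verify(keyPair.getPublic());
        cert.checkValidity();
        return cert;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        final SecureRandom random = new SecureRandom();
        final KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048, random);
        final KeyPair keyPair = kpg.generateKeyPair();

        final X509Certificate cert = generate("localhost", keyPair, random, 365);
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Serial:  " + cert.getSerialNumber());
        System.out.println("SANs:    " + cert.getSubjectAlternativeNames());
    }
}
```

The BasicConstraints(false) and KeyUsage extensions matter even for a test certificate: without them a self-signed leaf that leaks out of a test environment can be presented as an issuer by anything that trusts it, which is the scenario the "light testing only" caveat in the description is meant to rule out.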

@joschi joschi added the improvement label Jun 1, 2016

@joschi joschi added this to the 2.1.0 milestone Jun 1, 2016

@joschi joschi self-assigned this Jun 1, 2016

import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;

joschi (Contributor) commented Jun 1, 2016

Please don't use wildcard imports.

If you're using IntelliJ IDEA, here are instructions how to (almost) disable wildcard imports: http://stackoverflow.com/a/3348855

mikkolehtisalo (Contributor) commented Jun 1, 2016

Yeah, IDEA wanted to use wildcards. Sorry about that.

import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.*;
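Review bot: the trailing `import java.security.*;` makes the three explicit `java.security` imports above it (NoSuchAlgorithmException, PrivateKey, SecureRandom) redundant, and it hides which classes from that package the file actually needs. Drop the wildcard and list the remaining `java.security` classes explicitly; this also keeps the boundary between public JDK packages and the `sun.security.*` classes this PR removes visible in the import block.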

joschi (Contributor) commented Jun 1, 2016

Same here, please don't use wildcard imports.

@@ -57,6 +56,8 @@
* </p>
*/
public final class SelfSignedCertificate {


joschi (Contributor) commented Jun 1, 2016

Useless whitespace change.

info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(new BigInteger(64, random)));
private static SubjectKeyIdentifier createSubjectKeyIdentifier(Key publicKey) throws IOException {
ASN1InputStream is = null;
try {
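Review bot: the removed line `info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(new BigInteger(64, random)));` generated a random 64-bit serial, and the Bouncycastle replacement should keep a random serial rather than a constant; note that `new BigInteger(64, random)` can be zero, while RFC 5280 requires a positive serial number, so guard against the zero case. In `createSubjectKeyIdentifier`, `ASN1InputStream is = null;` followed by `try {` calls for a `finally` block to close the stream; since `ASN1InputStream` implements `Closeable`, `try (ASN1InputStream is = new ASN1InputStream(...)) { ... }` is simpler, and `JcaX509ExtensionUtils.createSubjectKeyIdentifier(PublicKey)` computes the same identifier without parsing the SubjectPublicKeyInfo by hand.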

joschi (Contributor) commented Jun 1, 2016

I think we can use try-with-resources here to avoid the finally block: https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html

mikkolehtisalo (Contributor) commented Jun 1, 2016

Ooh shiny.

joschi (Contributor) commented Jun 1, 2016

LGTM except for those minor nitpicks. 👍

Commits in this pull request:
Migrate from sun.security.* to Bouncycastle
Fix header mangled by JIdea
Minor fixes
joschi (Contributor) commented Jun 1, 2016

Bouncycastle's take on U. S. export restrictions: What is Bouncy Castle's export classification in the United States of America?

At the time of writing (16 May 2007) Bouncy Castle is approved classified under ECCN code 5D002 and approved for export under License Exception TSU. If you also need to list algorithms available in the provider and the strengths supported, you can find the information in the specifications.html file provided with the distribution you are using. See The Bureau of Industry and Security website for further details.

joschi (Contributor) commented Jun 1, 2016

@mikkolehtisalo Thanks!

@joschi joschi merged commit 7e6d98c into Graylog2:master Jun 1, 2016

3 checks passed:
ci-server-integration: Jenkins build graylog2-server-integration-pr 964 succeeded
ci-web-linter: Jenkins build graylog-pr-linter-check 451 succeeded
continuous-integration/travis-ci/pr: the Travis CI build passed

@mikkolehtisalo mikkolehtisalo deleted the mikkolehtisalo:issue-2132 branch Jun 1, 2016
