Migrate from sun.security.* to Bouncycastle #2316

Merged
merged 1 commit into from Jun 1, 2016

Conversation

@mikkolehtisalo (Contributor) commented May 31, 2016

Fixes issue #2132

sun.security.* will probably not be available by default on Java 9, and Oracle does not seem to be going to provide a replacement for all of the functionality. java.security.cert is not able to perform certificate creation and signing. It is meant just for parsing already existing certificates.

Quick research shows that most projects depending on sun.security.x509.* have switched, or are in the process of switching, to Bouncycastle. Here's a quick implementation of that. I don't think it has to be really fancy, because self-signed certificates should be used only for light testing.

Btw, running jdeps on Graylog shows that these were the only JDK-internal classes used, excluding 3rd-party libraries.
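Added example, not Graylog's code and not the code from this PR: the self-signed certificate creation the description talks about, done with Bouncy Castle's builder API and then handed back to java.security.cert, which (as the description says) can parse and verify a certificate but not create one. It assumes bcprov-jdk15on and bcpkix-jdk15on are on the classpath; the class name BouncyCastleSelfSigned, the DN string and the 30-day validity are illustrative choices, not anything taken from the PR.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.TimeUnit;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/**
 * Illustrative example (not Graylog's SelfSignedCertificate): build a self-signed
 * X.509 v3 certificate with Bouncy Castle (bcprov + bcpkix assumed on the classpath),
 * then feed the DER bytes back to the JDK's java.security.cert parser, which can
 * read and verify certificates but offers no public API to create them.
 */
public final class BouncyCastleSelfSigned {

    private static final SecureRandom RANDOM = new SecureRandom();

    /** Generates an RSA key pair and a self-signed certificate for {@code dn}, valid for {@code days}. */
    public static X509Certificate create(String dn, int days) throws Exception {
        // Registering the provider twice is harmless (addProvider returns -1 if already installed)
        Security.addProvider(new BouncyCastleProvider());

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048, RANDOM);
        KeyPair keyPair = kpg.generateKeyPair();

        X500Name name = new X500Name(dn);
        // RFC 5280 4.1.2.2: the serial must be a positive integer of at most 20 octets.
        // 159 random bits keep the DER INTEGER within 20 bytes; setBit(0) rules out zero.
        BigInteger serial = new BigInteger(159, RANDOM).setBit(0);
        // Back-date notBefore by an hour so a client with slight clock skew still accepts it
        Date notBefore = new Date(System.currentTimeMillis() - TimeUnit.HOURS.toMillis(1));
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(days));

        // Self-signed: issuer and subject are the same name, signed with the subject's own key
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, serial, notBefore, notAfter, name, keyPair.getPublic());

        // Key identifiers derived from the public key (what the sun.security.x509 code did by hand)
        JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
        builder.addExtension(Extension.subjectKeyIdentifier, false,
                extUtils.createSubjectKeyIdentifier(keyPair.getPublic()));
        builder.addExtension(Extension.authorityKeyIdentifier, false,
                extUtils.createAuthorityKeyIdentifier(keyPair.getPublic()));
        // A test server certificate: explicitly not a CA, and only the usages a TLS server key needs
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        builder.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider("BC")
                .build(keyPair.getPrivate());
        X509CertificateHolder holder = builder.build(signer);

        X509Certificate cert = new JcaX509CertificateConverter()
                .setProvider("BC")
                .getCertificate(holder);
        cert.verify(keyPair.getPublic()); // throws if the self-signature does not check out
        return cert;
    }

    /** Round-trips DER bytes through the JDK's own parser and re-verifies the self-signature. */
    public static X509Certificate parseWithJdk(byte[] der) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
        cert.checkValidity();               // notBefore <= now <= notAfter
        cert.verify(cert.getPublicKey());   // self-signed, so the embedded key verifies the signature
        return cert;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = create("CN=localhost, O=Example Test, C=US", 30);
        X509Certificate reparsed = parseWithJdk(cert.getEncoded());
        System.out.println("subject : " + reparsed.getSubjectX500Principal());
        System.out.println("serial  : " + reparsed.getSerialNumber().toString(16));
        System.out.println("sig alg : " + reparsed.getSigAlgName());
    }
}
```

The extensions are the part worth copying even for a "light testing" certificate: without a non-CA basicConstraints and a restricted keyUsage, a leaked test key can be turned into a signing CA by anyone who already trusts the certificate.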

@joschi joschi added this to the 2.1.0 milestone Jun 1, 2016
@joschi joschi self-assigned this Jun 1, 2016
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
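Review bot: the wildcard `import org.bouncycastle.asn1.x509.*;` on the last line of this hunk hides which Bouncy Castle types the class really depends on and opens the door to ambiguous simple names, since that package carries its own `Certificate`, `Extension` and `Time` classes whose names also exist in the JDK. List what is used explicitly, for example `import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;`, in the same style as the `X500Name` import just above it.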

@joschi (Contributor) commented Jun 1, 2016
Please don't use wildcard imports.

If you're using IntelliJ IDEA, here are instructions on how to (almost) disable wildcard imports: http://stackoverflow.com/a/3348855

@mikkolehtisalo (Author, Contributor) commented Jun 1, 2016

Yeah, IDEA wanted to use wildcards. Sorry about that.

import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.*;
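Review bot: `import java.security.*;` on the last line of this hunk makes the three explicit `java.security` imports directly above it redundant, and together with the `org.bouncycastle.asn1.x509.*` wildcard earlier in the file it would leave a bare `Certificate` ambiguous between the deprecated `java.security.Certificate` interface and `org.bouncycastle.asn1.x509.Certificate` if it is ever referenced. Replace the wildcard with explicit imports of the remaining classes used, such as `java.security.Key`, which `createSubjectKeyIdentifier(Key publicKey)` further down needs.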

@joschi (Contributor) commented Jun 1, 2016

Same here, please don't use wildcard imports.

@@ -57,6 +56,8 @@
* </p>
*/
public final class SelfSignedCertificate {


@joschi (Contributor) commented Jun 1, 2016

Useless whitespace change.

info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(new BigInteger(64, random)));
private static SubjectKeyIdentifier createSubjectKeyIdentifier(Key publicKey) throws IOException {
ASN1InputStream is = null;
try {
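Review bot: in `createSubjectKeyIdentifier`, the `ASN1InputStream is = null; try {` pattern can be written as `try (ASN1InputStream is = ...) {`: `ASN1InputStream` extends `java.io.FilterInputStream`, so it is `Closeable` and try-with-resources closes it on every exit path without a finally block. Separately, the `X509CertInfo` lines at the top of this hunk (the sun.security.x509 code being replaced) were the only place the serial was randomised with `new BigInteger(64, random)`; make sure the Bouncy Castle builder still receives a random, positive serial (RFC 5280 4.1.2.2) rather than a constant, since two certificates sharing issuer and serial confuse clients that cache by that pair.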

@joschi (Contributor) commented Jun 1, 2016

I think we can use try-with-resources here to avoid the finally block: https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html

@mikkolehtisalo (Author, Contributor) commented Jun 1, 2016

Ooh shiny.

@joschi (Contributor) commented Jun 1, 2016

LGTM except for those minor nitpicks. 👍

Fix header mangled by JIdea

Minor fixes
@joschi (Contributor) commented Jun 1, 2016

Bouncycastle's take on U.S. export restrictions: What is Bouncy Castle's export classification in the United States of America?

At the time of writing (16 May 2007) Bouncy Castle is approved classified under ECCN code 5D002 and approved for export under License Exception TSU. If you also need to list algorithms available in the provider and the strengths supported, you can find the information in the specifications.html file provided with the distribution you are using. See The Bureau of Industry and Security website for further details.

@joschi (Contributor) commented Jun 1, 2016

@mikkolehtisalo Thanks!

@joschi joschi merged commit 7e6d98c into Graylog2:master Jun 1, 2016
3 checks passed
ci-server-integration: Jenkins build graylog2-server-integration-pr 964 has succeeded
ci-web-linter: Jenkins build graylog-pr-linter-check 451 has succeeded
continuous-integration/travis-ci/pr: The Travis CI build passed
@mikkolehtisalo mikkolehtisalo deleted the mikkolehtisalo:issue-2132 branch Jun 1, 2016