From 98f13a89eb7722fdc95d6dc7810f157fb8cfca6b Mon Sep 17 00:00:00 2001 From: Florian Zschocke Date: Sun, 9 Oct 2022 22:16:26 +0200 Subject: [PATCH] Update BouncyCastle to version 1.69 The version 1.69 is chosen instead of 1.70, because the moxie build would not download the jars, trying to download `...1.7.jar` instead. Three class deprecations are fixed. `PEMWriter` and `X509Extension` are replaced with their drop-in replacements `JcaPEMWriter` and `Extension`. The `PasswordFinder` deprecation note says that "it is no longer used". It also was never used in Gitblit's code, so it is removed from the key par provider class. --- .classpath | 7 ++-- build.moxie | 2 +- gitblit.iml | 29 +++++++++++----- .../transport/ssh/FileKeyPairProvider.java | 21 ------------ .../com/gitblit/transport/ssh/SshDaemon.java | 4 +-- .../java/com/gitblit/utils/X509Utils.java | 33 +++++++++---------- 6 files changed, 43 insertions(+), 53 deletions(-) diff --git a/.classpath b/.classpath index 7c32205b..394584d3 100644 --- a/.classpath +++ b/.classpath @@ -51,9 +51,10 @@ - - - + + + + diff --git a/build.moxie b/build.moxie index 026ab5bb..d78733bf 100644 --- a/build.moxie +++ b/build.moxie @@ -111,7 +111,7 @@ properties: { lucene.version : 5.5.2 jgit.version : 4.5.7.201904151645-r groovy.version : 2.4.4 - bouncycastle.version : 1.57 + bouncycastle.version : 1.69 selenium.version : 2.28.0 wikitext.version : 1.4 sshd.version: 1.7.0 diff --git a/gitblit.iml b/gitblit.iml index 694cd94f..e2ed5b0f 100644 --- a/gitblit.iml +++ b/gitblit.iml @@ -508,35 +508,46 @@ - + - + - + - + - + - + - + - + - + + + + + + + + + + + + diff --git a/src/main/java/com/gitblit/transport/ssh/FileKeyPairProvider.java b/src/main/java/com/gitblit/transport/ssh/FileKeyPairProvider.java index cc91bb8c..38618baf 100644 --- a/src/main/java/com/gitblit/transport/ssh/FileKeyPairProvider.java +++ b/src/main/java/com/gitblit/transport/ssh/FileKeyPairProvider.java @@ -31,7 +31,6 @@ import org.bouncycastle.openssl.PEMDecryptorProvider; import org.bouncycastle.openssl.PEMEncryptedKeyPair; import org.bouncycastle.openssl.PEMKeyPair; import org.bouncycastle.openssl.PEMParser; -import org.bouncycastle.openssl.PasswordFinder; import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter; import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder; @@ -46,7 +45,6 @@ import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder; public class FileKeyPairProvider extends AbstractKeyPairProvider { private String[] files; - private PasswordFinder passwordFinder; public FileKeyPairProvider() { } @@ -55,11 +53,6 @@ public class FileKeyPairProvider extends AbstractKeyPairProvider { this.files = files; } - public FileKeyPairProvider(String[] files, PasswordFinder passwordFinder) { - this.files = files; - this.passwordFinder = passwordFinder; - } - public String[] getFiles() { return files; } @@ -68,14 +61,6 @@ public class FileKeyPairProvider extends AbstractKeyPairProvider { this.files = files; } - public PasswordFinder getPasswordFinder() { - return passwordFinder; - } - - public void setPasswordFinder(PasswordFinder passwordFinder) { - this.passwordFinder = passwordFinder; - } - public Iterable loadKeys() { if (!SecurityUtils.isBouncyCastleRegistered()) { throw new IllegalStateException("BouncyCastle must be registered as a JCE provider"); @@ -130,12 +115,6 @@ public class FileKeyPairProvider extends AbstractKeyPairProvider { JcaPEMKeyConverter pemConverter = new JcaPEMKeyConverter(); pemConverter.setProvider("BC"); - if (passwordFinder != null && o instanceof PEMEncryptedKeyPair) { - JcePEMDecryptorProviderBuilder decryptorBuilder = new JcePEMDecryptorProviderBuilder(); - PEMDecryptorProvider pemDecryptor = decryptorBuilder.build(passwordFinder.getPassword()); - o = pemConverter.getKeyPair(((PEMEncryptedKeyPair) o).decryptKeyPair(pemDecryptor)); - } - if (o instanceof PEMKeyPair) { o = pemConverter.getKeyPair((PEMKeyPair)o); return (KeyPair) o; diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java index 8bb880b0..7a31bc18 100644 --- a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java +++ b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java @@ -34,7 +34,7 @@ import org.apache.sshd.common.util.security.bouncycastle.BouncyCastleSecurityPro import org.apache.sshd.common.util.security.eddsa.EdDSASecurityProviderRegistrar; import org.apache.sshd.server.SshServer; import org.apache.sshd.server.auth.pubkey.CachingPublicKeyAuthenticator; -import org.bouncycastle.openssl.PEMWriter; +import org.bouncycastle.openssl.jcajce.JcaPEMWriter; import org.eclipse.jgit.internal.JGitText; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -267,7 +267,7 @@ public class SshDaemon { } FileOutputStream os = new FileOutputStream(file); - PEMWriter w = new PEMWriter(new OutputStreamWriter(os)); + JcaPEMWriter w = new JcaPEMWriter(new OutputStreamWriter(os)); w.writeObject(kp); w.flush(); w.close(); diff --git a/src/main/java/com/gitblit/utils/X509Utils.java b/src/main/java/com/gitblit/utils/X509Utils.java index b661922d..4626622e 100644 --- a/src/main/java/com/gitblit/utils/X509Utils.java +++ b/src/main/java/com/gitblit/utils/X509Utils.java @@ -72,7 +72,7 @@ import org.bouncycastle.asn1.x509.BasicConstraints; import org.bouncycastle.asn1.x509.GeneralName; import org.bouncycastle.asn1.x509.GeneralNames; import org.bouncycastle.asn1.x509.KeyUsage; -import org.bouncycastle.asn1.x509.X509Extension; +import org.bouncycastle.asn1.x509.Extension; import org.bouncycastle.cert.X509CRLHolder; import org.bouncycastle.cert.X509v2CRLBuilder; import org.bouncycastle.cert.X509v3CertificateBuilder; @@ -82,7 +82,6 @@ import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; import org.bouncycastle.jce.PrincipalUtil; import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; import org.bouncycastle.openssl.PEMEncryptor; -import org.bouncycastle.openssl.PEMWriter; import org.bouncycastle.openssl.jcajce.JcaPEMWriter; import org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder; import org.bouncycastle.operator.ContentSigner; @@ -445,9 +444,9 @@ public class X509Utils { boolean asPem = targetFile.getName().toLowerCase().endsWith(".pem"); if (asPem) { // PEM encoded X509 - PEMWriter pemWriter = null; + JcaPEMWriter pemWriter = null; try { - pemWriter = new PEMWriter(new FileWriter(tmpFile)); + pemWriter = new JcaPEMWriter(new FileWriter(tmpFile)); pemWriter.writeObject(cert); pemWriter.flush(); } finally { @@ -560,9 +559,9 @@ public class X509Utils { pair.getPublic()); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); - certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); - certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); - certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); + certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); + certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false)); + certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); // support alternateSubjectNames for SSL certificates List altNames = new ArrayList(); @@ -571,7 +570,7 @@ public class X509Utils { } if (altNames.size() > 0) { GeneralNames subjectAltName = new GeneralNames(altNames.toArray(new GeneralName [altNames.size()])); - certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); + certBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltName); } ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM) @@ -629,10 +628,10 @@ public class X509Utils { caPair.getPublic()); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); - caBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(caPair.getPublic())); - caBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caPair.getPublic())); - caBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(true)); - caBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); + caBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(caPair.getPublic())); + caBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caPair.getPublic())); + caBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true)); + caBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BC); X509Certificate cert = converter.getCertificate(caBuilder.build(caSigner)); @@ -862,14 +861,14 @@ public class X509Utils { pair.getPublic()); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); - certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); - certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); - certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); - certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature)); + certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); + certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false)); + certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); + certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature)); if (!StringUtils.isEmpty(clientMetadata.emailAddress)) { GeneralNames subjectAltName = new GeneralNames( new GeneralName(GeneralName.rfc822Name, clientMetadata.emailAddress)); - certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); + certBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltName); } ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey); -- 2.39.5