Update BouncyCastle to version 1.69

The version 1.69 is chosen instead of 1.70, because the moxie build would not download the jars, trying to download `...1.7.jar` instead. Three class deprecations are fixed. `PEMWriter` and `X509Extension` are replaced with their drop-in replacements `JcaPEMWriter` and `Extension`. The `PasswordFinder` deprecation note says that "it is no longer used". It also was never used in Gitblit's code, so it is removed from the key par provider class.
author: Florian Zschocke <f.zschocke+git@gmail.com> 2022-10-09 22:16:26 +0200
committer: Florian Zschocke <f.zschocke+git@gmail.com> 2022-10-25 00:01:01 +0200
commit: 98f13a89eb7722fdc95d6dc7810f157fb8cfca6b (patch)
tree: d4205d6d34c7a8cd85e86210fb77d478f8739adb /src
parent: 32b1e66805f4e924f5fb72de61f99941967ab125 (diff)
download: gitblit-98f13a89eb7722fdc95d6dc7810f157fb8cfca6b.tar.gz
gitblit-98f13a89eb7722fdc95d6dc7810f157fb8cfca6b.zip
3 files changed, 18 insertions, 40 deletions
diff --git a/src/main/java/com/gitblit/transport/ssh/FileKeyPairProvider.java b/src/main/java/com/gitblit/transport/ssh/FileKeyPairProvider.java
index cc91bb8c..38618baf 100644
--- a/src/main/java/com/gitblit/transport/ssh/FileKeyPairProvider.java
+++ b/src/main/java/com/gitblit/transport/ssh/FileKeyPairProvider.java
@@ -31,7 +31,6 @@ import org.bouncycastle.openssl.PEMDecryptorProvider;
 import org.bouncycastle.openssl.PEMEncryptedKeyPair;
 import org.bouncycastle.openssl.PEMKeyPair;
 import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.PasswordFinder;
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
 import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
 
@@ -46,7 +45,6 @@ import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
 public class FileKeyPairProvider extends AbstractKeyPairProvider {
 
     private String[] files;
-    private PasswordFinder passwordFinder;
 
     public FileKeyPairProvider() {
     }
@@ -55,11 +53,6 @@ public class FileKeyPairProvider extends AbstractKeyPairProvider {
         this.files = files;
     }
 
-    public FileKeyPairProvider(String[] files, PasswordFinder passwordFinder) {
-        this.files = files;
-        this.passwordFinder = passwordFinder;
-    }
-
     public String[] getFiles() {
         return files;
     }
@@ -68,14 +61,6 @@ public class FileKeyPairProvider extends AbstractKeyPairProvider {
         this.files = files;
     }
 
-    public PasswordFinder getPasswordFinder() {
-        return passwordFinder;
-    }
-
-    public void setPasswordFinder(PasswordFinder passwordFinder) {
-        this.passwordFinder = passwordFinder;
-    }
-
     public Iterable<KeyPair> loadKeys() {
         if (!SecurityUtils.isBouncyCastleRegistered()) {
             throw new IllegalStateException("BouncyCastle must be registered as a JCE provider");
@@ -130,12 +115,6 @@ public class FileKeyPairProvider extends AbstractKeyPairProvider {
 
                 JcaPEMKeyConverter pemConverter = new JcaPEMKeyConverter();
                 pemConverter.setProvider("BC");
-                if (passwordFinder != null && o instanceof PEMEncryptedKeyPair) {
-                    JcePEMDecryptorProviderBuilder decryptorBuilder = new JcePEMDecryptorProviderBuilder();
-                    PEMDecryptorProvider pemDecryptor = decryptorBuilder.build(passwordFinder.getPassword());
-                    o = pemConverter.getKeyPair(((PEMEncryptedKeyPair) o).decryptKeyPair(pemDecryptor));
-                }
-
                 if (o instanceof PEMKeyPair) {
                     o = pemConverter.getKeyPair((PEMKeyPair)o);
                     return (KeyPair) o;
diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
index 8bb880b0..7a31bc18 100644
--- a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
+++ b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
@@ -34,7 +34,7 @@ import org.apache.sshd.common.util.security.bouncycastle.BouncyCastleSecurityPro
 import org.apache.sshd.common.util.security.eddsa.EdDSASecurityProviderRegistrar;
 import org.apache.sshd.server.SshServer;
 import org.apache.sshd.server.auth.pubkey.CachingPublicKeyAuthenticator;
-import org.bouncycastle.openssl.PEMWriter;
+import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
 import org.eclipse.jgit.internal.JGitText;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -267,7 +267,7 @@ public class SshDaemon {
             }
 
             FileOutputStream os = new FileOutputStream(file);
-            PEMWriter w = new PEMWriter(new OutputStreamWriter(os));
+            JcaPEMWriter w = new JcaPEMWriter(new OutputStreamWriter(os));
             w.writeObject(kp);
             w.flush();
             w.close();
diff --git a/src/main/java/com/gitblit/utils/X509Utils.java b/src/main/java/com/gitblit/utils/X509Utils.java
index b661922d..4626622e 100644
--- a/src/main/java/com/gitblit/utils/X509Utils.java
+++ b/src/main/java/com/gitblit/utils/X509Utils.java
@@ -72,7 +72,7 @@ import org.bouncycastle.asn1.x509.BasicConstraints;
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
 import org.bouncycastle.asn1.x509.KeyUsage;
-import org.bouncycastle.asn1.x509.X509Extension;
+import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.cert.X509CRLHolder;
 import org.bouncycastle.cert.X509v2CRLBuilder;
 import org.bouncycastle.cert.X509v3CertificateBuilder;
@@ -82,7 +82,6 @@ import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
 import org.bouncycastle.jce.PrincipalUtil;
 import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
 import org.bouncycastle.openssl.PEMEncryptor;
-import org.bouncycastle.openssl.PEMWriter;
 import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
 import org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder;
 import org.bouncycastle.operator.ContentSigner;
@@ -445,9 +444,9 @@ public class X509Utils {
 			boolean asPem = targetFile.getName().toLowerCase().endsWith(".pem");
 			if (asPem) {
 				// PEM encoded X509
-				PEMWriter pemWriter = null;
+				JcaPEMWriter pemWriter = null;
 				try {
-					pemWriter = new PEMWriter(new FileWriter(tmpFile));
+					pemWriter = new JcaPEMWriter(new FileWriter(tmpFile));
 					pemWriter.writeObject(cert);
 					pemWriter.flush();
 				} finally {
@@ -560,9 +559,9 @@ public class X509Utils {
 					pair.getPublic());
 
 			JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
-			certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic()));
-			certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false));
-			certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));
+			certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic()));
+			certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
+			certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));
 
 			// support alternateSubjectNames for SSL certificates
 			List<GeneralName> altNames = new ArrayList<GeneralName>();
@@ -571,7 +570,7 @@ public class X509Utils {
 			}
 			if (altNames.size() > 0) {
 				GeneralNames subjectAltName = new GeneralNames(altNames.toArray(new GeneralName [altNames.size()]));
-				certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName);
+				certBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltName);
 			}
 
 			ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM)
@@ -629,10 +628,10 @@ public class X509Utils {
 					caPair.getPublic());
 
 			JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
-			caBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(caPair.getPublic()));
-			caBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caPair.getPublic()));
-			caBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(true));
-			caBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));
+			caBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(caPair.getPublic()));
+			caBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caPair.getPublic()));
+			caBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));
+			caBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));
 
 			JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BC);
 			X509Certificate cert = converter.getCertificate(caBuilder.build(caSigner));
@@ -862,14 +861,14 @@ public class X509Utils {
 					pair.getPublic());
 
 			JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
-			certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic()));
-			certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false));
-			certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));
-			certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature));
+			certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic()));
+			certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
+			certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));
+			certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature));
 			if (!StringUtils.isEmpty(clientMetadata.emailAddress)) {
 				GeneralNames subjectAltName = new GeneralNames(
                     new GeneralName(GeneralName.rfc822Name, clientMetadata.emailAddress));
-				certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName);
+				certBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltName);
 			}
 
 			ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey);
author	Florian Zschocke <f.zschocke+git@gmail.com>	2022-10-09 22:16:26 +0200
committer	Florian Zschocke <f.zschocke+git@gmail.com>	2022-10-25 00:01:01 +0200
commit	98f13a89eb7722fdc95d6dc7810f157fb8cfca6b (patch)
tree	d4205d6d34c7a8cd85e86210fb77d478f8739adb /src
parent	32b1e66805f4e924f5fb72de61f99941967ab125 (diff)
download	gitblit-98f13a89eb7722fdc95d6dc7810f157fb8cfca6b.tar.gz gitblit-98f13a89eb7722fdc95d6dc7810f157fb8cfca6b.zip