Version 1.69 is chosen instead of 1.70 because the moxie build would not download the 1.70 jars; it tried to download `...1.7.jar` instead. Three class deprecations are fixed. `PEMWriter` and `X509Extension` are replaced with their drop-in replacements `JcaPEMWriter` and `Extension`. The `PasswordFinder` deprecation note says that "it is no longer used". It was also never used in Gitblit's code, so it is removed from the key pair provider class.
pull/1429/head
@@ -51,9 +51,10 @@ | |||
<classpathentry kind="lib" path="ext/commons-logging-1.1.3.jar" sourcepath="ext/src/commons-logging-1.1.3.jar" /> | |||
<classpathentry kind="lib" path="ext/commons-codec-1.7.jar" sourcepath="ext/src/commons-codec-1.7.jar" /> | |||
<classpathentry kind="lib" path="ext/org.eclipse.jgit.http.server-4.5.7.201904151645-r.jar" sourcepath="ext/src/org.eclipse.jgit.http.server-4.5.7.201904151645-r.jar" /> | |||
<classpathentry kind="lib" path="ext/bcprov-jdk15on-1.57.jar" sourcepath="ext/src/bcprov-jdk15on-1.57.jar" /> | |||
<classpathentry kind="lib" path="ext/bcmail-jdk15on-1.57.jar" sourcepath="ext/src/bcmail-jdk15on-1.57.jar" /> | |||
<classpathentry kind="lib" path="ext/bcpkix-jdk15on-1.57.jar" sourcepath="ext/src/bcpkix-jdk15on-1.57.jar" /> | |||
<classpathentry kind="lib" path="ext/bcprov-jdk15on-1.69.jar" sourcepath="ext/src/bcprov-jdk15on-1.69.jar" /> | |||
<classpathentry kind="lib" path="ext/bcmail-jdk15on-1.69.jar" sourcepath="ext/src/bcmail-jdk15on-1.69.jar" /> | |||
<classpathentry kind="lib" path="ext/bcutil-jdk15on-1.69.jar" sourcepath="ext/src/bcutil-jdk15on-1.69.jar" /> | |||
<classpathentry kind="lib" path="ext/bcpkix-jdk15on-1.69.jar" sourcepath="ext/src/bcpkix-jdk15on-1.69.jar" /> | |||
<classpathentry kind="lib" path="ext/eddsa-0.2.0.jar" sourcepath="ext/src/eddsa-0.2.0.jar" /> | |||
<classpathentry kind="lib" path="ext/sshd-core-1.7.0.jar" sourcepath="ext/src/sshd-core-1.7.0.jar" /> | |||
<classpathentry kind="lib" path="ext/mina-core-2.0.21.jar" sourcepath="ext/src/mina-core-2.0.21.jar" /> |
@@ -111,7 +111,7 @@ properties: { | |||
lucene.version : 5.5.2 | |||
jgit.version : 4.5.7.201904151645-r | |||
groovy.version : 2.4.4 | |||
bouncycastle.version : 1.57 | |||
bouncycastle.version : 1.69 | |||
selenium.version : 2.28.0 | |||
wikitext.version : 1.4 | |||
sshd.version: 1.7.0 |
@@ -508,35 +508,46 @@ | |||
</library> | |||
</orderEntry> | |||
<orderEntry type="module-library"> | |||
<library name="bcprov-jdk15on-1.57.jar"> | |||
<library name="bcprov-jdk15on-1.69.jar"> | |||
<CLASSES> | |||
<root url="jar://$MODULE_DIR$/ext/bcprov-jdk15on-1.57.jar!/" /> | |||
<root url="jar://$MODULE_DIR$/ext/bcprov-jdk15on-1.69.jar!/" /> | |||
</CLASSES> | |||
<JAVADOC /> | |||
<SOURCES> | |||
<root url="jar://$MODULE_DIR$/ext/src/bcprov-jdk15on-1.57.jar!/" /> | |||
<root url="jar://$MODULE_DIR$/ext/src/bcprov-jdk15on-1.69.jar!/" /> | |||
</SOURCES> | |||
</library> | |||
</orderEntry> | |||
<orderEntry type="module-library"> | |||
<library name="bcmail-jdk15on-1.57.jar"> | |||
<library name="bcmail-jdk15on-1.69.jar"> | |||
<CLASSES> | |||
<root url="jar://$MODULE_DIR$/ext/bcmail-jdk15on-1.57.jar!/" /> | |||
<root url="jar://$MODULE_DIR$/ext/bcmail-jdk15on-1.69.jar!/" /> | |||
</CLASSES> | |||
<JAVADOC /> | |||
<SOURCES> | |||
<root url="jar://$MODULE_DIR$/ext/src/bcmail-jdk15on-1.57.jar!/" /> | |||
<root url="jar://$MODULE_DIR$/ext/src/bcmail-jdk15on-1.69.jar!/" /> | |||
</SOURCES> | |||
</library> | |||
</orderEntry> | |||
<orderEntry type="module-library"> | |||
<library name="bcpkix-jdk15on-1.57.jar"> | |||
<library name="bcutil-jdk15on-1.69.jar"> | |||
<CLASSES> | |||
<root url="jar://$MODULE_DIR$/ext/bcpkix-jdk15on-1.57.jar!/" /> | |||
<root url="jar://$MODULE_DIR$/ext/bcutil-jdk15on-1.69.jar!/" /> | |||
</CLASSES> | |||
<JAVADOC /> | |||
<SOURCES> | |||
<root url="jar://$MODULE_DIR$/ext/src/bcpkix-jdk15on-1.57.jar!/" /> | |||
<root url="jar://$MODULE_DIR$/ext/src/bcutil-jdk15on-1.69.jar!/" /> | |||
</SOURCES> | |||
</library> | |||
</orderEntry> | |||
<orderEntry type="module-library"> | |||
<library name="bcpkix-jdk15on-1.69.jar"> | |||
<CLASSES> | |||
<root url="jar://$MODULE_DIR$/ext/bcpkix-jdk15on-1.69.jar!/" /> | |||
</CLASSES> | |||
<JAVADOC /> | |||
<SOURCES> | |||
<root url="jar://$MODULE_DIR$/ext/src/bcpkix-jdk15on-1.69.jar!/" /> | |||
</SOURCES> | |||
</library> | |||
</orderEntry> |
@@ -31,7 +31,6 @@ import org.bouncycastle.openssl.PEMDecryptorProvider; | |||
import org.bouncycastle.openssl.PEMEncryptedKeyPair; | |||
import org.bouncycastle.openssl.PEMKeyPair; | |||
import org.bouncycastle.openssl.PEMParser; | |||
import org.bouncycastle.openssl.PasswordFinder; | |||
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter; | |||
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder; | |||
@@ -46,7 +45,6 @@ import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder; | |||
public class FileKeyPairProvider extends AbstractKeyPairProvider { | |||
private String[] files; | |||
private PasswordFinder passwordFinder; | |||
public FileKeyPairProvider() { | |||
} | |||
@@ -55,11 +53,6 @@ public class FileKeyPairProvider extends AbstractKeyPairProvider { | |||
this.files = files; | |||
} | |||
public FileKeyPairProvider(String[] files, PasswordFinder passwordFinder) { | |||
this.files = files; | |||
this.passwordFinder = passwordFinder; | |||
} | |||
public String[] getFiles() { | |||
return files; | |||
} | |||
@@ -68,14 +61,6 @@ public class FileKeyPairProvider extends AbstractKeyPairProvider { | |||
this.files = files; | |||
} | |||
public PasswordFinder getPasswordFinder() { | |||
return passwordFinder; | |||
} | |||
public void setPasswordFinder(PasswordFinder passwordFinder) { | |||
this.passwordFinder = passwordFinder; | |||
} | |||
public Iterable<KeyPair> loadKeys() { | |||
if (!SecurityUtils.isBouncyCastleRegistered()) { | |||
throw new IllegalStateException("BouncyCastle must be registered as a JCE provider"); | |||
@@ -130,12 +115,6 @@ public class FileKeyPairProvider extends AbstractKeyPairProvider { | |||
JcaPEMKeyConverter pemConverter = new JcaPEMKeyConverter(); | |||
pemConverter.setProvider("BC"); | |||
if (passwordFinder != null && o instanceof PEMEncryptedKeyPair) { | |||
JcePEMDecryptorProviderBuilder decryptorBuilder = new JcePEMDecryptorProviderBuilder(); | |||
PEMDecryptorProvider pemDecryptor = decryptorBuilder.build(passwordFinder.getPassword()); | |||
o = pemConverter.getKeyPair(((PEMEncryptedKeyPair) o).decryptKeyPair(pemDecryptor)); | |||
} | |||
if (o instanceof PEMKeyPair) { | |||
o = pemConverter.getKeyPair((PEMKeyPair)o); | |||
return (KeyPair) o; |
@@ -34,7 +34,7 @@ import org.apache.sshd.common.util.security.bouncycastle.BouncyCastleSecurityPro | |||
import org.apache.sshd.common.util.security.eddsa.EdDSASecurityProviderRegistrar; | |||
import org.apache.sshd.server.SshServer; | |||
import org.apache.sshd.server.auth.pubkey.CachingPublicKeyAuthenticator; | |||
import org.bouncycastle.openssl.PEMWriter; | |||
import org.bouncycastle.openssl.jcajce.JcaPEMWriter; | |||
import org.eclipse.jgit.internal.JGitText; | |||
import org.slf4j.Logger; | |||
import org.slf4j.LoggerFactory; | |||
@@ -267,7 +267,7 @@ public class SshDaemon { | |||
} | |||
FileOutputStream os = new FileOutputStream(file); | |||
PEMWriter w = new PEMWriter(new OutputStreamWriter(os)); | |||
JcaPEMWriter w = new JcaPEMWriter(new OutputStreamWriter(os)); | |||
w.writeObject(kp); | |||
w.flush(); | |||
w.close(); |
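Review bot: The writer created at `JcaPEMWriter w = new JcaPEMWriter(new OutputStreamWriter(os));` is still closed by hand, so an exception thrown by `w.writeObject(kp)` leaves the `FileOutputStream` open and can leave a truncated key file on disk. `JcaPEMWriter` is a `Writer`, so try-with-resources closes it on every path: `try (JcaPEMWriter w = new JcaPEMWriter(new OutputStreamWriter(os))) { w.writeObject(kp); }`. Because `kp` appears to be a key pair written in the clear, it is also worth confirming that the file is created with permissions restricted to the service account. The hunk does not show that, and the enclosing method starts and ends outside it.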
@@ -72,7 +72,7 @@ import org.bouncycastle.asn1.x509.BasicConstraints; | |||
import org.bouncycastle.asn1.x509.GeneralName; | |||
import org.bouncycastle.asn1.x509.GeneralNames; | |||
import org.bouncycastle.asn1.x509.KeyUsage; | |||
import org.bouncycastle.asn1.x509.X509Extension; | |||
import org.bouncycastle.asn1.x509.Extension; | |||
import org.bouncycastle.cert.X509CRLHolder; | |||
import org.bouncycastle.cert.X509v2CRLBuilder; | |||
import org.bouncycastle.cert.X509v3CertificateBuilder; | |||
@@ -82,7 +82,6 @@ import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; | |||
import org.bouncycastle.jce.PrincipalUtil; | |||
import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; | |||
import org.bouncycastle.openssl.PEMEncryptor; | |||
import org.bouncycastle.openssl.PEMWriter; | |||
import org.bouncycastle.openssl.jcajce.JcaPEMWriter; | |||
import org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder; | |||
import org.bouncycastle.operator.ContentSigner; | |||
@@ -445,9 +444,9 @@ public class X509Utils { | |||
boolean asPem = targetFile.getName().toLowerCase().endsWith(".pem"); | |||
if (asPem) { | |||
// PEM encoded X509 | |||
PEMWriter pemWriter = null; | |||
JcaPEMWriter pemWriter = null; | |||
try { | |||
pemWriter = new PEMWriter(new FileWriter(tmpFile)); | |||
pemWriter = new JcaPEMWriter(new FileWriter(tmpFile)); | |||
pemWriter.writeObject(cert); | |||
pemWriter.flush(); | |||
} finally { | |||
@@ -560,9 +559,9 @@ public class X509Utils { | |||
pair.getPublic()); | |||
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); | |||
certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); | |||
certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); | |||
certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); | |||
certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); | |||
certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false)); | |||
certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); | |||
// support alternateSubjectNames for SSL certificates | |||
List<GeneralName> altNames = new ArrayList<GeneralName>(); | |||
@@ -571,7 +570,7 @@ public class X509Utils { | |||
} | |||
if (altNames.size() > 0) { | |||
GeneralNames subjectAltName = new GeneralNames(altNames.toArray(new GeneralName [altNames.size()])); | |||
certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); | |||
certBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltName); | |||
} | |||
ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM) | |||
@@ -629,10 +628,10 @@ public class X509Utils { | |||
caPair.getPublic()); | |||
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); | |||
caBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(caPair.getPublic())); | |||
caBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caPair.getPublic())); | |||
caBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(true)); | |||
caBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); | |||
caBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(caPair.getPublic())); | |||
caBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caPair.getPublic())); | |||
caBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true)); | |||
caBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); | |||
JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BC); | |||
X509Certificate cert = converter.getCertificate(caBuilder.build(caSigner)); | |||
@@ -862,14 +861,14 @@ public class X509Utils { | |||
pair.getPublic()); | |||
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); | |||
certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); | |||
certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); | |||
certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); | |||
certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature)); | |||
certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); | |||
certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false)); | |||
certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); | |||
certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature)); | |||
if (!StringUtils.isEmpty(clientMetadata.emailAddress)) { | |||
GeneralNames subjectAltName = new GeneralNames( | |||
new GeneralName(GeneralName.rfc822Name, clientMetadata.emailAddress)); | |||
certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); | |||
certBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltName); | |||
} | |||
ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey); |
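Review bot: In the CA-certificate hunk (`@@ -629,10 +628,10 @@`), `caBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));` still marks basicConstraints as non-critical; the rename from `X509Extension` carries that flag over unchanged. RFC 5280 section 4.2.1.9 requires CA certificates whose keys verify certificate signatures to mark this extension critical, and a strict path validator may handle a CA certificate without it differently from a lenient one. Consider `caBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));`, which would affect only newly generated CA certificates, not ones already issued. The enclosing method starts and ends outside the hunk.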