Browse Source
Update BouncyCastle to version 1.69
The version 1.69 is chosen instead of 1.70, because the moxie build would not download the jars, trying to download `...1.7.jar` instead. Three class deprecations are fixed. `PEMWriter` and `X509Extension` are replaced with their drop-in replacements `JcaPEMWriter` and `Extension`. The `PasswordFinder` deprecation note says that "it is no longer used". It also was never used in Gitblit's code, so it is removed from the key par provider class.pull/1429/head
Florian Zschocke
1 year ago
6 changed files with 43 additions and 53 deletions
+ 4
- 3
.classpath
View File
| @@ -51,9 +51,10 @@ | |||
| <classpathentry kind="lib" path="ext/commons-logging-1.1.3.jar" sourcepath="ext/src/commons-logging-1.1.3.jar" /> | |||
| <classpathentry kind="lib" path="ext/commons-codec-1.7.jar" sourcepath="ext/src/commons-codec-1.7.jar" /> | |||
| <classpathentry kind="lib" path="ext/org.eclipse.jgit.http.server-4.5.7.201904151645-r.jar" sourcepath="ext/src/org.eclipse.jgit.http.server-4.5.7.201904151645-r.jar" /> | |||
| <classpathentry kind="lib" path="ext/bcprov-jdk15on-1.57.jar" sourcepath="ext/src/bcprov-jdk15on-1.57.jar" /> | |||
| <classpathentry kind="lib" path="ext/bcmail-jdk15on-1.57.jar" sourcepath="ext/src/bcmail-jdk15on-1.57.jar" /> | |||
| <classpathentry kind="lib" path="ext/bcpkix-jdk15on-1.57.jar" sourcepath="ext/src/bcpkix-jdk15on-1.57.jar" /> | |||
| <classpathentry kind="lib" path="ext/bcprov-jdk15on-1.69.jar" sourcepath="ext/src/bcprov-jdk15on-1.69.jar" /> | |||
| <classpathentry kind="lib" path="ext/bcmail-jdk15on-1.69.jar" sourcepath="ext/src/bcmail-jdk15on-1.69.jar" /> | |||
| <classpathentry kind="lib" path="ext/bcutil-jdk15on-1.69.jar" sourcepath="ext/src/bcutil-jdk15on-1.69.jar" /> | |||
| <classpathentry kind="lib" path="ext/bcpkix-jdk15on-1.69.jar" sourcepath="ext/src/bcpkix-jdk15on-1.69.jar" /> | |||
| <classpathentry kind="lib" path="ext/eddsa-0.2.0.jar" sourcepath="ext/src/eddsa-0.2.0.jar" /> | |||
| <classpathentry kind="lib" path="ext/sshd-core-1.7.0.jar" sourcepath="ext/src/sshd-core-1.7.0.jar" /> | |||
| <classpathentry kind="lib" path="ext/mina-core-2.0.21.jar" sourcepath="ext/src/mina-core-2.0.21.jar" /> | |||
+ 1
- 1
build.moxie
View File
| @@ -111,7 +111,7 @@ properties: { | |||
| lucene.version : 5.5.2 | |||
| jgit.version : 4.5.7.201904151645-r | |||
| groovy.version : 2.4.4 | |||
| bouncycastle.version : 1.57 | |||
| bouncycastle.version : 1.69 | |||
| selenium.version : 2.28.0 | |||
| wikitext.version : 1.4 | |||
| sshd.version: 1.7.0 | |||
+ 20
- 9
gitblit.iml
View File
| @@ -508,35 +508,46 @@ | |||
| </library> | |||
| </orderEntry> | |||
| <orderEntry type="module-library"> | |||
| <library name="bcprov-jdk15on-1.57.jar"> | |||
| <library name="bcprov-jdk15on-1.69.jar"> | |||
| <CLASSES> | |||
| <root url="jar://$MODULE_DIR$/ext/bcprov-jdk15on-1.57.jar!/" /> | |||
| <root url="jar://$MODULE_DIR$/ext/bcprov-jdk15on-1.69.jar!/" /> | |||
| </CLASSES> | |||
| <JAVADOC /> | |||
| <SOURCES> | |||
| <root url="jar://$MODULE_DIR$/ext/src/bcprov-jdk15on-1.57.jar!/" /> | |||
| <root url="jar://$MODULE_DIR$/ext/src/bcprov-jdk15on-1.69.jar!/" /> | |||
| </SOURCES> | |||
| </library> | |||
| </orderEntry> | |||
| <orderEntry type="module-library"> | |||
| <library name="bcmail-jdk15on-1.57.jar"> | |||
| <library name="bcmail-jdk15on-1.69.jar"> | |||
| <CLASSES> | |||
| <root url="jar://$MODULE_DIR$/ext/bcmail-jdk15on-1.57.jar!/" /> | |||
| <root url="jar://$MODULE_DIR$/ext/bcmail-jdk15on-1.69.jar!/" /> | |||
| </CLASSES> | |||
| <JAVADOC /> | |||
| <SOURCES> | |||
| <root url="jar://$MODULE_DIR$/ext/src/bcmail-jdk15on-1.57.jar!/" /> | |||
| <root url="jar://$MODULE_DIR$/ext/src/bcmail-jdk15on-1.69.jar!/" /> | |||
| </SOURCES> | |||
| </library> | |||
| </orderEntry> | |||
| <orderEntry type="module-library"> | |||
| <library name="bcpkix-jdk15on-1.57.jar"> | |||
| <library name="bcutil-jdk15on-1.69.jar"> | |||
| <CLASSES> | |||
| <root url="jar://$MODULE_DIR$/ext/bcpkix-jdk15on-1.57.jar!/" /> | |||
| <root url="jar://$MODULE_DIR$/ext/bcutil-jdk15on-1.69.jar!/" /> | |||
| </CLASSES> | |||
| <JAVADOC /> | |||
| <SOURCES> | |||
| <root url="jar://$MODULE_DIR$/ext/src/bcpkix-jdk15on-1.57.jar!/" /> | |||
| <root url="jar://$MODULE_DIR$/ext/src/bcutil-jdk15on-1.69.jar!/" /> | |||
| </SOURCES> | |||
| </library> | |||
| </orderEntry> | |||
| <orderEntry type="module-library"> | |||
| <library name="bcpkix-jdk15on-1.69.jar"> | |||
| <CLASSES> | |||
| <root url="jar://$MODULE_DIR$/ext/bcpkix-jdk15on-1.69.jar!/" /> | |||
| </CLASSES> | |||
| <JAVADOC /> | |||
| <SOURCES> | |||
| <root url="jar://$MODULE_DIR$/ext/src/bcpkix-jdk15on-1.69.jar!/" /> | |||
| </SOURCES> | |||
| </library> | |||
| </orderEntry> | |||
+ 0
- 21
src/main/java/com/gitblit/transport/ssh/FileKeyPairProvider.java
View File
| @@ -31,7 +31,6 @@ import org.bouncycastle.openssl.PEMDecryptorProvider; | |||
| import org.bouncycastle.openssl.PEMEncryptedKeyPair; | |||
| import org.bouncycastle.openssl.PEMKeyPair; | |||
| import org.bouncycastle.openssl.PEMParser; | |||
| import org.bouncycastle.openssl.PasswordFinder; | |||
| import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter; | |||
| import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder; | |||
| @@ -46,7 +45,6 @@ import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder; | |||
| public class FileKeyPairProvider extends AbstractKeyPairProvider { | |||
| private String[] files; | |||
| private PasswordFinder passwordFinder; | |||
| public FileKeyPairProvider() { | |||
| } | |||
| @@ -55,11 +53,6 @@ public class FileKeyPairProvider extends AbstractKeyPairProvider { | |||
| this.files = files; | |||
| } | |||
| public FileKeyPairProvider(String[] files, PasswordFinder passwordFinder) { | |||
| this.files = files; | |||
| this.passwordFinder = passwordFinder; | |||
| } | |||
| public String[] getFiles() { | |||
| return files; | |||
| } | |||
| @@ -68,14 +61,6 @@ public class FileKeyPairProvider extends AbstractKeyPairProvider { | |||
| this.files = files; | |||
| } | |||
| public PasswordFinder getPasswordFinder() { | |||
| return passwordFinder; | |||
| } | |||
| public void setPasswordFinder(PasswordFinder passwordFinder) { | |||
| this.passwordFinder = passwordFinder; | |||
| } | |||
| public Iterable<KeyPair> loadKeys() { | |||
| if (!SecurityUtils.isBouncyCastleRegistered()) { | |||
| throw new IllegalStateException("BouncyCastle must be registered as a JCE provider"); | |||
| @@ -130,12 +115,6 @@ public class FileKeyPairProvider extends AbstractKeyPairProvider { | |||
| JcaPEMKeyConverter pemConverter = new JcaPEMKeyConverter(); | |||
| pemConverter.setProvider("BC"); | |||
| if (passwordFinder != null && o instanceof PEMEncryptedKeyPair) { | |||
| JcePEMDecryptorProviderBuilder decryptorBuilder = new JcePEMDecryptorProviderBuilder(); | |||
| PEMDecryptorProvider pemDecryptor = decryptorBuilder.build(passwordFinder.getPassword()); | |||
| o = pemConverter.getKeyPair(((PEMEncryptedKeyPair) o).decryptKeyPair(pemDecryptor)); | |||
| } | |||
| if (o instanceof PEMKeyPair) { | |||
| o = pemConverter.getKeyPair((PEMKeyPair)o); | |||
| return (KeyPair) o; | |||
+ 2
- 2
src/main/java/com/gitblit/transport/ssh/SshDaemon.java
View File
| @@ -34,7 +34,7 @@ import org.apache.sshd.common.util.security.bouncycastle.BouncyCastleSecurityPro | |||
| import org.apache.sshd.common.util.security.eddsa.EdDSASecurityProviderRegistrar; | |||
| import org.apache.sshd.server.SshServer; | |||
| import org.apache.sshd.server.auth.pubkey.CachingPublicKeyAuthenticator; | |||
| import org.bouncycastle.openssl.PEMWriter; | |||
| import org.bouncycastle.openssl.jcajce.JcaPEMWriter; | |||
| import org.eclipse.jgit.internal.JGitText; | |||
| import org.slf4j.Logger; | |||
| import org.slf4j.LoggerFactory; | |||
| @@ -267,7 +267,7 @@ public class SshDaemon { | |||
| } | |||
| FileOutputStream os = new FileOutputStream(file); | |||
| PEMWriter w = new PEMWriter(new OutputStreamWriter(os)); | |||
| JcaPEMWriter w = new JcaPEMWriter(new OutputStreamWriter(os)); | |||
| w.writeObject(kp); | |||
| w.flush(); | |||
| w.close(); | |||
+ 16
- 17
src/main/java/com/gitblit/utils/X509Utils.java
View File
| @@ -72,7 +72,7 @@ import org.bouncycastle.asn1.x509.BasicConstraints; | |||
| import org.bouncycastle.asn1.x509.GeneralName; | |||
| import org.bouncycastle.asn1.x509.GeneralNames; | |||
| import org.bouncycastle.asn1.x509.KeyUsage; | |||
| import org.bouncycastle.asn1.x509.X509Extension; | |||
| import org.bouncycastle.asn1.x509.Extension; | |||
| import org.bouncycastle.cert.X509CRLHolder; | |||
| import org.bouncycastle.cert.X509v2CRLBuilder; | |||
| import org.bouncycastle.cert.X509v3CertificateBuilder; | |||
| @@ -82,7 +82,6 @@ import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; | |||
| import org.bouncycastle.jce.PrincipalUtil; | |||
| import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; | |||
| import org.bouncycastle.openssl.PEMEncryptor; | |||
| import org.bouncycastle.openssl.PEMWriter; | |||
| import org.bouncycastle.openssl.jcajce.JcaPEMWriter; | |||
| import org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder; | |||
| import org.bouncycastle.operator.ContentSigner; | |||
| @@ -445,9 +444,9 @@ public class X509Utils { | |||
| boolean asPem = targetFile.getName().toLowerCase().endsWith(".pem"); | |||
| if (asPem) { | |||
| // PEM encoded X509 | |||
| PEMWriter pemWriter = null; | |||
| JcaPEMWriter pemWriter = null; | |||
| try { | |||
| pemWriter = new PEMWriter(new FileWriter(tmpFile)); | |||
| pemWriter = new JcaPEMWriter(new FileWriter(tmpFile)); | |||
| pemWriter.writeObject(cert); | |||
| pemWriter.flush(); | |||
| } finally { | |||
| @@ -560,9 +559,9 @@ public class X509Utils { | |||
| pair.getPublic()); | |||
| JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); | |||
| certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); | |||
| certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); | |||
| certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); | |||
| certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); | |||
| certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false)); | |||
| certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); | |||
| // support alternateSubjectNames for SSL certificates | |||
| List<GeneralName> altNames = new ArrayList<GeneralName>(); | |||
| @@ -571,7 +570,7 @@ public class X509Utils { | |||
| } | |||
| if (altNames.size() > 0) { | |||
| GeneralNames subjectAltName = new GeneralNames(altNames.toArray(new GeneralName [altNames.size()])); | |||
| certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); | |||
| certBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltName); | |||
| } | |||
| ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM) | |||
| @@ -629,10 +628,10 @@ public class X509Utils { | |||
| caPair.getPublic()); | |||
| JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); | |||
| caBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(caPair.getPublic())); | |||
| caBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caPair.getPublic())); | |||
| caBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(true)); | |||
| caBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); | |||
| caBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(caPair.getPublic())); | |||
| caBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caPair.getPublic())); | |||
| caBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true)); | |||
| caBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); | |||
| JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BC); | |||
| X509Certificate cert = converter.getCertificate(caBuilder.build(caSigner)); | |||
| @@ -862,14 +861,14 @@ public class X509Utils { | |||
| pair.getPublic()); | |||
| JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); | |||
| certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); | |||
| certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); | |||
| certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); | |||
| certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature)); | |||
| certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); | |||
| certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false)); | |||
| certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); | |||
| certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature)); | |||
| if (!StringUtils.isEmpty(clientMetadata.emailAddress)) { | |||
| GeneralNames subjectAltName = new GeneralNames( | |||
| new GeneralName(GeneralName.rfc822Name, clientMetadata.emailAddress)); | |||
| certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); | |||
| certBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltName); | |||
| } | |||
| ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey); | |||
Loading…