From "pascal oliva (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10847) Cleanup calling of sun.security.x509
Date Fri, 01 Aug 2014 13:33:39 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10847?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14082238#comment-14082238
] 

pascal oliva commented on HADOOP-10847:
---------------------------------------

diff --git hadoop-common-project/hadoop-common/pom.xml hadoop-common-project/hadoop-common/pom.xml
index c48bb8e..e633bce 100644
--- hadoop-common-project/hadoop-common/pom.xml
+++ hadoop-common-project/hadoop-common/pom.xml
@@ -250,6 +250,12 @@
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-compress</artifactId>
     </dependency>
+    <dependency>
+	<groupId>org.bouncycastle</groupId>
+	<artifactId>bcprov-jdk16</artifactId>
+	<version>1.46</version>
+        <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>
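Review bot: The added bcprov-jdk16 dependency inlines `<version>1.46</version>` while the neighbouring commons-compress entry carries no version, which suggests versions are managed in the parent pom's dependencyManagement; the new artifact should likely be declared there and referenced here without a version so it is upgraded together with the rest of the build. The new element also mixes tab indentation on the groupId/artifactId/version lines with space indentation on the scope line, unlike the surrounding four-space XML. Pinning a fixed older release of a crypto provider, even at test scope, is worth revisiting once a current release is adopted, since other modules tend to reuse the same coordinates.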
diff --git hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java
index a07faeb..9a68b30 100644
--- hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java
+++ hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java
@@ -19,17 +19,6 @@
 package org.apache.hadoop.security.ssl;
 
 import org.apache.hadoop.conf.Configuration;
-import sun.security.x509.AlgorithmId;
-import sun.security.x509.CertificateAlgorithmId;
-import sun.security.x509.CertificateIssuerName;
-import sun.security.x509.CertificateSerialNumber;
-import sun.security.x509.CertificateSubjectName;
-import sun.security.x509.CertificateValidity;
-import sun.security.x509.CertificateVersion;
-import sun.security.x509.CertificateX509Key;
-import sun.security.x509.X500Name;
-import sun.security.x509.X509CertImpl;
-import sun.security.x509.X509CertInfo;
 
 import java.io.File;
 import java.io.FileOutputStream;
@@ -52,6 +41,16 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import java.security.InvalidKeyException;
+import java.security.NoSuchProviderException;
+import java.security.SignatureException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import javax.security.auth.x500.X500Principal;
+import org.bouncycastle.x509.X509V1CertificateGenerator;
+
+
 public class KeyStoreTestUtil {
 
   public static String getClasspathDir(Class klass) throws Exception {
@@ -63,52 +62,40 @@ public static String getClasspathDir(Class klass) throws Exception {
     return baseDir;
   }
 
+@SuppressWarnings("deprecation")
   /**
    * Create a self-signed X.509 Certificate.
-   * From http://bfo.com/blog/2011/03/08/odds_and_ends_creating_a_new_x_509_certificate.html.
    *
    * @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
    * @param pair the KeyPair
    * @param days how many days from now the Certificate is valid for
    * @param algorithm the signing algorithm, eg "SHA1withRSA"
    * @return the self-signed certificate
-   * @throws IOException thrown if an IO error ocurred.
-   * @throws GeneralSecurityException thrown if an Security error ocurred.
    */
-  public static X509Certificate generateCertificate(String dn, KeyPair pair,
-      int days, String algorithm)
-      throws GeneralSecurityException, IOException {
-    PrivateKey privkey = pair.getPrivate();
-    X509CertInfo info = new X509CertInfo();
-    Date from = new Date();
-    Date to = new Date(from.getTime() + days * 86400000l);
-    CertificateValidity interval = new CertificateValidity(from, to);
-    BigInteger sn = new BigInteger(64, new SecureRandom());
-    X500Name owner = new X500Name(dn);
-
-    info.set(X509CertInfo.VALIDITY, interval);
-    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
-    info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
-    info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
-    info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
-    info
-        .set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
-    AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
-    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
-
-    // Sign the cert to identify the algorithm that's used.
-    X509CertImpl cert = new X509CertImpl(info);
-    cert.sign(privkey, algorithm);
-
-    // Update the algorith, and resign.
-    algo = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG);
-    info
-        .set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM,
-            algo);
-    cert = new X509CertImpl(info);
-    cert.sign(privkey, algorithm);
-    return cert;
-  }
+  public static X509Certificate generateCertificate(String dn, KeyPair pair, int days, String
algorithm) 
+  throws CertificateEncodingException, 
+       InvalidKeyException,
+       IllegalStateException, 
+       NoSuchProviderException, NoSuchAlgorithmException, SignatureException{
+
+	Date from = new Date();
+	Date to = new Date(from.getTime() + days * 86400000l);
+	BigInteger sn = new BigInteger(64, new SecureRandom());
+	KeyPair keyPair = pair;
+        X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
+	X500Principal  dnName = new X500Principal(dn);
+
+	certGen.setSerialNumber(sn);
+	certGen.setIssuerDN(dnName);
+	certGen.setNotBefore(from);
+	certGen.setNotAfter(to);
+	certGen.setSubjectDN(dnName);
+	certGen.setPublicKey(keyPair.getPublic());
+	certGen.setSignatureAlgorithm(algorithm);
+
+	X509Certificate cert = certGen.generate(pair.getPrivate());
+	return cert;
+   }
 
   public static KeyPair generateKeyPair(String algorithm)
       throws NoSuchAlgorithmException {
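Review bot: The rewritten generateCertificate calls the one-argument `certGen.generate(pair.getPrivate())`, whose throws clause (copied into the signature here, including NoSuchProviderException) appears to indicate that it resolves the BouncyCastle provider by name, yet nothing in this patch registers that provider, so the method would fail with NoSuchProviderException unless every caller installs it first. Registering it once in the utility, e.g. in a static initializer `if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) { Security.addProvider(new BouncyCastleProvider()); }`, keeps the helper self-contained. Separately, the replacement produces a version 1 certificate via the deprecated X509V1CertificateGenerator where the removed code built a V3 one, which the Javadoc should state along with the `@throws` entries that were dropped. The `@SuppressWarnings("deprecation")` should move below the Javadoc so the doc comment is attached to the method, and `KeyPair keyPair = pair;`, the three-space closing brace and the tab-indented body are style issues against the file's two-space convention. The `String algorithm)` split onto its own line looks like mail-archive wrapping rather than part of the patch, and generateKeyPair at the end of the hunk continues outside it.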


> Cleanup calling of sun.security.x509 
> -------------------------------------
>
>                 Key: HADOOP-10847
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10847
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Kai Zheng
>            Priority: Minor
>
> As was told by Max (Oracle), JDK9 is likely to block all accesses to sun.* classes.
> Below is from email of Andrew Purtell:
> {quote}
> The use of sun.* APIs to create a certificate in Hadoop and HBase test code can be removed.
Someone (Intel? Oracle?) can submit a JIRA that replaces the programmatic construction with
a stringified binary cert for use in the relevant unit tests. 
> {quote}
> In Hadoop, the calls in question are below:
> {code}
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:24:import
sun.security.x509.CertificateIssuerName;
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:25:import
sun.security.x509.CertificateSerialNumber;
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:26:import
sun.security.x509.CertificateSubjectName;
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:27:import
sun.security.x509.CertificateValidity;
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:28:import
sun.security.x509.CertificateVersion;
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:29:import
sun.security.x509.CertificateX509Key;
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:30:import
sun.security.x509.X500Name; 
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:31:import
sun.security.x509.X509CertImpl; 
> hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java:32:import
sun.security.x509.X509CertInfo;
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
