[feature] Switch from GNU Crypto to Bouncy Castle

adamretter · adamretter · commit 1e8a2d171ebe · 2018-11-06T17:19:41.000+08:00
diff --git a/.classpath b/.classpath
@@ -81,7 +81,7 @@
 	<classpathentry kind="lib" path="extensions/webdav/lib/mime-util-2.1.3.jar"/>
 	<classpathentry kind="lib" path="lib/optional/isorelax-20041111.jar"/>
 	<classpathentry kind="lib" path="lib/optional/xqjapi-1.0-fr.jar"/>
-	<classpathentry kind="lib" path="lib/core/gnu-crypto-2.0.1.jar"/>
+	<classpathentry kind="lib" path="lib/core/bcprov-jdk15on-1.60.jar"/>
 	<classpathentry kind="lib" path="tools/jetty/lib/existdb-favicon.jar"/>
 	<classpathentry kind="lib" path="tools/jetty/lib/asm-6.0.jar"/>
 	<classpathentry kind="lib" path="tools/jetty/lib/asm-commons-6.0.jar"/>
diff --git a/conf.xml.tmpl b/conf.xml.tmpl
@@ -211,7 +211,7 @@
 		<!--
 		    Trigger for registering the GNU Crypto JCE Provider with Java
 		-->
-		<trigger class="org.exist.security.GnuCryptoJceProviderStartupTrigger"/>
+		<trigger class="org.exist.security.BouncyCastleJceProviderStartupTrigger"/>
 
                 <!--
                     Trigger for registering eXists XML:DB URL handler with Java
diff --git a/lib/core/bcprov-jdk15on-1.60.jar b/lib/core/bcprov-jdk15on-1.60.jar
diff --git a/lib/core/bcprov-jdk15on-LICENSE.txt b/lib/core/bcprov-jdk15on-LICENSE.txt
@@ -0,0 +1,7 @@
+Copyright (c) 2000 - 2017 The Legion of the Bouncy Castle Inc. (http://www.bouncycastle.org)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/lib/core/gnu-crypto-2.0.1.jar b/lib/core/gnu-crypto-2.0.1.jar
diff --git a/lib/core/gnu-crypto-COPYING.txt b/lib/core/gnu-crypto-COPYING.txt
diff --git a/lib/core/gnu-crypto-LICENSE.txt b/lib/core/gnu-crypto-LICENSE.txt
diff --git a/nbproject/project.properties b/nbproject/project.properties
@@ -24,7 +24,7 @@ file.reference.javax.transaction-api-1.2.jar=tools/jetty/lib/javax.transaction-a
 file.reference.jcip-annotations-1.0.jar=lib/core/jcip-annotations-1.0.jar
 file.reference.cglib-nodep-3.2.6.jar=lib/core/cglib-nodep-3.2.6.jar
 file.reference.easymock-3.6.jar=lib/test/easymock-3.6.jar
-file.reference.gnu-crypto-2.0.1.jar=lib/core/gnu-crypto-2.0.1.jar
+file.reference.bcprov-jdk15on-1.60.jar=lib/core/bcprov-jdk15on-1.60.jar
 file.reference.jetty-jndi-9.4.10.v20180503.jar=tools/jetty/lib/jetty-jndi-9.4.10.v20180503.jar
 file.reference.jna-4.5.0.jar=tools/yajsw/lib/core/jna/jna-4.5.0.jar
 file.reference.jna-platform-4.5.0.jar=tools/yajsw/lib/core/jna/jna-platform-4.5.0.jar
@@ -297,7 +297,7 @@ javac.classpath=\
     ${file.reference.xmlrpc-common-3.1.3.jar}:\
     ${file.reference.xmlrpc-server-3.1.3.jar}:\
     ${file.reference.jackson-core-2.9.5.jar}:\
-    ${file.reference.gnu-crypto-2.0.1.jar}:\
+    ${file.reference.bcprov-jdk15on-1.60.jar}:\
     ${file.reference.cglib-nodep-3.2.6.jar}:\
     ${file.reference.jcip-annotations-1.0.jar}:\
     ${file.reference.commons-compress-1.17.jar}:\
diff --git a/src/org/exist/security/BouncyCastleJceProviderStartupTrigger.java b/src/org/exist/security/BouncyCastleJceProviderStartupTrigger.java
@@ -21,6 +21,7 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.exist.storage.DBBroker;
 import org.exist.storage.StartupTrigger;
 import org.exist.storage.txn.Txn;
@@ -29,21 +30,21 @@
 import java.util.Map;
 
 /**
- * Startup Trigger to register the GNU Crypto JCE Provider
+ * Startup Trigger to register the Bouncy Castle JCE Provider
  *
  * @author Adam Retter <adam@exist-db.org>
  */
-public class GnuCryptoJceProviderStartupTrigger implements StartupTrigger {
+public class BouncyCastleJceProviderStartupTrigger implements StartupTrigger {
 
     private final static Logger LOG = LogManager.getLogger(
-        GnuCryptoJceProviderStartupTrigger.class);
+        BouncyCastleJceProviderStartupTrigger.class);
 
     @Override
     public void execute(final DBBroker sysBroker, final Txn transaction,
-                        final Map<String, List<? extends Object>> params) {
+            final Map<String, List<? extends Object>> params) {
 
-      java.security.Security.addProvider(new gnu.crypto.jce.GnuCrypto());
+      java.security.Security.addProvider(new BouncyCastleProvider());
 
-      LOG.info("Registered JCE Security Provider: gnu.crypto.jce.GnuCrypto");
+      LOG.info("Registered JCE Security Provider: org.bouncycastle.jce.provider.BouncyCastleProvider");
     }
 }
diff --git a/src/org/exist/security/internal/Password.java b/src/org/exist/security/internal/Password.java
@@ -19,23 +19,24 @@
  */
 package org.exist.security.internal;
 
-import gnu.crypto.hash.MD5;
-import gnu.crypto.hash.RipeMD160;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.apache.commons.codec.binary.Base64;
+import org.bouncycastle.crypto.digests.GeneralDigest;
+import org.bouncycastle.crypto.digests.MD5Digest;
+import org.bouncycastle.crypto.digests.RIPEMD160Digest;
 import org.exist.security.Account;
 import org.exist.security.Credential;
 import org.exist.security.MessageDigester;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+
 /**
  * @author <a href="mailto:shabanovd@gmail.com">Dmitriy Shabanov</a>
  * @author <a href="mailto:adam.retter@gmail.com">Adam Retter</a>
  *
  */
 public class Password implements Credential {
-
-    //TODO switch over to using jBCrypt
     
     public enum Hash {
         MD5,
@@ -108,22 +109,22 @@ final byte[] hash(String p) {
         }
     }
     
-    final byte[] ripemd160Hash(String p) {
+    final byte[] ripemd160Hash(final String p) {
         //ripemd160 hash
-        final RipeMD160 ripemd160 = new RipeMD160();
-        final byte[] data = p.getBytes();
-        ripemd160.update(data, 0, data.length);
-        final byte[] hash = ripemd160.digest();
-        return hash;
+        return digest(p, new RIPEMD160Digest());
     }
     
-    final byte[] md5Hash(String p) {
-        //md5 hash
-        final MD5 md5 = new MD5();
-        final byte[] data = p.getBytes();
-        md5.update(data, 0, data.length);
-        final byte[] hash = md5.digest();
-        return hash;
+    final byte[] md5Hash(final String p) {
+        return digest(p, new MD5Digest());
+    }
+
+    private static byte[] digest(final String s, final GeneralDigest generalDigest) {
+        final byte[] data = s.getBytes();
+        generalDigest.update(data, 0, data.length);
+
+        final byte[] digest = new byte[generalDigest.getDigestSize()];
+        generalDigest.doFinal(digest, 0);
+        return digest;
     }
     
 
diff --git a/src/org/exist/start/start.config b/src/org/exist/start/start.config
@@ -35,7 +35,7 @@ exist-optional.jar                                 always
 test/classes                                       mode == other
 lib/endorsed/*                                     always
 lib/core/antlr-%latest%.jar                        always
-lib/core/gnu-crypto-%latest%.jar                   always
+lib/core/bcprov-jdk15on-%latest%.jar               always
 lib/core/caffeine-%latest%.jar                     always
 lib/core/commons-codec-%latest%.jar                always
 lib/core/commons-collections-%latest%.jar          always
diff --git a/test/src/org/exist/storage/ConcurrentBrokerPoolTest.conf.xml b/test/src/org/exist/storage/ConcurrentBrokerPoolTest.conf.xml
@@ -7,7 +7,7 @@
 
         <startup>
             <triggers>
-                <trigger class="org.exist.security.GnuCryptoJceProviderStartupTrigger"/>
+                <trigger class="org.exist.security.BouncyCastleJceProviderStartupTrigger"/>
             </triggers>
         </startup>
 
