[refactor] review deprecated APIs on certificate sign

kares · kares · commit 4b2968b3fd2e · 2022-05-09T12:53:30.000+02:00
diff --git a/src/main/java/org/jruby/ext/openssl/X509Cert.java b/src/main/java/org/jruby/ext/openssl/X509Cert.java
@@ -32,7 +32,6 @@
 import java.io.StringWriter;
 import java.math.BigInteger;
 
-import java.security.GeneralSecurityException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
@@ -60,6 +59,12 @@
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
 
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 import org.joda.time.DateTime;
 import org.jruby.Ruby;
 import org.jruby.RubyArray;
@@ -593,60 +598,70 @@ else if (digest instanceof RubyString) {
             throw newCertificateError(runtime, "signature_algorithm not supported");
         }
 
-        org.bouncycastle.x509.X509V3CertificateGenerator builder = getCertificateBuilder();
-
+        final X509v3CertificateBuilder builder = newCertificateBuilder();
         for ( X509Extension ext : uniqueExtensions() ) {
             try {
                 final byte[] bytes = ext.getRealValueEncoded();
-                builder.addExtension(ext.getRealObjectID().getId(), ext.isRealCritical(), bytes);
+                builder.addExtension(ext.getRealObjectID(), ext.isRealCritical(), bytes);
             }
-            catch (IOException ioe) {
-                throw runtime.newIOErrorFromException(ioe);
+            catch (IOException e) {
+                throw newCertificateError(runtime, "invalid extension (" + e.getMessage() + ")", e);
             }
         }
 
-        builder.setSignatureAlgorithm(digAlg + "WITH" + keyAlg); // "SHA1WITHRSA"
-
+        final X509CertificateHolder certHolder;
         try {
-            cert = builder.generate( ((PKey) key).getPrivateKey() );
-        }
-        catch (GeneralSecurityException e) {
-            throw newCertificateError(runtime, e);
-        }
-        catch (IllegalStateException e) {
+            ContentSigner signer =
+                    new JcaContentSignerBuilder(digAlg + "WITH" + keyAlg).
+                            build(((PKey) key).getPrivateKey());
+            certHolder = builder.build(signer);
+        } catch (OperatorCreationException e) {
+            Exception cause = (Exception) e.getCause(); // GeneralSecurityException
+            if (cause == null) cause = e;
+            throw newCertificateError(runtime, "cannot create signer: " + cause.getMessage(), cause);
+        } catch (IllegalStateException e) {
             // e.g. "not all mandatory fields set in V3 TBScertificate generator"
             throw newCertificateError(runtime, "could not generate certificate", e);
+        } catch (RuntimeException e) {
+            throw newCertificateError(runtime, e);
         }
 
-        if (cert == null) throw newCertificateError(runtime, (String) null);
+        try {
+            this.cert = (X509Certificate)
+                    SecurityHelper.getCertificateFactory("X.509").
+                            generateCertificate(new ByteArrayInputStream(certHolder.getEncoded()));
+        } catch (IOException|CertificateException e) {
+            throw newCertificateError(runtime, "could not re-generate certificate", e);
+        }
 
-        String name = ASN1Registry.o2a(cert.getSigAlgOID());
+        String name = ASN1Registry.o2a(certHolder.getSignatureAlgorithm().getAlgorithm());
         if ( name == null ) name = cert.getSigAlgOID();
         this.sig_alg = runtime.newString(name);
         this.changed = false;
         return this;
     }
 
-    private org.bouncycastle.x509.X509V3CertificateGenerator getCertificateBuilder() {
-        org.bouncycastle.x509.X509V3CertificateGenerator generator =
-            new org.bouncycastle.x509.X509V3CertificateGenerator();
-        if ( serial.equals(BigInteger.ZERO) ) { // NOTE: diversion from MRI (OpenSSL allows not setting serial)
-            throw newCertificateError(getRuntime(), "Certificate#serial needs to be set (to > 0)");
-        }
-        generator.setSerialNumber( serial.abs() );
-
-        if ( subject != null ) generator.setSubjectDN( ((X509Name) subject).getRealName() );
-        if ( issuer != null ) generator.setIssuerDN( ((X509Name) issuer).getRealName() );
+    private X509v3CertificateBuilder newCertificateBuilder() {
+        //if ( serial.equals(BigInteger.ZERO) ) { // NOTE: diversion from MRI (OpenSSL allows not setting serial)
+        //    throw newCertificateError(getRuntime(), "Certificate#serial needs to be set (to > 0)");
+        //}
 
-        generator.setNotBefore( not_before.getJavaDate() );
-        generator.setNotAfter( not_after.getJavaDate() );
-        generator.setPublicKey( getPublicKey() );
+        SubjectPublicKeyInfo publicKeyInfo;
+        try {
+            publicKeyInfo = SubjectPublicKeyInfo.getInstance(public_key.getPublicKey().getEncoded());
+        } catch (Exception e) {
+            throw newCertificateError(getRuntime(), "invalid public key data", e);
+        }
 
-        return generator;
+        return new X509v3CertificateBuilder(
+                issuer == null ? null : ((X509Name) issuer).getX500Name(),
+                serial.abs(),
+                not_before.getJavaDate(), not_after.getJavaDate(),
+                subject == null ? null : ((X509Name) subject).getX500Name(),
+                publicKeyInfo
+        );
     }
 
-    //private transient org.bouncycastle.x509.X509V3CertificateGenerator generator;
-
     @JRubyMethod
     public RubyBoolean verify(final IRubyObject key) {
         final Ruby runtime = getRuntime();
diff --git a/src/main/java/org/jruby/ext/openssl/X509Name.java b/src/main/java/org/jruby/ext/openssl/X509Name.java
@@ -526,16 +526,6 @@ private static String name(final Ruby runtime, final ASN1ObjectIdentifier oid) {
         return ASN1.oid2name(runtime, oid, true);
     }
 
-    @Deprecated
-    @SuppressWarnings("unchecked")
-    org.bouncycastle.asn1.x509.X509Name getRealName() {
-        final java.util.Vector strValues = new java.util.Vector();
-        for ( ASN1Encodable value : values ) strValues.add( value.toString() );
-        return new org.bouncycastle.asn1.x509.X509Name(
-            new java.util.Vector<Object>(oids), strValues
-        );
-    }
-
     final X500Name getX500Name() {
         if ( name != null ) return name;
 
