Merge pull request #1159 from flybyray/proposed-lighthouse-2089-missing-bouncycastle

[#2089 ] upgrade bouncycastle

Author: asolntsev

documentation/manual/production.textile

@@ -189,7 +189,8 @@ bc. # X509 certificates
 certificate.key.file=conf/host.key
 certificate.file=conf/host.cert
 # In case your key file is password protected
-certificate.password=secret
+# certificate.key.file=conf/host.pass.key
+# certificate.password=secret
 trustmanager.algorithm=JKS
 
 If you are using keystore:
@@ -202,8 +203,13 @@ Note that the values above are the default values.
 
 You can generate self-signed certificates using *openssl*: 
 
-bc. openssl genrsa 1024 > host.key
-openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert
+bc. openssl genrsa -des3 -passout pass:secret -out host.pass.key 2048
+openssl rsa -passin pass:secret -in host.pass.key -out host.key
+openssl req -new -key host.key -out host.csr -subj '/C=GB/ST=Test State or Province/L=Test Locality/O=Organization Name/OU=Organizational Unit Name/CN=Common Name/emailAddress=test@email.address'
+openssl x509 -req -days 3650 -in host.csr -signkey host.key -out host.cert
+
+note. the first command creates a password-protected-key ('host.pass.key').
+the second command converts/writes the same key ('host.key') without password protection.
 
 If you are using the Java keystore mechanism, then the following properties can be configured in your @application.conf@ file:
 

framework/dependencies.yml

@@ -43,7 +43,8 @@ require:    &allDependencies
     - oauth.signpost -> signpost-core 1.2.1.2
     - org.apache.geronimo.specs -> geronimo-servlet_2.5_spec 1.2
     - org.apache.ivy -> ivy 2.4.0
-    - org.bouncycastle -> bcprov-jdk15 1.46
+    - org.bouncycastle -> bcprov-jdk15on 1.57
+    - org.bouncycastle -> bcpkix-jdk15on 1.57
     - org.codehaus.groovy -> groovy-all 2.4.11
     - org.eclipse.jdt.core 3.12.3
     - org.hibernate -> hibernate-core 5.2.10.patched

framework/lib/bcpkix-jdk15on-1.57.jar

@@ -2,7 +2,10 @@
 
 import java.io.PrintWriter;
 import java.io.StringWriter;
+import java.net.URISyntaxException;
 import java.net.URL;
+import java.nio.file.FileSystemNotFoundException;
+import java.nio.file.Paths;
 import java.text.MessageFormat;
 import java.util.ArrayList;
 import java.util.List;
@@ -70,10 +73,11 @@ public static void init() {
             PropertyConfigurator.configure(shutUp);
         } else if (Logger.log4j == null) {
 
-            if (log4jConf.getFile().indexOf(Play.applicationPath.getAbsolutePath()) == 0) {
-                // The log4j configuration file is located somewhere in the application folder,
-                // so it's probably a custom configuration file
-                configuredManually = true;
+            try {
+                if (Paths.get(log4jConf.toURI()).startsWith(Play.applicationPath.toPath())) {
+                    configuredManually = true;
+                }
+            } catch (IllegalArgumentException | FileSystemNotFoundException | SecurityException | URISyntaxException e) {
             }
             if (isXMLConfig) {
                 DOMConfigurator.configure(log4jConf);

framework/lib/bcprov-jdk15-1.46.jar

@@ -1,19 +1,24 @@
 package play.server.ssl;
 
+import org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.openssl.PEMReader;
-import org.bouncycastle.openssl.PasswordFinder;
+import org.bouncycastle.openssl.PEMDecryptorProvider;
+import org.bouncycastle.openssl.PEMEncryptedKeyPair;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
 import play.Logger;
 import play.Play;
 
 import javax.net.ssl.*;
+import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileReader;
 import java.net.Socket;
 import java.security.*;
 import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.List;
+import java.util.Collection;
 import java.util.Properties;
 
 public class SslHttpServerContextFactory {
@@ -84,18 +89,22 @@ public PEMKeyManager() {
             final Properties p = Play.configuration;
             String keyFile = p.getProperty("certificate.key.file", "conf/host.key");
 
-            try (PEMReader keyReader = new PEMReader(new FileReader(Play.getFile(keyFile)), new PEMPasswordFinder())) {
-                key = ((KeyPair) keyReader.readObject()).getPrivate();
-
-                try (PEMReader reader = new PEMReader(new FileReader(Play.getFile(p.getProperty("certificate.file", "conf/host.cert"))))) {
-                    X509Certificate cert;
-                    List<X509Certificate> chainVector = new ArrayList<>();
-
-                    while ((cert = (X509Certificate) reader.readObject()) != null) {
-                        chainVector.add(cert);
-                    }
-                    chain = chainVector.toArray(new X509Certificate[1]);
+            try (PEMParser keyReader = new PEMParser(new FileReader(Play.getFile(keyFile)))) {
+                final Object object = keyReader.readObject();
+                JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
+                final KeyPair keyPair;
+                if (object instanceof PEMEncryptedKeyPair) {
+                    PEMDecryptorProvider decProv = new JcePEMDecryptorProviderBuilder()
+                            .build(Play.configuration.getProperty("certificate.password", "secret").toCharArray());
+                    keyPair = converter.getKeyPair(((PEMEncryptedKeyPair) object).decryptKeyPair(decProv));
+                } else {
+                    keyPair = converter.getKeyPair((PEMKeyPair) object);
                 }
+                key = keyPair.getPrivate();
+
+                final File hostCertFile = Play.getFile(p.getProperty("certificate.file", "conf/host.cert"));
+                final Collection collection = new CertificateFactory().engineGenerateCertificates(new FileInputStream(hostCertFile));
+                chain = (X509Certificate[]) collection.toArray(new X509Certificate[collection.size()]);
             } catch (Exception e) {
                 Logger.error(e, "Failed to initialize PEMKeyManager from file %s", keyFile);
             }
@@ -136,12 +145,4 @@ public PrivateKey getPrivateKey(String s) {
             return key;
         }
     }
-    
-    private static class PEMPasswordFinder implements PasswordFinder {
-        @Override
-        public char[] getPassword() {
-            return Play.configuration.getProperty("certificate.password", "secret").toCharArray();
-        }
-    }
-
 }

framework/lib/bcprov-jdk15on-1.57.jar

@@ -1,6 +1,7 @@
 package play.templates;
 
 import groovy.lang.Closure;
+import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import play.mvc.Http;
@@ -18,15 +19,27 @@
 public class FastTagsTest {
 
     private StringWriter out = new StringWriter();
+    final String backupSystemLineBreak = System.getProperty("line.separator");
 
     @Before
     public void setUp() throws Exception {
+        //if you render html into out
+        // and expect results with line breaks
+        // take into account that your tests will fail on other platforms
+        // force line.separator be the same on any platform
+        // or use String.format in expected code with the placeholder '%n' for any expected line separation.
+        System.setProperty("line.separator","\n");
         Http.Response.current.set(new Http.Response());
         Http.Response.current().encoding = "UTF-8";
 
         Scope.Session.current.set(new Scope.Session());
         Scope.Session.current().put("___AT", "1234");
     }
+    @After
+    public void tearDown() throws Exception {
+        // restore line.separator
+        System.setProperty("line.separator", backupSystemLineBreak);
+    }
 
     @Test
     public void _form_simple() throws Exception {