feat: remove use of sun.security.x509.* to support Java 17

- Remove use of "sun.security.x509.*" and replace it with "org.bouncycastle.asn1". - Update policy with apim 3.20.22 dependencies - Fix Unit test on CRL validation - Adds integration tests (@GatewayTest)
gravitee-io · Oct 26, 2023 · 98cb397 · 98cb397
1 parent 50a43f3
commit 98cb397
Show file tree

Hide file tree

Showing 43 changed files with 1,525 additions and 134 deletions.
diff --git a/pom.xml b/pom.xml
@@ -30,14 +30,15 @@
     <parent>
         <groupId>io.gravitee</groupId>
         <artifactId>gravitee-parent</artifactId>
-        <version>17.2</version>
+        <version>20.4</version>
     </parent>
 
     <properties>
-        <gravitee-gateway.version>3.5.0</gravitee-gateway.version>
-        <gravitee-gateway-api.version>1.23.0</gravitee-gateway-api.version>
-        <gravitee-policy-api.version>1.10.0</gravitee-policy-api.version>
-        <gravitee-common.version>1.19.0</gravitee-common.version>
+        <gravitee-bom.version>2.9</gravitee-bom.version>
+        <gravitee-apim.version>3.20.21</gravitee-apim.version>
+        <gravitee-gateway-api.version>2.0.1</gravitee-gateway-api.version>
+        <gravitee-policy-api.version>1.11.0</gravitee-policy-api.version>
+        <gravitee-common.version>2.3.0</gravitee-common.version>
         <jjwt.version>0.9.1</jjwt.version>
 
         <json-schema-generator-maven-plugin.version>1.1.0</json-schema-generator-maven-plugin.version>
@@ -47,6 +48,19 @@
         <publish-folder-path>graviteeio-apim/plugins/policies</publish-folder-path>
     </properties>
 
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>io.gravitee</groupId>
+                <artifactId>gravitee-bom</artifactId>
+                <version>${gravitee-bom.version}</version>
+                <scope>import</scope>
+                <type>pom</type>
+            </dependency>
+        </dependencies>
+
+    </dependencyManagement>
+
     <dependencies>
         <!-- Provided scope -->
         <dependency>
@@ -71,9 +85,9 @@
         </dependency>
 
         <dependency>
-            <groupId>io.gravitee.gateway</groupId>
-            <artifactId>gravitee-gateway-buffer</artifactId>
-            <version>${gravitee-gateway.version}</version>
+            <groupId>io.gravitee.apim.gateway</groupId>
+            <artifactId>gravitee-apim-gateway-buffer</artifactId>
+            <version>${gravitee-apim.version}</version>
             <scope>provided</scope>
         </dependency>
 
@@ -88,22 +102,19 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>${jackson.version}</version>
             <scope>provided</scope>
         </dependency>
 
         <!-- Logging -->
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
-            <version>${slf4j.version}</version>
             <scope>provided</scope>
         </dependency>
 
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-core</artifactId>
-            <version>${spring.version}</version>
             <scope>provided</scope>
         </dependency>
 
@@ -117,14 +128,12 @@
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
-            <version>${junit.version}</version>
             <scope>test</scope>
         </dependency>
 
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-core</artifactId>
-            <version>${mockito.version}</version>
             <scope>test</scope>
         </dependency>
 
@@ -141,6 +150,32 @@
             <version>1.4.0</version>
             <scope>test</scope>
         </dependency>
+
+        <dependency>
+            <groupId>io.gravitee.apim.gateway</groupId>
+            <artifactId>gravitee-apim-gateway-tests-sdk</artifactId>
+            <version>${gravitee-apim.version}</version>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.2.2</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk15on</artifactId>
+            <version>1.70</version>
+            <scope>compile</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.xmlbeans</groupId>
+            <artifactId>xmlbeans</artifactId>
+            <version>3.1.0</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>
@@ -173,7 +208,6 @@
             </plugin>
             <plugin>
                 <artifactId>maven-assembly-plugin</artifactId>
-                <version>${maven-assembly-plugin.version}</version>
                 <configuration>
                     <appendAssemblyId>false</appendAssemblyId>
                     <descriptors>
@@ -193,33 +227,19 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <configuration>
-                    <argLine>--add-opens java.base/sun.security.x509=ALL-UNNAMED</argLine>
-                </configuration>
             </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-javadoc-plugin</artifactId>
-                <configuration>
-                    <additionalJOption>--add-exports=java.base/sun.security.x509=ALL-UNNAMED</additionalJOption>
-                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.11.0</version>
             </plugin>
             <plugin>
                 <groupId>com.hubspot.maven.plugins</groupId>
                 <artifactId>prettier-maven-plugin</artifactId>
-                <version>0.17</version>
-                <configuration>
-                    <nodeVersion>12.13.0</nodeVersion>
-                    <prettierJavaVersion>1.6.1</prettierJavaVersion>
-                </configuration>
-                <executions>
-                    <execution>
-                        <phase>validate</phase>
-                        <goals>
-                            <goal>check</goal>
-                        </goals>
-                    </execution>
-                </executions>
             </plugin>
         </plugins>
     </build>

diff --git a/src/main/java/io/gravitee/policy/jws/JWSPolicy.java b/src/main/java/io/gravitee/policy/jws/JWSPolicy.java
@@ -32,7 +32,6 @@
 import io.jsonwebtoken.impl.DefaultClaims;
 import java.io.*;
 import java.math.BigInteger;
-import java.net.URI;
 import java.net.URL;
 import java.net.URLConnection;
 import java.nio.charset.Charset;
@@ -50,17 +49,20 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import javax.xml.bind.DatatypeConverter;
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.DERIA5String;
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.x509.*;
+import org.bouncycastle.asn1.x509.Extension;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.core.env.Environment;
-import sun.security.x509.*;
 
 /**
- * @author Titouan COMPIEGNE (titouan.compiegne at graviteesource.com)
  * @author GraviteeSource Team
  */
 public class JWSPolicy {
-
     private static final Logger LOGGER = LoggerFactory.getLogger(JWSPolicy.class);
     private static final String DEFAULT_KID = "default";
     private static final String PUBLIC_KEY_PROPERTY = "policy.jws.kid.%s";
@@ -123,7 +125,7 @@ Function<Buffer, Buffer> map(ExecutionContext executionContext, PolicyChain poli
                 | IllegalArgumentException
                 | CertificateException ex
             ) {
-                LOGGER.error("Failed to decoding JWS token", ex);
+                LOGGER.error("Unable to decode JWS token. {}", ex.getMessage(), ex);
                 policyChain.streamFailWith(PolicyResult.failure(HttpStatusCode.UNAUTHORIZED_401, "Unauthorized"));
                 return null;
             } catch (Exception ex) {
@@ -206,6 +208,7 @@ private DefaultClaims validateJsonWebToken(String jwt, ExecutionContext executio
      */
     private SigningKeyResolver getSigningKeyResolverByGatewaySettings(ExecutionContext executionContext) {
         return new SigningKeyResolverAdapter() {
+
             @Override
             public Key resolveSigningKey(JwsHeader header, Claims claims) {
                 String keyId = header.getKeyId(); //or any other field that you need to inspect
@@ -239,29 +242,44 @@ public Key resolveSigningKey(JwsHeader header, Claims claims) {
     public void validateCRLSFromCertificate(X509Certificate certificate, BigInteger serialNumber) throws CertificateException {
         X509CRLEntry revokedCertificate = null;
         X509CRL crl;
-        X509CertImpl x509Cert = (X509CertImpl) certificate;
-        CRLDistributionPointsExtension crlDistroExtension = x509Cert.getCRLDistributionPointsExtension();
-        if (crlDistroExtension != null) {
+        byte[] crlDistributionPointDerEncodedArray = certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
+
+        if (crlDistributionPointDerEncodedArray != null) {
             try {
-                ArrayList<DistributionPoint> distributionPoints = (ArrayList<DistributionPoint>) crlDistroExtension.get(
-                    CRLDistributionPointsExtension.POINTS
-                );
-                Iterator<DistributionPoint> iterator = distributionPoints.iterator();
+                ASN1InputStream oAsnInStream = new ASN1InputStream(new ByteArrayInputStream(crlDistributionPointDerEncodedArray));
+                ASN1Primitive derObjCrlDP = oAsnInStream.readObject();
+                DEROctetString dosCrlDP = (DEROctetString) derObjCrlDP;
+
+                oAsnInStream.close();
+
+                byte[] crldpExtOctets = dosCrlDP.getOctets();
+                ASN1InputStream oAsnInStream2 = new ASN1InputStream(new ByteArrayInputStream(crldpExtOctets));
+                ASN1Primitive derObj2 = oAsnInStream2.readObject();
+                CRLDistPoint distPoint = CRLDistPoint.getInstance(derObj2);
+
+                oAsnInStream2.close();
+
+                Iterator<DistributionPoint> iterator = Arrays.stream(distPoint.getDistributionPoints()).iterator();
                 boolean hasError = false;
                 while (iterator.hasNext()) {
                     if (revokedCertificate != null) {
                         break;
                     }
-                    GeneralNames distroName = iterator.next().getFullName();
-                    for (int i = 0; i < distroName.size(); ++i) {
+                    DistributionPointName dpn = iterator.next().getDistributionPoint();
+                    if (dpn.getType() != DistributionPointName.FULL_NAME) {
+                        // Look for only URIs in fullName
+                        continue;
+                    }
+
+                    for (GeneralName genName : GeneralNames.getInstance(dpn.getName()).getNames()) {
                         hasError = false;
                         if (revokedCertificate != null) {
                             break;
                         }
                         DataInputStream inStream = null;
                         try {
-                            URI uri = ((URIName) distroName.get(i).getName()).getURI();
-                            URL url = new URL(uri.toString());
+                            String urlString = DERIA5String.getInstance(genName.getName()).getString();
+                            URL url = new URL(urlString);
                             URLConnection connection = url.openConnection();
                             inStream = new DataInputStream(connection.getInputStream());
                             crl = (X509CRL) certificateFactory().generateCRL(inStream);

diff --git a/src/main/java/io/gravitee/policy/jws/configuration/JWSPolicyConfiguration.java b/src/main/java/io/gravitee/policy/jws/configuration/JWSPolicyConfiguration.java
@@ -22,7 +22,6 @@
  * @author GraviteeSource Team
  */
 public class JWSPolicyConfiguration implements PolicyConfiguration {
-
     private boolean checkCertificateValidity = false;
 
     private boolean checkCertificateRevocation = false;

diff --git a/src/main/java/io/gravitee/policy/jws/utils/JsonUtils.java b/src/main/java/io/gravitee/policy/jws/utils/JsonUtils.java
@@ -23,7 +23,6 @@
  * @author GraviteeSource Team
  */
 public class JsonUtils {
-
     private static final ObjectMapper mapper = new ObjectMapper();
 
     public static String writeValueAsString(Object value) {

diff --git a/src/test/README.md b/src/test/README.md
@@ -0,0 +1 @@
+Tests rely on generated keys and certificates, to regenerate them, please refer to the [dedicated documentation](./resources/io/gravitee/policy/jws/cert-with-crl/README.md).
diff --git a/src/test/java/io/gravitee/policy/jws/ConfigurableStreamHandlerFactory.java b/src/test/java/io/gravitee/policy/jws/ConfigurableStreamHandlerFactory.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2015 The Gravitee team (http://gravitee.io)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.gravitee.policy.jws;
+
+import java.net.URLStreamHandler;
+import java.net.URLStreamHandlerFactory;
+import java.util.HashMap;
+import java.util.Map;
+
+class ConfigurableStreamHandlerFactory implements URLStreamHandlerFactory {
+    private final Map<String, URLStreamHandler> protocolHandlers;
+
+    public ConfigurableStreamHandlerFactory(String protocol, URLStreamHandler urlHandler) {
+        protocolHandlers = new HashMap<String, URLStreamHandler>();
+        addHandler(protocol, urlHandler);
+    }
+
+    public void addHandler(String protocol, URLStreamHandler urlHandler) {
+        protocolHandlers.put(protocol, urlHandler);
+    }
+
+    public URLStreamHandler createURLStreamHandler(String protocol) {
+        return protocolHandlers.get(protocol);
+    }
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Tests rely on generated keys and certificates, to regenerate them, please refer to the [dedicated documentation](./resources/io/gravitee/policy/jws/cert-with-crl/README.md).