Posted to commits@nifi.apache.org by "Andy LoPresto (JIRA)" <ji...@apache.org> on 2016/04/14 04:18:25 UTC

[jira] [Resolved] (NIFI-1753) Legacy X.509 certificate handling code should be upgraded

     [ https://issues.apache.org/jira/browse/NIFI-1753?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy LoPresto resolved NIFI-1753.
---------------------------------
    Resolution: Fixed

Various logic throughout the application referenced javax.security.cert.X509Certificate which is a deprecated class and exists only for legacy compatibility with older JSSE implementations. As of Java SE 6, new development should use java.security.cert.X509Certificate. Most references to the legacy classes were in similar logic blocks to retrieve the distinguished name (DN) from the client certificate chain presented during TLS mutual authentication.

I refactored this logic into a common utility method to deduplicate and provided utility methods for converting legacy X509Certificates and the abstract java.security.cert.Certificate returned by the replacement method (javax.net.ssl.SSLSession#getPeerCertificateChain() is succeeded by javax.net.ssl.SSLSession#getPeerCertificates()) to the correct version of X509Certificate.

The module nifi-security-utils was added as a dependency to nifi-utils but contains only two utility classes with static helper methods and four enums. This change may be reverted/expanded as part of the larger-scale work on NIFI-1478, NIFI-1480, etc., but that is 1.0.0 refactor work, while this was a surgical fix for both 0.7.0 and 1.0.0.


> Legacy X.509 certificate handling code should be upgraded
> ---------------------------------------------------------
>
>                 Key: NIFI-1753
>                 URL: https://issues.apache.org/jira/browse/NIFI-1753
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 0.6.1
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>             Fix For: 1.0.0, 0.7.0
>
>
> There are multiple instances throughout the codebase [1][2] where legacy {{javax.security.cert.X509Certificate}} class is used rather than the current (Java SE 6) {{java.security.cert.X509Certificate}}. The {{javax.*}} classes are provided for legacy compatibility with JSSE [3][4]. This can manifest as an exception:
> {{java.lang.ClassCastException: [Ljava.security.cert.X509Certificate; cannot be cast to [Ljavax.security.cert.X509Certificate}}
> The {{CertificateFactory}} class allows conversion to the new format. 
> [1] https://git1-us-west.apache.org/repos/asf?p=nifi.git;a=blob;f=nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidator.java;hb=ffbfffce
> [2] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/HandleHttpRequest.java#L40
> [3] http://stackoverflow.com/a/24600621/70465
> [4] https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLSession.html#getPeerCertificates%28%29
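The following is an added illustration of the two conversions the resolution comment describes and the CertificateFactory approach the issue description points to; it is not the NiFi project's own nifi-security-utils code. The class name CertificateConversion, the method names, and the choice of the RFC 2253 subject DN are assumptions made for this example. The legacy javax.security.cert.X509Certificate is converted by re-parsing its DER encoding, and the abstract java.security.cert.Certificate objects returned by SSLSession#getPeerCertificates() are narrowed to java.security.cert.X509Certificate with an explicit type check instead of an unchecked array cast (the cast that produced the ClassCastException quoted above).

```java
import java.io.ByteArrayInputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Illustrative utility (hypothetical name, not the NiFi project's class) for moving
 * from the deprecated javax.security.cert.X509Certificate to java.security.cert.X509Certificate
 * and for reading the client DN from a TLS mutual-authentication session.
 */
public final class CertificateConversion {

    private static final String X509_TYPE = "X.509";

    private CertificateConversion() {
    }

    /**
     * Converts a legacy javax.security.cert.X509Certificate to the current
     * java.security.cert.X509Certificate by re-parsing its DER encoding with CertificateFactory.
     */
    public static X509Certificate convertLegacyX509Certificate(
            javax.security.cert.X509Certificate legacy) throws CertificateException {
        if (legacy == null) {
            throw new IllegalArgumentException("Legacy certificate must not be null");
        }
        try {
            byte[] der = legacy.getEncoded();
            return parseX509(der);
        } catch (javax.security.cert.CertificateEncodingException e) {
            // The legacy API has its own exception hierarchy; wrap it in the current one
            throw new CertificateException("Could not encode legacy certificate", e);
        }
    }

    /**
     * Narrows the abstract java.security.cert.Certificate returned by
     * SSLSession#getPeerCertificates() to an X509Certificate. Non-X.509 certificates are rejected
     * rather than cast blindly.
     */
    public static X509Certificate convertAbstractCertificate(Certificate certificate)
            throws CertificateException {
        if (certificate == null) {
            throw new IllegalArgumentException("Certificate must not be null");
        }
        if (certificate instanceof X509Certificate) {
            return (X509Certificate) certificate;
        }
        if (!X509_TYPE.equals(certificate.getType())) {
            throw new CertificateException("Unsupported certificate type: " + certificate.getType());
        }
        // Same provider-independent route as for the legacy class: re-parse the DER bytes
        return parseX509(certificate.getEncoded());
    }

    /**
     * Returns the subject DN (RFC 2253 form) of the client's own certificate for a mutually
     * authenticated TLS session. getPeerCertificates() orders the chain with the peer's own
     * certificate first, so index 0 is the end-entity certificate.
     */
    public static String extractPeerDN(SSLSession session) throws CertificateException {
        Certificate[] chain;
        try {
            chain = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            throw new CertificateException("Peer did not present a verified certificate", e);
        }
        if (chain == null || chain.length == 0) {
            throw new CertificateException("Peer certificate chain is empty");
        }
        X509Certificate leaf = convertAbstractCertificate(chain[0]);
        // Reject expired or not-yet-valid certificates before trusting the DN
        leaf.checkValidity();
        return leaf.getSubjectX500Principal().getName();
    }

    private static X509Certificate parseX509(byte[] der) throws CertificateException {
        CertificateFactory factory = CertificateFactory.getInstance(X509_TYPE);
        Certificate parsed = factory.generateCertificate(new ByteArrayInputStream(der));
        // An "X.509" factory always produces java.security.cert.X509Certificate instances
        return (X509Certificate) parsed;
    }
}
```

Both conversion paths go through the DER encoding, which keeps them independent of the JSSE provider that created the original object. The caller that previously cast `session.getPeerCertificateChain()` to `javax.security.cert.X509Certificate[]` would instead call `extractPeerDN(session)`, and any remaining code that still receives the legacy type can pass it to `convertLegacyX509Certificate` before touching the rest of the application.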



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)