Posted to dev@nifi.apache.org by alopresto <gi...@git.apache.org> on 2016/04/13 01:46:28 UTC

[GitHub] nifi pull request: Nifi 1753 Removed legacy X.509 certificate impl...

GitHub user alopresto opened a pull request:

    https://github.com/apache/nifi/pull/346

    Nifi 1753 Removed legacy X.509 certificate implementation references

    Various logic throughout the application referenced `javax.security.cert.X509Certificate`, which is a deprecated class and exists only for legacy compatibility with older JSSE implementations. As of Java SE 6, new development should use `java.security.cert.X509Certificate`. Most references to the legacy classes were in similar logic blocks to retrieve the distinguished name (DN) from the client certificate chain presented during TLS mutual authentication.
    
    I refactored this logic into a common utility method to deduplicate, and provided utility methods for converting legacy `X509Certificate`s and the abstract `java.security.cert.Certificate` returned by the replacement method (`javax.net.ssl.SSLSession#getPeerCertificateChain()` is succeeded by `javax.net.ssl.SSLSession#getPeerCertificates()`) to the correct version of `X509Certificate`.
    
    The module `nifi-security-utils` was added as a dependency to `nifi-utils` but contains only two utility classes with static helper methods and four enums. This change may be reverted/expanded as part of the larger-scale work on NIFI-1478, NIFI-1480, etc., but that is 1.0.0 refactor work, while this was a surgical fix for both 0.7.0 and 1.0.0.
    
    This will be rebased & squashed before merging.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/alopresto/nifi NIFI-1753

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/346.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #346
    
----
commit e2d1c359bb94148679a057b5521b3fb17f6a936a
Author: Andy LoPresto <al...@apache.org>
Date:   2016-04-12T03:11:45Z

    NIFI-1753 Added convenience methods for converting legacy X.509 certificates and abstract certificates to correct X.509 format.
    Added unit tests for certificate manipulation.
    Replaced logic retrieving legacy X.509 certificates with new logic in NodeProtocolSenderImpl.
    Added bcpkix (Bouncy Castle PKI implementation) dependency to nifi-standard-processors pom.

commit b9868ef297228ef7398a30fbddb915abef98eda6
Author: Andy LoPresto <al...@apache.org>
Date:   2016-04-12T03:36:38Z

    NIFI-1753 Added convenience method for extracting DN from peer certificate chain in SSL socket (canonical implementation to reduce code duplication and references to legacy certificate implementations).
    Refactored logic retrieving legacy X.509 certificates with reference to convenience method in NodeProtocolSenderImpl.
    Replaced logic retrieving legacy X.509 certificates with reference to convenience method in SocketProtocolListener.
    Cleaned up exception handling in SocketProtocolListener.
    Replaced legacy X.509 certificate declarations with new declarations in HandleHttpRequest (needs manual test).

commit 64208973bf9046d447230c8f096dde09d47d01bd
Author: Andy LoPresto <al...@apache.org>
Date:   2016-04-12T03:46:33Z

    NIFI-1753 Replaced legacy X.509 certificate declarations with new declarations in PostHTTP.

commit cd35f9b36d1e373b99490a6f6df735cd16175383
Author: Andy LoPresto <al...@apache.org>
Date:   2016-04-12T04:16:57Z

    NIFI-1753 Replaced legacy X.509 certificate declarations with new declarations in SSLSocketChannel and EndpointConnectionPool.
    Temporary work-around of duplicate certificate conversion util method because nifi-utils cannot depend on nifi-security-utils.

commit 965b766f2a0be9f703d10e231ca595464bc57f07
Author: Andy LoPresto <al...@apache.org>
Date:   2016-04-12T22:19:14Z

    NIFI-1753 Removed temporary work-around of duplicate certificate conversion util method and added nifi-security-utils as dependency of nifi-utils.

commit 613fe0b62e56898ebe99fed50a25f3aa515d727a
Author: Andy LoPresto <al...@apache.org>
Date:   2016-04-12T22:20:22Z

    NIFI-1753 Fixed nifi-utils pom.xml comment about additional dependencies.

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
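As an added illustration of the refactor the description above outlines (this is example code, not NiFi's own `CertificateUtils`), the Java helper below extracts the client DN through `SSLSession#getPeerCertificates()` and converts a legacy `javax.security.cert.X509Certificate` by re-parsing its DER encoding instead of casting; the class and method names are assumed. A direct cast between the two unrelated `X509Certificate` types is one source of the kind of `ClassCastException` the squashed commit message mentions, and the byte-level re-parse avoids it.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical helper (not NiFi's code): peer DN extraction using the non-deprecated API. */
public final class PeerDnExample {

    private PeerDnExample() {}

    /** Convert an abstract Certificate to java.security.cert.X509Certificate. */
    public static X509Certificate toX509(Certificate cert) throws CertificateException {
        if (cert instanceof X509Certificate) {
            return (X509Certificate) cert;           // already the right type, safe cast
        }
        // Re-parse the DER bytes rather than casting an unrelated type (ClassCastException)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(cert.getEncoded()));
    }

    /** Convert a legacy javax.security.cert.X509Certificate via its encoded form. */
    public static X509Certificate fromLegacy(javax.security.cert.X509Certificate legacy)
            throws CertificateException, javax.security.cert.CertificateEncodingException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(legacy.getEncoded()));
    }

    /** RFC 2253 subject DN of the peer's leaf certificate, or null if no verified client cert. */
    public static String extractPeerDn(SSLSession session) throws CertificateException {
        try {
            // getPeerCertificates() supersedes the deprecated getPeerCertificateChain()
            Certificate[] chain = session.getPeerCertificates();
            if (chain == null || chain.length == 0) {
                return null;
            }
            // chain[0] is the peer's own certificate; later entries are issuers
            return toX509(chain[0]).getSubjectX500Principal().getName();
        } catch (SSLPeerUnverifiedException e) {
            // Peer presented no certificate or it was not verified: treat as unauthenticated
            return null;
        }
    }
}
```

Callers that map the DN to an identity should treat a null return as "no client certificate" rather than as an empty identity, so the mutual-authentication check fails closed.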

[GitHub] nifi pull request: Nifi 1753 Removed legacy X.509 certificate impl...

Posted by alopresto <gi...@git.apache.org>.
GitHub user alopresto reopened a pull request:

    https://github.com/apache/nifi/pull/346

    Nifi 1753 Removed legacy X.509 certificate implementation references

----
commit 2161d1e8123020e0846f6290f4f500bba84f6ef7
Author: Andy LoPresto <al...@apache.org>
Date:   2016-04-12T03:11:45Z

    NIFI-1753 Replaced usage of javax.security.cert.X509Certificate with java.security.cert.X509Certificate and resolved user-reported ClassCastException when handling client certificates during TLS mutual authentication.
    
    Fixed nifi-utils pom.xml comment about additional dependencies. (+5 squashed commits)
    Squashed commits:
    [965b766] NIFI-1753 Removed temporary work-around of duplicate certificate conversion util method and added nifi-security-utils as dependency of nifi-utils.
    [cd35f9b] NIFI-1753 Replaced legacy X.509 certificate declarations with new declarations in SSLSocketChannel and EndpointConnectionPool.
    Temporary work-around of duplicate certificate conversion util method because nifi-utils cannot depend on nifi-security-utils.
    [6420897] NIFI-1753 Replaced legacy X.509 certificate declarations with new declarations in PostHTTP.
    [b9868ef] NIFI-1753 Added convenience method for extracting DN from peer certificate chain in SSL socket (canonical implementation to reduce code duplication and references to legacy certificate implementations).
    Refactored logic retrieving legacy X.509 certificates with reference to convenience method in NodeProtocolSenderImpl.
    Replaced logic retrieving legacy X.509 certificates with reference to convenience method in SocketProtocolListener.
    Cleaned up exception handling in SocketProtocolListener.
    Replaced legacy X.509 certificate declarations with new declarations in HandleHttpRequest (needs manual test).
    [e2d1c35] NIFI-1753 Added convenience methods for converting legacy X.509 certificates and abstract certificates to correct X.509 format.
    Added unit tests for certificate manipulation.
    Replaced logic retrieving legacy X.509 certificates with new logic in NodeProtocolSenderImpl.
    Added bcpkix (Bouncy Castle PKI implementation) dependency to nifi-standard-processors pom.

----



[GitHub] nifi pull request: Nifi 1753 Removed legacy X.509 certificate impl...

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto closed the pull request at:

    https://github.com/apache/nifi/pull/346



[GitHub] nifi pull request: Nifi 1753 Removed legacy X.509 certificate impl...

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/nifi/pull/346



[GitHub] nifi pull request: Nifi 1753 Removed legacy X.509 certificate impl...

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on the pull request:

    https://github.com/apache/nifi/pull/346#issuecomment-209713757
  
    Accidentally closed because I had to remove the local branch because of a bad commit order. Copied out, cherry-picked, re-pushed. 

