Posted to server-dev@james.apache.org by ad...@apache.org on 2016/11/17 09:38:36 UTC
[6/9] james-project git commit: JAMES-1856 Upgrade to bouncy castle
1.52 jdk15on
JAMES-1856 Upgrade to bouncy castle 1.52 jdk15on
Project: http://git-wip-us.apache.org/repos/asf/james-project/repo
Commit: http://git-wip-us.apache.org/repos/asf/james-project/commit/a14fd656
Tree: http://git-wip-us.apache.org/repos/asf/james-project/tree/a14fd656
Diff: http://git-wip-us.apache.org/repos/asf/james-project/diff/a14fd656
Branch: refs/heads/master
Commit: a14fd6565eb36b7e80ae82806eaff51375793f3a
Parents: b3a30c1
Author: Benoit Tellier <bt...@linagora.com>
Authored: Thu Nov 3 15:22:09 2016 +0100
Committer: Benoit Tellier <bt...@linagora.com>
Committed: Thu Nov 17 15:26:18 2016 +0700
----------------------------------------------------------------------
mailet/crypto/pom.xml | 2 +-
.../org/apache/james/transport/InitJCE.java | 1 -
.../apache/james/transport/KeyStoreHolder.java | 34 +++++++++++----
.../apache/james/transport/SMIMEKeyHolder.java | 45 ++++++++++++--------
.../james/transport/mailet/SMIMEDecrypt.java | 27 ++++++------
mailet/pom.xml | 5 +--
6 files changed, 70 insertions(+), 44 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/james-project/blob/a14fd656/mailet/crypto/pom.xml
----------------------------------------------------------------------
diff --git a/mailet/crypto/pom.xml b/mailet/crypto/pom.xml
index c56a19c..5ab267d 100644
--- a/mailet/crypto/pom.xml
+++ b/mailet/crypto/pom.xml
@@ -45,7 +45,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
- <artifactId>bcmail-jdk16</artifactId>
+ <artifactId>bcmail-jdk15on</artifactId>
</dependency>
<dependency>
<groupId>org.apache.james</groupId>
http://git-wip-us.apache.org/repos/asf/james-project/blob/a14fd656/mailet/crypto/src/main/java/org/apache/james/transport/InitJCE.java
----------------------------------------------------------------------
diff --git a/mailet/crypto/src/main/java/org/apache/james/transport/InitJCE.java b/mailet/crypto/src/main/java/org/apache/james/transport/InitJCE.java
index 5446656..eaa1d06 100644
--- a/mailet/crypto/src/main/java/org/apache/james/transport/InitJCE.java
+++ b/mailet/crypto/src/main/java/org/apache/james/transport/InitJCE.java
@@ -65,7 +65,6 @@ public class InitJCE {
CommandMap.setDefaultCommandMap(mailcap);
initialized = true;
- } else {
}
}
}
http://git-wip-us.apache.org/repos/asf/james-project/blob/a14fd656/mailet/crypto/src/main/java/org/apache/james/transport/KeyStoreHolder.java
----------------------------------------------------------------------
diff --git a/mailet/crypto/src/main/java/org/apache/james/transport/KeyStoreHolder.java b/mailet/crypto/src/main/java/org/apache/james/transport/KeyStoreHolder.java
index 0b0eb7c..c863761 100644
--- a/mailet/crypto/src/main/java/org/apache/james/transport/KeyStoreHolder.java
+++ b/mailet/crypto/src/main/java/org/apache/james/transport/KeyStoreHolder.java
@@ -46,10 +46,17 @@ import java.util.List;
import javax.mail.MessagingException;
+import org.bouncycastle.cert.jcajce.JcaCertStoreBuilder;
+import org.bouncycastle.cert.selector.X509CertificateHolderSelector;
+import org.bouncycastle.cert.selector.jcajce.JcaX509CertSelectorConverter;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
+import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.mail.smime.SMIMESigned;
+import com.google.common.base.Preconditions;
+
/**
* This class is used to handle in a simple way a keystore that contains a set
* of trusted certificates. It loads the set from the specified keystore (type,
@@ -59,7 +66,9 @@ import org.bouncycastle.mail.smime.SMIMESigned;
*
*/
public class KeyStoreHolder {
-
+
+ private static final String BC = BouncyCastleProvider.PROVIDER_NAME;
+
protected KeyStore keyStore;
public KeyStoreHolder () throws IOException, GeneralSecurityException {
@@ -114,9 +123,12 @@ public class KeyStoreHolder {
* @throws Exception
* @throws MessagingException
*/
- @SuppressWarnings("deprecation")
- public List<SMIMESignerInfo> verifySignatures(SMIMESigned signed) throws Exception, MessagingException {
- CertStore certs = signed.getCertificatesAndCRLs("Collection", "BC");
+ public List<SMIMESignerInfo> verifySignatures(SMIMESigned signed) throws Exception {
+
+ CertStore certs = new JcaCertStoreBuilder()
+ .addCertificates(signed.getCertificates())
+ .addCRLs(signed.getCRLs())
+ .build();
SignerInformationStore siginfo = signed.getSignerInfos();
@SuppressWarnings("unchecked")
Collection<SignerInformation> sigCol = siginfo.getSigners();
@@ -126,8 +138,10 @@ public class KeyStoreHolder {
// on the message are valid.
for (SignerInformation info: sigCol) {
// I get the signer's certificate
+ X509CertificateHolderSelector x509CertificateHolderSelector = new X509CertificateHolderSelector(info.getSID().getSubjectKeyIdentifier());
+ X509CertSelector certSelector = new JcaX509CertSelectorConverter().getCertSelector(x509CertificateHolderSelector);
@SuppressWarnings("unchecked")
- Collection<X509Certificate> certCollection = (Collection<X509Certificate>) certs.getCertificates(info.getSID());
+ Collection<X509Certificate> certCollection = (Collection<X509Certificate>) certs.getCertificates(certSelector);
if (!certCollection.isEmpty()) {
X509Certificate signerCert = certCollection.iterator().next();
// The issuer's certifcate is searched in the list of trusted certificate.
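Review bot: The selector built on the first added line of this hunk matches only by subjectKeyIdentifier, whereas the replaced `certs.getCertificates(info.getSID())` also matched on issuer and serial number. When a SignerInfo identifies its signer by issuerAndSerialNumber, `info.getSID().getSubjectKeyIdentifier()` returns null; a selector with no criteria appears to match every certificate in the store, so `certCollection.iterator().next()` below picks an arbitrary certificate and the signature check that follows fails for an unrelated reason, which should be confirmed against the 1.52 selector sources. Carrying all three identifiers over keeps the original lookup: `X509CertificateHolderSelector x509CertificateHolderSelector = new X509CertificateHolderSelector(info.getSID().getIssuer(), info.getSID().getSerialNumber(), info.getSID().getSubjectKeyIdentifier());`. The enclosing for loop and verifySignatures continue outside this hunk.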
@@ -143,7 +157,7 @@ public class KeyStoreHolder {
// certificate can be trusted (it can be connected
// by a chain of trust to a trusted certificate), null
// otherwise.
- if (info.verify(signerCert, "BC")) {
+ if (info.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider(BC).build(signerCert))) {
result.add(new SMIMESignerInfo(signerCert, path, true));
}
} catch (Exception e) {
@@ -171,9 +185,11 @@ public class KeyStoreHolder {
*/
private static CertPath verifyCertificate(X509Certificate cert, CertStore store, KeyStore trustedStore)
throws InvalidAlgorithmParameterException, KeyStoreException, MessagingException, CertPathBuilderException {
-
- if (cert == null || store == null || trustedStore == null) throw new IllegalArgumentException("cert == "+cert+", store == "+store+", trustedStore == "+trustedStore);
-
+
+ Preconditions.checkNotNull(cert);
+ Preconditions.checkNotNull(store);
+ Preconditions.checkNotNull(trustedStore);
+
CertPathBuilder pathBuilder;
// I create the CertPathBuilder object. It will be used to find a
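Review bot: The three `Preconditions.checkNotNull` calls drop the argument names that the replaced IllegalArgumentException message carried, so a failure now surfaces as a bare NullPointerException with no hint of which input was missing. Passing the label keeps the diagnostic at no cost: `Preconditions.checkNotNull(cert, "cert");` and likewise `"store"` and `"trustedStore"`. The exception type also changes from IllegalArgumentException to NullPointerException, which any caller catching the former would no longer see; neither is declared on the throws clause above, so this is worth a line in the method's Javadoc. verifyCertificate's body continues past the end of this hunk.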
http://git-wip-us.apache.org/repos/asf/james-project/blob/a14fd656/mailet/crypto/src/main/java/org/apache/james/transport/SMIMEKeyHolder.java
----------------------------------------------------------------------
diff --git a/mailet/crypto/src/main/java/org/apache/james/transport/SMIMEKeyHolder.java b/mailet/crypto/src/main/java/org/apache/james/transport/SMIMEKeyHolder.java
index a078ed4..2fb0bca 100644
--- a/mailet/crypto/src/main/java/org/apache/james/transport/SMIMEKeyHolder.java
+++ b/mailet/crypto/src/main/java/org/apache/james/transport/SMIMEKeyHolder.java
@@ -34,6 +34,7 @@ import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
+import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509Certificate;
@@ -45,8 +46,12 @@ import javax.mail.internet.MimeBodyPart;
import javax.mail.internet.MimeMessage;
import javax.mail.internet.MimeMultipart;
+import org.bouncycastle.cert.jcajce.JcaCertStore;
+import org.bouncycastle.cms.SignerInfoGenerator;
+import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder;
import org.bouncycastle.mail.smime.SMIMEException;
import org.bouncycastle.mail.smime.SMIMESignedGenerator;
+import org.bouncycastle.operator.OperatorCreationException;
/**
* <p>Loads a {@link java.security.KeyStore} in memory and keeps it ready for the
@@ -58,7 +63,9 @@ import org.bouncycastle.mail.smime.SMIMESignedGenerator;
* @since 3.0
*/
public class SMIMEKeyHolder implements KeyHolder{
-
+
+ private final JcaCertStore jcaCertStore;
+
/**
* Returns the default keystore type as specified in the Java security properties file,
* or the string "jks" (acronym for "Java keystore") if no such property exists.
@@ -105,7 +112,7 @@ public class SMIMEKeyHolder implements KeyHolder{
* @see java.security.KeyStore#getCertificate
*/
public SMIMEKeyHolder(String keyStoreFileName, String keyStorePassword, String keyAlias, String keyAliasPassword, String keyStoreType)
- throws KeyStoreException, FileNotFoundException, IOException, NoSuchAlgorithmException, InvalidAlgorithmParameterException,
+ throws KeyStoreException, IOException, NoSuchAlgorithmException, InvalidAlgorithmParameterException,
CertificateException, UnrecoverableKeyException, NoSuchProviderException {
try {
@@ -169,7 +176,9 @@ public class SMIMEKeyHolder implements KeyHolder{
// in the signature
this.certStore = CertStore.getInstance("Collection",
new CollectionCertStoreParameters(certList), "BC");
-
+
+ jcaCertStore = new JcaCertStore(certList);
+
}
/**
@@ -195,24 +204,27 @@ public class SMIMEKeyHolder implements KeyHolder{
public CertStore getCertStore() {
return this.certStore;
}
-
+
/**
* Creates an <CODE>SMIMESignedGenerator</CODE>. Includes a signer private key and certificate,
* and a pool of certs and cerls (if any) to go with the signature.
* @return The generated SMIMESignedGenerator.
- */
- @SuppressWarnings("deprecation")
- public SMIMESignedGenerator createGenerator() throws CertStoreException, SMIMEException {
+ */
+ public SMIMESignedGenerator createGenerator() throws CertStoreException, SMIMEException, OperatorCreationException,
+ CertificateEncodingException {
// create the generator for creating an smime/signed message
SMIMESignedGenerator generator = new SMIMESignedGenerator();
// add a signer to the generator - this specifies we are using SHA1
// the encryption algorithm used is taken from the key
- generator.addSigner(this.privateKey, this.certificate, SMIMESignedGenerator.DIGEST_SHA1);
+ SignerInfoGenerator signerInfoGenerator = new JcaSimpleSignerInfoGeneratorBuilder()
+ .setProvider("BC")
+ .build("SHA1withRSA", privateKey, certificate);
+ generator.addSignerInfoGenerator(signerInfoGenerator);
// add our pool of certs and cerls (if any) to go with the signature
- generator.addCertificatesAndCRLs(this.certStore);
+ generator.addCertificates(jcaCertStore);
return generator;
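Review bot: The comment kept above the new builder call still says the encryption algorithm is taken from the key, but `.build("SHA1withRSA", privateKey, certificate)` now pins RSA; a keystore holding a DSA or EC signing key, which the replaced `addSigner(..., DIGEST_SHA1)` presumably accepted, would now fail when the generator is built. Either select the signature algorithm from `privateKey.getAlgorithm()` or update the comment to state that an RSA signing key is required. Since the algorithm string is being rewritten anyway, note that it carries SHA-1 forward, and `SHA256withRSA` is the usual choice for new signatures; the `"BC"` literal could also use the same `PROVIDER_NAME` constant KeyStoreHolder introduces in this commit. createGenerator's closing brace falls outside this hunk.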
@@ -223,14 +235,14 @@ public class SMIMEKeyHolder implements KeyHolder{
* @param message The message to sign.
* @return The signed <CODE>MimeMultipart</CODE>.
*/
- public MimeMultipart generate(MimeMessage message) throws CertStoreException,
- NoSuchAlgorithmException, NoSuchProviderException, SMIMEException {
+ public MimeMultipart generate(MimeMessage message) throws CertStoreException, NoSuchAlgorithmException, NoSuchProviderException,
+ SMIMEException, OperatorCreationException, CertificateEncodingException {
// create the generator for creating an smime/signed MimeMultipart
SMIMESignedGenerator generator = createGenerator();
// do it
- return generator.generate(message, "BC");
+ return generator.generate(message);
}
@@ -238,16 +250,15 @@ public class SMIMEKeyHolder implements KeyHolder{
* Generates a signed MimeMultipart from a MimeBodyPart.
* @param content The content to sign.
* @return The signed <CODE>MimeMultipart</CODE>.
- */
- @SuppressWarnings("deprecation")
- public MimeMultipart generate(MimeBodyPart content) throws CertStoreException,
- NoSuchAlgorithmException, NoSuchProviderException, SMIMEException {
+ */
+ public MimeMultipart generate(MimeBodyPart content) throws CertStoreException, NoSuchAlgorithmException, NoSuchProviderException,
+ SMIMEException, OperatorCreationException, CertificateEncodingException {
// create the generator for creating an smime/signed MimeMultipart
SMIMESignedGenerator generator = createGenerator();
// do it
- return generator.generate(content, "BC");
+ return generator.generate(content);
}
http://git-wip-us.apache.org/repos/asf/james-project/blob/a14fd656/mailet/crypto/src/main/java/org/apache/james/transport/mailet/SMIMEDecrypt.java
----------------------------------------------------------------------
diff --git a/mailet/crypto/src/main/java/org/apache/james/transport/mailet/SMIMEDecrypt.java b/mailet/crypto/src/main/java/org/apache/james/transport/mailet/SMIMEDecrypt.java
index 71820bf..2d24e6c 100644
--- a/mailet/crypto/src/main/java/org/apache/james/transport/mailet/SMIMEDecrypt.java
+++ b/mailet/crypto/src/main/java/org/apache/james/transport/mailet/SMIMEDecrypt.java
@@ -26,21 +26,21 @@ import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
-import java.util.Iterator;
import javax.mail.MessagingException;
import javax.mail.Multipart;
import javax.mail.Part;
-import javax.mail.internet.MimeBodyPart;
import javax.mail.internet.MimeMessage;
import org.apache.james.transport.SMIMEKeyHolder;
-import org.apache.mailet.base.GenericMailet;
import org.apache.mailet.Mail;
import org.apache.mailet.MailetConfig;
+import org.apache.mailet.base.GenericMailet;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.RecipientId;
import org.bouncycastle.cms.RecipientInformation;
+import org.bouncycastle.cms.RecipientInformationStore;
+import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;
import org.bouncycastle.mail.smime.SMIMEEnveloped;
import org.bouncycastle.mail.smime.SMIMEUtil;
@@ -113,28 +113,29 @@ public class SMIMEDecrypt extends GenericMailet {
if (message.isMimeType("application/x-pkcs7-mime") || message.isMimeType("application/pkcs7-mime")) {
try {
SMIMEEnveloped env = new SMIMEEnveloped(message);
+ RecipientInformationStore informationStore = env.getRecipientInfos();
@SuppressWarnings("unchecked")
- Collection<RecipientInformation> recipients = env.getRecipientInfos().getRecipients();
- Iterator<RecipientInformation> iter = recipients.iterator();
- while (iter.hasNext()) {
- RecipientInformation info = iter.next();
+ Collection<RecipientInformation> recipients = informationStore.getRecipients();
+ for (RecipientInformation info : recipients) {
RecipientId id = info.getRID();
if (id.match(keyHolder.getCertificate())) {
try {
- @SuppressWarnings("deprecation")
- MimeBodyPart part = SMIMEUtil.toMimeBodyPart(info.getContent(keyHolder.getPrivateKey(), "BC"));
+ JceKeyTransEnvelopedRecipient recipient = new JceKeyTransEnvelopedRecipient(keyHolder.getPrivateKey());
// strippedMessage contains the decrypted message.
- strippedMessage = part;
+ strippedMessage = SMIMEUtil.toMimeBodyPart(info.getContent(recipient));
log("Encrypted message decrypted");
} catch (Exception e) {
- throw new MessagingException("Error during the decryption of the message", e); }
+ throw new MessagingException("Error during the decryption of the message", e);
+ }
} else {
log("Found an encrypted message but it isn't encrypted for the supplied key");
}
}
- } catch (CMSException e) { throw new MessagingException("Error during the decryption of the message",e); }
+ } catch (CMSException e) {
+ throw new MessagingException("Error during the decryption of the message",e);
+ }
}
-
+
// if the decryption has been successful..
if (strippedMessage != null) {
// I put the private key's public certificate as a mailattribute.
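Review bot: The `id.match(keyHolder.getCertificate())` test kept as context above the new JceKeyTransEnvelopedRecipient line likely never matches under bcmail-jdk15on 1.52: RecipientId no longer extends X509CertSelector there, and KeyTransRecipientId's match accepts an X509CertificateHolder, a byte[] or a RecipientInformation rather than a java.security.cert.X509Certificate, so every encrypted message would fall through to the "isn't encrypted for the supplied key" branch; please confirm against the 1.52 sources. The idiomatic 1.52 lookup is to ask the `RecipientInformationStore` introduced on the first added line for the recipient via `new JceKeyTransRecipientId(keyHolder.getCertificate())`, which also handles the issuerAndSerialNumber versus subjectKeyIdentifier split internally. The new recipient also sets no provider, unlike the `setProvider(...)` calls this same commit adds in KeyStoreHolder and SMIMEKeyHolder, so decryption now depends on whichever JCA provider is default. The enclosing method starts and ends outside this hunk.
```java
SMIMEEnveloped env = new SMIMEEnveloped(message);
RecipientInformationStore informationStore = env.getRecipientInfos();
RecipientInformation info = informationStore.get(new JceKeyTransRecipientId(keyHolder.getCertificate()));
if (info != null) {
    try {
        // strippedMessage contains the decrypted message.
        strippedMessage = SMIMEUtil.toMimeBodyPart(info.getContent(
            new JceKeyTransEnvelopedRecipient(keyHolder.getPrivateKey()).setProvider("BC")));
        log("Encrypted message decrypted");
    } catch (Exception e) {
        throw new MessagingException("Error during the decryption of the message", e);
    }
} else {
    log("Found an encrypted message but it isn't encrypted for the supplied key");
}
// … unchanged: CMSException handling and the strippedMessage != null branch …
```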
http://git-wip-us.apache.org/repos/asf/james-project/blob/a14fd656/mailet/pom.xml
----------------------------------------------------------------------
diff --git a/mailet/pom.xml b/mailet/pom.xml
index 276beec..1183e55 100644
--- a/mailet/pom.xml
+++ b/mailet/pom.xml
@@ -42,7 +42,6 @@
<javax.version>1.4.4</javax.version>
<junit.version>4.10</junit.version>
<activation.version>1.1.1</activation.version>
- <bcmail-jdk16.version>1.46</bcmail-jdk16.version>
<commons-collections.version>3.2.1</commons-collections.version>
<commons-io.version>2.4</commons-io.version>
<commons-lang.version>2.6</commons-lang.version>
@@ -98,8 +97,8 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
- <artifactId>bcmail-jdk16</artifactId>
- <version>${bcmail-jdk16.version}</version>
+ <artifactId>bcmail-jdk15on</artifactId>
+ <version>1.52</version>
</dependency>
<dependency>
<groupId>org.apache.maven.artifact</groupId>