[ https://issues.apache.org/jira/browse/NIFI-1753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15240401#comment-15240401 ]
ASF subversion and git services commented on NIFI-1753:
-------------------------------------------------------

Commit 378ccf53c26ef40ca56512247c93243546fefa8b in nifi's branch refs/heads/master from [~alopresto]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=378ccf5 ]

NIFI-1753 Replaced usage of javax.security.cert.X509Certificate with java.security.cert.X509Certificate and resolved user-reported ClassCastException when handling client certificates during TLS mutual authentication.
Fixed nifi-utils pom.xml comment about additional dependencies. (+5 squashed commits)

Squashed commits:

[965b766] NIFI-1753 Removed temporary work-around of duplicate certificate conversion util method and added nifi-security-utils as dependency of nifi-utils.

[cd35f9b] NIFI-1753 Replaced legacy X.509 certificate declarations with new declarations in SSLSocketChannel and EndpointConnectionPool.
Temporary work-around of duplicate certificate conversion util method because nifi-utils cannot depend on nifi-security-utils.

[6420897] NIFI-1753 Replaced legacy X.509 certificate declarations with new declarations in PostHTTP.

[b9868ef] NIFI-1753 Added convenience method for extracting DN from peer certificate chain in SSL socket (canonical implementation to reduce code duplication and references to legacy certificate implementations).
Refactored logic retrieving legacy X.509 certificates with reference to convenience method in NodeProtocolSenderImpl.
Replaced logic retrieving legacy X.509 certificates with reference to convenience method in SocketProtocolListener.
Cleaned up exception handling in SocketProtocolListener.
Replaced legacy X.509 certificate declarations with new declarations in HandleHttpRequest (needs manual test).

[e2d1c35] NIFI-1753 Added convenience methods for converting legacy X.509 certificates and abstract certificates to correct X.509 format.
Added unit tests for certificate manipulation.
Replaced logic retrieving legacy X.509 certificates with new logic in NodeProtocolSenderImpl.
Added bcpkix (Bouncy Castle PKI implementation) dependency to nifi-standard-processors pom.

This closes #346.

Signed-off-by: Andy LoPresto <alopre...@apache.org>

> Legacy X.509 certificate handling code should be upgraded
> ---------------------------------------------------------
>
>                 Key: NIFI-1753
>                 URL: https://issues.apache.org/jira/browse/NIFI-1753
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 0.6.1
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>             Fix For: 1.0.0, 0.7.0
>
>
> There are multiple instances throughout the codebase [1][2] where legacy
> {{javax.security.cert.X509Certificate}} class is used rather than the current
> (Java SE 6) {{java.security.cert.X509Certificate}}. The {{javax.*}} classes
> are provided for legacy compatibility with JSSE [3][4]. This can manifest as
> an exception:
> {{java.lang.ClassCastException: [Ljava.security.cert.X509Certificate; cannot be cast to [Ljavax.security.cert.X509Certificate}}
> The {{CertificateFactory}} class allows conversion to the new format.
>
> [1] https://git1-us-west.apache.org/repos/asf?p=nifi.git;a=blob;f=nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidator.java;hb=ffbfffce
> [2] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/HandleHttpRequest.java#L40
> [3] http://stackoverflow.com/a/24600621/70465
> [4] https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLSession.html#getPeerCertificates%28%29

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
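
The CertificateFactory conversion and the ClassCastException named in the issue description, as an added example that is not NiFi's code and not taken from the commit. The class and method names are hypothetical, the empty chain in main() is constructed input, and the file compiles only on a JDK that still ships the deprecated javax.security.cert package.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added illustration; class and method names are hypothetical, not NiFi's.
public class LegacyCertConversion {

    // Re-parse the DER encoding of a legacy certificate as the current type.
    static X509Certificate fromLegacy(javax.security.cert.X509Certificate legacy)
            throws CertificateException {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            return (X509Certificate) factory.generateCertificate(
                    new ByteArrayInputStream(legacy.getEncoded()));
        } catch (javax.security.cert.CertificateEncodingException e) {
            throw new CertificateException("Could not encode legacy certificate", e);
        }
    }

    // Narrow the abstract chain from SSLSession.getPeerCertificates() element by
    // element instead of casting the array, whose runtime type is not guaranteed.
    static X509Certificate[] toX509Chain(Certificate[] chain) throws CertificateException {
        X509Certificate[] result = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) {
            if (!(chain[i] instanceof X509Certificate)) {
                throw new CertificateException("Entry " + i + " is not an X.509 certificate");
            }
            result[i] = (X509Certificate) chain[i];
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an empty chain typed as the current class.
        Object chain = new X509Certificate[0];
        try {
            // The two array types are unrelated, so this cast fails at runtime.
            javax.security.cert.X509Certificate[] legacy =
                    (javax.security.cert.X509Certificate[]) chain;
            System.out.println("unexpected: cast succeeded, length " + legacy.length);
        } catch (ClassCastException e) {
            System.out.println("ClassCastException: " + e.getMessage());
        }
        System.out.println("converted chain length: "
                + toX509Chain((Certificate[]) chain).length);
    }
}
```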