JAMES-1856 Upgrade to bouncy castle 1.52 jdk15on
Project: http://git-wip-us.apache.org/repos/asf/james-project/repo
Commit: http://git-wip-us.apache.org/repos/asf/james-project/commit/a14fd656
Tree: http://git-wip-us.apache.org/repos/asf/james-project/tree/a14fd656
Diff: http://git-wip-us.apache.org/repos/asf/james-project/diff/a14fd656
Branch: refs/heads/master
Commit: a14fd6565eb36b7e80ae82806eaff51375793f3a
Parents: b3a30c1
Author: Benoit Tellier <[email protected]>
Authored: Thu Nov 3 15:22:09 2016 +0100
Committer: Benoit Tellier <[email protected]>
Committed: Thu Nov 17 15:26:18 2016 +0700
----------------------------------------------------------------------
mailet/crypto/pom.xml | 2 +-
.../org/apache/james/transport/InitJCE.java | 1 -
.../apache/james/transport/KeyStoreHolder.java | 34 +++++++++++----
.../apache/james/transport/SMIMEKeyHolder.java | 45 ++++++++++++--------
.../james/transport/mailet/SMIMEDecrypt.java | 27 ++++++------
mailet/pom.xml | 5 +--
6 files changed, 70 insertions(+), 44 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/james-project/blob/a14fd656/mailet/crypto/pom.xml
----------------------------------------------------------------------
diff --git a/mailet/crypto/pom.xml b/mailet/crypto/pom.xml
index c56a19c..5ab267d 100644
--- a/mailet/crypto/pom.xml
+++ b/mailet/crypto/pom.xml
@@ -45,7 +45,7 @@
 </dependency>
 <dependency>
 <groupId>org.bouncycastle</groupId>
- <artifactId>bcmail-jdk16</artifactId>
+ <artifactId>bcmail-jdk15on</artifactId>
 </dependency>
 <dependency>
 <groupId>org.apache.james</groupId>
http://git-wip-us.apache.org/repos/asf/james-project/blob/a14fd656/mailet/crypto/src/main/java/org/apache/james/transport/InitJCE.java
----------------------------------------------------------------------
diff --git a/mailet/crypto/src/main/java/org/apache/james/transport/InitJCE.java b/mailet/crypto/src/main/java/org/apache/james/transport/InitJCE.java
index 5446656..eaa1d06 100644
--- a/mailet/crypto/src/main/java/org/apache/james/transport/InitJCE.java +++ b/mailet/crypto/src/main/java/org/apache/james/transport/InitJCE.java @@ -65,7 +65,6 @@ public class InitJCE { CommandMap.setDefaultCommandMap(mailcap); initialized = true; - } else { } } } http://git-wip-us.apache.org/repos/asf/james-project/blob/a14fd656/mailet/crypto/src/main/java/org/apache/james/transport/KeyStoreHolder.java ---------------------------------------------------------------------- diff --git a/mailet/crypto/src/main/java/org/apache/james/transport/KeyStoreHolder.java b/mailet/crypto/src/main/java/org/apache/james/transport/KeyStoreHolder.java index 0b0eb7c..c863761 100644 --- a/mailet/crypto/src/main/java/org/apache/james/transport/KeyStoreHolder.java +++ b/mailet/crypto/src/main/java/org/apache/james/transport/KeyStoreHolder.java @@ -46,10 +46,17 @@ import java.util.List; import javax.mail.MessagingException; +import org.bouncycastle.cert.jcajce.JcaCertStoreBuilder; +import org.bouncycastle.cert.selector.X509CertificateHolderSelector; +import org.bouncycastle.cert.selector.jcajce.JcaX509CertSelectorConverter; import org.bouncycastle.cms.SignerInformation; import org.bouncycastle.cms.SignerInformationStore; +import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder; +import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.mail.smime.SMIMESigned; +import com.google.common.base.Preconditions; + /** * This class is used to handle in a simple way a keystore that contains a set * of trusted certificates. It loads the set from the specified keystore (type, @@ -59,7 +66,9 @@ import org.bouncycastle.mail.smime.SMIMESigned; * */ public class KeyStoreHolder { - + + private static final String BC = BouncyCastleProvider.PROVIDER_NAME; + protected KeyStore keyStore; public KeyStoreHolder () throws IOException, GeneralSecurityException { 
@@ -114,9 +123,12 @@ public class KeyStoreHolder { * @throws Exception * @throws MessagingException */ - @SuppressWarnings("deprecation") - public List<SMIMESignerInfo> verifySignatures(SMIMESigned signed) throws Exception, MessagingException { - CertStore certs = signed.getCertificatesAndCRLs("Collection", "BC"); + public List<SMIMESignerInfo> verifySignatures(SMIMESigned signed) throws Exception { + + CertStore certs = new JcaCertStoreBuilder() + .addCertificates(signed.getCertificates()) + .addCRLs(signed.getCRLs()) + .build(); SignerInformationStore siginfo = signed.getSignerInfos(); @SuppressWarnings("unchecked") Collection<SignerInformation> sigCol = siginfo.getSigners(); @@ -126,8 +138,10 @@ public class KeyStoreHolder { // on the message are valid. for (SignerInformation info: sigCol) { // I get the signer's certificate + X509CertificateHolderSelector x509CertificateHolderSelector = new X509CertificateHolderSelector(info.getSID().getSubjectKeyIdentifier()); + X509CertSelector certSelector = new JcaX509CertSelectorConverter().getCertSelector(x509CertificateHolderSelector); @SuppressWarnings("unchecked") - Collection<X509Certificate> certCollection = (Collection<X509Certificate>) certs.getCertificates(info.getSID()); + Collection<X509Certificate> certCollection = (Collection<X509Certificate>) certs.getCertificates(certSelector); if (!certCollection.isEmpty()) { X509Certificate signerCert = certCollection.iterator().next(); // The issuer's certifcate is searched in the list of trusted certificate. @@ -143,7 +157,7 @@ public class KeyStoreHolder { // certificate can be trusted (it can be connected // by a chain of trust to a trusted certificate), null // otherwise. - if (info.verify(signerCert, "BC")) { + if (info.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider(BC).build(signerCert))) { result.add(new SMIMESignerInfo(signerCert, path, true)); } } catch (Exception e) { 
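Review bot: In the second hunk, `new X509CertificateHolderSelector(info.getSID().getSubjectKeyIdentifier())` keeps only the subject key identifier, whereas the removed `certs.getCertificates(info.getSID())` matched on whichever identifier form the SignerInfo carried. For a signer identified by issuerAndSerialNumber — the common S/MIME case — `getSubjectKeyIdentifier()` is null, and as far as I can tell a selector with no criteria matches every certificate in the message, so `certCollection.iterator().next()` may hand an arbitrary sender-supplied certificate to `verifyCertificate` and `info.verify`, and a valid signature is then reported as absent. Carry the whole SignerId over instead: `new X509CertificateHolderSelector(info.getSID().getIssuer(), info.getSID().getSerialNumber(), info.getSID().getSubjectKeyIdentifier())` (or `org.bouncycastle.cms.jcajce.JcaX509CertSelectorConverter`, which accepts a `SignerId` directly); please confirm the constructor signature against 1.52 and cover the issuer/serial case with a test. verifySignatures starts before the first of these hunks and ends after the third.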
@@ -171,9 +185,11 @@ public class KeyStoreHolder { */ private static CertPath verifyCertificate(X509Certificate cert, CertStore store, KeyStore trustedStore) throws InvalidAlgorithmParameterException, KeyStoreException, MessagingException, CertPathBuilderException { - - if (cert == null || store == null || trustedStore == null) throw new IllegalArgumentException("cert == "+cert+", store == "+store+", trustedStore == "+trustedStore); - + + Preconditions.checkNotNull(cert); + Preconditions.checkNotNull(store); + Preconditions.checkNotNull(trustedStore); + CertPathBuilder pathBuilder; // I create the CertPathBuilder object. It will be used to find a http://git-wip-us.apache.org/repos/asf/james-project/blob/a14fd656/mailet/crypto/src/main/java/org/apache/james/transport/SMIMEKeyHolder.java ---------------------------------------------------------------------- diff --git a/mailet/crypto/src/main/java/org/apache/james/transport/SMIMEKeyHolder.java b/mailet/crypto/src/main/java/org/apache/james/transport/SMIMEKeyHolder.java index a078ed4..2fb0bca 100644 --- a/mailet/crypto/src/main/java/org/apache/james/transport/SMIMEKeyHolder.java +++ b/mailet/crypto/src/main/java/org/apache/james/transport/SMIMEKeyHolder.java @@ -34,6 +34,7 @@ import java.security.PrivateKey; import java.security.UnrecoverableKeyException; import java.security.cert.CertStore; import java.security.cert.CertStoreException; +import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.CollectionCertStoreParameters; import java.security.cert.X509Certificate; 
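Review bot: The three `Preconditions.checkNotNull(...)` calls drop the message the removed `IllegalArgumentException` carried, which named the null argument, so a misconfiguration now surfaces as a bare `NullPointerException` with no hint of whether the signer certificate, the message's cert store or the trust store was missing. Label them — `Preconditions.checkNotNull(cert, "cert");`, `Preconditions.checkNotNull(store, "store");`, `Preconditions.checkNotNull(trustedStore, "trustedStore");` — and add `@throws NullPointerException if any argument is null` to the Javadoc above, since callers that relied on `IllegalArgumentException` here no longer get it. The rest of verifyCertificate lies outside the hunk.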
@@ -45,8 +46,12 @@ import javax.mail.internet.MimeBodyPart; import javax.mail.internet.MimeMessage; import javax.mail.internet.MimeMultipart; +import org.bouncycastle.cert.jcajce.JcaCertStore; +import org.bouncycastle.cms.SignerInfoGenerator; +import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder; import org.bouncycastle.mail.smime.SMIMEException; import org.bouncycastle.mail.smime.SMIMESignedGenerator; +import org.bouncycastle.operator.OperatorCreationException; /** * <p>Loads a {@link java.security.KeyStore} in memory and keeps it ready for the @@ -58,7 +63,9 @@ import org.bouncycastle.mail.smime.SMIMESignedGenerator; * @since 3.0 */ public class SMIMEKeyHolder implements KeyHolder{ - + + private final JcaCertStore jcaCertStore; + /** * Returns the default keystore type as specified in the Java security properties file, * or the string "jks" (acronym for "Java keystore") if no such property exists. @@ -105,7 +112,7 @@ public class SMIMEKeyHolder implements KeyHolder{ * @see java.security.KeyStore#getCertificate */ public SMIMEKeyHolder(String keyStoreFileName, String keyStorePassword, String keyAlias, String keyAliasPassword, String keyStoreType) - throws KeyStoreException, FileNotFoundException, IOException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, + throws KeyStoreException, IOException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, CertificateException, UnrecoverableKeyException, NoSuchProviderException { try { @@ -169,7 +176,9 @@ public class SMIMEKeyHolder implements KeyHolder{ // in the signature this.certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList), "BC"); - + + jcaCertStore = new JcaCertStore(certList); + } /** 
@@ -195,24 +204,27 @@ public class SMIMEKeyHolder implements KeyHolder{ public CertStore getCertStore() { return this.certStore; } - + /** * Creates an <CODE>SMIMESignedGenerator</CODE>. Includes a signer private key and certificate, * and a pool of certs and cerls (if any) to go with the signature. * @return The generated SMIMESignedGenerator. - */ - @SuppressWarnings("deprecation") - public SMIMESignedGenerator createGenerator() throws CertStoreException, SMIMEException { + */ + public SMIMESignedGenerator createGenerator() throws CertStoreException, SMIMEException, OperatorCreationException, + CertificateEncodingException { // create the generator for creating an smime/signed message SMIMESignedGenerator generator = new SMIMESignedGenerator(); // add a signer to the generator - this specifies we are using SHA1 // the encryption algorithm used is taken from the key - generator.addSigner(this.privateKey, this.certificate, SMIMESignedGenerator.DIGEST_SHA1); + SignerInfoGenerator signerInfoGenerator = new JcaSimpleSignerInfoGeneratorBuilder() + .setProvider("BC") + .build("SHA1withRSA", privateKey, certificate); + generator.addSignerInfoGenerator(signerInfoGenerator); // add our pool of certs and cerls (if any) to go with the signature - generator.addCertificatesAndCRLs(this.certStore); + generator.addCertificates(jcaCertStore); return generator; 
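Review bot: `.build("SHA1withRSA", privateKey, certificate)` hard-codes the key algorithm as well as the digest, while the removed `addSigner(..., DIGEST_SHA1)` took the signature algorithm from the key (as the comment two lines above still claims), so a keystore holding a DSA or EC signing key that worked before now fails when the signer is built. SHA-1 is also no longer an acceptable digest for new signatures, so while touching this line I would derive the name from the key and move to SHA-256: `String sigAlg = "EC".equals(privateKey.getAlgorithm()) ? "SHA256withECDSA" : "SHA256with" + privateKey.getAlgorithm();` followed by `.build(sigAlg, privateKey, certificate)` (keep `"SHA1with" + privateKey.getAlgorithm()` only if SHA-1-only recipients must still be supported), and reword the comment so it no longer says "SHA1" and "taken from the key". Separately, `generator.addCertificates(jcaCertStore)` adds certificates only, whereas the removed `addCertificatesAndCRLs(certStore)` would also have carried any CRLs; if `certList` never holds CRLs this is harmless, but the method Javadoc's "pool of certs and cerls (if any)" should then be corrected rather than left promising CRLs. createGenerator ends past the hunk.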
@@ -223,14 +235,14 @@ public class SMIMEKeyHolder implements KeyHolder{ * @param message The message to sign. * @return The signed <CODE>MimeMultipart</CODE>. */ - public MimeMultipart generate(MimeMessage message) throws CertStoreException, - NoSuchAlgorithmException, NoSuchProviderException, SMIMEException { + public MimeMultipart generate(MimeMessage message) throws CertStoreException, NoSuchAlgorithmException, NoSuchProviderException, + SMIMEException, OperatorCreationException, CertificateEncodingException { // create the generator for creating an smime/signed MimeMultipart SMIMESignedGenerator generator = createGenerator(); // do it - return generator.generate(message, "BC"); + return generator.generate(message); } @@ -238,16 +250,15 @@ public class SMIMEKeyHolder implements KeyHolder{ * Generates a signed MimeMultipart from a MimeBodyPart. * @param content The content to sign. * @return The signed <CODE>MimeMultipart</CODE>. - */ - @SuppressWarnings("deprecation") - public MimeMultipart generate(MimeBodyPart content) throws CertStoreException, - NoSuchAlgorithmException, NoSuchProviderException, SMIMEException { + */ + public MimeMultipart generate(MimeBodyPart content) throws CertStoreException, NoSuchAlgorithmException, NoSuchProviderException, + SMIMEException, OperatorCreationException, CertificateEncodingException { // create the generator for creating an smime/signed MimeMultipart SMIMESignedGenerator generator = createGenerator(); // do it - return generator.generate(content, "BC"); + return generator.generate(content); } http://git-wip-us.apache.org/repos/asf/james-project/blob/a14fd656/mailet/crypto/src/main/java/org/apache/james/transport/mailet/SMIMEDecrypt.java ---------------------------------------------------------------------- diff --git a/mailet/crypto/src/main/java/org/apache/james/transport/mailet/SMIMEDecrypt.java b/mailet/crypto/src/main/java/org/apache/james/transport/mailet/SMIMEDecrypt.java index 71820bf..2d24e6c 100644 
--- a/mailet/crypto/src/main/java/org/apache/james/transport/mailet/SMIMEDecrypt.java +++ b/mailet/crypto/src/main/java/org/apache/james/transport/mailet/SMIMEDecrypt.java @@ -26,21 +26,21 @@ import java.security.GeneralSecurityException; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; -import java.util.Iterator; import javax.mail.MessagingException; import javax.mail.Multipart; import javax.mail.Part; -import javax.mail.internet.MimeBodyPart; import javax.mail.internet.MimeMessage; import org.apache.james.transport.SMIMEKeyHolder; -import org.apache.mailet.base.GenericMailet; import org.apache.mailet.Mail; import org.apache.mailet.MailetConfig; +import org.apache.mailet.base.GenericMailet; import org.bouncycastle.cms.CMSException; import org.bouncycastle.cms.RecipientId; import org.bouncycastle.cms.RecipientInformation; +import org.bouncycastle.cms.RecipientInformationStore; +import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient; import org.bouncycastle.mail.smime.SMIMEEnveloped; import org.bouncycastle.mail.smime.SMIMEUtil; 
@@ -113,28 +113,29 @@ public class SMIMEDecrypt extends GenericMailet { if (message.isMimeType("application/x-pkcs7-mime") || message.isMimeType("application/pkcs7-mime")) { try { SMIMEEnveloped env = new SMIMEEnveloped(message); + RecipientInformationStore informationStore = env.getRecipientInfos(); @SuppressWarnings("unchecked") - Collection<RecipientInformation> recipients = env.getRecipientInfos().getRecipients(); - Iterator<RecipientInformation> iter = recipients.iterator(); - while (iter.hasNext()) { - RecipientInformation info = iter.next(); + Collection<RecipientInformation> recipients = informationStore.getRecipients(); + for (RecipientInformation info : recipients) { RecipientId id = info.getRID(); if (id.match(keyHolder.getCertificate())) { try { - @SuppressWarnings("deprecation") - MimeBodyPart part = SMIMEUtil.toMimeBodyPart(info.getContent(keyHolder.getPrivateKey(), "BC")); + JceKeyTransEnvelopedRecipient recipient = new JceKeyTransEnvelopedRecipient(keyHolder.getPrivateKey()); // strippedMessage contains the decrypted message. - strippedMessage = part; + strippedMessage = SMIMEUtil.toMimeBodyPart(info.getContent(recipient)); log("Encrypted message decrypted"); } catch (Exception e) { - throw new MessagingException("Error during the decryption of the message", e); } + throw new MessagingException("Error during the decryption of the message", e); + } } else { log("Found an encrypted message but it isn't encrypted for the supplied key"); } } - } catch (CMSException e) { throw new MessagingException("Error during the decryption of the message",e); } + } catch (CMSException e) { + throw new MessagingException("Error during the decryption of the message",e); + } } - + // if the decryption has been successful.. if (strippedMessage != null) { // I put the private key's public certificate as a mailattribute. http://git-wip-us.apache.org/repos/asf/james-project/blob/a14fd656/mailet/pom.xml ---------------------------------------------------------------------- 
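Review bot: The unchanged `id.match(keyHolder.getCertificate())` now runs against the 1.52 `RecipientId`, whose `match(Object)` is backed by `X509CertificateHolderSelector` and, as far as I can tell, recognises an `X509CertificateHolder` or a key-identifier `byte[]` but not a JCA `X509Certificate` (the 1.46 `RecipientId` extended `X509CertSelector`, which did); if so every recipient falls into the "isn't encrypted for the supplied key" branch and nothing is decrypted any more. Convert the certificate first — `if (id.match(new JcaX509CertificateHolder(keyHolder.getCertificate()))) {` with `org.bouncycastle.cert.jcajce.JcaX509CertificateHolder` imported; its `CertificateEncodingException` is not covered by the outer `catch (CMSException e)` and needs its own handling — and add a decrypt round-trip test, since this is a behaviour change that compiles cleanly. The new `new JceKeyTransEnvelopedRecipient(keyHolder.getPrivateKey())` also names no provider where the removed `getContent(..., "BC")` did, so key unwrapping now goes to whichever JCE provider wins by priority; declare it as `Recipient recipient = new JceKeyTransEnvelopedRecipient(keyHolder.getPrivateKey()).setProvider("BC");` (import `org.bouncycastle.cms.Recipient`) to keep the previous behaviour and match `KeyStoreHolder`. The enclosing method begins before this hunk.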
diff --git a/mailet/pom.xml b/mailet/pom.xml
index 276beec..1183e55 100644
--- a/mailet/pom.xml
+++ b/mailet/pom.xml
@@ -42,7 +42,6 @@
 <javax.version>1.4.4</javax.version>
 <junit.version>4.10</junit.version>
 <activation.version>1.1.1</activation.version>
- <bcmail-jdk16.version>1.46</bcmail-jdk16.version>
 <commons-collections.version>3.2.1</commons-collections.version>
 <commons-io.version>2.4</commons-io.version>
 <commons-lang.version>2.6</commons-lang.version>
@@ -98,8 +97,8 @@
 </dependency>
 <dependency>
 <groupId>org.bouncycastle</groupId>
- <artifactId>bcmail-jdk16</artifactId>
- <version>${bcmail-jdk16.version}</version>
+ <artifactId>bcmail-jdk15on</artifactId>
+ <version>1.52</version>
 </dependency>
 <dependency>
 <groupId>org.apache.maven.artifact</groupId>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
