Replace deprecated methods from BouncyCastle library (#17)

IlianaGenova · web-flow · commit a25320098e81 · 2020-07-15T08:31:03.000-07:00
* changes to CSR file
* indentation fix
* fixed key converting with new csr non-deprecated class
diff --git a/src/main/java/com/venafi/vcert/sdk/certificate/CertificateRequest.java b/src/main/java/com/venafi/vcert/sdk/certificate/CertificateRequest.java
@@ -9,7 +9,6 @@
 import java.io.StringReader;
 import java.net.InetAddress;
 import java.security.InvalidAlgorithmParameterException;
-import java.security.InvalidKeyException;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
@@ -25,20 +24,24 @@
 import java.util.Collection;
 import java.util.List;
 import java.util.Objects;
-import java.util.Vector;
 import javax.security.auth.x500.X500Principal;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.DEROctetString;
-import org.bouncycastle.asn1.DERSet;
-import org.bouncycastle.asn1.pkcs.Attribute;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x500.X500NameBuilder;
 import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.ExtensionsGenerator;
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
-import org.bouncycastle.asn1.x509.X509Extension;
-import org.bouncycastle.asn1.x509.X509Extensions;
-import org.bouncycastle.jce.PKCS10CertificationRequest;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.operator.AlgorithmNameFinder;
+import org.bouncycastle.operator.DefaultAlgorithmNameFinder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
 import org.bouncycastle.util.io.pem.PemReader;
 import com.google.common.annotations.VisibleForTesting;
 import com.venafi.vcert.sdk.SignatureAlgorithm;
@@ -111,7 +114,12 @@ public void generatePrivateKey() throws VCertException {
 
   public void generateCSR() throws VCertException {
     try {
-      List<GeneralName> sans = new ArrayList<GeneralName>();
+      List<GeneralName> sans = new ArrayList<>();
+
+      PKCS10CertificationRequestBuilder requestBuilder =
+              new JcaPKCS10CertificationRequestBuilder(subject.toX500Principal(), keyPair.getPublic());
+      JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm.standardName());
+      ContentSigner signer = signerBuilder.build(keyPair.getPrivate());
 
       for (String san : dnsNames) {
         sans.add(new GeneralName(GeneralName.dNSName, san));
@@ -122,21 +130,14 @@ public void generateCSR() throws VCertException {
       for (String san : emailAddresses) {
         sans.add(new GeneralName(GeneralName.rfc822Name, san));
       }
+      if (!sans.isEmpty()){
+        GeneralNames names = new GeneralNames(sans.toArray(new GeneralName[]{}));
 
-      GeneralNames names = new GeneralNames(sans.toArray(new GeneralName[] {}));
-      Vector oids = new Vector();
-      Vector values = new Vector();
-
-      oids.add(X509Extensions.SubjectAlternativeName);
-      values.add(new X509Extension(false, new DEROctetString(names)));
-
-      X509Extensions extensions = new X509Extensions(oids, values);
-      Attribute attribute =
-          new Attribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, new DERSet(extensions));
-
-      PKCS10CertificationRequest certificationRequest = new PKCS10CertificationRequest(
-          signatureAlgorithm.standardName(), subject.toX500Principal(), keyPair.getPublic(),
-          new DERSet(attribute), keyPair.getPrivate());
+        ExtensionsGenerator extGen = new ExtensionsGenerator();
+        extGen.addExtension(Extension.subjectAlternativeName, false, names);
+        requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
+      }
+      PKCS10CertificationRequest certificationRequest = requestBuilder.build(signer);
 
       ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
       outputStream.write("-----BEGIN CERTIFICATE REQUEST-----".getBytes());
@@ -274,7 +275,7 @@ public boolean checkCertificate(Certificate certificate) throws VCertException {
                   || certCurve != csrCurve //
                       && (!certCurve.getA().equals(csrCurve.getA()) //
                           || !certCurve.getB().equals(csrCurve.getB()) //
-                          || certField.getFieldSize() != csrField.getFieldSize()))) {
+                         || certField.getFieldSize() != csrField.getFieldSize()))) {
             throw new VCertException("unmatched parameters for elliptic keys");
           }
           break;
@@ -287,25 +288,28 @@ public boolean checkCertificate(Certificate certificate) throws VCertException {
         PKCS10CertificationRequest csr =
             new PKCS10CertificationRequest(pemReader.readPemObject().getContent());
         pemReader.close();
+        AlgorithmNameFinder nameFinder = new DefaultAlgorithmNameFinder();
+        JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
 
         PublicKeyAlgorithm csrPublicKeyAlgorithm =
-            PublicKeyAlgorithm.valueOf(csr.getPublicKey("BC").getAlgorithm());
+            PublicKeyAlgorithm.valueOf(String.valueOf(nameFinder.getAlgorithmName(csr.getSubjectPublicKeyInfo().getAlgorithm())));
+
         if (publicKeyAlgorithm != csrPublicKeyAlgorithm) {
           throw new VCertException(
-              format("unmatched key type: %s, %s", publicKeyAlgorithm, csrPublicKeyAlgorithm));
+               format("unmatched key type: %s, %s", publicKeyAlgorithm, csrPublicKeyAlgorithm));
         }
 
         switch (csrPublicKeyAlgorithm) {
           case RSA:
             RSAPublicKey certPublicKey = (RSAPublicKey) certificate.getPublicKey();
-            RSAPublicKey reqPublicKey = (RSAPublicKey) csr.getPublicKey();
+            RSAPublicKey reqPublicKey = (RSAPublicKey) converter.getPublicKey(csr.getSubjectPublicKeyInfo());
             if (certPublicKey.getModulus().compareTo(reqPublicKey.getModulus()) != 0) {
               throw new VCertException("unmatched key modules");
             }
             break;
           case ECDSA:
             ECPublicKey certEcPublicKey = (ECPublicKey) certificate.getPublicKey();
-            ECPublicKey reqEcPublicKey = (ECPublicKey) csr.getPublicKey();
+            ECPublicKey reqEcPublicKey = (ECPublicKey) converter.getPublicKey(csr.getSubjectPublicKeyInfo());
 
             // https://stackoverflow.com/questions/24121801/how-to-verify-if-the-private-key-matches-with-the-certificate
             java.security.spec.ECParameterSpec certSpec = certEcPublicKey.getParams(),
@@ -326,8 +330,7 @@ public boolean checkCertificate(Certificate certificate) throws VCertException {
             }
             break;
         }
-      } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeyException
-          | IOException e) {
+      } catch (IOException e) {
         throw new VCertException(format("bad csr: %s", e.getMessage()), e);
       }
     }
