Fix deprecations and github workflow

Author: enricovianello

.github/workflows/maven.yaml

@@ -8,11 +8,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
-    - name: Set up JDK 11
+    - name: Set up JDK 17
       uses: actions/setup-java@v4
       with:
         distribution: 'temurin'
-        java-version: 11
+        java-version: 17
 
     - name: Install libfaketime on Ubuntu
       run: |
@@ -46,4 +46,4 @@ jobs:
         key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
         restore-keys: ${{ runner.os }}-m2
     - name: Build with Maven
-      run: mvn -B clean package
+      run: mvn -B clean package

src/main/java/org/italiangrid/voms/request/SSLSocketFactoryProvider.java

@@ -30,7 +30,9 @@
 
 import eu.emi.security.authn.x509.X509CertChainValidatorExt;
 import eu.emi.security.authn.x509.X509Credential;
-import eu.emi.security.authn.x509.impl.SocketFactoryCreator;
+import eu.emi.security.authn.x509.helpers.ssl.DisabledNameMismatchCallback;
+import eu.emi.security.authn.x509.helpers.ssl.EnforcingNameMismatchCallback;
+import eu.emi.security.authn.x509.impl.SocketFactoryCreator2;
 
 /**
  * Provider for a SSL socket factory configured using CAnL.
@@ -40,22 +42,26 @@
  * 
  */
 public class SSLSocketFactoryProvider {
-  
+
   private X509Credential credential;
   private X509CertChainValidatorExt validator;
+  private boolean skipHostnameChecks;
 
-  public SSLSocketFactoryProvider(X509Credential credential,
-    X509CertChainValidatorExt validator) {
+  public SSLSocketFactoryProvider(X509Credential credential, X509CertChainValidatorExt validator, boolean skipHostnameChecks) {
 
     this.credential = credential;
     this.validator = validator;
+    this.skipHostnameChecks = skipHostnameChecks;
+  }
 
+  public SSLSocketFactoryProvider(X509Credential credential, X509CertChainValidatorExt validator) {
+
+    this(credential, validator, false);
   }
 
   public SSLSocketFactoryProvider(X509Credential credential) {
 
-    this(credential, new CertificateValidatorBuilder()
-      .trustAnchorsUpdateInterval(60000L).build());
+    this(credential, new CertificateValidatorBuilder().trustAnchorsUpdateInterval(60000L).build());
   }
 
   /**
@@ -76,21 +82,22 @@ public SSLSocketFactory getSSLSockectFactory() {
       throw new VOMSError(e.getMessage(), e);
     }
 
-    KeyManager[] keyManagers = new KeyManager[] { credential.getKeyManager() };
-
-    X509TrustManager trustManager = SocketFactoryCreator
-      .getSSLTrustManager(validator);
+    KeyManager[] keyManagers = new KeyManager[] {credential.getKeyManager()};
 
-    TrustManager[] trustManagers = new TrustManager[] { trustManager };
+    SocketFactoryCreator2 factory =
+        new SocketFactoryCreator2(credential, validator,
+            skipHostnameChecks ? new DisabledNameMismatchCallback()
+                : new EnforcingNameMismatchCallback());
+    X509TrustManager trustManager = factory.getSSLTrustManager();
 
-    SecureRandom secureRandom = null;
+    TrustManager[] trustManagers = new TrustManager[] {trustManager};
 
     /* http://bugs.sun.com/view_bug.do?bug_id=6202721 */
     /*
-     * Use new SecureRandom instead of SecureRandom.getInstance("SHA1PRNG") to
-     * avoid unnecessary blocking
+     * Use new SecureRandom instead of SecureRandom.getInstance("SHA1PRNG") to avoid unnecessary
+     * blocking
      */
-    secureRandom = new SecureRandom();
+    SecureRandom secureRandom = new SecureRandom();
 
     try {
 

src/main/java/org/italiangrid/voms/request/impl/AbstractVOMSProtocol.java

@@ -119,7 +119,7 @@ public AbstractVOMSProtocol(X509CertChainValidatorExt validator,
   protected SSLSocketFactory getSSLSocketFactory(X509Credential credential) {
 
     SSLSocketFactoryProvider sslSocketFactoryProvider = new SSLSocketFactoryProvider(
-      credential, validator);
+      credential, validator, skipHostnameChecks);
     return sslSocketFactoryProvider.getSSLSockectFactory();
   }
 

src/main/java/org/italiangrid/voms/request/impl/LegacyProtocol.java

@@ -19,9 +19,9 @@
 import java.io.InputStream;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
+import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 
-import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 
@@ -36,16 +36,15 @@
 import eu.emi.security.authn.x509.X509Credential;
 import eu.emi.security.authn.x509.impl.CertificateUtils;
 import eu.emi.security.authn.x509.impl.FormatMode;
-import eu.emi.security.authn.x509.impl.HostnameMismatchCallback;
-import eu.emi.security.authn.x509.impl.SocketFactoryCreator;
+import eu.emi.security.authn.x509.impl.HostnameMismatchCallback2;
 
 /**
  * Protocol implementing the legacy interface.
  * 
  * 
  */
 public class LegacyProtocol extends AbstractVOMSProtocol implements
-  VOMSProtocol, HostnameMismatchCallback {
+  VOMSProtocol, HostnameMismatchCallback2 {
 
   public LegacyProtocol(X509CertChainValidatorExt validator,
     VOMSProtocolListener listener, int connectTimeout, int readTimeout) {
@@ -70,9 +69,6 @@ public synchronized VOMSResponse doRequest(VOMSServerInfo endpoint,
         endpoint.getURL().getPort());
 
       sslSocket.connect(sa, connectTimeout);
-      if (!isSkipHostnameChecks()) {
-        SocketFactoryCreator.connectWithHostnameChecking(sslSocket, this);
-      }
 
     } catch (Throwable t) {
 
@@ -105,17 +101,17 @@ public synchronized VOMSResponse doRequest(VOMSServerInfo endpoint,
     return response;
   }
 
-  public void nameMismatch(SSLSocket socket, X509Certificate peerCertificate,
-    String hostName) throws SSLException {
+  @Override
+  public void nameMismatch(X509Certificate peerCertificate, String hostName)
+      throws CertificateException {
 
     String peerCertString = CertificateUtils.format(peerCertificate,
-      FormatMode.MEDIUM_ONE_LINE);
-    String message = String
-      .format(
-        "No subject alternative DNS name matching %s found. Peer certificate : %s",
-        hostName, peerCertString);
-    throw new SSLException(message);
-
+        FormatMode.MEDIUM_ONE_LINE);
+      String message = String
+        .format(
+          "No subject alternative DNS name matching %s found. Peer certificate : %s",
+          hostName, peerCertString);
+      throw new CertificateException(message);
   }
 
 }

src/test/java/org/italiangrid/voms/test/TestOpensslHashFunction.java

@@ -92,8 +92,8 @@ public void testMD5HashFailsOnSHA1Dir() {
       "Trusted issuer of this certificate was not established",
       result.getErrors().get(1).getMessage());
 
-    Assert.assertEquals(cred.getCertificate().getSubjectDN(),
-      result.getErrors().get(1).getChain()[0].getSubjectDN());
+    Assert.assertEquals(cred.getCertificate().getSubjectX500Principal(),
+      result.getErrors().get(1).getChain()[0].getSubjectX500Principal());
 
   }
 
@@ -117,8 +117,8 @@ public void testSHA1FailsOnMD5Dir() {
       "Trusted issuer of this certificate was not established",
       result.getErrors().get(1).getMessage());
 
-    Assert.assertEquals(cred.getCertificate().getSubjectDN(),
-      result.getErrors().get(1).getChain()[0].getSubjectDN());
+    Assert.assertEquals(cred.getCertificate().getSubjectX500Principal(),
+      result.getErrors().get(1).getChain()[0].getSubjectX500Principal());
 
   }
 

src/test/java/org/italiangrid/voms/test/TestVOMSESLineParser.java

@@ -18,12 +18,11 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
 import java.net.URISyntaxException;
 
-import org.hamcrest.CoreMatchers;
 import org.italiangrid.voms.VOMSError;
 import org.italiangrid.voms.request.VOMSServerInfo;
 import org.italiangrid.voms.request.impl.VOMSESLineParser;
@@ -68,9 +67,7 @@ public void emptyAlias() {
       fail("No error raised.");
     } catch (VOMSError e) {
       assertNotNull("Got a null error message", e.getMessage());
-      assertThat(e.getMessage(),
-        CoreMatchers
-          .containsString("Invalid VOMSES line: empty 'vo alias' field."));
+      assertTrue(e.getMessage().contains("Invalid VOMSES line: empty 'vo alias' field."));
     }
   }
 
@@ -84,9 +81,7 @@ public void incompleteAlias() {
       fail("No error raised.");
     } catch (VOMSError e) {
       assertNotNull("Got a null error message", e.getMessage());
-      assertThat(e.getMessage(),
-        CoreMatchers
-          .containsString("Invalid VOMSES line: incomplete 'vo alias' field."));
+      assertTrue(e.getMessage().contains("Invalid VOMSES line: incomplete 'vo alias' field."));
     }
   }
 
@@ -100,9 +95,7 @@ public void incompleteHost() {
       fail("No error raised.");
     } catch (VOMSError e) {
       assertNotNull("Got a null error message", e.getMessage());
-      assertThat(e.getMessage(),
-        CoreMatchers
-          .containsString("Invalid VOMSES line: incomplete 'voms host' field."));
+      assertTrue(e.getMessage().contains("Invalid VOMSES line: incomplete 'voms host' field."));
     }
   }
 
@@ -116,9 +109,7 @@ public void onlyAlias() {
       fail("No error raised.");
     } catch (VOMSError e) {
       assertNotNull("Got a null error message", e.getMessage());
-      assertThat(e.getMessage(),
-        CoreMatchers
-          .containsString("Invalid VOMSES line: incomplete information"));
+      assertTrue(e.getMessage().contains("Invalid VOMSES line: incomplete information"));
     }
   }
 
@@ -134,9 +125,7 @@ public void minimumInfoFailure() {
     } catch (VOMSError e) {
 
       assertNotNull("Got a null error message", e.getMessage());
-      assertThat(e.getMessage(),
-        CoreMatchers
-          .containsString("Invalid VOMSES line: incomplete information"));
+      assertTrue(e.getMessage().contains("Invalid VOMSES line: incomplete information"));
     }
   }
 
@@ -148,14 +137,10 @@ public void minimumInfo() {
     VOMSESLineParser p = new VOMSESLineParser();
     VOMSServerInfo i = p.parse(line);
 
-    assertThat(i.getAlias(), CoreMatchers.equalTo("a"));
-
-    assertThat(i.getURL().toString(),
-      CoreMatchers.equalTo("voms://voms.cern.ch:15000"));
-
-    assertThat(i.getVoName(), CoreMatchers.equalTo("alice"));
-
-    assertThat(i.getVOMSServerDN(), CoreMatchers.equalTo("DN=Illo"));
+    assertEquals("a", i.getAlias());
+    assertEquals("voms://voms.cern.ch:15000", i.getURL().toString());
+    assertEquals("alice", i.getVoName());
+    assertEquals("DN=Illo", i.getVOMSServerDN());
   }
 
   @Test
@@ -166,14 +151,10 @@ public void whitespaceHandling() {
     VOMSESLineParser p = new VOMSESLineParser();
     VOMSServerInfo i = p.parse(line);
 
-    assertThat(i.getAlias(), CoreMatchers.equalTo("a"));
-
-    assertThat(i.getURL().toString(),
-      CoreMatchers.equalTo("voms://voms.cern.ch:15000"));
-
-    assertThat(i.getVoName(), CoreMatchers.equalTo("alice"));
-
-    assertThat(i.getVOMSServerDN(), CoreMatchers.equalTo("DN=Illo"));
+    assertEquals("a", i.getAlias());
+    assertEquals("voms://voms.cern.ch:15000", i.getURL().toString());
+    assertEquals("alice", i.getVoName());
+    assertEquals("DN=Illo", i.getVOMSServerDN());
   }
 
   @Test
@@ -187,8 +168,7 @@ public void tooManyFields() {
       fail("No error raised.");
     } catch (VOMSError e) {
       assertNotNull("Got a null error message", e.getMessage());
-      assertThat(e.getMessage(),
-        CoreMatchers.containsString("Invalid VOMSES line: too many fields!"));
+      assertTrue(e.getMessage().contains("Invalid VOMSES line: too many fields!"));
     }
 
   }
@@ -204,9 +184,7 @@ public void invalidPort() {
       fail("No error raised.");
     } catch (VOMSError e) {
       assertNotNull("Got a null error message", e.getMessage());
-      assertThat(e.getMessage(),
-        CoreMatchers
-          .containsString("Invalid VOMSES line: invalid port number."));
+      assertTrue(e.getMessage().contains("Invalid VOMSES line: invalid port number."));
     }
 
   }
@@ -222,9 +200,7 @@ public void portOutOfRange1() {
       fail("No error raised.");
     } catch (VOMSError e) {
       assertNotNull("Got a null error message", e.getMessage());
-      assertThat(e.getMessage(),
-        CoreMatchers
-          .containsString("Invalid VOMSES line: invalid port number: -1"));
+      assertTrue(e.getMessage().contains("Invalid VOMSES line: invalid port number: -1"));
     }
   }
 
@@ -239,9 +215,7 @@ public void portOutOfRange2() {
       fail("No error raised.");
     } catch (VOMSError e) {
       assertNotNull("Got a null error message", e.getMessage());
-      assertThat(e.getMessage(),
-        CoreMatchers
-          .containsString("Invalid VOMSES line: invalid port number: 65536"));
+      assertTrue(e.getMessage().contains("Invalid VOMSES line: invalid port number: 65536"));
     }
   }
 
@@ -255,14 +229,12 @@ public void tooMultiCall() {
     VOMSServerInfo i0 = p.parse(line0);
     VOMSServerInfo i1 = p.parse(line1);
 
-    assertThat(i0.getAlias(), CoreMatchers.equalTo("a"));
-    assertThat(i0.getURL().toString(),
-      CoreMatchers.equalTo("voms://voms.cern.ch:15000"));
-    assertThat(i0.getVoName(), CoreMatchers.equalTo("alice"));
+    assertEquals("a", i0.getAlias());
+    assertEquals("voms://voms.cern.ch:15000", i0.getURL().toString());
+    assertEquals("alice", i0.getVoName());
 
-    assertThat(i1.getAlias(), CoreMatchers.equalTo("b"));
-    assertThat(i1.getURL().toString(),
-      CoreMatchers.equalTo("voms://voms.cern.ch:15001"));
-    assertThat(i1.getVoName(), CoreMatchers.equalTo("bolice"));
+    assertEquals("b", i1.getAlias());
+    assertEquals("voms://voms.cern.ch:15001", i1.getURL().toString());
+    assertEquals("bolice", i1.getVoName());
   }
 }