0.18.1: - integration des BouncyCastleJsseProvider und bouncy castle versionen 1.75

Author: basketmc

CHANGELOG.md

@@ -19,6 +19,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ```
 ```
 
+## [0.18.1]
+
+### Added
+```
+```
+
+### Changed
+```
+```
+
+### Fixed
+```
+- integration des BouncyCastleJsseProvider und bouncy castle versionen 1.75
+```
+
 ## [0.17.0]
 
 ### Added

pom.xml

@@ -10,7 +10,7 @@
     </parent>
     <groupId>net.sberg</groupId>
     <artifactId>openkim</artifactId>
-    <version>0.18.0</version>
+    <version>0.18.1</version>
     <name>openkim</name>
     <description>Open KIM Client Modul</description>
 
@@ -99,17 +99,22 @@
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk18on</artifactId>
-            <version>1.72</version>
+            <version>1.75</version>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcmail-jdk18on</artifactId>
-            <version>1.72</version>
+            <version>1.75</version>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcpkix-jdk18on</artifactId>
-            <version>1.72</version>
+            <version>1.75</version>
+        </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bctls-jdk18on</artifactId>
+            <version>1.75</version>
         </dependency>
         <dependency>
             <groupId>dnsjava</groupId>
@@ -130,6 +135,16 @@
             <groupId>net.sf.jasperreports</groupId>
             <artifactId>jasperreports</artifactId>
             <version>6.20.0</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcutil-jdk15on</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcprov-jdk15on</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
@@ -204,16 +219,6 @@
             <version>1.18.24</version>
             <scope>provided</scope>
         </dependency>
-        <!--dependency>
-            <groupId>javax.xml.bind</groupId>
-            <artifactId>jaxb-api</artifactId>
-            <version>2.3.1</version>
-        </dependency>
-        <dependency>
-            <groupId>javax.xml.ws</groupId>
-            <artifactId>jaxws-api</artifactId>
-            <version>2.3.1</version>
-        </dependency-->
     </dependencies>
 
     <build>

src/main/java/net/sberg/openkim/AppConfig.java

@@ -19,6 +19,7 @@
 
 import jakarta.annotation.PostConstruct;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
@@ -39,7 +40,8 @@ public class AppConfig {
 
     @PostConstruct
     public void init() throws Exception {
-        Security.addProvider(new BouncyCastleProvider());
+        Security.insertProviderAt(new BouncyCastleProvider(), 1);
+        Security.insertProviderAt(new BouncyCastleJsseProvider(), 1);
     }
 
     @Bean

src/main/java/net/sberg/openkim/gateway/GatewayKeystoreService.java

@@ -16,27 +16,38 @@
  */
 package net.sberg.openkim.gateway;
 
-import io.netty.handler.ssl.util.SelfSignedCertificate;
-import net.sberg.openkim.common.FileUtils;
 import net.sberg.openkim.common.ICommonConstants;
+import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.*;
+import org.bouncycastle.cert.X509ExtensionUtils;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.DigestCalculator;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 
 import java.io.ByteArrayInputStream;
 import java.io.File;
-import java.io.FileInputStream;
 import java.io.FileOutputStream;
-import java.security.KeyFactory;
-import java.security.KeyStore;
-import java.security.PrivateKey;
-import java.security.SecureRandom;
+import java.math.BigInteger;
+import java.security.*;
 import java.security.cert.Certificate;
-import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.security.spec.ECGenParameterSpec;
 import java.security.spec.PKCS8EncodedKeySpec;
+import java.time.Duration;
+import java.time.Instant;
 import java.util.Base64;
+import java.util.Date;
 
 @Service
 public class GatewayKeystoreService {
@@ -57,35 +68,59 @@ public class GatewayKeystoreService {
     @Value("${gatewaykeystore.password}")
     private String password;
 
-    public void createSelfSigned() throws Exception {
-        if (log.isInfoEnabled()) {
-            log.info("***generateSelfSigned keys and cert - BEGIN***");
-        }
-
-        SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate("eldix4kim.sberg.net", SecureRandom.getInstance("NativePRNG"), keysize);
+    private SubjectKeyIdentifier createSubjectKeyId(final PublicKey publicKey) throws OperatorCreationException {
+        final SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
+        final DigestCalculator digCalc =
+                new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
 
-        CertificateFactory fact = CertificateFactory.getInstance("X.509");
-        FileInputStream is = new FileInputStream(selfSignedCertificate.certificate());
-        X509Certificate cer = (X509Certificate) fact.generateCertificate(is);
-        is.close();
+        return new X509ExtensionUtils(digCalc).createSubjectKeyIdentifier(publicKeyInfo);
+    }
 
-        Certificate[] chain = new Certificate[]{cer};
+    private AuthorityKeyIdentifier createAuthorityKeyId(final PublicKey publicKey)
+            throws OperatorCreationException
+    {
+        final SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
+        final DigestCalculator digCalc =
+                new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
 
-        String privKeyContent = FileUtils.readFileContent(selfSignedCertificate.privateKey().getAbsolutePath());
-        String privateKeyPEM = privKeyContent
-            .replace(BEGIN_KEY, "")
-            .replaceAll(System.lineSeparator(), "")
-            .replace(END_KEY, "");
+        return new X509ExtensionUtils(digCalc).createAuthorityKeyIdentifier(publicKeyInfo);
+    }
 
-        byte[] encoded = Base64.getDecoder().decode(privateKeyPEM.getBytes("UTF-8"));
+    public void createSelfSigned() throws Exception {
+        if (log.isInfoEnabled()) {
+            log.info("***generateSelfSigned keys and cert - BEGIN***");
+        }
 
-        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(encoded);
-        KeyFactory kf = KeyFactory.getInstance("RSA");
-        PrivateKey privKey = kf.generatePrivate(spec);
+        KeyPairGenerator kg = KeyPairGenerator.getInstance("EC", "BC");
+        ECGenParameterSpec kpgparams = new ECGenParameterSpec("brainpoolP256r1");
+        kg.initialize(kpgparams);
+
+        KeyPair keyPair = kg.generateKeyPair();
+
+        final Instant now = Instant.now();
+        final Date notBefore = Date.from(now);
+        final Date notAfter = Date.from(now.plus(Duration.ofDays(365)));
+        final ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256withECDSA").build(keyPair.getPrivate());
+        final X500Name x500Name = new X500Name("CN=" + "eldix4kim.sberg.net");
+
+        final X509v3CertificateBuilder certificateBuilder =
+            new JcaX509v3CertificateBuilder(x500Name,
+                BigInteger.valueOf(now.toEpochMilli()),
+                notBefore,
+                notAfter,
+                x500Name,
+                keyPair.getPublic())
+                .addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyId(keyPair.getPublic()))
+                .addExtension(Extension.authorityKeyIdentifier, false, createAuthorityKeyId(keyPair.getPublic()))
+                .addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
+
+        X509Certificate x509Certificate = new JcaX509CertificateConverter()
+                .setProvider(new BouncyCastleProvider()).getCertificate(certificateBuilder.build(contentSigner));
+        Certificate[] chain = new Certificate[]{x509Certificate};
 
         KeyStore keyStore = KeyStore.getInstance("PKCS12", "BC");
         keyStore.load(null, null);
-        keyStore.setKeyEntry(ICommonConstants.OPENKIM_SERVER_KEYSTORE_ALIAS, privKey, password.toCharArray(), chain);
+        keyStore.setKeyEntry(ICommonConstants.OPENKIM_SERVER_KEYSTORE_ALIAS, keyPair.getPrivate(), password.toCharArray(), chain);
         keyStore.store(
             new FileOutputStream(new File(ICommonConstants.BASE_DIR + ICommonConstants.OPENKIM_SERVER_KEYSTORE_FILENAME)),
             password.toCharArray()

src/main/java/net/sberg/openkim/gateway/pop3/Pop3Gateway.java

@@ -121,11 +121,11 @@ private Encryption buildSSLContext(Konfiguration konfiguration) throws Exception
                 ks.load(fis, keyStorePwd.toCharArray());
 
                 // Set up key manager factory to use our key store
-                KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+                KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX", "BCJSSE");
                 kmf.init(ks, keyStorePwd.toCharArray());
 
                 // Initialize the SSLContext to work with our key managers.
-                SSLContext context = SSLContext.getInstance("TLS");
+                SSLContext context = SSLContext.getInstance("TLS", "BCJSSE");
                 context.init(kmf.getKeyManagers(), null, null);
                 if (konfiguration.getPop3GatewayConnectionSec().equals(EnumMailConnectionSecurity.STARTTLS)) {
                     encryption = Encryption.createStartTls(context, null, null, ClientAuth.NONE);
@@ -134,7 +134,11 @@ private Encryption buildSSLContext(Konfiguration konfiguration) throws Exception
                     encryption = Encryption.createTls(context, null, null, ClientAuth.NONE);
                 }
 
-            } finally {
+            }
+            catch (Exception e) {
+                log.error("error on starting the pop3 gateway - bulding ssl context", e);
+            }
+            finally {
                 if (fis != null) {
                     fis.close();
                 }

src/main/java/net/sberg/openkim/gateway/smtp/SmtpGateway.java

@@ -124,11 +124,11 @@ private Encryption buildSSLContext(Konfiguration konfiguration) throws Exception
                 ks.load(fis, keyStorePwd.toCharArray());
 
                 // Set up key manager factory to use our key store
-                KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+                KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX", "BCJSSE");
                 kmf.init(ks, keyStorePwd.toCharArray());
 
                 // Initialize the SSLContext to work with our key managers.
-                SSLContext context = SSLContext.getInstance("TLS");
+                SSLContext context = SSLContext.getInstance("TLS", "BCJSSE");
                 context.init(kmf.getKeyManagers(), null, null);
                 if (konfiguration.getSmtpGatewayConnectionSec().equals(EnumMailConnectionSecurity.STARTTLS)) {
                     encryption = Encryption.createStartTls(context, null, null, ClientAuth.NONE);
@@ -137,7 +137,11 @@ private Encryption buildSSLContext(Konfiguration konfiguration) throws Exception
                     encryption = Encryption.createTls(context, null, null, ClientAuth.NONE);
                 }
 
-            } finally {
+            }
+            catch (Exception e) {
+                log.error("error on starting the smtp gateway - bulding ssl context", e);
+            }
+            finally {
                 if (fis != null) {
                     fis.close();
                 }

src/main/java/net/sberg/openkim/gateway/smtp/hook/SmtpGatewayMailHook.java

@@ -388,7 +388,7 @@ public HookResult onMessage(SMTPSession session, MailEnvelope mailEnvelope) {
                 smtpGatewaySession.log("mail hook ends");
                 return HookResult.OK;
             } else {
-                smtpGatewaySession.log("mail hook ends - error");
+                smtpGatewaySession.log("mail hook ends on sendShortMessageData - "+smtpGatewaySession.getSmtpClient().getReplyCode()+" - "+smtpGatewaySession.getSmtpClient().getReplyString()+" - error");
                 return HookResult.DENY;
             }
         } catch (Exception e) {

src/main/java/net/sberg/openkim/konfiguration/Konfiguration.java

@@ -68,11 +68,11 @@ public class Konfiguration {
     private MultipartFile fachdienstCertFile;
 
     @JsonIgnore
-    private String xkimCmVersion = "OpenKIM_0.17.0";
+    private String xkimCmVersion = "OpenKIM_0.18.1";
     @JsonIgnore
-    private String xkimPtVersion = "1.5.0-2";
+    private String xkimPtVersion = "1.6.2-3";
     @JsonIgnore
-    private EnumKomLeVersion xkimPtShortVersion = EnumKomLeVersion.V1_5plus;
+    private EnumKomLeVersion xkimPtShortVersion = EnumKomLeVersion.V1_5;
 
     private List<Konnektor> konnektoren = new ArrayList<>();
 

src/main/java/net/sberg/openkim/pipeline/operation/mail/MailUtils.java

@@ -369,7 +369,8 @@ public static final Session createPop3ClientSession(
             authMethod,
             host,
             port,
-            pop3ClientIdleTimeoutInSeconds * 1000
+            pop3ClientIdleTimeoutInSeconds * 1000,
+            !createSSLSocketFactory
         );
 
         if (createSSLSocketFactory) {
@@ -385,7 +386,8 @@ public static final Properties fillPop3MailProps(
         EnumMailAuthMethod authMethod,
         String host,
         String port,
-        int timeout) throws Exception {
+        int timeout,
+        boolean trustAllHosts) throws Exception {
         if (connectionSecurity.equals(EnumMailConnectionSecurity.STARTTLS)) {
             props.put("mail.pop3.starttls.enable", "true");
             props.put("mail.pop3.ssl.enable", "false");
@@ -403,6 +405,10 @@ public static final Properties fillPop3MailProps(
             props.put("mail.pop3.auth", "false");
         }
 
+        if (trustAllHosts) {
+            props.put("mail.pop3.ssl.trust", "*");
+        }
+
         props.put("mail.transport.protocol", "pop3");
         props.put("mail.store.protocol", "pop3");
         props.put("mail.pop3.host", host);
@@ -420,7 +426,8 @@ public static final Properties fillSmtpMailProps(
         EnumMailAuthMethod authMethod,
         String host,
         String port,
-        int timeout) throws Exception {
+        int timeout,
+        boolean trustAllHosts) throws Exception {
         if (connectionSecurity.equals(EnumMailConnectionSecurity.STARTTLS)) {
             props.put("mail.smtp.starttls.enable", "true");
             props.put("mail.smtp.ssl.enable", "false");
@@ -442,7 +449,9 @@ else if (connectionSecurity.equals(EnumMailConnectionSecurity.NONE)) {
         }
 
         props.put("mail.transport.protocol", "smtp");
-        props.put("mail.smtp.ssl.trust", "*");
+        if (trustAllHosts) {
+            props.put("mail.smtp.ssl.trust", "*");
+        }
         props.put("mail.smtp.host", host);
         props.put("mail.smtp.port", port);
         props.put("mail.smtp.connectiontimeout", timeout);

src/main/java/net/sberg/openkim/pipeline/operation/test/SendMailTestOperation.java

@@ -95,7 +95,8 @@ public void execute(DefaultPipelineOperationContext defaultPipelineOperationCont
                 EnumMailAuthMethod.NORMALPWD,
                 konfiguration.getGatewayHost(),
                 konfiguration.getSmtpGatewayPort(),
-                konfiguration.getSmtpGatewayIdleTimeoutInSeconds() * 1000
+                konfiguration.getSmtpGatewayIdleTimeoutInSeconds() * 1000,
+                true
             );
             Session session = Session.getInstance(props);