MirrorMirror
/
Signal-Server
mirror of https://github.com/signalapp/Signal-Server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Drop Bouncy Castle as a dependency.

This commit is contained in:
Jon Chambers 2021-04-22 18:13:03 -04:00 committed by Jon Chambers
parent 97d2d97ee7
commit 0e8d4f9a61
9 changed files with 44 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
gcm-sender-async/pom.xml
View File

@ -19,13 +19,6 @@
<artifactId>resilience4j-retry</artifactId>
<version>${resilience4j.version}</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk16</artifactId>
<version>1.46</version>
<scope>test</scope>
</dependency>
</dependencies>

6
service/pom.xml
View File

@ -45,12 +45,6 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk16</artifactId>
<version>1.46</version>
</dependency>
<dependency>
<groupId>io.github.resilience4j</groupId>
<artifactId>resilience4j-circuitbreaker</artifactId>

5
service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
View File

@ -61,7 +61,6 @@ import java.util.concurrent.TimeUnit;
import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletRegistration;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.eclipse.jetty.servlets.CrossOriginFilter;
import org.jdbi.v3.core.Jdbi;
import org.signal.zkgroup.ServerSecretParams;
@ -194,10 +193,6 @@ import org.whispersystems.websocket.setup.WebSocketEnvironment;
public class WhisperServerService extends Application<WhisperServerConfiguration> {
static {
Security.addProvider(new BouncyCastleProvider());
}
@Override
public void initialize(Bootstrap<WhisperServerConfiguration> bootstrap) {
bootstrap.addCommand(new VacuumCommand());

3
service/src/main/java/org/whispersystems/textsecuregcm/controllers/AttachmentControllerV3.java
View File

@ -23,6 +23,7 @@ import javax.ws.rs.core.MediaType;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.Base64;
@ -45,7 +46,7 @@ public class AttachmentControllerV3 extends AttachmentControllerBase {
private final SecureRandom secureRandom;
public AttachmentControllerV3(@Nonnull RateLimiters rateLimiters, @Nonnull String domain, @Nonnull String email, int maxSizeInBytes, @Nonnull String pathPrefix, @Nonnull String rsaSigningKey)
throws IOException, InvalidKeyException {
throws IOException, InvalidKeyException, InvalidKeySpecException {
this.rateLimiter = rateLimiters.getAttachmentLimiter();
this.canonicalRequestGenerator = new CanonicalRequestGenerator(domain, email, maxSizeInBytes, pathPrefix);
this.canonicalRequestSigner = new CanonicalRequestSigner(rsaSigningKey);

40
service/src/main/java/org/whispersystems/textsecuregcm/gcp/CanonicalRequestSigner.java
View File

@ -5,26 +5,32 @@
package org.whispersystems.textsecuregcm.gcp;
import org.apache.commons.codec.binary.Hex;
import org.bouncycastle.openssl.PEMReader;
import javax.annotation.Nonnull;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;
import org.apache.commons.codec.binary.Hex;
import org.whispersystems.websocket.util.Base64;
public class CanonicalRequestSigner {
@Nonnull
private final PrivateKey rsaSigningKey;
public CanonicalRequestSigner(@Nonnull String rsaSigningKey) throws IOException, InvalidKeyException {
private static final Pattern PRIVATE_KEY_PATTERN =
Pattern.compile("(?m)(?s)^-+BEGIN PRIVATE KEY-+$(.+)^-+END PRIVATE KEY-+.*$");
public CanonicalRequestSigner(@Nonnull String rsaSigningKey) throws IOException, InvalidKeyException, InvalidKeySpecException {
this.rsaSigningKey = initializeRsaSigningKey(rsaSigningKey);
}
@ -64,11 +70,23 @@ public class CanonicalRequestSigner {
return Hex.encodeHexString(signature);
}
private static PrivateKey initializeRsaSigningKey(String rsaSigningKey) throws IOException, InvalidKeyException {
final PEMReader pemReader = new PEMReader(new StringReader(rsaSigningKey));
final PrivateKey key = (PrivateKey) pemReader.readObject();
testKeyIsValidForSigning(key);
return key;
private static PrivateKey initializeRsaSigningKey(String rsaSigningKey) throws IOException, InvalidKeyException, InvalidKeySpecException {
final Matcher matcher = PRIVATE_KEY_PATTERN.matcher(rsaSigningKey);
if (matcher.matches()) {
try {
final KeyFactory keyFactory = KeyFactory.getInstance("RSA");
final PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(Base64.decode(matcher.group(1)));
final PrivateKey key = keyFactory.generatePrivate(keySpec);
testKeyIsValidForSigning(key);
return key;
} catch (NoSuchAlgorithmException e) {
throw new AssertionError(e);
}
}
throw new IOException("Invalid RSA key");
}
private static void testKeyIsValidForSigning(PrivateKey key) throws InvalidKeyException {

10
service/src/main/java/org/whispersystems/textsecuregcm/util/CertificateUtil.java
View File

@ -5,15 +5,13 @@
package org.whispersystems.textsecuregcm.util;
import org.bouncycastle.openssl.PEMReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
public class CertificateUtil {
@ -38,8 +36,10 @@ public class CertificateUtil {
}
public static X509Certificate getCertificate(final String certificatePem) throws CertificateException {
try (PEMReader reader = new PEMReader(new InputStreamReader(new ByteArrayInputStream(certificatePem.getBytes())))) {
return (X509Certificate) reader.readObject();
final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
try (final ByteArrayInputStream pemInputStream = new ByteArrayInputStream(certificatePem.getBytes())) {
return (X509Certificate) certificateFactory.generateCertificate(pemInputStream);
} catch (IOException e) {
throw new CertificateException(e);
}

11
service/src/test/java/org/whispersystems/textsecuregcm/securebackup/SecureBackupClientTest.java
View File

@ -7,7 +7,6 @@ package org.whispersystems.textsecuregcm.securebackup;
import com.github.tomakehurst.wiremock.junit.WireMockRule;
import org.apache.commons.lang3.RandomStringUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
@ -46,11 +45,6 @@ public class SecureBackupClientTest {
@Rule
public WireMockRule wireMockRule = new WireMockRule(options().dynamicPort().dynamicHttpsPort());
@BeforeClass
public static void setupBeforeClass() {
Security.addProvider(new BouncyCastleProvider());
}
@Before
public void setUp() throws CertificateException {
accountUuid = UUID.randomUUID();
@ -87,11 +81,6 @@ public class SecureBackupClientTest {
httpExecutor.awaitTermination(1, TimeUnit.SECONDS);
}
@AfterClass
public static void tearDownAfterClass() {
Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
}
@Test
public void deleteStoredData() {
final String username = RandomStringUtils.randomAlphabetic(16);

11
service/src/test/java/org/whispersystems/textsecuregcm/securestorage/SecureStorageClientTest.java
View File

@ -7,7 +7,6 @@ package org.whispersystems.textsecuregcm.securestorage;
import com.github.tomakehurst.wiremock.junit.WireMockRule;
import org.apache.commons.lang3.RandomStringUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
@ -46,11 +45,6 @@ public class SecureStorageClientTest {
@Rule
public WireMockRule wireMockRule = new WireMockRule(options().dynamicPort().dynamicHttpsPort());
@BeforeClass
public static void setupBeforeClass() {
Security.addProvider(new BouncyCastleProvider());
}
@Before
public void setUp() throws CertificateException {
accountUuid = UUID.randomUUID();
@ -87,11 +81,6 @@ public class SecureStorageClientTest {
httpExecutor.awaitTermination(1, TimeUnit.SECONDS);
}
@AfterClass
public static void tearDownAfterClass() {
Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
}
@Test
public void deleteStoredData() {
final String username = RandomStringUtils.randomAlphabetic(16);

36
service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AttachmentControllerTest.java
View File

@ -11,9 +11,6 @@ import io.dropwizard.testing.junit.ResourceTestRule;
import org.assertj.core.api.Assertions;
import org.assertj.core.api.Condition;
import org.assertj.core.api.InstanceOfAssertFactories;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.openssl.PKCS8Generator;
import org.glassfish.jersey.test.grizzly.GrizzlyWebTestContainerFactory;
import org.junit.AfterClass;
import org.junit.BeforeClass;
@ -36,7 +33,6 @@ import org.whispersystems.textsecuregcm.util.SystemMapper;
import javax.ws.rs.core.Response;
import java.io.IOException;
import java.io.StringWriter;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLDecoder;
@ -45,8 +41,7 @@ import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.spec.InvalidKeySpecException;
import java.util.HashMap;
import java.util.Map;
@ -67,17 +62,14 @@ public class AttachmentControllerTest {
static {
try {
final Provider provider = new BouncyCastleProvider();
final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", provider);
final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024);
final KeyPair keyPair = keyPairGenerator.generateKeyPair();
final StringWriter stringWriter = new StringWriter();
final PEMWriter pemWriter = new PEMWriter(stringWriter);
final PKCS8Generator pkcs8Generator = new PKCS8Generator(keyPair.getPrivate());
pemWriter.writeObject(pkcs8Generator);
pemWriter.close();
RSA_PRIVATE_KEY_PEM = stringWriter.toString();
} catch (NoSuchAlgorithmException | IOException e) {
RSA_PRIVATE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\n" +
Base64.encodeBytes(keyPair.getPrivate().getEncoded()) + "\n" +
"-----END PRIVATE KEY-----";
} catch (NoSuchAlgorithmException e) {
throw new AssertionError(e);
}
}
@ -87,7 +79,6 @@ public class AttachmentControllerTest {
static {
try {
Security.insertProviderAt(new BouncyCastleProvider(), 0);
resources = ResourceTestRule.builder()
.addProvider(AuthHelper.getAuthFilter())
.addProvider(new PolymorphicAuthValueFactoryProvider.Binder<>(ImmutableSet.of(Account.class, DisabledPermittedAccount.class)))
@ -97,22 +88,11 @@ public class AttachmentControllerTest {
.addResource(new AttachmentControllerV2(rateLimiters, "accessKey", "accessSecret", "us-east-1", "attachmentv2-bucket"))
.addResource(new AttachmentControllerV3(rateLimiters, "some-cdn.signal.org", "signal@example.com", 1000, "/attach-here", RSA_PRIVATE_KEY_PEM))
.build();
Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
} catch (IOException | InvalidKeyException e) {
} catch (IOException | InvalidKeyException | InvalidKeySpecException e) {
throw new AssertionError(e);
}
}
@BeforeClass
public static void setup() {
Security.insertProviderAt(new BouncyCastleProvider(), 0);
}
@AfterClass
public static void tearDown() {
Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
}
@Test
public void testV3Form() {
AttachmentDescriptorV3 descriptor = resources.getJerseyTest()