GP-1296 Eliminated use of sun.security package and refactored ApplicationKeyManagerUtils

2026-05-31 19:05:51 +08:00 · 2021-09-15 13:55:20 -04:00
parent 8b2ea61e27
commit 9db26bc7f5
15 changed files with 252 additions and 263 deletions
@@ -30,5 +30,5 @@
    <stringAttribute key="org.eclipse.jdt.launching.MODULE_NAME" value="Framework Utility"/>
    <stringAttribute key="org.eclipse.jdt.launching.PROGRAM_ARGUMENTS" value="ghidra.GhidraRun"/>
    <stringAttribute key="org.eclipse.jdt.launching.PROJECT_ATTR" value="Framework Utility"/>
-    <stringAttribute key="org.eclipse.jdt.launching.VM_ARGUMENTS" value="-XX:+IgnoreUnrecognizedVMOptions&#13;&#10;-Djava.system.class.loader=ghidra.GhidraClassLoader&#13;&#10;-Xshare:off&#13;&#10;-Dfile.encoding=UTF8&#13;&#10;-Duser.country=US&#13;&#10;-Duser.language=en&#13;&#10;-Dsun.java2d.pmoffscreen=false&#13;&#10;-Dsun.java2d.xrender=true&#13;&#10;-Dsun.java2d.d3d=false&#13;&#10;-Xdock:name=&quot;Ghidra&quot;&#13;&#10;-Dvisualvm.display.name=Ghidra&#13;&#10;-Dpython.console.encoding=UTF-8&#13;&#10;--add-opens java.base/java.lang=ALL-UNNAMED&#13;&#10;--add-opens java.base/java.util=ALL-UNNAMED&#13;&#10;--add-opens java.base/java.net=ALL-UNNAMED&#13;&#10;--add-opens java.desktop/sun.awt.image=ALL-UNNAMED&#13;&#10;--add-opens java.base/sun.security.x509=ALL-UNNAMED&#13;&#10;--add-opens java.base/sun.security.util=ALL-UNNAMED&#13;&#10;--add-opens java.desktop/sun.awt.X11=ALL-UNNAMED"/>
+    <stringAttribute key="org.eclipse.jdt.launching.VM_ARGUMENTS" value="-XX:+IgnoreUnrecognizedVMOptions&#13;&#10;-Djava.system.class.loader=ghidra.GhidraClassLoader&#13;&#10;-Xshare:off&#13;&#10;-Dfile.encoding=UTF8&#13;&#10;-Duser.country=US&#13;&#10;-Duser.language=en&#13;&#10;-Dsun.java2d.pmoffscreen=false&#13;&#10;-Dsun.java2d.xrender=true&#13;&#10;-Dsun.java2d.d3d=false&#13;&#10;-Xdock:name=&quot;Ghidra&quot;&#13;&#10;-Dvisualvm.display.name=Ghidra&#13;&#10;-Dpython.console.encoding=UTF-8&#13;&#10;--add-opens java.base/java.lang=ALL-UNNAMED&#13;&#10;--add-opens java.base/java.util=ALL-UNNAMED&#13;&#10;--add-opens java.base/java.net=ALL-UNNAMED&#13;&#10;--add-opens java.desktop/sun.awt.image=ALL-UNNAMED&#13;&#10;--add-opens java.desktop/sun.awt.X11=ALL-UNNAMED"/>
 </launchConfiguration>
@@ -9,4 +9,4 @@ MODULE FILE LICENSE: lib/sevenzipjbinding-16.02-2.01.jar LGPL 2.1
 MODULE FILE LICENSE: lib/sevenzipjbinding-all-platforms-16.02-2.01.jar LGPL 2.1
 MODULE FILE LICENSE: lib/AXMLPrinter2.jar Apache License 2.0
 MODULE FILE LICENSE: lib/util-1.4.0.jar BSD
-MODULE FILE LICENSE: lib/bcprov-jdk15on-1.68.jar Bouncy Castle License
+
@@ -33,7 +33,6 @@ dependencies {
 	api ':dex-translator:2.0'

 	api 'org.ow2.asm:asm-debug-all:4.1'
-	api 'org.bouncycastle:bcprov-jdk15on:1.68'

 	api 'org.smali:baksmali:1.4.0' // TODO: upgrade to 2.2.6
 	api 'org.smali:dexlib:1.4.0'
@@ -35,10 +35,6 @@ dependencies {
 	runGhidraServer project
 }

-addExports([
-	'java.rmi/sun.rmi.transport.tcp=ALL-UNNAMED'
-])
-
 CopySpec yajswCopySpec = copySpec {
 	File depsFile = file("${DEPS_DIR}/GhidraServer/${yajswRelease}.zip")
 	File binRepoFile = file("${BIN_REPO}/Ghidra/Features/GhidraServer/${yajswRelease}.zip")
@@ -18,6 +18,7 @@ package ghidra.server;
 import java.io.File;
 import java.io.IOException;
 import java.net.UnknownHostException;
+import java.rmi.server.RemoteServer;
 import java.rmi.server.ServerNotActiveException;
 import java.util.*;

@@ -391,7 +392,7 @@ public class RepositoryManager {
 			}
 		}
 		try {
-			host = sun.rmi.transport.tcp.TCPTransport.getClientHost();
+			host = RemoteServer.getClientHost();
 			try {
 				host = InetNameLookup.getCanonicalHostName(host);
 			}
@@ -139,7 +139,7 @@ public class PKIAuthenticationModule implements AuthenticationModule {
 			}

 			ApplicationKeyManagerUtils.validateClient(certChain,
-				ApplicationKeyManagerUtils.DEFAULT_AUTH_TYPE);
+				ApplicationKeyManagerUtils.RSA_TYPE);

 			byte[] sigBytes = sigCb.getSignature();
 			if (sigBytes != null) {
@@ -8,3 +8,6 @@ MODULE FILE LICENSE: lib/commons-lang3-3.9.jar Apache License 2.0
 MODULE FILE LICENSE: lib/commons-io-2.6.jar Apache License 2.0
 MODULE FILE LICENSE: lib/commons-text-1.6.jar Apache License 2.0
 MODULE FILE LICENSE: lib/gson-2.8.6.jar Apache License 2.0
+MODULE FILE LICENSE: lib/bcpkix-jdk15on-1.69.jar Bouncy Castle License
+MODULE FILE LICENSE: lib/bcprov-jdk15on-1.69.jar Bouncy Castle License
+MODULE FILE LICENSE: lib/bcutil-jdk15on-1.69.jar Bouncy Castle License
@@ -36,14 +36,14 @@ dependencies {
 	api "org.apache.commons:commons-text:1.6"
 	api "commons-io:commons-io:2.6"	
 	api "com.google.code.gson:gson:2.8.6"
+	api 'org.bouncycastle:bcpkix-jdk15on:1.69' // requires bcutil and bcprov
+	api 'org.bouncycastle:bcprov-jdk15on:1.69'
+	api 'org.bouncycastle:bcutil-jdk15on:1.69'

 	compileOnly "junit:junit:4.12"
 }

 ext.addExports([
-	'java.base/sun.security.x509=ALL-UNNAMED',
-	'java.base/sun.security.provider=ALL-UNNAMED',
-	'java.base/sun.security.util=ALL-UNNAMED',
 	'java.desktop/sun.awt=ALL-UNNAMED'
 ])

@@ -15,8 +15,7 @@
 */
 package ghidra.net;

-import java.io.FileNotFoundException;
-import java.io.IOException;
+import java.io.*;
 import java.net.Socket;
 import java.security.*;
 import java.security.cert.CertificateException;
@@ -549,8 +548,9 @@ public class ApplicationKeyManagerFactory {
 					Msg.info(this, "Using self-signed certificate: " + defaultIdentity.getName());
 					char[] pwd = DEFAULT_PASSWORD.toCharArray();
 					KeyStore selfSignedKeyStore =
-						ApplicationKeyManagerUtils.createKeyStore(null, "JKS", pwd, "defaultSigKey",
-							null, defaultIdentity.getName(), null, SELF_SIGNED_DURATION_DAYS);
+						ApplicationKeyManagerUtils.createKeyStore("defaultSigKey",
+						defaultIdentity.getName(), SELF_SIGNED_DURATION_DAYS, null,
+							new File(newKeystorePath), "JKS", pwd);
 					keystoreData = new ProtectedKeyStoreData(selfSignedKeyStore, pwd);
 					isSelfSigned = true;
 				}
@@ -70,13 +70,11 @@ public class ApplicationKeyManagerFactoryTest extends AbstractGenericTest {
 	@Before
 	public void setUp() throws Exception {

-		KeyStore selfSignedKeyStore = ApplicationKeyManagerUtils.createKeyStore(null, "PKCS12",
-			TEST_PWD.toCharArray(), ALIAS, null, TEST_IDENTITY, null, 2);
-
 		keystoreFile = createTempFile("test-key", ".p12");
 		keystoreFile.delete();
-		ApplicationKeyManagerUtils.exportKeystore(selfSignedKeyStore, keystoreFile,
-			TEST_PWD.toCharArray());
+
+		ApplicationKeyManagerUtils.createKeyStore(ALIAS, TEST_IDENTITY, 2, null, keystoreFile,
+			"PKCS12", TEST_PWD.toCharArray());

 		ApplicationKeyManagerFactory.setKeyStorePasswordProvider(passwordProvider);
 	}
@@ -74,8 +74,6 @@ VMARGS=--add-opens java.base/java.lang=ALL-UNNAMED
 VMARGS=--add-opens java.base/java.util=ALL-UNNAMED
 VMARGS=--add-opens java.base/java.net=ALL-UNNAMED
 VMARGS=--add-opens java.desktop/sun.awt.image=ALL-UNNAMED
-VMARGS=--add-opens java.base/sun.security.x509=ALL-UNNAMED
-VMARGS=--add-opens java.base/sun.security.util=ALL-UNNAMED
 VMARGS_LINUX=--add-opens java.desktop/sun.awt.X11=ALL-UNNAMED

 # Persistent cache directory used by the application.  This directory will be used to store 
@@ -66,8 +66,6 @@ dependencies {
 // We export them to all "unnamed" modules, which are modules that don't define themselves
 // as a new Java 9 style module.  Ghidra is currently using unnamed modules everywhere.
 ext.addExports([
-	'java.base/sun.security.x509=ALL-UNNAMED',
-	'java.base/sun.security.util=ALL-UNNAMED',
 	'java.desktop/sun.awt=ALL-UNNAMED',
 	'java.desktop/sun.swing=ALL-UNNAMED',
 	'java.desktop/sun.java2d=ALL-UNNAMED'
@@ -19,8 +19,6 @@ import java.io.*;
 import java.net.*;
 import java.rmi.registry.LocateRegistry;
 import java.rmi.registry.Registry;
-import java.security.KeyStore;
-import java.security.KeyStore.PasswordProtection;
 import java.security.KeyStore.PrivateKeyEntry;
 import java.util.ArrayList;
 import java.util.zip.ZipEntry;
@@ -49,7 +47,6 @@ import ghidra.util.*;
 import ghidra.util.exception.*;
 import ghidra.util.task.TaskMonitor;
 import ghidra.util.timer.GTimer;
-import sun.security.x509.*;
 import utilities.util.FileUtilities;

 /**
@@ -902,38 +899,23 @@ public class ServerTestUtil {

 		// Generate CA certificate and keystore
 		Msg.info(ServerTestUtil.class, "Generating self-signed CA cert: " + caPath);
-
-		CertificateExtensions caCertExtensions = new CertificateExtensions();
-		BasicConstraintsExtension caBasicConstraints = new BasicConstraintsExtension(true, true, 1);
-		caCertExtensions.set(PKIXExtensions.BasicConstraints_Id.toString(), caBasicConstraints);
-
-		KeyUsageExtension caKeyUsage = new KeyUsageExtension();
-		caKeyUsage.set(KeyUsageExtension.KEY_CERTSIGN, true);
-		caCertExtensions.set(PKIXExtensions.KeyUsage_Id.toString(), caKeyUsage);
-
-		KeyStore caKeystore = ApplicationKeyManagerUtils.createKeyStore(null, "PKCS12",
-			ApplicationKeyManagerFactory.DEFAULT_PASSWORD.toCharArray(), "test-CA",
-			caCertExtensions, TEST_PKI_CA_DN, null, 2);
-		ApplicationKeyManagerUtils.exportX509Certificates(caKeystore, caFile);
-
-		PasswordProtection caPass =
-			new PasswordProtection(ApplicationKeyManagerFactory.DEFAULT_PASSWORD.toCharArray());
-		PrivateKeyEntry caPrivateKeyEntry =
-			(PrivateKeyEntry) caKeystore.getEntry("test-CA", caPass);
+		PrivateKeyEntry caEntry =
+			ApplicationKeyManagerUtils.createKeyEntry("test-CA", TEST_PKI_CA_DN, 2, null, null,
+				"PKCS12", ApplicationKeyManagerFactory.DEFAULT_PASSWORD.toCharArray());
+		ApplicationKeyManagerUtils.exportX509Certificates(caEntry.getCertificateChain(), caFile);

 		// Generate User/Client certificate and keystore
 		Msg.info(ServerTestUtil.class, "Generating test user key/cert (signed by test-CA, pwd: " +
 			TEST_PKI_USER_PASSPHRASE + "): " + userKeystorePath);
-		ApplicationKeyManagerUtils.createKeyStore(userKeystoreFile, "PKCS12",
-			TEST_PKI_USER_PASSPHRASE.toCharArray(), "test-sig", null, TEST_PKI_USER_DN,
-			caPrivateKeyEntry, 2);
+		ApplicationKeyManagerUtils.createKeyEntry("test-sig", TEST_PKI_USER_DN, 2, caEntry,
+			userKeystoreFile, "PKCS12", TEST_PKI_USER_PASSPHRASE.toCharArray());

 		// Generate Server certificate and keystore
 		Msg.info(ServerTestUtil.class, "Generating test server key/cert (signed by test-CA, pwd: " +
 			TEST_PKI_SERVER_PASSPHRASE + "): " + serverKeystorePath);
-		ApplicationKeyManagerUtils.createKeyStore(serverKeystoreFile, "PKCS12",
-			TEST_PKI_SERVER_PASSPHRASE.toCharArray(), "test-sig", null, TEST_PKI_SERVER_DN,
-			caPrivateKeyEntry, 2);
+
+		ApplicationKeyManagerUtils.createKeyEntry("test-sig", TEST_PKI_SERVER_DN, 2, caEntry,
+			serverKeystoreFile, "PKCS12", TEST_PKI_SERVER_PASSPHRASE.toCharArray());
 	}

 	/**
@@ -135,10 +135,7 @@ task createJavadocs(type: Javadoc, description: 'Generate javadocs for all proje
 	
 	// Some internal packages are not public and need to be exported.
    options.addMultilineStringsOption("-add-exports").setValue(["java.desktop/sun.awt.image=ALL-UNNAMED", 
-    															"java.desktop/sun.awt=ALL-UNNAMED", 
-    															"java.base/sun.security.x509=ALL-UNNAMED", 
-    															"java.base/sun.security.provider=ALL-UNNAMED", 
-    															"java.base/sun.security.util=ALL-UNNAMED"])
+    															"java.desktop/sun.awt=ALL-UNNAMED"])
 }


@@ -197,10 +194,7 @@ task createJsondocs(type: Javadoc, description: 'Generate JSON docs for all proj
 		
 	// Some internal packages are not public and need to be exported. 
    options.addMultilineStringsOption("-add-exports").setValue(["java.desktop/sun.awt.image=ALL-UNNAMED", 
-    															"java.desktop/sun.awt=ALL-UNNAMED", 
-    															"java.base/sun.security.x509=ALL-UNNAMED", 
-    															"java.base/sun.security.provider=ALL-UNNAMED", 
-    															"java.base/sun.security.util=ALL-UNNAMED"])
+    															"java.desktop/sun.awt=ALL-UNNAMED"])
 	
 	options.doclet = "JsonDoclet"
 	doFirst {