[UNDERTOW-2645] Remove uses of classes in the 'javax.security.cert' package

Author: eirbjo

core/src/main/java/io/undertow/protocols/ssl/SNISSLEngine.java

@@ -33,7 +33,6 @@
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSessionContext;
-import javax.security.cert.X509Certificate;
 
 import io.undertow.UndertowMessages;
 
@@ -257,10 +256,6 @@ public Certificate[] getLocalCertificates() {
                 return null;
             }
 
-            public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
-                throw new UnsupportedOperationException();
-            }
-
             public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
                 throw new UnsupportedOperationException();
             }

core/src/main/java/io/undertow/server/BasicSSLSessionInfo.java

@@ -24,8 +24,6 @@
 
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
-import javax.security.cert.CertificateException;
-import javax.security.cert.X509Certificate;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
@@ -41,7 +39,6 @@ public class BasicSSLSessionInfo implements SSLSessionInfo {
     private final byte[] sessionId;
     private final String cypherSuite;
     private final java.security.cert.Certificate[] peerCertificate;
-    private final X509Certificate[] certificate;
     private final Integer keySize;
     private final String secureProtocol;
 
@@ -52,9 +49,8 @@ public class BasicSSLSessionInfo implements SSLSessionInfo {
      * @param certificate A string representation of the client certificate
      * @param keySize The key-size used by the cypher
      * @throws java.security.cert.CertificateException If the client cert could not be decoded
-     * @throws CertificateException If the client cert could not be decoded
      */
-    public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate, Integer keySize) throws java.security.cert.CertificateException, CertificateException {
+    public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate, Integer keySize) throws java.security.cert.CertificateException {
         this(sessionId, cypherSuite, certificate, keySize, null);
     }
 
@@ -66,9 +62,8 @@ public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certific
      * @param keySize The key-size used by the cypher
      * @param secureProtocol the secure protocol, example {@code TLSv1.2}
      * @throws java.security.cert.CertificateException If the client cert could not be decoded
-     * @throws CertificateException If the client cert could not be decoded
      */
-    public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate, Integer keySize, String secureProtocol) throws java.security.cert.CertificateException, CertificateException {
+    public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate, Integer keySize, String secureProtocol) throws java.security.cert.CertificateException {
         this.sessionId = sessionId;
         this.cypherSuite = cypherSuite;
         this.keySize = keySize;
@@ -79,26 +74,13 @@ public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certific
             ByteArrayInputStream stream = new ByteArrayInputStream(certificateBytes);
             Collection<? extends java.security.cert.Certificate> certCol = cf.generateCertificates(stream);
             this.peerCertificate = new java.security.cert.Certificate[certCol.size()];
-            X509Certificate[] legacyCertificate = new X509Certificate[certCol.size()];
             int i=0;
             for(java.security.cert.Certificate cert : certCol) {
                 this.peerCertificate[i] = cert;
-                if (legacyCertificate != null) {
-                    try {
-                        legacyCertificate[i] = X509Certificate.getInstance(cert.getEncoded());
-                    } catch (CertificateException ce) {
-                        // [UNDERTOW-1969] We don't care about deprecated JDK methods failure caused by the fact newer JDKs
-                        // doesn't support them anymore. "this.certificate" is used only by deprecated method
-                        // {@link SSLSessionInfo.getPeerCertificateChain()} which call should be avoided by API users.
-                        legacyCertificate = null;
-                    }
-                }
                 i++;
             }
-            this.certificate = legacyCertificate;
         } else {
             this.peerCertificate = null;
-            this.certificate = null;
         }
     }
 
@@ -108,9 +90,8 @@ public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certific
      * @param cypherSuite The cypher suite name
      * @param certificate A string representation of the client certificate
      * @throws java.security.cert.CertificateException If the client cert could not be decoded
-     * @throws CertificateException If the client cert could not be decoded
      */
-    public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate) throws java.security.cert.CertificateException, CertificateException {
+    public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate) throws java.security.cert.CertificateException {
         this(sessionId, cypherSuite, certificate, null);
     }
 
@@ -120,9 +101,8 @@ public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certific
      * @param cypherSuite The cypher suite name
      * @param certificate A string representation of the client certificate
      * @throws java.security.cert.CertificateException If the client cert could not be decoded
-     * @throws CertificateException If the client cert could not be decoded
      */
-    public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate) throws java.security.cert.CertificateException, CertificateException {
+    public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate) throws java.security.cert.CertificateException {
         this(sessionId == null ? null : fromHex(sessionId), cypherSuite, certificate, null);
     }
 
@@ -133,9 +113,8 @@ public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certific
      * @param certificate A string representation of the client certificate
      * @param keySize The key-size used by the cypher
      * @throws java.security.cert.CertificateException If the client cert could not be decoded
-     * @throws CertificateException If the client cert could not be decoded
      */
-    public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate, Integer keySize) throws java.security.cert.CertificateException, CertificateException {
+    public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate, Integer keySize) throws java.security.cert.CertificateException {
         this(sessionId == null ? null : fromHex(sessionId), cypherSuite, certificate, keySize);
     }
 
@@ -147,9 +126,8 @@ public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certific
      * @param keySize The key-size used by the cypher
      * @param secureProtocol the secure protocol, example {@code TLSv1.2}
      * @throws java.security.cert.CertificateException If the client cert could not be decoded
-     * @throws CertificateException If the client cert could not be decoded
      */
-    public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate, Integer keySize, String secureProtocol) throws java.security.cert.CertificateException, CertificateException {
+    public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate, Integer keySize, String secureProtocol) throws java.security.cert.CertificateException {
         this(sessionId == null ? null : fromHex(sessionId), cypherSuite, certificate, keySize, secureProtocol);
     }
 
@@ -185,15 +163,6 @@ public java.security.cert.Certificate[] getPeerCertificates() throws SSLPeerUnve
         return peerCertificate;
     }
 
-    @Deprecated
-    @Override
-    public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
-        if (certificate == null) {
-            throw UndertowMessages.MESSAGES.peerUnverified();
-        }
-        return certificate;
-    }
-
     @Override
     public void renegotiate(HttpServerExchange exchange, SslClientAuthMode sslClientAuthMode) throws IOException {
         throw UndertowMessages.MESSAGES.renegotiationNotSupported();

core/src/main/java/io/undertow/server/ConnectionSSLSessionInfo.java

@@ -25,7 +25,6 @@
 
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
-import javax.security.cert.X509Certificate;
 
 import org.xnio.ChannelListener;
 import org.xnio.IoUtils;
@@ -98,32 +97,6 @@ public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException, Re
         }
     }
 
-    @Override
-    @Deprecated(since="2.2.3", forRemoval=false)
-    public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException, RenegotiationRequiredException {
-        if (unverified != null) {
-            throw unverified;
-        }
-        if (renegotiationRequiredException != null) {
-            throw renegotiationRequiredException;
-        }
-        try {
-            return channel.getSslSession().getPeerCertificateChain();
-        } catch (SSLPeerUnverifiedException e) {
-          try {
-              SslClientAuthMode sslClientAuthMode = channel.getOption(Options.SSL_CLIENT_AUTH_MODE);
-              if (sslClientAuthMode == SslClientAuthMode.NOT_REQUESTED) {
-                  renegotiationRequiredException = RENEGOTIATION_REQUIRED_EXCEPTION;
-                  throw renegotiationRequiredException;
-              }
-          } catch (IOException ioe) {
-              // ignore, will not actually happen
-          }
-            unverified = PEER_UNVERIFIED_EXCEPTION;
-            throw unverified;
-        }
-    }
-
     @Override
     public void renegotiate(HttpServerExchange exchange, SslClientAuthMode sslClientAuthMode) throws IOException {
         if ("TLSv1.3".equals(channel.getSslSession().getProtocol())) {

core/src/main/java/io/undertow/server/SSLSessionInfo.java

@@ -100,15 +100,6 @@ default int getKeySize() {
      */
     java.security.cert.Certificate[] getPeerCertificates() throws javax.net.ssl.SSLPeerUnverifiedException, RenegotiationRequiredException;
 
-    /**
-     * This method is no longer supported on java 15 and should be avoided.
-     * @deprecated in favor of {@link #getPeerCertificates()} because {@link SSLSession#getPeerCertificateChain()}
-     *             throws java 15.
-     * @see SSLSession#getPeerCertificateChain()
-     */
-    @Deprecated(since="2.2.3", forRemoval=false)
-    javax.security.cert.X509Certificate[] getPeerCertificateChain() throws javax.net.ssl.SSLPeerUnverifiedException, RenegotiationRequiredException;
-
     /**
      * Renegotiate in a blocking manner. This will set the client aut
      *

core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParseState.java

@@ -128,8 +128,6 @@ BasicSSLSessionInfo createSslSessionInfo() {
             return new BasicSSLSessionInfo(sessionId, cypher, cert, keySize);
         } catch (CertificateException e) {
             return null;
-        } catch (javax.security.cert.CertificateException e) {
-            return null;
         }
     }
 

core/src/main/java/io/undertow/server/protocol/http2/Http2SslSessionInfo.java

@@ -22,7 +22,6 @@
 import java.security.cert.Certificate;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
-import javax.security.cert.X509Certificate;
 import org.xnio.Options;
 import org.xnio.SslClientAuthMode;
 
@@ -70,24 +69,6 @@ public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException, Re
         }
     }
 
-    @Override
-    public X509Certificate[] getPeerCertificateChain()
-        throws SSLPeerUnverifiedException, RenegotiationRequiredException {
-        try {
-            return channel.getSslSession().getPeerCertificateChain();
-        } catch (SSLPeerUnverifiedException e) {
-            try {
-                SslClientAuthMode sslClientAuthMode = channel.getOption(Options.SSL_CLIENT_AUTH_MODE);
-                if (sslClientAuthMode == SslClientAuthMode.NOT_REQUESTED) {
-                    throw new RenegotiationRequiredException();
-                }
-            } catch (IOException e1) {
-              // ignore, will not actually happen
-            }
-            throw e;
-        }
-    }
-
     @Override
     public void renegotiate(HttpServerExchange exchange, SslClientAuthMode sslClientAuthMode) throws IOException {
         throw UndertowMessages.MESSAGES.renegotiationNotSupported();

core/src/main/java/io/undertow/util/Certificates.java

@@ -28,12 +28,6 @@ public class Certificates {
 
     public static final String END_CERT = "-----END CERTIFICATE-----";
 
-    @Deprecated (since = "2.3.0", forRemoval=true)
-    public static String toPem(final javax.security.cert.X509Certificate certificate)
-            throws javax.security.cert.CertificateEncodingException {
-        return toPem(certificate.getEncoded());
-    }
-
     /**
      * Converts a certificate to PEM format.
      * @param certificate the Certificate to recode