Remove bouncy castle and change the exception for invalid security token (#131)

Removed the Bouncy Castle libraries and replaced with standard Java JCE APIs

Changed the exception thrown in Instance/Resource/OKE principal providers
for invalid security token from IllegalArgumentException to
SecurityInfoNotReadyException

Author: yfei-a

CHANGELOG.md

@@ -13,7 +13,8 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/).
   provide local region information.
 - Cloud only: fixed a compatibility issue introduced in 5.4.15 regarding use of
   the Bouncy Castle artifacts. This would turn up when using Instance Principal
-  authentication
+  authentication, the bouncy castle artifacts have been removed and replaced
+  with standard Java JCE APIs.
 
 ### Changed
 - Put and Put if-present can return the existing row when setReturnRow is

THIRD_PARTY_LICENSES.txt

@@ -35,26 +35,6 @@ in some artifacts (usually source distributions); but is always available
 from the source code management (SCM) system project uses.
 ===============
 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-Bouncy Castle
-Copyright (c) 2000 - 2017 The Legion of the Bouncy Castle Inc.
-License:   modified MIT
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this
-software and associated documentation files (the "Software"), to deal in the Software
-without restriction, including without limitation the rights to use, copy, modify,
-merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or
-substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
-BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
-DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 jQuery UI for Javadoc 
 
@@ -1511,4 +1491,4 @@ indemnify, defend, and hold each Contributor harmless for any liability incurred
 by, or claims asserted against, such Contributor by reason of your accepting any
 such warranty or additional liability.
 
-END OF TERMS AND CONDITIONS
+END OF TERMS AND CONDITIONS

driver/pom.xml

@@ -48,7 +48,6 @@
     <maven.deploy.skip>false</maven.deploy.skip>
     <netty.version>4.1.108.Final</netty.version>
     <jackson.version>2.15.2</jackson.version>
-    <bouncy.version>1.78</bouncy.version>
    <!-- by default, skip tests; tests require a profile -->
    <maven.test.skip>true</maven.test.skip>
    <javac>javac</javac>
@@ -249,19 +248,6 @@
       <version>${netty.version}</version>
     </dependency>
 
-    <!-- Bouncycastle - request signing in cloud -->
-    <dependency>
-      <groupId>org.bouncycastle</groupId>
-      <artifactId>bcprov-jdk18on</artifactId>
-      <version>${bouncy.version}</version>
-    </dependency>
-
-    <dependency>
-      <groupId>org.bouncycastle</groupId>
-      <artifactId>bcpkix-jdk18on</artifactId>
-      <version>${bouncy.version}</version>
-    </dependency>
-
     <!-- test -->
     <dependency>
       <groupId>junit</groupId>

driver/src/main/java/oracle/nosql/driver/iam/OkeWorkloadIdentityProvider.java

@@ -32,6 +32,7 @@
 
 import oracle.nosql.driver.NoSQLHandleConfig;
 import oracle.nosql.driver.Region;
+import oracle.nosql.driver.SecurityInfoNotReadyException;
 import oracle.nosql.driver.httpclient.HttpClient;
 import oracle.nosql.driver.iam.SessionKeyPairSupplier.DefaultSessionKeySupplier;
 import oracle.nosql.driver.util.HttpRequestUtil;
@@ -222,6 +223,16 @@ private String getSecurityToken() {
         final byte[] payloadByte = new byte[buf.remaining()];
         buf.get(payloadByte);
 
+        try {
+            return getSecurityTokenFromProxymux(requestId, saToken, payloadByte);
+        } catch (Exception e) {
+            throw new SecurityInfoNotReadyException(e.getMessage(), e);
+        }
+    }
+
+    private String getSecurityTokenFromProxymux(String requestId,
+                                                String saToken,
+                                                byte[] payloadByte) {
         HttpRequestUtil.HttpResponse response = HttpRequestUtil.doPostRequest(
             okeTokenClient, tokenURL.toString(), headers(saToken, requestId),
             payloadByte, timeoutMs, logger);

driver/src/main/java/oracle/nosql/driver/iam/PrivateKeyProvider.java

@@ -7,37 +7,29 @@
 
 package oracle.nosql.driver.iam;
 
-import static oracle.nosql.driver.util.CheckNull.requireNonNullIAE;
-
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.nio.charset.StandardCharsets;
-import java.security.Provider;
-import java.security.Security;
+import java.nio.channels.Channels;
+import java.nio.channels.ReadableByteChannel;
+import java.security.PrivateKey;
 import java.security.interfaces.RSAPrivateKey;
 import java.util.Arrays;
 
-import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
-import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
-import org.bouncycastle.openssl.EncryptionException;
-import org.bouncycastle.openssl.PEMDecryptorProvider;
-import org.bouncycastle.openssl.PEMEncryptedKeyPair;
-import org.bouncycastle.openssl.PEMException;
-import org.bouncycastle.openssl.PEMKeyPair;
-import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
-import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
+import oracle.nosql.driver.iam.pki.Pem;
+import oracle.nosql.driver.iam.pki.PemEncryptionException;
+import oracle.nosql.driver.iam.pki.PemException;
 
 /**
  * @hidden
  * Internal use only
  * <p>
  * The RSA private key provider that loads and caches private key from input
- * stream using bouncy castle PEM key utilities.
+ * stream using PEM key utilities in oci-java-sdk.
+ *
+ * See com.oracle.bmc.http.signing.internal.PEMStreamRSAPrivateKeySupplier
+ * for reference.
  */
 class PrivateKeyProvider {
-    private final JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
     private RSAPrivateKey key = null;
 
     /**
@@ -66,79 +58,25 @@ void reload(InputStream keyInputStream, char[] passphrase) {
     }
 
     void getKeyInternal(InputStream keyInputStream, char[] passphrase) {
-        PEMParser keyReader = null;
-        try {
-            keyReader = new PEMParser(
-                new InputStreamReader(keyInputStream, StandardCharsets.UTF_8));
-
-            Object object = null;
-            try {
-                object = keyReader.readObject();
-            } catch (IOException ioe) {
-                throw new IllegalArgumentException(
-                    "Error reading private key", ioe);
-            }
-            PrivateKeyInfo keyInfo;
-
-            if (object instanceof PEMEncryptedKeyPair) {
-                requireNonNullIAE(
-                    passphrase,
-                    "The provided private key requires a passphrase");
-
-                JcePEMDecryptorProviderBuilder decryptBuilder =
-                    new JcePEMDecryptorProviderBuilder();
-
-                if (!isProviderInstalled()) {
-                    /*
-                     * If BouncyCastle is not installed, must add the provider
-                     * explicitly to enable the PEMDecrptorProvider.
-                     * https://github.com/bcgit/bc-java/issues/156
-                     */
-                    decryptBuilder.setProvider(getBouncyCastleProvider());
-                }
-
-                PEMDecryptorProvider decProv = decryptBuilder.build(passphrase);
-                try {
-                    keyInfo = ((PEMEncryptedKeyPair) object)
-                        .decryptKeyPair(decProv)
-                        .getPrivateKeyInfo();
-                } catch (EncryptionException ee) {
-                    throw new IllegalArgumentException(
-                            "The provided passphrase is incorrect.", ee);
-                } catch (IOException ioe) {
-                    throw new IllegalArgumentException(
-                        "Error decrypting private key.", ioe);
-                }
-            } else if (object instanceof PrivateKeyInfo) {
-                keyInfo = (PrivateKeyInfo) object;
-            } else if (object instanceof PEMKeyPair) {
-                keyInfo = ((PEMKeyPair) object).getPrivateKeyInfo();
-            } else if (object instanceof SubjectPublicKeyInfo) {
-                throw new IllegalArgumentException(
-                    "Public key provided instead of private key");
-            } else if (object != null) {
-                throw new IllegalArgumentException(
-                    "Private key must be in PEM format," +
-                    "was: " + object.getClass());
+        try (ReadableByteChannel channel = Channels.newChannel(keyInputStream);
+             Pem.Passphrase pemPassphrase = Pem.Passphrase.of(passphrase)){
+            PrivateKey privateKey =
+                Pem.decoder().with(pemPassphrase).decodePrivateKey(channel);
+            if (privateKey instanceof RSAPrivateKey) {
+                key = (RSAPrivateKey) privateKey;
             } else {
                 throw new IllegalArgumentException(
-                    "Private key must be in PEM format");
-            }
-
-            try {
-                this.key = (RSAPrivateKey) converter.getPrivateKey(keyInfo);
-            } catch (PEMException e) {
-                throw new IllegalArgumentException(
-                    "Error converting private key");
+                    "Must be RSA private key, but " + privateKey.toString());
             }
+        } catch (PemEncryptionException e) {
+            throw new IllegalArgumentException(
+                "The provided passphrase is incorrect.", e);
+        } catch (PemException e) {
+            throw new IllegalArgumentException(
+                "Private key must be in PEM format", e);
+        } catch (IOException e) {
+            throw new IllegalArgumentException("Error reading private key", e);
         } finally {
-            if (keyReader != null) {
-                try {
-                    keyReader.close();
-                } catch (IOException e) {
-                    /* ignore */
-                }
-            }
             if (keyInputStream != null) {
                 try {
                     keyInputStream.close();
@@ -151,25 +89,4 @@ void getKeyInternal(InputStream keyInputStream, char[] passphrase) {
             }
         }
     }
-
-    private static boolean isProviderInstalled() {
-        return (Security.getProvider("BC") != null);
-    }
-
-    private static Provider getBouncyCastleProvider() {
-        Provider provider = null;
-        try {
-            Class<?> providerClass = Class.forName(
-                "org.bouncycastle.jce.provider.BouncyCastleProvider");
-            provider = (Provider)providerClass
-                .getDeclaredConstructor().newInstance();
-        } catch (ClassNotFoundException e) {
-            throw new IllegalArgumentException(
-                "Unable to find bouncy castle provider");
-        } catch (Exception e) {
-            throw new IllegalArgumentException(
-                "Error creating bouncy castle provider");
-        }
-        return provider;
-    }
 }

driver/src/main/java/oracle/nosql/driver/iam/ResourcePrincipalTokenSupplier.java

@@ -16,6 +16,7 @@
 import java.security.KeyPair;
 import java.util.logging.Logger;
 
+import oracle.nosql.driver.SecurityInfoNotReadyException;
 import oracle.nosql.driver.iam.SecurityTokenSupplier.SecurityToken;
 
 /**
@@ -91,11 +92,15 @@ private synchronized String refreshAndGetSecurityToken() {
             logTrace(logger, "Refreshing session keys");
             sessionKeyPairSupplier.refreshKeys();
 
-            logTrace(logger, "Getting security token from file.");
-            SecurityToken token = getSecurityTokenFromFile();
-            token.validate(minTokenLifetime, logger);
-            securityToken = token;
-            return securityToken.getSecurityToken();
+            try {
+                logTrace(logger, "Getting security token from file.");
+                SecurityToken token = getSecurityTokenFromFile();
+                token.validate(minTokenLifetime, logger);
+                securityToken = token;
+                return securityToken.getSecurityToken();
+            } catch (Exception e) {
+                throw new SecurityInfoNotReadyException(e.getMessage(), e);
+            }
         }
 
         SecurityToken getSecurityTokenFromFile() {

driver/src/main/java/oracle/nosql/driver/iam/SecurityTokenSupplier.java

@@ -164,13 +164,10 @@ private synchronized String refreshAndGetTokenInternal() {
                 }
             }
         }
-        SecurityToken token = getSecurityTokenFromIAM();
-        token.validate(minTokenLifetime, logger);
-
-        return token.getSecurityToken();
+        return getSecurityTokenFromIAM();
     }
 
-    private SecurityToken getSecurityTokenFromIAM() {
+    private String getSecurityTokenFromIAM() {
         KeyPair keyPair = keyPairSupplier.getKeyPair();
         requireNonNullIAE(keyPair, "Keypair for session not provided");
 
@@ -211,7 +208,9 @@ private SecurityToken getSecurityTokenFromIAM() {
                 Utils.base64EncodeNoChunking(certificateAndKeyPair),
                 intermediateStrings);
 
-            return new SecurityToken(securityToken, keyPairSupplier);
+            SecurityToken st = new SecurityToken(securityToken, keyPairSupplier);
+            st.validate(minTokenLifetime, logger);
+            return st.getSecurityToken();
         } catch (Exception e) {
             throw new SecurityInfoNotReadyException(e.getMessage(), e);
         }