diff --git a/src/addons/messagelog/messagelog-addon/build.gradle b/src/addons/messagelog/messagelog-addon/build.gradle
index 77c1cf057c..24a3485335 100644
--- a/src/addons/messagelog/messagelog-addon/build.gradle
+++ b/src/addons/messagelog/messagelog-addon/build.gradle
@@ -13,7 +13,7 @@ dependencies {
 testImplementation project(':common:common-test')
 testImplementation project(':addons:messagelog:messagelog-archiver')
 testImplementation "org.hsqldb:hsqldb:$hsqldbVersion"
- testImplementation "org.bouncycastle:bcpg-jdk15on:${bouncyCastleVersion}"
+ testImplementation "org.bouncycastle:bcpg-jdk18on:${bouncyCastleVersion}"
 }
 
 jar {
diff --git a/src/addons/messagelog/messagelog-db/build.gradle b/src/addons/messagelog/messagelog-db/build.gradle
index f416d8e5b1..5935b40021 100644
--- a/src/addons/messagelog/messagelog-db/build.gradle
+++ b/src/addons/messagelog/messagelog-db/build.gradle
@@ -1,7 +1,7 @@
 dependencies {
 implementation(project(':common:common-db'))
 implementation(project(':common:common-messagelog'))
- implementation "org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}"
+ implementation "org.bouncycastle:bcpkix-jdk18on:${bouncyCastleVersion}"
 implementation "org.slf4j:slf4j-api:${slf4jVersion}"
 }
 
diff --git a/src/addons/metaservice/src/main/java/ee/ria/xroad/proxy/clientproxy/InternalSslSocketFactory.java b/src/addons/metaservice/src/main/java/ee/ria/xroad/proxy/clientproxy/InternalSslSocketFactory.java
deleted file mode 100644
index cf7b94950a..0000000000
--- a/src/addons/metaservice/src/main/java/ee/ria/xroad/proxy/clientproxy/InternalSslSocketFactory.java
+++ /dev/null
@@ -1,100 +0,0 @@ -/* - * The MIT License - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package ee.ria.xroad.proxy.clientproxy; - -import ee.ria.xroad.common.conf.InternalSSLKey; -import ee.ria.xroad.common.conf.serverconf.ServerConf; -import ee.ria.xroad.common.util.CryptoUtils; -import ee.ria.xroad.proxy.util.InternalKeyManager; - -import javax.net.ssl.KeyManager; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLSocketFactory; -import javax.net.ssl.TrustManager; -import javax.net.ssl.X509TrustManager; - -import java.security.SecureRandom; -import java.security.cert.CertificateException; -import java.security.cert.X509Certificate; - -/** - * Holds an SSL socket factory that only trusts the internal certificate - * and presents the internal cert when connecting - */ -final class InternalSslSocketFactory { - - private static volatile SSLSocketFactory sslSocketFactory; - private static Object lock = new Object(); - - private InternalSslSocketFactory() { - } - - static SSLSocketFactory getInstance() throws Exception { - if (sslSocketFactory == null) { - synchronized (lock) { - if (sslSocketFactory == null) { - SSLContext sslContext = SSLContext.getInstance(CryptoUtils.SSL_PROTOCOL); - sslContext.init( - new KeyManager[]{new InternalKeyManager()}, - new TrustManager[]{new InternalTrustManager()}, - new SecureRandom()); - sslSocketFactory = sslContext.getSocketFactory(); - } - } - } - return sslSocketFactory; - } - - static final class InternalTrustManager implements X509TrustManager { - - @Override - public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { - //nop - } - - @Override - public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { - try { - InternalSSLKey sslKey = ServerConf.getSSLKey(); - X509Certificate internalCert = sslKey.getCertChain()[0]; - if (chain == null || chain.length == 0 || !internalCert.equals(chain[0])) { - throw new CertificateException("Not trusted"); - } - } catch (CertificateException ce) { - throw ce; - } catch 
(Exception e) { - throw new CertificateException(e); - } - - } - - @Override - public X509Certificate[] getAcceptedIssuers() { - return new X509Certificate[0]; - } - } - -} diff --git a/src/asic-util/src/main/java/ee/ria/xroad/common/asic/AsicContainerVerifier.java b/src/asic-util/src/main/java/ee/ria/xroad/common/asic/AsicContainerVerifier.java index 41e88fbe3f..e48ba7e498 100644 --- a/src/asic-util/src/main/java/ee/ria/xroad/common/asic/AsicContainerVerifier.java +++ b/src/asic-util/src/main/java/ee/ria/xroad/common/asic/AsicContainerVerifier.java @@ -52,7 +52,7 @@ import org.apache.xml.security.utils.resolver.ResourceResolverContext; import org.apache.xml.security.utils.resolver.ResourceResolverException; import org.apache.xml.security.utils.resolver.ResourceResolverSpi; -import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.ASN1Primitive; import org.bouncycastle.asn1.cms.ContentInfo; import org.bouncycastle.cert.ocsp.BasicOCSPResp; import org.bouncycastle.cert.ocsp.OCSPResp; @@ -238,8 +238,7 @@ private byte[] getTimestampedData() throws Exception { private TimeStampToken getTimeStampToken() throws Exception { String timestampDerBase64 = asic.getEntryAsString(ENTRY_TIMESTAMP); byte[] tsDerDecoded = decodeBase64(timestampDerBase64); - return new TimeStampToken(new ContentInfo( - (ASN1Sequence) ASN1Sequence.fromByteArray(tsDerDecoded))); + return new TimeStampToken(ContentInfo.getInstance(ASN1Primitive.fromByteArray(tsDerDecoded))); } private static ClientId getSigner(String messageXml) { diff --git a/src/asic-util/src/main/java/ee/ria/xroad/common/asic/AsicUtils.java b/src/asic-util/src/main/java/ee/ria/xroad/common/asic/AsicUtils.java index 855e6731dc..9318853a9c 100644 --- a/src/asic-util/src/main/java/ee/ria/xroad/common/asic/AsicUtils.java +++ b/src/asic-util/src/main/java/ee/ria/xroad/common/asic/AsicUtils.java 
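Review bot: In the rewritten `getTimeStampToken`, a malformed `ENTRY_TIMESTAMP` entry now surfaces either as the `IOException` thrown by `ASN1Primitive.fromByteArray` or as the `IllegalArgumentException` thrown by `ContentInfo.getInstance` when the decoded structure is not a ContentInfo, and both escape through the method's `throws Exception` without naming the container entry that was bad. Since the container is untrusted input to the verifier, consider catching `IOException | IllegalArgumentException` here and rethrowing with the entry name in the message so the failure is attributable in logs. A one-line comment, `// the timestamp entry is DER-encoded CMS ContentInfo wrapped in base64`, would also save the next reader a trip to the spec.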
@@ -49,7 +49,7 @@ private AsicUtils() { @SneakyThrows public static String escapeString(String str) { String urlEncoded = - URLEncoder.encode(str, StandardCharsets.UTF_8.name()); + URLEncoder.encode(str, StandardCharsets.UTF_8); return urlEncoded.replace("/", "%2F"); } diff --git a/src/asicverifier/src/main/java/ee/ria/xroad/asicverifier/AsicVerifierMain.java b/src/asicverifier/src/main/java/ee/ria/xroad/asicverifier/AsicVerifierMain.java index 9c3507d2d9..f4b43fc3c4 100644 --- a/src/asicverifier/src/main/java/ee/ria/xroad/asicverifier/AsicVerifierMain.java +++ b/src/asicverifier/src/main/java/ee/ria/xroad/asicverifier/AsicVerifierMain.java @@ -35,10 +35,12 @@ import org.apache.commons.io.IOUtils; +import java.io.File; import java.io.FileOutputStream; import java.io.IOException; import java.io.InputStream; import java.nio.file.Files; +import java.nio.file.Path; import java.nio.file.Paths; import java.util.Scanner; import java.util.zip.ZipEntry; @@ -49,6 +51,8 @@ */ public final class AsicVerifierMain { + private static final Path CURRENT_DIR = Paths.get("").toAbsolutePath(); + private AsicVerifierMain() { } @@ -137,10 +141,13 @@ private static void extractMessage(String fileName) { @SuppressWarnings("javasecurity:S2083") private static void writeToFile(String fileName, InputStream contents) throws IOException { - try (FileOutputStream file = new FileOutputStream(fileName)) { - IOUtils.copy(contents, file); + final var targetFile = new File(fileName); + if (targetFile.getCanonicalFile().toPath().startsWith(CURRENT_DIR)) { + try (FileOutputStream file = new FileOutputStream(targetFile)) { + IOUtils.copy(contents, file); + } + System.out.println("Created file " + fileName); } - System.out.println("Created file " + fileName); } private static void showUsage() { diff --git a/src/build.gradle b/src/build.gradle index d6cc1461f5..3c9640dfc7 100644 --- a/src/build.gradle +++ b/src/build.gradle 
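Review bot: `@SneakyThrows` on `escapeString` is now dead: the `URLEncoder.encode(String, Charset)` overload declares no checked exception (only the charset-name overload did), so the annotation can be dropped, together with the Lombok import above the hunk if nothing else in the file uses it. Leaving it in place suggests to a reader that the method can still fail, which it no longer can for encoding reasons.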
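Review bot: When the canonical-path check in `writeToFile` fails, the method returns silently: nothing is written and nothing is reported, so the caller and the user are left believing the extraction succeeded. An explicit `else { throw new IOException("Refusing to write outside " + CURRENT_DIR + ": " + fileName); }` makes the rejection visible. `CURRENT_DIR` is built with `toAbsolutePath()` but compared against `getCanonicalFile()`, so a working directory reached through a symlink would make every write fail the check; deriving `CURRENT_DIR` with `toRealPath()` (handling its IOException once in the initializer) or canonicalizing both sides keeps the comparison consistent. The `@SuppressWarnings("javasecurity:S2083")` that remains above the method would read better with a short comment stating that the `startsWith(CURRENT_DIR)` check is the mitigation the suppression relies on.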
@@ -133,34 +133,28 @@ configure(subprojects.findAll { !["shared-ui", "ui"].contains(it.name) }) { dependencies { //With require constraints we define lowest compliant dependency version (transitive dependencies are incl.) constraints { - add('implementation', 'com.fasterxml.jackson.core:jackson-databind') { - because("Vulnerability fix regarding CVE-2022-42003") + add('implementation', 'io.micrometer:micrometer-tracing-bridge-brave') { + because("Vulnerability fix regarding CVE-2022-47932") version { - require("$jacksonBomVersion") + require("1.23.0") } } - add('implementation', 'org.yaml:snakeyaml') { - because("Vulnerability fix regarding CVE-2022-25857") + add('implementation', 'org.springframework.security:spring-security-core') { + because("Vulnerability fix regarding CVE-2024-22234") version { - require("$snakeyamlVersion") + require("$springSecurityVersion") } } - add('implementation', 'org.apache.commons:commons-text') { - because("Vulnerability fix regarding CVE-2022-42889") + add('implementation', 'com.jayway.jsonpath:json-path') { + because("Vulnerability fix regarding CVE-2023-51074") version { - require("$commonsTextVersion") - } - } - add('implementation', 'com.fasterxml.woodstox:woodstox-core') { - because("Vulnerability fix regarding CVE-2022-40152") - version { - require("$woodstoxVersion") + require("$jsonPathVersion") } } } - testImplementation("org.junit.jupiter:junit-jupiter-engine:$junitVersion") - testImplementation("org.junit.vintage:junit-vintage-engine:$junitVersion") + testImplementation("org.junit.jupiter:junit-jupiter-engine:$junitJupiterVersion") + testImplementation("org.junit.vintage:junit-vintage-engine:$junitJupiterVersion") compileOnly "org.projectlombok:lombok:${lombokVersion}" annotationProcessor "org.projectlombok:lombok:${lombokVersion}" diff --git a/src/central-server/admin-service/ui-system-test/build.gradle b/src/central-server/admin-service/ui-system-test/build.gradle index a0ee036041..97295ecb38 100644 
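Review bot: The new constraint for `io.micrometer:micrometer-tracing-bridge-brave` hard-codes `require("1.23.0")`, while the gradle.properties hunk in this same diff adds `micrometerTracingVersion=1.2.3` that nothing visible references; the two look intended for each other, and 1.23.0 does not resemble a micrometer-tracing release number, so `require("$micrometerTracingVersion")` is probably what was meant. The two sibling constraints added here already follow the property pattern (`$springSecurityVersion`, `$jsonPathVersion`), so this one stands out. Worth confirming the version the build actually resolves before merging.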
--- a/src/central-server/admin-service/ui-system-test/build.gradle +++ b/src/central-server/admin-service/ui-system-test/build.gradle @@ -8,7 +8,7 @@ dependencies { intTestImplementation("com.nortal.test:test-automation-allure:${testAutomationFrameworkVersion}") intTestImplementation("com.nortal.test:test-automation-containers:${testAutomationFrameworkVersion}") intTestImplementation("com.nortal.test:test-automation-feign:$testAutomationFrameworkVersion") - intTestImplementation("org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}") + intTestImplementation("org.bouncycastle:bcpkix-jdk18on:${bouncyCastleVersion}") intTestImplementation("org.awaitility:awaitility:${awaitilityVersion}") } diff --git a/src/common/common-core/build.gradle b/src/common/common-core/build.gradle index 44698922fc..4ef1310e96 100644 --- a/src/common/common-core/build.gradle +++ b/src/common/common-core/build.gradle @@ -17,7 +17,7 @@ dependencies { api("org.apache.santuario:xmlsec:$xmlsecVersion") api("org.apache.commons:commons-lang3:$commonsLang3Version") api("org.apache.commons:commons-text:$commonsTextVersion") - api("org.bouncycastle:bcpkix-jdk15on:$bouncyCastleVersion") + api("org.bouncycastle:bcpkix-jdk18on:$bouncyCastleVersion") api("com.google.guava:guava:$guavaVersion") api("com.fasterxml.jackson.core:jackson-annotations:$jacksonBomVersion") api("commons-io:commons-io:$commonsIOVersion") diff --git a/src/common/common-core/src/main/java/ee/ria/xroad/common/util/LogUtils.java b/src/common/common-core/src/main/java/ee/ria/xroad/common/util/LogUtils.java new file mode 100644 index 0000000000..cb6161c0f3 --- /dev/null +++ b/src/common/common-core/src/main/java/ee/ria/xroad/common/util/LogUtils.java 
@@ -0,0 +1,44 @@ +/* + * The MIT License + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + *

+ * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + *

+ * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + *

+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +package ee.ria.xroad.common.util; + +import org.apache.commons.lang3.StringUtils; + +public final class LogUtils { + + private static final String REGEX_TO_ESCAPE = "[\t\n\r]"; + private static final String REPLACEMENT = "_"; + + public static String sanitize(final String text) { + if (StringUtils.isEmpty(text)) { + return text; + } + + return text.replaceAll(REGEX_TO_ESCAPE, REPLACEMENT); + } + + private LogUtils() { + } +} diff --git a/src/common/common-core/src/test/java/ee/ria/xroad/common/util/LogUtilsTest.java b/src/common/common-core/src/test/java/ee/ria/xroad/common/util/LogUtilsTest.java new file mode 100644 index 0000000000..169b54cdd8 --- /dev/null +++ b/src/common/common-core/src/test/java/ee/ria/xroad/common/util/LogUtilsTest.java @@ -0,0 +1,56 @@ +/* + * The MIT License + * Copyright (c) 2018 Estonian Information System Authority (RIA), + * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) + * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) + *
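Review bot: `sanitize` recompiles its regex on every call, because `String.replaceAll` compiles the pattern each time, and this diff puts it on a logging path (the trace line in KeyConf); compile once with `private static final Pattern TO_ESCAPE = Pattern.compile("[\t\n\r]");` and use `TO_ESCAPE.matcher(text).replaceAll(REPLACEMENT)`. The public class and method carry no Javadoc; a one-liner such as `/** Replaces CR, LF and TAB with "_" so that an untrusted value cannot forge additional log lines. */` would document the contract, including that null and empty input are returned unchanged. Whether other control characters should be neutralised as well is worth deciding explicitly, since the current character class only stops line-break and tab forgery.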

+ * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + *

+ * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + *

+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +package ee.ria.xroad.common.util; + +import org.junit.jupiter.api.Test; + +import static org.assertj.core.api.Assertions.assertThat; + +class LogUtilsTest { + + @Test + void sanitize() { + var normalLogEntry = "2024-02-15T12:21:06.997+02:00 " + + "INFO ee.ria.xroad.common.util.LogUtilsTest : System is ready"; + var fakeLogEntry = "2024-02-15T12:21:06.997+02:00 " + + "INFO ee.ria.xroad.common.util.LogUtilsTest : Payment of $1000 was made"; + + var fakeLogData = "to receive $1000"; + + assertThat(LogUtils.sanitize(normalLogEntry)).isEqualTo(normalLogEntry); + + assertThat(LogUtils.sanitize(normalLogEntry + "\n" + fakeLogEntry)) + .isEqualTo(normalLogEntry + "_" + fakeLogEntry); + + assertThat(LogUtils.sanitize(normalLogEntry + "\n\r" + fakeLogEntry)) + .isEqualTo(normalLogEntry + "__" + fakeLogEntry); + + assertThat(LogUtils.sanitize(normalLogEntry + "\r" + fakeLogEntry)) + .isEqualTo(normalLogEntry + "_" + fakeLogEntry); + + assertThat(LogUtils.sanitize(normalLogEntry + "\t" + fakeLogData)) + .isEqualTo(normalLogEntry + "_" + fakeLogData); + } +} diff --git a/src/common/common-int-test/build.gradle b/src/common/common-int-test/build.gradle index fc94cf7a3b..dba4d9239b 100644 --- a/src/common/common-int-test/build.gradle +++ b/src/common/common-int-test/build.gradle 
@@ -15,7 +15,7 @@ dependencies { api("com.nortal.test:test-automation-selenide:${testAutomationFrameworkVersion}") { exclude group: "org.slf4j", module: "*" } - api("org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}") + api("org.bouncycastle:bcpkix-jdk18on:${bouncyCastleVersion}") api("org.awaitility:awaitility:${awaitilityVersion}") } diff --git a/src/common/common-message/src/main/java/ee/ria/xroad/common/util/XmlUtils.java b/src/common/common-message/src/main/java/ee/ria/xroad/common/util/XmlUtils.java index a40026e756..df142a2097 100644 --- a/src/common/common-message/src/main/java/ee/ria/xroad/common/util/XmlUtils.java +++ b/src/common/common-message/src/main/java/ee/ria/xroad/common/util/XmlUtils.java @@ -25,6 +25,8 @@ */ package ee.ria.xroad.common.util; +import ee.ria.xroad.common.CodedException; + import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.IOUtils; import org.apache.xml.security.c14n.Canonicalizer; @@ -60,6 +62,8 @@ import java.nio.charset.StandardCharsets; import java.util.Optional; +import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR; + /** * Contains various XML-related utility methods. */ @@ -317,22 +321,7 @@ public static DocumentBuilderFactory createDocumentBuilderFactory() { try { dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); } catch (ParserConfigurationException e) { - log.warn("XMLConstants.FEATURE_SECURE_PROCESSING not supported"); - } - try { - dbf.setFeature(FEATURE_DISALLOW_DOCTYPE, true); - } catch (ParserConfigurationException e) { - log.warn("disallow-doctype-decl not supported"); - } - try { - dbf.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false); - } catch (ParserConfigurationException e) { - log.warn("external-general-entities not supported"); - } - try { - dbf.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false); - } catch (ParserConfigurationException e) { - log.warn("external-parameter-entities not supported"); + throw new CodedException(X_INTERNAL_ERROR, e); } return dbf; } 
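Review bot: With the three feature calls removed, `createDocumentBuilderFactory()` relies on FEATURE_SECURE_PROCESSING alone for XXE hardening, and what that feature disables is implementation-specific: the JDK's built-in parser is documented to default ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to "" once the feature is set explicitly, but a third-party JAXP implementation on the classpath (gradle.properties in this diff still pins an Apache Xerces version) need not, and no implementation treats the feature as a rejection of DOCTYPE declarations. Unless the part of the method above the hunk already does so, keeping `dbf.setFeature(FEATURE_DISALLOW_DOCTYPE, true);` inside the same try block rejects a DOCTYPE in incoming XML regardless of which parser is loaded. A comment such as `// secure processing is mandatory; a parser that cannot provide it is a misconfiguration` would explain why the former warn-and-continue is now a CodedException. The same consideration applies to the QueryRequestHandler.createSchema hunk further down, where the explicit `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "")` is dropped and external DTD access again falls back to the implementation's FEATURE_SECURE_PROCESSING default. The enclosing method starts outside the hunk.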
diff --git a/src/common/common-messagelog/build.gradle b/src/common/common-messagelog/build.gradle index 7349551742..05910e1069 100644 --- a/src/common/common-messagelog/build.gradle +++ b/src/common/common-messagelog/build.gradle @@ -6,7 +6,7 @@ dependencies { implementation project(':asic-util') testImplementation project(':common:common-test') - testImplementation "org.bouncycastle:bcpg-jdk15on:${bouncyCastleVersion}" + testImplementation "org.bouncycastle:bcpg-jdk18on:${bouncyCastleVersion}" testImplementation "org.mockito:mockito-core:$mockitoVersion" } diff --git a/src/common/common-test/build.gradle b/src/common/common-test/build.gradle index bb9480cd4c..de5e995d18 100644 --- a/src/common/common-test/build.gradle +++ b/src/common/common-test/build.gradle @@ -8,7 +8,7 @@ dependencies { implementation project(':common:common-verifier') implementation 'org.antlr:ST4:4.3.4' // JUnit is needed for ExpectedCodedException - implementation "org.junit.vintage:junit-vintage-engine:$junitVersion" + implementation "org.junit.vintage:junit-vintage-engine:$junitJupiterVersion" api("org.apache.httpcomponents:httpasyncclient:4.1.5") api "org.mockito:mockito-junit-jupiter:$mockitoVersion" diff --git a/src/common/common-verifier/src/main/java/ee/ria/xroad/common/ocsp/OcspVerifier.java b/src/common/common-verifier/src/main/java/ee/ria/xroad/common/ocsp/OcspVerifier.java index b17457fd39..b5c51ee710 100644 --- a/src/common/common-verifier/src/main/java/ee/ria/xroad/common/ocsp/OcspVerifier.java +++ b/src/common/common-verifier/src/main/java/ee/ria/xroad/common/ocsp/OcspVerifier.java @@ -34,7 +34,6 @@ import com.google.common.util.concurrent.UncheckedExecutionException; import lombok.extern.slf4j.Slf4j; import org.apache.xml.security.algorithms.MessageDigestAlgorithm; -import org.bouncycastle.asn1.DERBitString; import org.bouncycastle.asn1.ocsp.ResponderID; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.ocsp.BasicOCSPResp; 
@@ -351,7 +350,7 @@ public static X509Certificate getOcspCert(BasicOCSPResp response) for (X509Certificate cert : knownCerts) { X509CertificateHolder certHolder = new X509CertificateHolder(cert.getEncoded()); - DERBitString keyData = + var keyData = certHolder.getSubjectPublicKeyInfo().getPublicKeyData(); byte[] d = calculateDigest(dc, keyData.getBytes()); if (MessageDigestAlgorithm.isEqual(respId.getKeyHash(), d)) { diff --git a/src/common/common-verifier/src/test/java/ee/ria/xroad/common/signature/TimestampVerifierTest.java b/src/common/common-verifier/src/test/java/ee/ria/xroad/common/signature/TimestampVerifierTest.java index 813d2ef58a..df8dba3e39 100644 --- a/src/common/common-verifier/src/test/java/ee/ria/xroad/common/signature/TimestampVerifierTest.java +++ b/src/common/common-verifier/src/test/java/ee/ria/xroad/common/signature/TimestampVerifierTest.java @@ -32,7 +32,7 @@ import ee.ria.xroad.common.conf.globalconf.GlobalConf; import org.apache.commons.io.IOUtils; -import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.ASN1Primitive; import org.bouncycastle.asn1.cms.ContentInfo; import org.bouncycastle.tsp.TimeStampToken; import org.junit.BeforeClass; @@ -124,7 +124,7 @@ private static TimeStampToken getTimestampFromFile(String fileName) throws Exception { byte[] data = getBytesFromFile(fileName); TimeStampToken token = new TimeStampToken(ContentInfo.getInstance( - ASN1Sequence.fromByteArray(data))); + ASN1Primitive.fromByteArray(data))); assertNotNull(token); return token; } diff --git a/src/gradle.properties b/src/gradle.properties index a65d9348eb..4af3e9f5c5 100644 --- a/src/gradle.properties +++ b/src/gradle.properties 
@@ -23,25 +23,28 @@ mapStructVersion=1.5.5.Final shadowJarVersion=8.1.1 jacksonBomVersion=2.16.1 jackson-bom.version=${jacksonBomVersion} -snakeyamlVersion=2.2 -snakeyaml.version=${snakeyamlVersion} -postgresqlVersion=42.5.4 +postgresqlVersion=42.6.1 postgresql.version=${postgresqlVersion} mockitoVersion=5.7.0 mockito.version=${mockitoVersion} cxfVersion=3.4.10 xercesVersion=2.12.2 -woodstoxVersion=6.4.0 springBootVersion=3.2.2 springDependenciesVersion=1.1.4 +springSecurityVersion=6.2.2 +jsonPathVersion=2.9.0 +nettyVersion=4.1.105.Final +netty.version=${nettyVersion} +micrometerTracingVersion=1.2.3 springCloudVersion=2023.0.0 openFeignVersion=12.3 -junitVersion=5.10.1 +junitJupiterVersion=5.10.2 +junit-jupiter.version=${junitJupiterVersion} xmlUnitVersion=2.9.1 systemRulesVersion=1.19.0 -guavaVersion=32.1.3-jre +guavaVersion=33.0.0-jre guava.version=${guavaVersion} -bouncyCastleVersion=1.69 +bouncyCastleVersion=1.77 xmlsecVersion=4.0.1 tomcatVersion=10.1.18 tomcat.version=${tomcatVersion} @@ -55,12 +58,12 @@ liquibaseVersion=4.25.0 liquibase.version=${liquibaseVersion} lombokMapstructBinding=0.2.0 openApiGeneratorVersion=7.1.0 -swaggerParserVersion=2.1.18 +swaggerParserVersion=2.1.20 hsqldbVersion=2.7.1:jdk8 hsqldb.version=${hsqldbVersion} -commonsTextVersion=1.10.0 +commonsTextVersion=1.11.0 commonsCliVersion=1.6.0 -commonsCompressVersion=1.25.0 +commonsCompressVersion=1.26.0 commonsIOVersion=2.15.1 commonsLang3Version=3.14.0 commonsConfiguration2Version=2.9.0 @@ -72,7 +75,7 @@ assertj.version=${assertjVersion} swaggerAnnotationsVersion=2.2.17 protocVersion=3.24.3 protobufGradleVersion=0.9.4 -grpcVersion=1.58.0 +grpcVersion=1.61.1 libpam4jVersion=1.11 jakartaValidationApiVersion=3.0.2 jakartaServletApiVersion=6.0.0 diff --git a/src/gradle/wrapper/gradle-wrapper.jar b/src/gradle/wrapper/gradle-wrapper.jar index ccebba7710..d64cd49177 100644 Binary files a/src/gradle/wrapper/gradle-wrapper.jar and b/src/gradle/wrapper/gradle-wrapper.jar differ 
diff --git a/src/gradle/wrapper/gradle-wrapper.properties b/src/gradle/wrapper/gradle-wrapper.properties index 3499ded5c1..a80b22ce5c 100644 --- a/src/gradle/wrapper/gradle-wrapper.properties +++ b/src/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-8.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-8.6-bin.zip networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/src/gradlew b/src/gradlew index 79a61d421c..1aa94a4269 100755 --- a/src/gradlew +++ b/src/gradlew @@ -83,10 +83,8 @@ done # This is normally unused # shellcheck disable=SC2034 APP_BASE_NAME=${0##*/} -APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. MAX_FD=maximum @@ -133,10 +131,13 @@ location of your Java installation." fi else JAVACMD=java - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. 
@@ -144,7 +145,7 @@ if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then case $MAX_FD in #( max*) # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. - # shellcheck disable=SC3045 + # shellcheck disable=SC2039,SC3045 MAX_FD=$( ulimit -H -n ) || warn "Could not query maximum file descriptor limit" esac @@ -152,7 +153,7 @@ if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then '' | soft) :;; #( *) # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. - # shellcheck disable=SC3045 + # shellcheck disable=SC2039,SC3045 ulimit -n "$MAX_FD" || warn "Could not set maximum file descriptor limit to $MAX_FD" esac @@ -197,11 +198,15 @@ if "$cygwin" || "$msys" ; then done fi -# Collect all arguments for the java command; -# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of -# shell script including quotes and variable substitutions, so put them in -# double quotes to make sure that they get re-expanded; and -# * put everything else in single quotes, so that it's not re-expanded. + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. set -- \ "-Dorg.gradle.appname=$APP_BASE_NAME" \ diff --git a/src/op-monitor-daemon/src/main/java/ee/ria/xroad/opmonitordaemon/QueryRequestHandler.java b/src/op-monitor-daemon/src/main/java/ee/ria/xroad/opmonitordaemon/QueryRequestHandler.java index 9594e6f1ad..f531c7e675 100644 --- a/src/op-monitor-daemon/src/main/java/ee/ria/xroad/opmonitordaemon/QueryRequestHandler.java 
+++ b/src/op-monitor-daemon/src/main/java/ee/ria/xroad/opmonitordaemon/QueryRequestHandler.java
@@ -107,7 +107,6 @@ private static Schema createSchema() {
 try {
 final SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "file,jar:file");
 return factory.newSchema(ResourceUtils.getClasspathResource("op-monitoring.xsd"));
 } catch (SAXException e) {
diff --git a/src/packages/src/xroad/redhat/SPECS/xroad-base.spec b/src/packages/src/xroad/redhat/SPECS/xroad-base.spec
index 4e824ee2c5..283f549643 100644
--- a/src/packages/src/xroad/redhat/SPECS/xroad-base.spec
+++ b/src/packages/src/xroad/redhat/SPECS/xroad-base.spec
@@ -51,12 +51,12 @@ mkdir -p %{buildroot}/var/lib/xroad/backup mkdir -p %{buildroot}/etc/xroad/backup.d ln -s /usr/share/xroad/jlib/common-db-1.0.jar %{buildroot}/usr/share/xroad/jlib/common-db.jar -ln -s /usr/share/xroad/jlib/postgresql-42.5.4.jar %{buildroot}/usr/share/xroad/jlib/postgresql.jar +ln -s /usr/share/xroad/jlib/postgresql-42.6.1.jar %{buildroot}/usr/share/xroad/jlib/postgresql.jar ln -s /usr/share/xroad/db/liquibase-core-4.19.0.jar %{buildroot}/usr/share/xroad/db/liquibase-core.jar cp -p %{_sourcedir}/base/xroad-base.service %{buildroot}%{_unitdir} cp -p %{srcdir}/../../../common/common-db/build/libs/common-db-1.0.jar %{buildroot}/usr/share/xroad/jlib/ -cp -p %{srcdir}/../../../security-server/admin-service/application/build/unpacked-libs/postgresql-42.5.4.jar %{buildroot}/usr/share/xroad/jlib/ +cp -p %{srcdir}/../../../security-server/admin-service/application/build/unpacked-libs/postgresql-42.6.1.jar %{buildroot}/usr/share/xroad/jlib/ cp -p %{srcdir}/default-configuration/common.ini %{buildroot}/etc/xroad/conf.d/ cp -p %{srcdir}/../../../LICENSE.txt %{buildroot}/usr/share/doc/%{name}/LICENSE.txt cp -p %{srcdir}/../../../3RD-PARTY-NOTICES.txt %{buildroot}/usr/share/doc/%{name}/3RD-PARTY-NOTICES.txt diff --git a/src/packages/src/xroad/ubuntu/generic/xroad-base.install b/src/packages/src/xroad/ubuntu/generic/xroad-base.install index 4aadb1f871..c4e4590dd1 100644 --- a/src/packages/src/xroad/ubuntu/generic/xroad-base.install +++ b/src/packages/src/xroad/ubuntu/generic/xroad-base.install 
@@ -2,7 +2,7 @@ ../../../../src/xroad/common/base/usr/* usr/ ../../../../src/xroad/default-configuration/common.ini etc/xroad/conf.d/ ../../../../../common/common-db/build/libs/common-db-1.0.jar usr/share/xroad/jlib/ -../../../../../security-server/admin-service/application/build/unpacked-libs/postgresql-42.5.4.jar usr/share/xroad/jlib/ +../../../../../security-server/admin-service/application/build/unpacked-libs/postgresql-42.6.1.jar usr/share/xroad/jlib/ ../../../../../3RD-PARTY-NOTICES.txt usr/share/doc/xroad-base/ ../../../../../../CHANGELOG.md usr/share/doc/xroad-base/ ../../../../../LICENSE.txt usr/share/doc/xroad-base/ diff --git a/src/packages/src/xroad/ubuntu/generic/xroad-base.links b/src/packages/src/xroad/ubuntu/generic/xroad-base.links index 7dbe2d171d..22b896f608 100644 --- a/src/packages/src/xroad/ubuntu/generic/xroad-base.links +++ b/src/packages/src/xroad/ubuntu/generic/xroad-base.links @@ -1,3 +1,3 @@ usr/share/xroad/jlib/common-db-1.0.jar usr/share/xroad/jlib/common-db.jar -usr/share/xroad/jlib/postgresql-42.5.4.jar usr/share/xroad/jlib/postgresql.jar +usr/share/xroad/jlib/postgresql-42.6.1.jar usr/share/xroad/jlib/postgresql.jar usr/share/xroad/db/liquibase-core-4.19.0.jar usr/share/xroad/db/liquibase-core.jar diff --git a/src/proxy/src/main/java/ee/ria/xroad/proxy/conf/KeyConf.java b/src/proxy/src/main/java/ee/ria/xroad/proxy/conf/KeyConf.java index 1f0c4f2979..c9d218981e 100644 --- a/src/proxy/src/main/java/ee/ria/xroad/proxy/conf/KeyConf.java +++ b/src/proxy/src/main/java/ee/ria/xroad/proxy/conf/KeyConf.java @@ -28,6 +28,7 @@ import ee.ria.xroad.common.CodedException; import ee.ria.xroad.common.conf.globalconf.AuthKey; import ee.ria.xroad.common.identifier.ClientId; +import ee.ria.xroad.common.util.LogUtils; import org.bouncycastle.cert.ocsp.OCSPResp; import org.slf4j.Logger; 
@@ -126,7 +127,7 @@ public static AuthKey getAuthKey() {
 */
 public static OCSPResp getOcspResponse(String certHash) throws Exception {
-if (LOG.isTraceEnabled()) LOG.trace("getOcspResponse({})", certHash);
+if (LOG.isTraceEnabled()) LOG.trace("getOcspResponse({})", LogUtils.sanitize(certHash));
 return getInstance().getOcspResponse(certHash);
 }
diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/wsdl/HttpUrlConnectionConfig.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/wsdl/HttpUrlConnectionConfig.java
index ae6a916340..1bb9479e00 100644
--- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/wsdl/HttpUrlConnectionConfig.java
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/wsdl/HttpUrlConnectionConfig.java
@@ -26,6 +26,8 @@
 package org.niis.xroad.securityserver.restapi.wsdl;
+import ee.ria.xroad.common.util.CryptoUtils;
+
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
@@ -60,7 +62,7 @@ static void apply(HttpURLConnection conn) {
 static {
 try {
-final SSLContext ctx = SSLContext.getInstance("TLSv1.2");
+final SSLContext ctx = SSLContext.getInstance(CryptoUtils.SSL_PROTOCOL);
 ctx.init(new KeyManager[]{new ClientSslKeyManager()}, new TrustManager[]{new NoopTrustManager()}, new SecureRandom());
diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/wsdl/WsdlParser.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/wsdl/WsdlParser.java
index 26696d8431..c6aad217c6 100644
--- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/wsdl/WsdlParser.java
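Review bot: The changed trace statement is still an unbraced single-line `if`, while every other conditional visible in this diff is braced (`if (command.equals(MOCK_SUCCESS_SCRIPT)) {` in InternalTlsCertificateServiceTest); write it as `if (LOG.isTraceEnabled()) {` / `LOG.trace("getOcspResponse({})", LogUtils.sanitize(certHash));` / `}`. A one-line comment on why only the logged copy goes through the sanitiser would help the next reader, since the following line passes the raw `certHash` on unchanged: `// certHash is caller-supplied; sanitise only the logged copy so it cannot forge log lines`. What LogUtils.sanitize actually strips is not visible here, so the comment wording should be checked against its implementation. The enclosing class continues outside the hunk.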
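Review bot: The explicit `"TLSv1.2"` pin is replaced by `CryptoUtils.SSL_PROTOCOL`, whose value is not visible in this diff; if that constant is a generic name such as `"TLS"`, `SSLContext.getInstance` returns a context that negotiates whatever protocol versions the JVM enables, which would loosen this site compared to the previous line rather than being a pure refactor. The same substitution in WsdlParser (`@@ -371,7 +373,7 @@`) goes the other way, replacing `"SSL"`, so both call sites should say in a short comment what the constant is expected to allow, e.g. `// CryptoUtils.SSL_PROTOCOL is the single source of truth for the TLS version; it must not be weaker than TLSv1.2`. Both contexts are still initialised with non-verifying trust managers (`NoopTrustManager` here, `trustAllCerts` in WsdlParser), so the protocol version is the only transport-level protection left on these connections; a comment at the `ctx.init` line explaining why server verification is intentionally skipped, if it is, would document that trade-off. The static initializer in this hunk continues outside it.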
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/wsdl/WsdlParser.java
@@ -25,6 +25,8 @@
 */
 package org.niis.xroad.securityserver.restapi.wsdl;
+import ee.ria.xroad.common.util.CryptoUtils;
+
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.niis.xroad.restapi.exceptions.ErrorDeviation;
@@ -371,7 +373,7 @@ public void checkServerTrusted(
 }
 };
-SSLContext ctx = SSLContext.getInstance("SSL");
+SSLContext ctx = SSLContext.getInstance(CryptoUtils.SSL_PROTOCOL);
 ctx.init(new KeyManager[]{new ClientSslKeyManager()}, trustAllCerts, new SecureRandom());
 conn.setSSLSocketFactory(ctx.getSocketFactory());
diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/InternalTlsCertificateServiceTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/InternalTlsCertificateServiceTest.java
index 9385625dd4..d7ca11c25a 100644
--- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/InternalTlsCertificateServiceTest.java
+++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/InternalTlsCertificateServiceTest.java
@@ -85,7 +85,7 @@ public class InternalTlsCertificateServiceTest {
 new ExternalProcessRunner() {
 @Override
 public ProcessResult execute(String command, String... args) throws ProcessNotExecutableException,
-ProcessFailedException {
+ProcessFailedException {
 if (command.equals(MOCK_SUCCESS_SCRIPT)) {
 return new ProcessResult(command, 0, Collections.singletonList(SUCCESS));
 }
diff --git a/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java b/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java
index dae4a1873e..f7dc14f25c 100644
--- a/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java
+++ b/src/signer/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java
@@ -273,7 +273,7 @@ public void selfSignedCertGeneratedForTokenKeyForClient(String friendlyName, Str
 final KeyInfo keyInToken = findKeyInToken(friendlyName, keyName);
 scenarioCert = SignerProxy.generateSelfSignedCert(keyInToken.getId(), getClientId(client), KeyUsageInfo.SIGNING,
-"CN=" + client, Date.from(now().minus(5, DAYS)), Date.from(now().plus(5, DAYS)));
+client, Date.from(now().minus(5, DAYS)), Date.from(now().plus(5, DAYS)));
 this.certHash = calculateCertHexHash(scenarioCert);
 }
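Review bot: Dropping the `"CN="` prefix changes the argument from a subject DN to a bare name, but nothing in the step checks that `SignerProxy.generateSelfSignedCert` now builds the DN itself; the step still only stores the certificate and its hash. If the signer side wraps the value, an assertion on the generated certificate's subject (presumably obtainable from `scenarioCert`) would pin that contract here, and a comment such as `// bare name: SignerProxy builds the CN=... subject DN` on the `client,` line would document it. The generateSelfSignedCert signature change is not part of this diff, so this is inferred from the call site alone. The method selfSignedCertGeneratedForTokenKeyForClient starts above the hunk.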