why does Quarkus return a deprecated X509Certificate? #12371

Open
serrodcal opened this issue Sep 28, 2020 · 6 comments
Labels
kind/enhancement New feature or request

Comments

@serrodcal

serrodcal commented Sep 28, 2020

Description
I'm not sure where to put this question. I hope I am in the right place.

The question is, why does Quarkus return a deprecated X509Certificate?

When I want to get the certificate from the request, I get a javax.security.cert.X509Certificate instead of java.security.cert.X509Certificate.

Implementation ideas
I was wondering if with Vert.x v4, this issue will be fixed or not. But, Quarkus/Vert.x should work with no deprecated objects. Mainly, trying to build in native with filters, a serialization is needed as given below:

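```java
// Re-encode the deprecated javax.security.cert.X509Certificate and parse the bytes
// again as a java.security.cert.X509Certificate.
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream bais = new ByteArrayInputStream(request.peerCertificateChain()[0].getEncoded());
X509Certificate clientCertificate = (X509Certificate) cf.generateCertificate(bais);
```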

This is needed because to be able to use libraries to validate a JWT token I need the java.security.cert.X509Certificate, but in native I got an error in runtime because the serialization doesn't work.

@serrodcal serrodcal added the kind/enhancement New feature or request label Sep 28, 2020
@gsmet
Member

gsmet commented Sep 28, 2020

In which context does Quarkus return a deprecated X509Certificate? It's not clear from your report. Thanks!

@serrodcal
Author

serrodcal commented Sep 28, 2020

For instance, making a filter using Reactive Routes:

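```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import io.quarkus.vertx.web.RouteFilter;
import io.vertx.ext.web.RoutingContext;

public class Filters {

    @RouteFilter(100)
    void filter1(RoutingContext rc) throws Exception {
        // peerCertificateChain() returns the deprecated javax.security.cert.X509Certificate[];
        // re-encode the first entry and parse it as java.security.cert.X509Certificate.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        ByteArrayInputStream bais = new ByteArrayInputStream(rc.request().peerCertificateChain()[0].getEncoded());
        X509Certificate clientCertificate = (X509Certificate) cf.generateCertificate(bais);
        ...
    }
}
```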

From request.peerCertificateChain()[0] I get a javax.security.cert.X509Certificate which is deprecated.

Do you need further information? I'm using 1.8.1.Final of quarkus-vertx-web.

@sberyozkin
Member

sberyozkin commented Oct 6, 2020

@serrodcal it is off-topic, but do you do an access token binding to the client cert check? We've been thinking to do it for a while for quarkus-oidc bearer tokens (#4482), may be also worth trying for smallrye-jwt...

@serrodcal
Author

Our problem is building to native, because the only way to convert to the non-deprecated X509Certificate (which is needed to be able to use a library to validate the Access Token) is using the serialization. I don't know if there is another way to do that.

@gastaldi
Contributor

A small reproducer project would help also

@serrodcal
Author

I can't share the project because it belongs to my company, but I'll try to create a small reproducer project as you mentioned as soon as possible :).
