authorBjørn Christian Seime <bjorn.christian@seime.no>2024-04-19 13:05:59 +0200
committerGitHub <noreply@github.com>2024-04-19 13:05:59 +0200
commit433cb01e19f6bb51d6a2d029482a6e16431cb055 (patch)
treed86f458e5358874475e743df8b206d9d0f6624fc /config-model
parent06b7bccd5586ed353069593a71535e4c958bc63e (diff)
parent3bc4c498b479cbb919a3f6e6b6ded892d6d55bce (diff)
Merge pull request #29575 from vespa-engine/renovate/bouncycastle.vespa.version
Update bouncycastle.vespa.version to v1.77
Diffstat (limited to 'config-model')
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudClientsValidator.java11
-rw-r--r--config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudClientsValidatorTest.java5
2 files changed, 5 insertions, 11 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudClientsValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudClientsValidator.java
index 9a8c8435790..5e6bd2a4b7f 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudClientsValidator.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/CloudClientsValidator.java
@@ -31,20 +31,17 @@ public class CloudClientsValidator implements Validator {
if (extensions == null) return; // Certificate without any extensions is okay
if (extensions.getExtensionOIDs().length == 0) {
/*
- BouncyCastle 1.77 no longer accepts certificates having an empty sequence of extensions.
+ BouncyCastle 1.77 and 1.78 did not accept certificates having an empty sequence of extensions.
Earlier releases violated the ASN.1 specification as the specification forbids empty extension sequence.
See https://github.com/bcgit/bc-java/issues/1479.
-
- Detect such certificates and issue a warning for now.
- Validation will be implicitly enforced once we upgrade BouncyCastle past 1.76.
+ The restriction was lifted on 1.78.1 although it's a reasonble to warn users still.
*/
var message = "The certificate's ASN.1 structure contains an empty sequence of extensions, " +
"which is a violation of the ASN.1 specification. " +
"Please update the application package with a new certificate, " +
- "e.g by generating a new one using the Vespa CLI `$ vespa auth cert`. " +
- "Such certificate will no longer be accepted in near future.";
+ "e.g by generating a new one using the Vespa CLI `$ vespa auth cert`. ";
state.getDeployLogger()
- .logApplicationPackage(Level.WARNING, errorMessage(clusterName, clientId, message));
+ .log(Level.INFO, errorMessage(clusterName, clientId, message));
}
} catch (CertificateEncodingException e) {
reporter.accept(errorMessage(clusterName, clientId, e.getMessage()), e);
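Review bot: The rewritten comment says it is still reasonable to warn users, but the new call is `.log(Level.INFO, ...)` rather than `.logApplicationPackage(Level.WARNING, ...)`, so the notice about a malformed client certificate is downgraded and may no longer reach whoever deploys the application package (how `log` at INFO is surfaced is not visible in this hunk). If the intent is to keep nudging users to replace such certificates, keep `.logApplicationPackage(Level.WARNING, errorMessage(clusterName, clientId, message));`; otherwise reword the comment to say the message is informational only. Two small fixes while here: `it's a reasonble to warn users still` should read `it is still reasonable to warn users`, and the last message fragment now ends in `. ` with a trailing space left over from the removed sentence. The enclosing method starts and ends outside the hunk.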
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudClientsValidatorTest.java b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudClientsValidatorTest.java
index 6fbca76ccbc..72230a580d7 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudClientsValidatorTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/application/validation/CloudClientsValidatorTest.java
@@ -18,8 +18,6 @@ class CloudClientsValidatorTest {
@Test
void logs_deployment_warning_on_certificate_with_empty_sequence_of_extensions() {
- // Test should fail on BouncyCastle 1.77 or later
-
var logger = new DeployLoggerStub();
var state = new DeployState.Builder().deployLogger(logger).build();
var cert = readTestCertificate("cert-with-empty-sequence-of-extensions.pem");
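Review bot: The test name `logs_deployment_warning_on_certificate_with_empty_sequence_of_extensions` no longer matches the validator, which now logs this message at `Level.INFO`, and the assertion in the next hunk checks only `logger.getLast().message`. Rename it to e.g. `logs_deployment_info_on_certificate_with_empty_sequence_of_extensions` and, if the stub's log entry records the level (not visible here), assert it as well so a later change of severity is caught by the test. The test body continues outside this hunk.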
@@ -30,8 +28,7 @@ class CloudClientsValidatorTest {
"The certificate's ASN.1 structure contains an empty sequence of extensions, " +
"which is a violation of the ASN.1 specification. " +
"Please update the application package with a new certificate, " +
- "e.g by generating a new one using the Vespa CLI `$ vespa auth cert`. " +
- "Such certificate will no longer be accepted in near future.";
+ "e.g by generating a new one using the Vespa CLI `$ vespa auth cert`. ";
assertEquals(expected, logger.getLast().message);
}