From 2ea657916bb16169db2c176653f7c74fd531a927 Mon Sep 17 00:00:00 2001
From: James Nord
Date: Mon, 30 Oct 2023 11:27:21 +0000
Subject: [PATCH] [JENKINS-72249] switch to JcaContentSignerBuilder in order to obtain a ContentSigner
Switch the implementation to JcaContentSignerBuilder which is available in the regula bcpkix and bcpkix-fips
The higher level API also has the benifit that the code becomes more legible.
---
 .../SelfSignedCertificate.java | 31 +++----------------
 1 file changed, 4 insertions(+), 27 deletions(-)
diff --git a/src/main/java/org/jenkinsci/main/modules/instance_identity/SelfSignedCertificate.java b/src/main/java/org/jenkinsci/main/modules/instance_identity/SelfSignedCertificate.java
index a8e77d2..1a43e9e 100644
--- a/src/main/java/org/jenkinsci/main/modules/instance_identity/SelfSignedCertificate.java
+++ b/src/main/java/org/jenkinsci/main/modules/instance_identity/SelfSignedCertificate.java
@@ -3,7 +3,6 @@
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.math.BigInteger;
-import java.security.InvalidKeyException;
 import java.security.KeyPair;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
@@ -18,21 +17,13 @@
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x500.X500NameBuilder;
 import org.bouncycastle.asn1.x500.style.BCStyle;
-import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.cert.X509v3CertificateBuilder;
 import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
-import org.bouncycastle.crypto.params.RSAKeyParameters;
-import org.bouncycastle.jcajce.provider.asymmetric.dsa.DSAUtil;
-import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;
 import org.bouncycastle.operator.ContentSigner;
-import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
-import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.OperatorCreationException;
-import org.bouncycastle.operator.bc.BcDSAContentSignerBuilder;
-import org.bouncycastle.operator.bc.BcECContentSignerBuilder;
-import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 final class SelfSignedCertificate {
@@ -136,23 +127,11 @@ public X509Certificate generate() throws IOException {
 ContentSigner signer;
 if (keyPair.getPrivate() instanceof RSAPrivateKey) {
-RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
-AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(hashAlg + "withRSA");
-AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
-signer = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build( new RSAKeyParameters(true,privateKey.getModulus(), privateKey.getPrivateExponent()));
+signer = new JcaContentSignerBuilder(hashAlg + "withRSA").build(keyPair.getPrivate());
 } else if (keyPair.getPrivate() instanceof DSAPrivateKey) {
-DSAPrivateKey privateKey = (DSAPrivateKey) keyPair.getPrivate();
-AlgorithmIdentifier sigAlgId =
-new DefaultSignatureAlgorithmIdentifierFinder().find(hashAlg + "withDSA");
-AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
-signer = new BcDSAContentSignerBuilder(sigAlgId, digAlgId).build(DSAUtil.generatePrivateKeyParameter(privateKey));
+signer = new JcaContentSignerBuilder(hashAlg + "withDSA").build(keyPair.getPrivate());
 } else if (keyPair.getPrivate() instanceof ECPrivateKey) {
-ECPrivateKey privateKey = (ECPrivateKey)keyPair.getPrivate();
-AlgorithmIdentifier sigAlgId =
-new DefaultSignatureAlgorithmIdentifierFinder().find(hashAlg + "withECDSA");
-AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
-signer = new BcECContentSignerBuilder(sigAlgId, digAlgId).build(ECUtil.generatePrivateKeyParameter(privateKey));
+signer = new JcaContentSignerBuilder(hashAlg + "withECDSA").build(keyPair.getPrivate());
 } else {
 throw new IOException("Unsupported key type");
 }
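Review bot: The three new `JcaContentSignerBuilder(...)` calls are not bound to a provider, so `build(keyPair.getPrivate())` resolves `hashAlg + "withRSA"` (and the DSA/ECDSA variants) through the default JCA provider order, whereas the removed Bc*ContentSignerBuilder code always ran BouncyCastle's lightweight signers; if the intent behind supporting bcpkix-fips is that a particular provider performs the signing, add `.setProvider(PROVIDER_NAME_PLACEHOLDER)` or at least record the dependency with a comment such as `// signing is delegated to whichever JCA provider is registered first for this algorithm`. The three branches now differ only in the algorithm suffix, so choosing the suffix in the instanceof chain and issuing one build call removes the duplicated builder line; a sketch follows. The enclosing generate() starts before and ends after this hunk, and the removed `InvalidKeyException` catch in the later hunk appears consistent with `build(PrivateKey)` declaring only `OperatorCreationException`.
```java
String keyAlgSuffix;
if (keyPair.getPrivate() instanceof RSAPrivateKey) {
    keyAlgSuffix = "withRSA";
} else if (keyPair.getPrivate() instanceof DSAPrivateKey) {
    keyAlgSuffix = "withDSA";
} else if (keyPair.getPrivate() instanceof ECPrivateKey) {
    keyAlgSuffix = "withECDSA";
} else {
    throw new IOException("Unsupported key type");
}
// Resolved through the JCA provider chain; call setProvider(...) here if a specific
// provider (regular or FIPS BC) must be the one that produces the signature.
ContentSigner signer = new JcaContentSignerBuilder(hashAlg + keyAlgSuffix).build(keyPair.getPrivate());
```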
@@ -165,8 +144,6 @@ public X509Certificate generate() throws IOException {
 throw new IOException("Failed to generate a certificate", e);
 } catch (NoSuchAlgorithmException e) {
 throw new IOException("Failed to generate a certificate", e);
-} catch (InvalidKeyException e) {
-throw new IOException("Failed to generate a certificate", e);
 }
 }
 }