Use of jdk internal classes.
whitingjr opened this issue · 7 comments
Running jdeps on the indy embedder jar artifact reports a dependency on jdk internal classes.
$ jdeps -jdkinternals -cp ./indy/lib/indy-embedder-1.9.9-SNAPSHOT.jar
indy-embedder-1.9.9-SNAPSHOT.jar -> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-0.fc30.x86_64/jre/lib/rt.jar
org.commonjava.indy.httprox.util.CertUtils (indy-embedder-1.9.9-SNAPSHOT.jar)
-> sun.security.util.ObjectIdentifier JDK internal API (rt.jar)
-> sun.security.x509.AlgorithmId JDK internal API (rt.jar)
-> sun.security.x509.BasicConstraintsExtension JDK internal API (rt.jar)
-> sun.security.x509.CertificateAlgorithmId JDK internal API (rt.jar)
-> sun.security.x509.CertificateExtensions JDK internal API (rt.jar)
-> sun.security.x509.CertificateSerialNumber JDK internal API (rt.jar)
-> sun.security.x509.CertificateValidity JDK internal API (rt.jar)
-> sun.security.x509.CertificateVersion JDK internal API (rt.jar)
-> sun.security.x509.CertificateX509Key JDK internal API (rt.jar)
-> sun.security.x509.X500Name JDK internal API (rt.jar)
-> sun.security.x509.X509CertImpl JDK internal API (rt.jar)
-> sun.security.x509.X509CertInfo JDK internal API (rt.jar)Warning: JDK internal APIs are unsupported and private to JDK implementation that are
subject to be removed or changed incompatibly and could break your application.
Please modify your code to eliminate dependency on any JDK internal APIs.
For the most recent update on JDK internal API replacements, please check:
https://wiki.openjdk.java.net/display/JDK8/Java+Dependency+Analysis+ToolJDK Internal API Suggested Replacement
sun.security.x509.X500Name Use javax.security.auth.x500.X500Principal @SInCE 1.4
$
The code needs updating to remove the dependency.
I think this must be from the PEM-reading code in jhttpc
This is in the httpprox addons project not the external dependency jhttpc. CertUtils.
Maybe we can use bouncy-castle instead(https://www.bouncycastle.org/java.html). BTW, I see that we have included this deps in indy which is used by koji-addon.
Maybe we can use bouncy-castle instead(https://www.bouncycastle.org/java.html). BTW, I see that we have included this deps in indy which is used by koji-addon.
Yes I started to implement a replacement last week using bouncy castle. Given it's a dependency already in the project. Not finished coding and testing it yet.
The pr looks good. We should have no problem to merge it. The only thing is some related ftest failed when running locally. But CI passed them. As we are going to release Indy 2.0 very soon, in order not to add more uncertainty, we can close this issue but keep the pr open for a while. We can merge the pr once we finish the 2.0 release. Hopefully the remaining issue would have gone at that time.