[HDDS-10743] Turn the direct dependency on BouncyCastle to an optional one - ASF JIRA

XML

Word

Printable

JSON

Our current system is statically linked wih the BouncyCastle JCE Provider and also we directly use some of its implementation details.

If we would like to allow crypto compliance on the long run, this is a bad practice.

This task aims to collect all small tasks that can help us to refactor this dependency to be an optional and replaceable one.

is blocked by

HDDS-10889 Remove certificate revocation related code.

HDDS-10744 Standardize byte array conversion to String for LiveFileMetaData in RocksDB

relates to

HDDS-11047 Unify the creation of Certificate Sign Requests in CertificateClient implementations

1.	Restrict X509CertificateHolder usage to the bare minimum required.	Resolved	István Fajth
2.	Create hdds-crypto-api and hdds-crypto-default modules	Resolved	István Fajth
3.	Create hdds-crypto-default module	Resolved	István Fajth
4.	Replace PKCS10CertificationRequest usage in CertificateClient	Resolved	István Fajth
5.	Replace PKCS10CertificationRequest usage in DefaultCAServer	Open	István Fajth
6.	Do not throw OperatorCreationException from CertificateApprover#sign	Resolved	István Fajth
7.	Merge BaseApprover abstract class with the DefaultApprover	Resolved	István Fajth
8.	Use Key/TrustManagers directly for TLS connection instead of factories	Resolved	Szabolcs Gál
9.	Replace HAUtils#buildCAX509List usages with other direct usages	Resolved	Szabolcs Gál
10.	Refactor SCMSecurityProtocol to return X509Certificates instead of Strings	Open	Unassigned