Skip to content

Replace native tool deps (keytool/openssl/certbot) with pure Java APIs#403

Open
lagergren wants to merge 2 commits intomasterfrom
lagergren/cert
Open

Replace native tool deps (keytool/openssl/certbot) with pure Java APIs#403
lagergren wants to merge 2 commits intomasterfrom
lagergren/cert

Conversation

@lagergren
Copy link
Contributor

@lagergren lagergren commented Mar 5, 2026

Summary

  • Replaced all ProcessBuilder calls to keytool, openssl, and certbot in xRTCertificateManager with pure Java equivalents
  • keytooljava.security.KeyStore API (JDK)
  • openssl (RSA keygen, CSR generation, PEM→PKCS12 conversion) → BouncyCastle + JDK crypto
  • certbot (ACME/Let's Encrypt protocol) → acme4j
  • New versioned dependencies: acme4j 3.5.1, BouncyCastle 1.82 (declared in libs.versions.toml)
  • Extracted KeyStoreOperations utility class with no XVM runtime dependencies
  • Added 13 unit tests covering all keystore operations
  • Fat jar size increased from 5.7 MB → 15 MB (BouncyCastle is ~7.8 MB)

Notes

  • The certbot/certbot-staging provider names are preserved for backward compatibility
  • TODO comments flag exception-swallowing patterns and lack of proper logging framework
  • ACME challenge flow uses the same .challenge webroot directory as before

Test plan

  • All 13 KeyStoreOperationsTest tests pass (self-signed cert, symmetric key, password, password change, key extraction, deletion)
  • Manual test with self-signed certificate provider
  • Manual test with Let's Encrypt staging provider (requires network + domain)

🤖 Generated with Claude Code

lagergren and others added 2 commits March 6, 2026 00:11
@lagergren @claude
Replace native tool dependencies (keytool, openssl, certbot) with pur…
81e5292 
…e Java APIs

xRTCertificateManager previously shelled out to keytool, openssl, and certbot
via ProcessBuilder — unversioned system binaries that the build couldn't declare
as dependencies. This replaces all three with pure Java:

- keytool → java.security.KeyStore API
- openssl (RSA keygen, CSR, PEM→PKCS12) → BouncyCastle + JDK crypto
- certbot (ACME/Let's Encrypt) → acme4j

New versioned dependencies in libs.versions.toml: acme4j 3.5.1, BouncyCastle 1.82.

Extracted KeyStoreOperations utility class (no XVM dependencies) with unit tests
covering self-signed cert generation, symmetric key, password storage, keystore
password change, key extraction, and entry deletion.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@lagergren @claude
Revert whitespace change in xException.java
de0a397 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@lagergren lagergren marked this pull request as ready for review March 6, 2026 10:17
ggleyzer
ggleyzer reviewed Mar 9, 2026
View reviewed changes
javatools/src/test/java/org/xvm/runtime/template/_native/crypto/KeyStoreOperationsTest.java
Copy link
Collaborator

@ggleyzer ggleyzer Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have not tested any of it with the platform; please hold on the merge

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ggleyzer ggleyzer ggleyzer left review comments

@thegridman thegridman thegridman approved these changes

@cpurdy cpurdy Awaiting requested review from cpurdy

@mrcompator mrcompator Awaiting requested review from mrcompator

Assignees

@cpurdy cpurdy

@ggleyzer ggleyzer

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@lagergren @thegridman @ggleyzer @cpurdy