From 6860944f07676de958832fd87eb98f564b154436 Mon Sep 17 00:00:00 2001
From: Adrien Grand <jpountz@gmail.com>
Date: Wed, 18 May 2016 09:20:25 +0200
Subject: [PATCH] Use Java's Base64 instead of elasticsearch's.
 elastic/elasticsearch#2282

Original commit: elastic/x-pack-elasticsearch@c2e748d732ae69201bbd2b95af62739bd17d03d9
---
 .../license/core/CryptUtils.java              |  5 ++-
 .../elasticsearch/license/core/License.java   |  8 ++---
 .../license/core/LicenseVerifier.java         |  6 ++--
 .../license/licensor/LicenseSigner.java       |  6 ++--
 .../messy/tests/SearchTransformIT.java        |  4 +--
 .../license/plugin/core/LicensesMetaData.java |  8 ++---
 .../license/plugin/core/TrialLicense.java     |  6 ++--
 .../license/plugin/TrialLicenseTests.java     |  4 +--
 .../LicensesMetaDataSerializationTests.java   | 10 +++---
 .../agent/exporter/http/HttpExporter.java     |  4 +--
 .../authc/InternalAuthenticationService.java  |  6 ++--
 .../shield/authc/support/Hasher.java          | 15 ++++-----
 .../authc/support/UsernamePasswordToken.java  |  9 +++---
 .../shield/crypto/InternalCryptoService.java  | 32 ++++++++-----------
 .../InternalAuthenticationServiceTests.java   |  4 +--
 .../support/UsernamePasswordTokenTests.java   |  6 ++--
 .../http/auth/basic/ApplicableBasicAuth.java  |  4 +--
 17 files changed, 65 insertions(+), 72 deletions(-)

diff --git a/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/CryptUtils.java b/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/CryptUtils.java
index 2cf0e4330de..6940d121402 100644
--- a/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/CryptUtils.java
+++ b/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/CryptUtils.java
@@ -6,8 +6,6 @@
 package org.elasticsearch.license.core;
 
 
-import org.elasticsearch.common.Base64;
-
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
@@ -27,6 +25,7 @@ import java.security.SecureRandom;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
 
 public class CryptUtils {
     private static final int minimumPadding = 20;
@@ -251,6 +250,6 @@ public class CryptUtils {
     private static char[] hashPassPhrase(String passPhrase) throws NoSuchAlgorithmException {
         final byte[] passBytes = passPhrase.getBytes(StandardCharsets.UTF_8);
         final byte[] digest = MessageDigest.getInstance(passHashAlgorithm).digest(passBytes);
-        return new String(Base64.encodeBytesToBytes(digest), StandardCharsets.UTF_8).toCharArray();
+        return Base64.getEncoder().encodeToString(digest).toCharArray();
     }
 }
diff --git a/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/License.java b/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/License.java
index 6e9e9fd4816..9acb3a6f4ee 100644
--- a/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/License.java
+++ b/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/License.java
@@ -8,7 +8,6 @@ package org.elasticsearch.license.core;
 import org.apache.lucene.util.CollectionUtil;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.ElasticsearchParseException;
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.xcontent.ToXContent;
@@ -20,6 +19,7 @@ import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
+import java.util.Base64;
 import java.util.Comparator;
 import java.util.List;
 import java.util.Locale;
@@ -388,7 +388,7 @@ public class License implements ToXContent {
         }
         // not a license spec
         if (builder.signature != null) {
-            byte[] signatureBytes = Base64.decode(builder.signature);
+            byte[] signatureBytes = Base64.getDecoder().decode(builder.signature);
             ByteBuffer byteBuffer = ByteBuffer.wrap(signatureBytes);
             int version = byteBuffer.getInt();
             // we take the absolute version, because negative versions
@@ -415,10 +415,10 @@ public class License implements ToXContent {
      */
     public static boolean isAutoGeneratedLicense(String signature) {
         try {
-            byte[] signatureBytes = Base64.decode(signature);
+            byte[] signatureBytes = Base64.getDecoder().decode(signature);
             ByteBuffer byteBuffer = ByteBuffer.wrap(signatureBytes);
             return byteBuffer.getInt() < 0;
-        } catch (IOException e) {
+        } catch (IllegalArgumentException e) {
             throw new IllegalStateException(e);
         }
     }
diff --git a/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/LicenseVerifier.java b/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/LicenseVerifier.java
index 51ace787491..1bef3dc58e7 100644
--- a/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/LicenseVerifier.java
+++ b/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/LicenseVerifier.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.license.core;
 
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.XContentFactory;
@@ -18,6 +17,7 @@ import java.security.NoSuchAlgorithmException;
 import java.security.Signature;
 import java.security.SignatureException;
 import java.util.Arrays;
+import java.util.Base64;
 import java.util.Collections;
 
 /**
@@ -35,7 +35,7 @@ public class LicenseVerifier {
         byte[] signedContent = null;
         byte[] signatureHash = null;
         try {
-            byte[] signatureBytes = Base64.decode(license.signature());
+            byte[] signatureBytes = Base64.getDecoder().decode(license.signature());
             ByteBuffer byteBuffer = ByteBuffer.wrap(signatureBytes);
             int version = byteBuffer.getInt();
             int magicLen = byteBuffer.getInt();
@@ -53,7 +53,7 @@ public class LicenseVerifier {
             rsa.initVerify(CryptUtils.readEncryptedPublicKey(encryptedPublicKeyData));
             rsa.update(contentBuilder.bytes().toBytes());
             return rsa.verify(signedContent)
-                    && Arrays.equals(Base64.encodeBytesToBytes(encryptedPublicKeyData), signatureHash);
+                    && Arrays.equals(Base64.getEncoder().encode(encryptedPublicKeyData), signatureHash);
         } catch (IOException | NoSuchAlgorithmException | SignatureException | InvalidKeyException e) {
             throw new IllegalStateException(e);
         } finally {
diff --git a/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/LicenseSigner.java b/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/LicenseSigner.java
index c9a99623930..915c9ba86dc 100644
--- a/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/LicenseSigner.java
+++ b/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/LicenseSigner.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.license.licensor;
 
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.XContentFactory;
@@ -22,6 +21,7 @@ import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.security.Signature;
 import java.security.SignatureException;
+import java.util.Base64;
 import java.util.Collections;
 
 /**
@@ -63,7 +63,7 @@ public class LicenseSigner {
         final byte[] magic = new byte[MAGIC_LENGTH];
         SecureRandom random = new SecureRandom();
         random.nextBytes(magic);
-        final byte[] hash = Base64.encodeBytesToBytes(Files.readAllBytes(publicKeyPath));
+        final byte[] hash = Base64.getEncoder().encode(Files.readAllBytes(publicKeyPath));
         assert hash != null;
         byte[] bytes = new byte[4 + 4 + MAGIC_LENGTH + 4 + hash.length + 4 + signedContent.length];
         ByteBuffer byteBuffer = ByteBuffer.wrap(bytes);
@@ -76,7 +76,7 @@ public class LicenseSigner {
                 .put(signedContent);
 
         return License.builder()
-                .fromLicenseSpec(licenseSpec, Base64.encodeBytes(bytes))
+                .fromLicenseSpec(licenseSpec, Base64.getEncoder().encodeToString(bytes))
                 .build();
     }
 }
diff --git a/elasticsearch/qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/SearchTransformIT.java b/elasticsearch/qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/SearchTransformIT.java
index 335dea193a9..dc13579070b 100644
--- a/elasticsearch/qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/SearchTransformIT.java
+++ b/elasticsearch/qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/SearchTransformIT.java
@@ -10,7 +10,6 @@ import org.elasticsearch.action.search.SearchRequest;
 import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.action.search.SearchType;
 import org.elasticsearch.client.Requests;
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.io.Streams;
@@ -60,6 +59,7 @@ import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.ArrayList;
+import java.util.Base64;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.Map;
@@ -214,7 +214,7 @@ public class SearchTransformIT extends ESIntegTestCase {
         assertThat(map.get("query"), instanceOf(String.class));
 
         String queryAsBase64 = (String) map.get("query");
-        String decodedQuery = new String(Base64.decode(queryAsBase64), StandardCharsets.UTF_8);
+        String decodedQuery = new String(Base64.getDecoder().decode(queryAsBase64), StandardCharsets.UTF_8);
         assertThat(decodedQuery, containsString("_unknown_query_"));
     }
 
diff --git a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/LicensesMetaData.java b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/LicensesMetaData.java
index 6ac3f8d6acd..de8dc139750 100644
--- a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/LicensesMetaData.java
+++ b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/LicensesMetaData.java
@@ -9,7 +9,6 @@ import org.apache.lucene.util.CollectionUtil;
 import org.elasticsearch.Version;
 import org.elasticsearch.cluster.AbstractDiffable;
 import org.elasticsearch.cluster.metadata.MetaData;
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.xcontent.ToXContent;
@@ -21,6 +20,7 @@ import org.elasticsearch.license.core.License;
 
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Base64;
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.List;
@@ -114,7 +114,7 @@ public class LicensesMetaData extends AbstractDiffable<MetaData.Custom> implemen
                             while (parser.nextToken() != XContentParser.Token.END_ARRAY) {
                                 if (parser.currentToken().isValue()) {
                                     // trial license
-                                    byte[] data = decrypt(Base64.decode(parser.text()));
+                                    byte[] data = decrypt(Base64.getDecoder().decode(parser.text()));
                                     try (XContentParser trialLicenseParser =
                                                  XContentFactory.xContent(XContentType.JSON).createParser(data)) {
                                         trialLicenseParser.nextToken();
@@ -186,7 +186,7 @@ public class LicensesMetaData extends AbstractDiffable<MetaData.Custom> implemen
                 XContentBuilder contentBuilder = XContentFactory.contentBuilder(XContentType.JSON);
                 license.toXContent(contentBuilder,
                         new ToXContent.MapParams(Collections.singletonMap(License.LICENSE_SPEC_VIEW_MODE, "true")));
-                streamOutput.writeString(Base64.encodeBytes(encrypt(contentBuilder.bytes().toBytes())));
+                streamOutput.writeString(Base64.getEncoder().encodeToString(encrypt(contentBuilder.bytes().toBytes())));
             }
         } else {
             if (license == LICENSE_TOMBSTONE) {
@@ -209,7 +209,7 @@ public class LicensesMetaData extends AbstractDiffable<MetaData.Custom> implemen
             }
             int numTrialLicenses = streamInput.readVInt();
             for (int i = 0; i < numTrialLicenses; i++) {
-                byte[] data = decrypt(Base64.decode(streamInput.readString()));
+                byte[] data = decrypt(Base64.getDecoder().decode(streamInput.readString()));
                 try (XContentParser trialLicenseParser = XContentFactory.xContent(XContentType.JSON).createParser(data)) {
                     trialLicenseParser.nextToken();
                     License pre20TrialLicense = License.fromXContent(trialLicenseParser);
diff --git a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/TrialLicense.java b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/TrialLicense.java
index d63753e7666..814e220cd7b 100644
--- a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/TrialLicense.java
+++ b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/TrialLicense.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.license.plugin.core;
 
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.XContentFactory;
@@ -15,6 +14,7 @@ import org.elasticsearch.license.core.License;
 
 import java.io.IOException;
 import java.nio.ByteBuffer;
+import java.util.Base64;
 import java.util.Collections;
 
 import static org.elasticsearch.license.core.CryptUtils.decrypt;
@@ -39,7 +39,7 @@ public class TrialLicense {
             byteBuffer.putInt(-License.VERSION_CURRENT)
                     .putInt(encrypt.length)
                     .put(encrypt);
-            signature = Base64.encodeBytes(bytes);
+            signature = Base64.getEncoder().encodeToString(bytes);
         } catch (IOException e) {
             throw new IllegalStateException(e);
         }
@@ -48,7 +48,7 @@ public class TrialLicense {
 
     public static boolean verify(final License license) {
         try {
-            byte[] signatureBytes = Base64.decode(license.signature());
+            byte[] signatureBytes = Base64.getDecoder().decode(license.signature());
             ByteBuffer byteBuffer = ByteBuffer.wrap(signatureBytes);
             int version = byteBuffer.getInt();
             int contentLen = byteBuffer.getInt();
diff --git a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/TrialLicenseTests.java b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/TrialLicenseTests.java
index 716c33b1b59..d520ae0e3d7 100644
--- a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/TrialLicenseTests.java
+++ b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/TrialLicenseTests.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.license.plugin;
 
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
@@ -17,6 +16,7 @@ import org.elasticsearch.test.ESTestCase;
 
 import java.io.IOException;
 import java.nio.ByteBuffer;
+import java.util.Base64;
 import java.util.Collections;
 import java.util.UUID;
 
@@ -102,7 +102,7 @@ public class TrialLicenseTests extends ESTestCase {
             byteBuffer.putInt(-spec.version())
                     .putInt(encrypt.length)
                     .put(encrypt);
-            signature = Base64.encodeBytes(bytes);
+            signature = Base64.getEncoder().encodeToString(bytes);
         } catch (IOException e) {
             throw new IllegalStateException(e);
         }
diff --git a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/core/LicensesMetaDataSerializationTests.java b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/core/LicensesMetaDataSerializationTests.java
index cb02eda63c2..5ca36015575 100644
--- a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/core/LicensesMetaDataSerializationTests.java
+++ b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/core/LicensesMetaDataSerializationTests.java
@@ -9,7 +9,6 @@ import org.elasticsearch.Version;
 import org.elasticsearch.cluster.metadata.MetaData;
 import org.elasticsearch.cluster.metadata.RepositoriesMetaData;
 import org.elasticsearch.cluster.metadata.RepositoryMetaData;
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.io.stream.ByteBufferStreamInput;
 import org.elasticsearch.common.io.stream.BytesStreamOutput;
 import org.elasticsearch.common.settings.Settings;
@@ -26,6 +25,7 @@ import org.elasticsearch.license.plugin.TestUtils;
 import org.elasticsearch.test.ESTestCase;
 
 import java.nio.ByteBuffer;
+import java.util.Base64;
 import java.util.Collections;
 import java.util.UUID;
 
@@ -113,7 +113,7 @@ public class LicensesMetaDataSerializationTests extends ESTestCase {
         builder.startArray("trial_licenses");
         XContentBuilder contentBuilder = XContentFactory.contentBuilder(XContentType.JSON);
         trialLicense.toXContent(contentBuilder, new ToXContent.MapParams(Collections.singletonMap(License.LICENSE_SPEC_VIEW_MODE, "true")));
-        builder.value(Base64.encodeBytes(encrypt(contentBuilder.bytes().toBytes())));
+        builder.value(Base64.getEncoder().encodeToString(encrypt(contentBuilder.bytes().toBytes())));
         builder.endArray();
         builder.startArray("signed_licenses");
         builder.endArray();
@@ -143,7 +143,7 @@ public class LicensesMetaDataSerializationTests extends ESTestCase {
         builder.startArray("trial_licenses");
         contentBuilder = XContentFactory.contentBuilder(XContentType.JSON);
         trialLicense.toXContent(contentBuilder, new ToXContent.MapParams(Collections.singletonMap(License.LICENSE_SPEC_VIEW_MODE, "true")));
-        builder.value(Base64.encodeBytes(encrypt(contentBuilder.bytes().toBytes())));
+        builder.value(Base64.getEncoder().encodeToString(encrypt(contentBuilder.bytes().toBytes())));
         builder.endArray();
         builder.startArray("signed_licenses");
         signedLicense.toXContent(builder, ToXContent.EMPTY_PARAMS);
@@ -162,7 +162,7 @@ public class LicensesMetaDataSerializationTests extends ESTestCase {
         builder.startArray("trial_licenses");
         contentBuilder = XContentFactory.contentBuilder(XContentType.JSON);
         trialLicense.toXContent(contentBuilder, new ToXContent.MapParams(Collections.singletonMap(License.LICENSE_SPEC_VIEW_MODE, "true")));
-        builder.value(Base64.encodeBytes(encrypt(contentBuilder.bytes().toBytes())));
+        builder.value(Base64.getEncoder().encodeToString(encrypt(contentBuilder.bytes().toBytes())));
         builder.endArray();
         builder.startArray("signed_licenses");
         signedLicense.toXContent(builder, ToXContent.EMPTY_PARAMS);
@@ -190,7 +190,7 @@ public class LicensesMetaDataSerializationTests extends ESTestCase {
         output.writeVInt(1);
         XContentBuilder contentBuilder = XContentFactory.contentBuilder(XContentType.JSON);
         trialLicense.toXContent(contentBuilder, new ToXContent.MapParams(Collections.singletonMap(License.LICENSE_SPEC_VIEW_MODE, "true")));
-        output.writeString(Base64.encodeBytes(encrypt(contentBuilder.bytes().toBytes())));
+        output.writeString(Base64.getEncoder().encodeToString(encrypt(contentBuilder.bytes().toBytes())));
         byte[] bytes = output.bytes().toBytes();
         ByteBufferStreamInput input = new ByteBufferStreamInput(ByteBuffer.wrap(bytes));
 
diff --git a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/exporter/http/HttpExporter.java b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/exporter/http/HttpExporter.java
index 5137b1a867f..cbbb1a097d2 100644
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/exporter/http/HttpExporter.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/exporter/http/HttpExporter.java
@@ -9,7 +9,6 @@ import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.ExceptionsHelper;
 import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.Version;
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.inject.Inject;
@@ -53,6 +52,7 @@ import java.security.AccessController;
 import java.security.KeyStore;
 import java.security.PrivilegedAction;
 import java.util.ArrayList;
+import java.util.Base64;
 import java.util.Collection;
 import java.util.Map;
 import java.util.stream.Collectors;
@@ -683,7 +683,7 @@ public class HttpExporter extends Exporter {
 
         void apply(HttpURLConnection connection) throws UnsupportedEncodingException {
             String userInfo = username + ":" + (password != null ? new String(password) : "");
-            String basicAuth = "Basic " + Base64.encodeBytes(userInfo.getBytes("ISO-8859-1"));
+            String basicAuth = "Basic " + Base64.getEncoder().encodeToString(userInfo.getBytes("ISO-8859-1"));
             connection.setRequestProperty("Authorization", basicAuth);
         }
     }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
index 5dafd0a585e..343b08d50c4 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
@@ -7,7 +7,6 @@ package org.elasticsearch.shield.authc;
 
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.Version;
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.component.AbstractComponent;
 import org.elasticsearch.common.inject.Inject;
@@ -29,6 +28,7 @@ import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.TransportMessage;
 
 import java.io.IOException;
+import java.util.Base64;
 
 import static org.elasticsearch.shield.Security.setting;
 import static org.elasticsearch.shield.support.Exceptions.authenticationError;
@@ -157,7 +157,7 @@ public class InternalAuthenticationService extends AbstractComponent implements
 
     static User decodeUser(String text) {
         try {
-            byte[] bytes = Base64.decode(text);
+            byte[] bytes = Base64.getDecoder().decode(text);
             StreamInput input = StreamInput.wrap(bytes);
             Version version = Version.readVersion(input);
             input.setVersion(version);
@@ -173,7 +173,7 @@ public class InternalAuthenticationService extends AbstractComponent implements
             Version.writeVersion(Version.CURRENT, output);
             User.writeTo(user, output);
             byte[] bytes = output.bytes().toBytes();
-            return Base64.encodeBytes(bytes);
+            return Base64.getEncoder().encodeToString(bytes);
         } catch (IOException ioe) {
             if (logger != null) {
                 logger.error("could not encode authenticated user in message header... falling back to token headers", ioe);
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/Hasher.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/Hasher.java
index 528e0b2a5e6..73acdaaf8ac 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/Hasher.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/Hasher.java
@@ -5,13 +5,12 @@
  */
 package org.elasticsearch.shield.authc.support;
 
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.Randomness;
 import org.elasticsearch.common.hash.MessageDigests;
 
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
 import java.util.Locale;
 import java.util.Random;
 
@@ -145,7 +144,7 @@ public enum Hasher {
             byte[] textBytes = CharArrays.toUtf8Bytes(text.internalChars());
             MessageDigest md = MessageDigests.sha1();
             md.update(textBytes);
-            String hash = Base64.encodeBytes(md.digest());
+            String hash = Base64.getEncoder().encodeToString(md.digest());
             return (SHA1_PREFIX + hash).toCharArray();
         }
 
@@ -158,7 +157,7 @@ public enum Hasher {
             byte[] textBytes = CharArrays.toUtf8Bytes(text.internalChars());
             MessageDigest md = MessageDigests.sha1();
             md.update(textBytes);
-            String passwd64 = Base64.encodeBytes(md.digest());
+            String passwd64 = Base64.getEncoder().encodeToString(md.digest());
             String hashNoPrefix = hashStr.substring(SHA1_PREFIX.length());
             return SecuredString.constantTimeEquals(hashNoPrefix, passwd64);
         }
@@ -169,7 +168,7 @@ public enum Hasher {
         public char[] hash(SecuredString text) {
             MessageDigest md = MessageDigests.md5();
             md.update(CharArrays.toUtf8Bytes(text.internalChars()));
-            String hash = Base64.encodeBytes(md.digest());
+            String hash = Base64.getEncoder().encodeToString(md.digest());
             return (MD5_PREFIX + hash).toCharArray();
         }
 
@@ -182,7 +181,7 @@ public enum Hasher {
             hashStr = hashStr.substring(MD5_PREFIX.length());
             MessageDigest md = MessageDigests.md5();
             md.update(CharArrays.toUtf8Bytes(text.internalChars()));
-            String computedHashStr = Base64.encodeBytes(md.digest());
+            String computedHashStr = Base64.getEncoder().encodeToString(md.digest());
             return SecuredString.constantTimeEquals(hashStr, computedHashStr);
         }
     },
@@ -194,7 +193,7 @@ public enum Hasher {
             md.update(CharArrays.toUtf8Bytes(text.internalChars()));
             char[] salt = SaltProvider.salt(8);
             md.update(CharArrays.toUtf8Bytes(salt));
-            String hash = Base64.encodeBytes(md.digest());
+            String hash = Base64.getEncoder().encodeToString(md.digest());
             char[] result = new char[SSHA256_PREFIX.length() + salt.length + hash.length()];
             System.arraycopy(SSHA256_PREFIX.toCharArray(), 0, result, 0, SSHA256_PREFIX.length());
             System.arraycopy(salt, 0, result, SSHA256_PREFIX.length(), salt.length);
@@ -213,7 +212,7 @@ public enum Hasher {
             MessageDigest md = MessageDigests.sha256();
             md.update(CharArrays.toUtf8Bytes(text.internalChars()));
             md.update(new String(saltAndHash, 0, 8).getBytes(StandardCharsets.UTF_8));
-            String computedHash = Base64.encodeBytes(md.digest());
+            String computedHash = Base64.getEncoder().encodeToString(md.digest());
             return SecuredString.constantTimeEquals(computedHash, new String(saltAndHash, 8, saltAndHash.length - 8));
         }
     },
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/UsernamePasswordToken.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/UsernamePasswordToken.java
index 096709d04f3..4dd4f0f08d7 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/UsernamePasswordToken.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/UsernamePasswordToken.java
@@ -5,13 +5,12 @@
  */
 package org.elasticsearch.shield.authc.support;
 
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.shield.authc.AuthenticationToken;
 
-import java.io.IOException;
 import java.nio.CharBuffer;
 import java.util.Arrays;
+import java.util.Base64;
 import java.util.Objects;
 
 import static org.elasticsearch.shield.support.Exceptions.authenticationError;
@@ -85,8 +84,8 @@ public class UsernamePasswordToken implements AuthenticationToken {
 
         char[] userpasswd;
         try {
-            userpasswd = CharArrays.utf8BytesToChars(Base64.decode(headerValue.substring(BASIC_AUTH_PREFIX.length()).trim()));
-        } catch (IllegalArgumentException | IOException e) {
+            userpasswd = CharArrays.utf8BytesToChars(Base64.getDecoder().decode(headerValue.substring(BASIC_AUTH_PREFIX.length()).trim()));
+        } catch (IllegalArgumentException e) {
             throw authenticationError("invalid basic authentication header encoding", e);
         }
 
@@ -109,7 +108,7 @@ public class UsernamePasswordToken implements AuthenticationToken {
         chars.put(username).put(':').put(passwd.internalChars());
 
         //TODO we still have passwords in Strings in headers
-        String basicToken = Base64.encodeBytes(CharArrays.toUtf8Bytes(chars.array()));
+        String basicToken = Base64.getEncoder().encodeToString(CharArrays.toUtf8Bytes(chars.array()));
         return "Basic " + basicToken;
     }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
index 207c9851a19..30994e722f2 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
@@ -6,7 +6,6 @@
 package org.elasticsearch.shield.crypto;
 
 import org.elasticsearch.ElasticsearchException;
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.component.AbstractLifecycleComponent;
 import org.elasticsearch.common.inject.Inject;
@@ -39,6 +38,7 @@ import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.Arrays;
+import java.util.Base64;
 import java.util.Collections;
 import java.util.List;
 import java.util.Objects;
@@ -138,11 +138,7 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
         keyFile = resolveSystemKey(settings, env);
         systemKey = readSystemKey(keyFile);
         randomKey = generateSecretKey(RANDOM_KEY_SIZE);
-        try {
-            randomKeyBase64 = Base64.encodeBytes(randomKey.getEncoded(), 0, randomKey.getEncoded().length, Base64.URL_SAFE);
-        } catch (IOException e) {
-            throw new ElasticsearchException("failed to encode key data as base64", e);
-        }
+        randomKeyBase64 = Base64.getUrlEncoder().encodeToString(randomKey.getEncoded());
 
         signingKey = createSigningKey(systemKey, randomKey);
 
@@ -256,17 +252,17 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
         } else {
             byte[] randomKeyBytes;
             try {
-                randomKeyBytes = Base64.decode(base64RandomKey, Base64.URL_SAFE);
-                if (randomKeyBytes.length * 8 != RANDOM_KEY_SIZE) {
-                    logger.debug("incorrect random key data length. received [{}] bytes", randomKeyBytes.length);
-                    throw new IllegalArgumentException("tampered signed text");
-                }
-                SecretKey randomKey = new SecretKeySpec(randomKeyBytes, KEY_ALGO);
-                signingKey = createSigningKey(systemKey, randomKey);
-            } catch (IOException e) {
+                randomKeyBytes = Base64.getUrlDecoder().decode(base64RandomKey);
+            } catch (IllegalArgumentException e) {
                 logger.error("error occurred while decoding key data", e);
                 throw new IllegalStateException("error while verifying the signed text");
             }
+            if (randomKeyBytes.length * 8 != RANDOM_KEY_SIZE) {
+                logger.debug("incorrect random key data length. received [{}] bytes", randomKeyBytes.length);
+                throw new IllegalArgumentException("tampered signed text");
+            }
+            SecretKey randomKey = new SecretKeySpec(randomKeyBytes, KEY_ALGO);
+            signingKey = createSigningKey(systemKey, randomKey);
         }
 
         try {
@@ -297,7 +293,7 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
         }
 
         byte[] charBytes = CharArrays.toUtf8Bytes(chars);
-        String base64 = Base64.encodeBytes(encryptInternal(charBytes, key));
+        String base64 = Base64.getEncoder().encodeToString(encryptInternal(charBytes, key));
         return ENCRYPTED_TEXT_PREFIX.concat(base64).toCharArray();
     }
 
@@ -335,8 +331,8 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
         String encrypted = new String(chars, ENCRYPTED_TEXT_PREFIX.length(), chars.length - ENCRYPTED_TEXT_PREFIX.length());
         byte[] bytes;
         try {
-            bytes = Base64.decode(encrypted);
-        } catch (IOException e) {
+            bytes = Base64.getDecoder().decode(encrypted);
+        } catch (IllegalArgumentException e) {
             throw new ElasticsearchException("unable to decode encrypted data", e);
         }
 
@@ -430,7 +426,7 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
     private static String signInternal(String text, SecretKey key) throws IOException {
         Mac mac = createMac(key);
         byte[] sig = mac.doFinal(text.getBytes(StandardCharsets.UTF_8));
-        return Base64.encodeBytes(sig, 0, sig.length, Base64.URL_SAFE);
+        return Base64.getUrlEncoder().encodeToString(sig);
     }
 
 
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
index 9facc8cf499..f0dcbaf5148 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
@@ -8,7 +8,6 @@ package org.elasticsearch.shield.authc;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.Version;
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.io.stream.BytesStreamOutput;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.settings.Settings;
@@ -37,6 +36,7 @@ import org.junit.Rule;
 import org.junit.rules.ExpectedException;
 
 import java.util.Arrays;
+import java.util.Base64;
 import java.util.Collections;
 
 import static org.elasticsearch.shield.support.Exceptions.authenticationError;
@@ -751,7 +751,7 @@ public class InternalAuthenticationServiceTests extends ESTestCase {
         User user = new User("username", "r1", "r2", "r3");
         String text = InternalAuthenticationService.encodeUser(user, null);
 
-        StreamInput input = StreamInput.wrap(Base64.decode(text));
+        StreamInput input = StreamInput.wrap(Base64.getDecoder().decode(text));
         Version version = Version.readVersion(input);
         assertThat(version, is(Version.CURRENT));
     }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/UsernamePasswordTokenTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/UsernamePasswordTokenTests.java
index 6981b7a36db..c8ea49237d3 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/UsernamePasswordTokenTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/UsernamePasswordTokenTests.java
@@ -6,7 +6,6 @@
 package org.elasticsearch.shield.authc.support;
 
 import org.elasticsearch.ElasticsearchSecurityException;
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.test.ESTestCase;
@@ -14,6 +13,7 @@ import org.junit.Rule;
 import org.junit.rules.ExpectedException;
 
 import java.nio.charset.StandardCharsets;
+import java.util.Base64;
 
 import static org.elasticsearch.test.ShieldTestsUtils.assertAuthenticationException;
 import static org.hamcrest.Matchers.equalTo;
@@ -35,7 +35,7 @@ public class UsernamePasswordTokenTests extends ESTestCase {
         assertThat(header, notNullValue());
         assertTrue(header.startsWith("Basic "));
         String token = header.substring("Basic ".length());
-        token = new String(Base64.decode(token), StandardCharsets.UTF_8);
+        token = new String(Base64.getDecoder().decode(token), StandardCharsets.UTF_8);
         int i = token.indexOf(":");
         assertTrue(i > 0);
         String username = token.substring(0, i);
@@ -46,7 +46,7 @@ public class UsernamePasswordTokenTests extends ESTestCase {
 
     public void testExtractToken() throws Exception {
         ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
-        String header = "Basic " + Base64.encodeBytes("user1:test123".getBytes(StandardCharsets.UTF_8));
+        String header = "Basic " + Base64.getEncoder().encodeToString("user1:test123".getBytes(StandardCharsets.UTF_8));
         threadContext.putHeader(UsernamePasswordToken.BASIC_AUTH_HEADER, header);
         UsernamePasswordToken token = UsernamePasswordToken.extractToken(threadContext);
         assertThat(token, notNullValue());
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/common/http/auth/basic/ApplicableBasicAuth.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/common/http/auth/basic/ApplicableBasicAuth.java
index c547ad81159..d52d8d644d0 100644
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/common/http/auth/basic/ApplicableBasicAuth.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/common/http/auth/basic/ApplicableBasicAuth.java
@@ -5,12 +5,12 @@
  */
 package org.elasticsearch.xpack.common.http.auth.basic;
 
-import org.elasticsearch.common.Base64;
 import org.elasticsearch.xpack.common.http.auth.ApplicableHttpAuth;
 import org.elasticsearch.xpack.common.secret.SecretService;
 
 import java.net.HttpURLConnection;
 import java.nio.charset.StandardCharsets;
+import java.util.Base64;
 
 /**
  */
@@ -24,7 +24,7 @@ public class ApplicableBasicAuth extends ApplicableHttpAuth<BasicAuth> {
     }
 
     public static String headerValue(String username, char[] password) {
-        return "Basic " + Base64.encodeBytes((username + ":" + new String(password)).getBytes(StandardCharsets.UTF_8));
+        return "Basic " + Base64.getEncoder().encodeToString((username + ":" + new String(password)).getBytes(StandardCharsets.UTF_8));
     }
 
     public void apply(HttpURLConnection connection) {