
"Duplicate extensions not allowed" should not raise errors despite bug in Java #56

Open
docwhat opened this issue Jul 21, 2015 · 4 comments

Comments


docwhat commented Jul 21, 2015

There is a nasty little bug in Java: JDK-8062548 Support duplicate Extended Key Usage certificate extensions

This causes problems on OS X systems such as jruby/jruby#1055 because Apple creates some certificates with multiple "X509v3 Extended Key Usage" sections.

It may cause problems elsewhere as well.

This is not a bug in JRuby; however, I think JRuby should work around it by dropping any of these certificates.

How to recreate:

  1. Create a file called openjdk-bug-cert.pem with the contents of the certificate in JDK-8062548 (copied below for ease of use)
  2. Run env -u SSL_CERT_DIR SSL_CERT_FILE=$PWD/openjdk-bug-cert.pem jruby -ropenssl -e 'puts "hi"'

Example output:

Using:

  • Oracle Java 1.7.0_80, 1.8.0_45, and 1.8.0_51
  • JRuby 1.7.21

$ env -u SSL_CERT_DIR SSL_CERT_FILE=$PWD/openjdk-bug-cert.pem jruby -ropenssl -e 'puts "hi"'
OpenSSL::X509::StoreError: setting default path failed: problem creating X509 Aux certificate: java.io.IOException: problem parsing cert: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed
  set_default_paths at org/jruby/ext/openssl/X509Store.java:185
             (root) at /Users/docwhat/.rbenv/versions/jruby-1.7.21/lib/ruby/shared/jopenssl/load.rb:22
            require at org/jruby/RubyKernel.java:1040
             (root) at /Users/docwhat/.rbenv/versions/jruby-1.7.21/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:1
            require at /Users/docwhat/.rbenv/versions/jruby-1.7.21/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:54
            require at org/jruby/RubyKernel.java:1040
             (root) at /Users/docwhat/.rbenv/versions/jruby-1.7.21/lib/ruby/shared/openssl.rb:1

The above command works fine with ruby instead of jruby.

Workaround

Find the offending certificates and remove them from your SSL_CERT_FILE or SSL_CERT_DIR. I'll see if I can create a script to help with that.

Edits

  • Corrected link to jruby bug




docwhat commented Jul 21, 2015

Interesting note:

If you put the offending certificate as a .pem file in your SSL_CERT_DIR, jruby works fine. It appears that whatever code is getting the certificate doesn't cause JRuby-OpenSSL to blow up.

However, there are two mechanisms for generating the c_rehash hashes (MD5 in older OpenSSL and SHA1 in newer) that will cause some versions of OpenSSL not to be able to find things in a directory.

So the single-file mechanism is still the best for compatibility. Sigh.


docwhat commented Jul 21, 2015

I have a working "workaround" in a gist: https://gist.github.com/docwhat/24f0add92c2f43d8ec9e

This script filters out the offending certificates and dumps them to a single cert.pem file in /usr/local/etc/openssl/ (or SSL_CERT_FILE if you have that set).

@totszwai

@docwhat How can I modify your Ruby script to give/show me the offending cert instead?
I don't think Ruby has stuff like map.accept(&:extended_key_usage?).


docwhat commented Jun 1, 2017

Instead of reject, use select.
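As an added illustration of the reject/select filtering discussed above (this is not docwhat's gist and not JRuby code), the Ruby below constructs a self-signed test certificate carrying two Extended Key Usage extensions, then splits a PEM bundle into the offenders to report and a clean bundle that can be pointed at via SSL_CERT_FILE. The function names, the /CN=good and /CN=bad certificates, and the 2048-bit RSA keys are this example's own assumptions.

```ruby
require 'openssl'

# Constructed test data: a self-signed certificate with one Extended Key Usage
# extension, or two of them when duplicate_eku is true (the JDK-8062548 shape).
def make_cert(cn, duplicate_eku: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth'))
  # OpenSSL appends a second EKU without complaint; the JDK parser is what rejects it.
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'clientAuth')) if duplicate_eku
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Split a PEM bundle (the SSL_CERT_FILE format) into its certificate blocks.
def split_pem(bundle)
  bundle.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
end

# True when any extension OID appears more than once in the certificate.
def duplicate_extension?(cert)
  oids = cert.extensions.map(&:oid)
  oids.size != oids.uniq.size
end

# partition is select and reject in one pass: offenders to report (select),
# clean certificates re-joined into a bundle the JDK will parse (reject).
def filter_bundle(bundle)
  certs = split_pem(bundle).map { |pem| OpenSSL::X509::Certificate.new(pem) }
  offending, clean = certs.partition { |c| duplicate_extension?(c) }
  { clean_pem: clean.map(&:to_pem).join,
    offending: offending.map { |c| c.subject.to_s } }
end

if $PROGRAM_NAME == __FILE__
  bundle = make_cert('good').to_pem + make_cert('bad', duplicate_eku: true).to_pem
  result = filter_bundle(bundle)
  puts "offending: #{result[:offending].inspect}"
  puts "kept #{split_pem(result[:clean_pem]).size} certificate(s)"
end
```

Pointing filter_bundle at the contents of an existing SSL_CERT_FILE and writing result[:clean_pem] back out is the same operation the gist performs on a real trust store.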
