Unable to load EllipticalCurve EC class from JRuby's OpenSSL library [$500 awarded] #90

Closed
headius opened this issue Apr 20, 2016 · 16 comments
@headius
Member

headius commented Apr 20, 2016

(Transplanted from jruby/jruby#1261 reported by @michaelgpearce)

I hope this is the right place to report this bug (I think it is!).

The class OpenSSL::PKey::EC does not load on JRuby version 1.7.8. The library loads with the same commands in MRI version 1.9.3p125 and 2.0.0p195.

~/myprojects/test $ jruby --version
jruby 1.7.8 (1.9.3p392) 2013-11-14 0ce429e on Java HotSpot(TM) 64-Bit Server VM 1.6.0_65-b14-462-11M4609 [darwin-x86_64]
~/myprojects/test $ bundle show jruby-openssl
/Users/test/.rvm/gems/jruby-1.7.8@global/gems/jruby-openssl-0.9.4
~/myprojects/test $ bundle exec irb
irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> ::OpenSSL::PKey::EC.new("secp256k1")
NameError: uninitialized constant OpenSSL::PKey::EC
    from org/jruby/RubyModule.java:2686:in `const_missing'
    from (irb):2:in `evaluate'
    from org/jruby/RubyKernel.java:1123:in `eval'
    from org/jruby/RubyKernel.java:1519:in `loop'
    from org/jruby/RubyKernel.java:1284:in `catch'
    from org/jruby/RubyKernel.java:1284:in `catch'
    from /Users/test/.rvm/rubies/jruby-1.7.8/bin/irb:13:in `(root)'

In MRI:

1.9.3p125 :001 > require 'openssl'
 => true 
1.9.3p125 :002 > ::OpenSSL::PKey::EC.new("secp256k1")
 => #<OpenSSL::PKey::EC:0x007f91e31d9670> 

See comments in jruby/jruby#1261. We had hoped to fix this for JRuby 9.1, but it will probably not happen. Moving this to jruby-openssl since it needs to be handled on jruby-openssl's release cycle.

cc @kares @mkristian @enebo


Want to see this issue fixed? Post a bounty on it! We accept bounties via Bountysource.

---

The **[$500 bounty](https://www.bountysource.com/issues/33165948-unable-to-load-ellipticalcurve-ec-class-from-jruby-s-openssl-library?utm_campaign=plugin&utm_content=tracker%2F136995&utm_medium=issues&utm_source=github)** on this issue has been claimed at [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F136995&utm_medium=issues&utm_source=github).

@mohamedhafez
Contributor

Upvoting: this is going to be necessary in order to encode payloads for the new Web Push API, for example with the webpush gem.

@mohamedhafez
Contributor

I know it's not that much, but just posted a $100 bounty on this at BountySource if anyone is interested. @headius would it be possible to put a 'bounty' tag or label on the issue by any chance? (totally understandable if you don't want money influencing which bugs get fixed though, just a suggestion:)

@kares
Member

kares commented May 25, 2016

@mohamedhafez thanks. added a link to BountySource in the desc.
a bounty is a good motivator (at least for me) to get into features that are "more" time-consuming.

also regarding the .rb impl - it wasn't working well enough; I would instead prefer to have a native Java impl.

@headius
Member Author

headius commented May 25, 2016

I'm fine adding a "bounty" tag if that's all that's required to integrate BountySource.

@mohamedhafez
Contributor

@headius It looks like if you log into bountysource with a GitHub account that owns a project, you can turn on automatic integration that will automatically apply bountysource labels to issues and update bounty totals, etc: http://blog.bountysource.com/post/48954271533/improved-github-integration-automatically-update

@headius headius changed the title from "Unable to load EllipticalCurve EC class from JRuby's OpenSSL library" to "Unable to load EllipticalCurve EC class from JRuby's OpenSSL library [$115]" May 25, 2016
@headius headius added the bounty label May 25, 2016
@headius
Member Author

headius commented May 25, 2016

Since it looked like @kares was on board with Bountysource, I've enabled the automatic integration. It will be a good opportunity to evaluate it for other projects like JRuby.

@headius headius changed the title from "Unable to load EllipticalCurve EC class from JRuby's OpenSSL library [$115]" to "Unable to load EllipticalCurve EC class from JRuby's OpenSSL library [$500]" May 25, 2016
@mohamedhafez
Contributor

Sweet, thanks @headius and @kares! I've gone ahead and upped the bounty to $500:)

@kares kares self-assigned this May 27, 2016
@kares
Member

kares commented May 31, 2016

been looking into this for a few days now and have a prototype but all the details are turning out a bit hard to get right ;( esp. since there's little docs and one ends up looking into Ruby/OpenSSL internals.

as I am not sure which details are more important over others I looked into @mohamedhafez's webpush use-case, which seems to only use symmetric encryption over EC. so I am willing to give that part some more hours if it's acceptable as a resolution to get that working.

@mohamedhafez
Contributor

Personally as long as web push payload encryption works, I'm happy:)

On Tuesday, May 31, 2016, Karol Bucek notifications@github.com wrote:

been looking into this for a few days now and have a prototype but all the
details are turning out a bit hard to get right ;( esp. since there's
little docs and one ends up looking into Ruby/OpenSSL internals.

as I am not sure which details are more important over others I looked
into @mohamedhafez https://github.com/mohamedhafez's webpush use-case,
which seems to only use symmetric encryption
https://github.com/zaru/webpush/blob/f2c5e8e47f78bfb4f9d247e7612cd6fbf56b1aa2/lib/webpush/encryption.rb#L11-L19
over EC. so I am willing to give that part some more hours if it's
acceptable as a resolution to get that working.



@kares
Member

kares commented Jun 7, 2016

(symmetric) EC support just landed on master ... most of the PKey::EC API is implemented except for asymmetric signature/verification. they're not hard but what I struggled with is ASN.1 (it's not the first case with BC) so that part might need to really get down to the bones. additionally, the WebPush use-case needed aes-128-gcm encryption/decryption working (AEAD - Cipher#auth_tag and Cipher#auth_data=).

w prefer having smaller focused issues on what's not working (users shall report) instead of this monolith.

@mohamedhafez
Contributor

Awesome, thanks so much for the quick fix @kares, this does everything I need:)

@mohamedhafez
Contributor

mohamedhafez commented Jun 8, 2016

Actually it looks like a future version of the Web Push API will encourage the use of VAPID, which requires ECDSA. I'm guessing that's the asymmetric signature/verification part you were mentioning. I'd be fine closing this issue (and delivering the bounty) and then opening a new issue for that if that's the case.

@mohamedhafez
Contributor

taking a closer look, I believe it's just ECDSA signature that would be required for this use case

@kares
Member

kares commented Jun 9, 2016

@mohamedhafez thanks for the info, we're already half into 0.9.17 release (rushing due to a leak) so the "non-future" parts of WebPush will be there. would be great if the existing EC/DH+GCM support was real-world tested. there's much work around jossl so I do not really have time for a test application.
ECDSA might be prototyped but to really have something worth releasing PEM/DER encoding is needed so that keys/signatures are properly tested. some time later I might get to it, once again, if no one else will.
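
A smoke test for the EC/DH + GCM path discussed above, as an added example that is not code from this thread or from jruby-openssl. It exercises `PKey::EC#dh_compute_key`, `Cipher#auth_data=` and `Cipher#auth_tag` with aes-128-gcm; the curve (P-256), the HKDF key derivation, the AAD/info strings and the plaintext are assumptions constructed for the demo, not the Web Push key schedule.

```ruby
require "openssl"

# Constructed demo values; none of them come from the issue thread.
CURVE = "prime256v1" # assumption: P-256 for this demo
AAD   = "constructed-aad".b
INFO  = "constructed-info".b

# HKDF-SHA256 (RFC 5869) spelled out with HMAC; a stand-in key schedule.
def hkdf_sha256(ikm, salt, info, length)
  md  = OpenSSL::Digest.new("SHA256")
  prk = OpenSSL::HMAC.digest(md, salt, ikm)
  okm, t, i = "".b, "".b, 0
  while okm.bytesize < length
    t = OpenSSL::HMAC.digest(md, prk, t + info + (i += 1).chr)
    okm << t
  end
  okm.byteslice(0, length)
end

# AES-128-GCM cipher in the requested direction, with the AAD attached.
def gcm(mode, key, iv, tag = nil)
  c = OpenSSL::Cipher.new("aes-128-gcm")
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = key
  c.iv = iv
  c.auth_tag = tag if tag # the tag must be set before #final on decrypt
  c.auth_data = AAD
  c
end

def seal(key, iv, plaintext)
  c = gcm(:encrypt, key, iv)
  [c.update(plaintext) + c.final, c.auth_tag]
end

# Returns the plaintext, or nil when tag verification fails.
def unseal(key, iv, ciphertext, tag)
  c = gcm(:decrypt, key, iv, tag)
  c.update(ciphertext) + c.final
rescue OpenSSL::Cipher::CipherError
  nil
end

def smoke_test
  a, b = Array.new(2) { OpenSSL::PKey::EC.generate(CURVE) }
  salt, iv = OpenSSL::Random.random_bytes(16), OpenSSL::Random.random_bytes(12)
  ka = hkdf_sha256(a.dh_compute_key(b.public_key), salt, INFO, 16)
  kb = hkdf_sha256(b.dh_compute_key(a.public_key), salt, INFO, 16)
  ct, tag = seal(ka, iv, "hello push")
  bad = ct.dup.tap { |s| s.setbyte(0, s.getbyte(0) ^ 1) } # flip one bit
  { keys_match: ka == kb, round_trip: unseal(kb, iv, ct, tag), tampered: unseal(kb, iv, bad, tag) }
end
```

Running `smoke_test` on both MRI and JRuby gives a quick parity check: both sides should derive the same key, the round trip should return the plaintext, and the bit-flipped ciphertext should be rejected.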

@kares kares added this to the 0.9.17 milestone Jun 9, 2016
@kares kares closed this as completed Jun 9, 2016
@mohamedhafez
Contributor

Sounds good to me, thanks again @kares. I'll start using it in my app and report back if I see any issues.

@headius headius changed the title from "Unable to load EllipticalCurve EC class from JRuby's OpenSSL library [$500]" to "Unable to load EllipticalCurve EC class from JRuby's OpenSSL library [$500 awarded]" Jul 5, 2016
@mohamedhafez
Contributor

Just wanted to report back that I've been using the webpush gem along with this fix in my real-world app, and it's been smooth sailing. (Though admittedly there hasn't been a huge usage of the webpush feature yet since my app is for substitute teachers and this is the low season since it's summer out here)
