-
Notifications
You must be signed in to change notification settings - Fork 80
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add OCSP support #124
add OCSP support #124
Conversation
TODO: - Replace manual construction of Request in #sign with OCSPReqBuilder - Fix verification
* There seems to be an issue with decoding objects using ASN1.decode and then trying to reconstitute decoded objects by calling to_der on them. Some data seems to be left off. Not covering it here because of scope creep.
Wow! |
return Utils.newError(runtime, _OCSP(runtime).getClass("OCSPError"), ex); | ||
} | ||
|
||
public static RaiseException newSSLError(Ruby runtime, String message) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
📛 seems wrong
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, not sure why I added this in the first place. Thanks for catching.
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER | ||
* DEALINGS IN THE SOFTWARE. | ||
* | ||
* Copyright (C) 2007-2009 Ola Bini <ola.bini@gmail.com> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would prefer to have your name here instead of Ola's or just the (C) 2017 The JRuby Team
if your shy :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Haha, ok. I realized I need to add the license to the other files too.
|
||
private RubyString der; | ||
private byte[] nonce; | ||
private SecureRandom random = new SecureRandom(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should delay the SecureRandom
creation - and use the helper from SecurityHelper
(this is minor, really)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The final version ended up not needing SecureRandom anyway
|
||
@JRubyMethod(name = "add_status") | ||
public OCSPBasicResponse add_status(final ThreadContext context) { | ||
//TODO: Implement |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shouldn't we also print a warning on these stub impls? (am not sure - thus asking, there's helpers for that)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, those were notes for myself to implement them before pushing. The final version should have everything implemented. I could rebase/squash my commits if that would help so people wouldn't even see this. Thoughts?
|
||
@JRubyMethod(name = "to_der") | ||
public IRubyObject to_der() { | ||
//TODO implement |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it definitely makes sense to have warnings on these e.g.
OpenSSL.warn(context, "WARNING: unimplemented method called: OCSP::Request#to_der");
public IRubyObject verify(IRubyObject certificates, IRubyObject store, IRubyObject flags) { | ||
//TODO implement | ||
|
||
return RubyBoolean.newBoolean(getRuntime(), true); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
safer to return false
if its unimplemented for users relying on this feature, right?
@@ -29,6 +29,8 @@ | |||
import java.util.ArrayList; | |||
import java.util.Locale; | |||
|
|||
import org.bouncycastle.asn1.ASN1InputStream; | |||
import org.bouncycastle.asn1.ASN1Primitive; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
⛔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Woops!
CI also catched a (minor) issue :
.. otherwise this is looking 🍇 as far as I can tell 💘 |
I'll update based on comments and try to figure out the CI failure. |
@kares I'm not sure what's going on with the build failures now. One appears to have timed out: https://travis-ci.org/jruby/jruby-openssl/jobs/209400174 The others seem to be having trouble getting their environment/dependencies set up to run the ruby tests in their respective environments: https://travis-ci.org/jruby/jruby-openssl/jobs/209400177 I can't tell if I caused this problem or not... When I look at the file(s) in the stack in my checked out copy (jruby-openssl/lib/openssl.rb and jruby-openssl/lib/jopenssl/load.rb) i don't see the relevant lines... Am I missing something? |
@lampad no worries. thanks for all the code! |
I've bundled the master branch, and I'm still seeing the same error:
|
@HoneyryderChuck I'm not sure what "bundling" the master branch does exactly, but you'll probably need to package/repackage the new jopenssl.jar and the jruby-openssl gem and install the gem in your local gem env. There are instructions on how to do the packaging in the BUILDING.md file which should spit out a gem in the pkg dir. |
@HoneyryderChuck and yeah, I think you're correct re: #119. I didn't dig too deep into it there, but I did notice some functionality missing in the ASN1 class. If I find some time, I'll take a deep dive. |
@lampad I think bundler already takes care of that. |
here's the relevant bundler log run in verbose mode:
|
@HoneyryderChuck jruby-openssl does not work when using UPDATE: here's a SNAPSHOT build that should do. |
@kares thx for the info. That's unfortunate, my expectation for bundler would be definitely something else. Is this a pending/in-progress feature, and does it concern bundler or jruby? After downloading the package, is there a way to automate installing the local package with bundler, or do I resort to following the instructions in BUILDING.md, as suggested by @lampad ? |
that's a usual issue with native gems as they require building (e.g. same with nokogiri), this could be hacked to get working in an 'un-official' way. it does not concern JRuby nor Bundler atm. you just gem install the downloaded gem and than use it (specify its version in Gemfile). this is a bit out-of-scope here. just do the same thing as you would if you had a third-party gem not on RubyGems. |
@kares, doh, you're right :) managed to do it, and on to the next issue. |
An attempt to resolve #24
Finally found enough random time to finish this up.
Some assertions in test_ocsp.rb (ripped straight from 2.4.0 CRuby) are commented out because of some odd behavior I noticed with decoding objects using ASN1.decode. A cursory glance seems to suggest that bits of data are left out of the decoded objects or aren't put back in to the der string when calling to_der.
I decided to TODO them since it felt like scope creep, and my mind just wasn't ready to dive into that side of things.
Let me know if you have questions or anything. This is my first real foray into JRuby, so if I did stupid stuff, please let me know.