JRuby-OpenSSL treats incorrect RFC 7468 label differently than OpenSSL For Ruby #5746
[root@puppetmaster2 tmp]# jruby --version
jruby 188.8.131.52 (2.5.3) 2019-04-09 8a269e3 OpenJDK 64-Bit Server VM 25.212-b04 on 1.8.0_212-b04 +jit [linux-x86_64]
[root@puppetmaster2 tmp]# uname -a
Linux puppetmaster2 3.10.0-957.12.2.el7.x86_64 #1 SMP Tue May 14 21:24:32 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[root@puppetmaster2 tmp]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
With CRuby, only the correct PEM is parsed:
$ /usr/bin/ruby jruby-openssl-rfc7468-poc1.rb
Result 1: Correctly parses RFC-7468 compliant PEM.
Result 4: Correctly does not parse RFC-7468 non-compliant PEM.
(See the attached script.)
With JRuby-OpenSSL, both the correct and the incorrect PEM are parsed:
$ cd jruby-openssl-rfc7468
$ tar -C /tmp -xf ~/files/downloads/jruby-dist-184.108.40.206-bin.tar.gz
$ export PATH=/tmp/jruby-220.127.116.11/bin:$PATH
$ jruby jruby-openssl-rfc7468-poc1.rb
Result 1: Correctly parses RFC-7468 compliant PEM.
Result 3: Incorrectly parses RFC-7468 non-compliant PEM.
(See the attached script.)
The only difference between the two cert files (NB, different number of dashes in the END line):
$ diff test1a.pem test1b.pem
20c20
< -----END CERTIFICATE-----
---
> -----END CERTIFICATE----
Further comments here, rather than crudding up the description.
There is exactly one space character (SP) separating the "BEGIN" or
The implication is that if JRuby-OpenSSL is used to validate cert provisioning for later OpenSSL-linked application consumption, loading the cert will fail at the later step. This has different behaviour depending on the application; some fall back to no-SSL/no-TLS operation, some fail to start. (The latter behaviour was encountered.)
I'm filing this here because of the differing behaviour in JRuby-OpenSSL versus OpenSSL For Ruby, the former being documented as "an add-on gem for JRuby that emulates the Ruby OpenSSL native library".
I apologize for no patch, I am not a programmer and couldn't figure out how JRuby-OpenSSL and Bouncy Castle might interact to correctly fail on invalid input here.
I (ignorantly) suspect the issue may be in src/main/java/org/jruby/ext/openssl/x509store/PEMInputOutput.java, there are a bunch of places where the strings are concatenated as beginning-label but no end/after. Here's one, there are more:
return new X509AuxCertificate(readCertificate(reader,BEF_E+PEM_STRING_X509));
For posterity, way above that line the variables are set as follows:
public static final String PEM_STRING_X509="CERTIFICATE";
Linking the POC for easy reading.
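The practical consequence described in this thread is that a certificate which JRuby-OpenSSL accepts can still be rejected by OpenSSL-linked consumers. The following is an added example, not the reporter's attached PoC and not jruby-openssl project code: a strict RFC 7468 encapsulation-boundary check (exactly five hyphen-minus on each side of "BEGIN " / "END ", one SP, matching labels) that can be run before a certificate is handed to something that will parse it with OpenSSL, alongside the CRuby OpenSSL::X509::Certificate behaviour for comparison. The sample certificate is generated in-process (self-signed, assumed subject "/CN=rfc7468-example"), and the four-dash END line is constructed to mirror the test1b.pem diff above. Function names and the label regex are this example's own.

```ruby
require "openssl"

# RFC 7468 label grammar: labelchar = %x21-2C / %x2E-7E (printable, not "-"),
# label = [ labelchar *( ["-" / SP ] labelchar ) ].  (Regex is the example's own.)
LABEL   = /(?:[\x21-\x2C\x2E-\x7E](?:[- ]?[\x21-\x2C\x2E-\x7E])*)?/
PRE_EB  = /\A-----BEGIN (#{LABEL})-----\z/   # pre-encapsulation boundary
POST_EB = /\A-----END (#{LABEL})-----\z/     # post-encapsulation boundary

# Returns a list of human-readable problems; empty means the boundaries are
# well-formed.  Only lines starting with "-" are inspected, because base64 data
# and RFC 1421 headers never start with a hyphen.  Trailing whitespace is
# tolerated; the hyphen count and labels are not.
def check_pem_boundaries(pem)
  errors = []
  open_label = nil
  pem.split(/\r?\n/).each_with_index do |raw, i|
    line = raw.rstrip
    next unless line.start_with?("-")
    if (m = PRE_EB.match(line))
      errors << "line #{i + 1}: BEGIN while #{open_label.inspect} block still open" if open_label
      open_label = m[1]
    elsif (m = POST_EB.match(line))
      if open_label.nil?
        errors << "line #{i + 1}: END without a matching BEGIN"
      elsif m[1] != open_label
        errors << "line #{i + 1}: END label #{m[1].inspect} != BEGIN label #{open_label.inspect}"
      end
      open_label = nil
    else
      errors << "line #{i + 1}: malformed encapsulation boundary #{line.inspect}"
    end
  end
  errors << "missing END line for #{open_label.inspect} block" if open_label
  errors
end

# What CRuby's OpenSSL binding (and therefore libcrypto) does with the input.
def openssl_parses_cert?(pem)
  OpenSSL::X509::Certificate.new(pem)
  true
rescue OpenSSL::X509::CertificateError
  false
end

# Constructed sample input: a throwaway self-signed certificate.
def self_signed_pem
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=rfc7468-example")  # assumed name
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

# Reproduces the reporter's test1b.pem: four hyphens in the END line.
def four_dash_end(pem)
  pem.sub("-----END CERTIFICATE-----", "-----END CERTIFICATE----")
end

if __FILE__ == $PROGRAM_NAME
  good = self_signed_pem
  bad  = four_dash_end(good)
  [["compliant", good], ["four-dash END", bad]].each do |name, pem|
    puts "#{name}: boundary check -> #{check_pem_boundaries(pem).inspect}"
    puts "#{name}: OpenSSL parses  -> #{openssl_parses_cert?(pem)}"
  end
end
```

Run it under CRuby and the four-dash file is rejected twice (by the boundary check and by OpenSSL); run the same script under JRuby and the boundary check still rejects it even though, per this issue, OpenSSL::X509::Certificate.new does not. That is the point of doing the structural check in a provisioning pipeline independently of whichever OpenSSL implementation happens to be loaded.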