
JRuby-OpenSSL treats incorrect RFC 7468 label differently than OpenSSL For Ruby #5746

Open
christopherwood opened this issue May 27, 2019 · 2 comments


Environment

[root@puppetmaster2 tmp]# jruby --version
jruby 9.2.7.0 (2.5.3) 2019-04-09 8a269e3 OpenJDK 64-Bit Server VM 25.212-b04 on 1.8.0_212-b04 +jit [linux-x86_64]

[root@puppetmaster2 tmp]# uname -a
Linux puppetmaster2 3.10.0-957.12.2.el7.x86_64 #1 SMP Tue May 14 21:24:32 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

[root@puppetmaster2 tmp]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)

jruby-openssl-rfc7468-poc1.rb.gz

Expected Behavior

Just like CRuby, only correct PEM parsed:

$ /usr/bin/ruby jruby-openssl-rfc7468-poc1.rb 
Result 1: Correctly parses RFC-7468 compliant PEM.
Result 4: Correctly does not parse RFC-7468 non-compliant PEM.

(See the attached script.)

Actual Behavior

Both correct and incorrect PEM are parsed:

$ cd jruby-openssl-rfc7468
$ tar -C /tmp -xf ~/files/downloads/jruby-dist-9.2.7.0-bin.tar.gz 
$ export PATH=/tmp/jruby-9.2.7.0/bin:$PATH
$ jruby jruby-openssl-rfc7468-poc1.rb 
Result 1: Correctly parses RFC-7468 compliant PEM.
Result 3: Incorrectly parses RFC-7468 non-compliant PEM.

(See the attached script.)

The only difference between the two cert files (NB, different number of dashes):

$ diff test1a.pem test1b.pem 
20c20
< -----END CERTIFICATE-----
---
> -----END CERTIFICATE----

christopherwood (Author) commented May 27, 2019

Further comments here, rather than crudding up the description.

Quoth RFC-7468:

There is exactly one space character (SP) separating the "BEGIN" or
"END" from the label. There are exactly five hyphen-minus (also
known as dash) characters ("-") on both ends of the encapsulation
boundaries, no more, no less.

https://tools.ietf.org/html/rfc7468

The implication is that if JRuby-OpenSSL is used to validate cert provisioning for later OpenSSL-linked application consumption, loading the cert will fail at the later step. This has different behaviour depending on the application; some fall back to no-SSL/no-TLS operation, some fail to start. (The latter behaviour was encountered.)

I'm filing this here because of the differing behaviour in JRuby-OpenSSL versus OpenSSL For Ruby, the former being documented as "an add-on gem for JRuby that emulates the Ruby OpenSSL native library".

I apologize for no patch, I am not a programmer and couldn't figure out how JRuby-OpenSSL and Bouncy Castle might interact to correctly fail on invalid input here.

I (ignorantly) suspect the issue may be in src/main/java/org/jruby/ext/openssl/x509store/PEMInputOutput.java; there are a bunch of places where the strings are concatenated as beginning-label but no end/after. Here's one, there are more:

return new X509AuxCertificate(readCertificate(reader,BEF_E+PEM_STRING_X509));

For posterity, way above that line the variables are set as follows:

public static final String PEM_STRING_X509="CERTIFICATE";
public static final String BEF = "-----";
public static final String AFT = "-----";
public static final String BEF_G = BEF + "BEGIN ";
public static final String BEF_E = BEF + "END ";
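
As an added worked example (not the reporter's attached script and not JRuby-OpenSSL's code), the Ruby below models the two behaviours this issue contrasts: a strict RFC 7468 section 2 reader that requires exactly five hyphens on both ends of each encapsulation boundary and exactly one space after BEGIN/END, beside a lax reader that accepts any END line merely starting with "-----END <label>", which is the prefix match the comment above suspects. The module name Rfc7468, the verdict helper and the GOOD_PEM/BAD_PEM inputs are this example's own; the PEM body is constructed base64, not a real certificate, and no X.509 parsing is done.

```ruby
require "base64"

# Added example; not the reporter's attached script and not JRuby-OpenSSL
# code. Strict RFC 7468 section 2 reader beside a lax reader that models
# the prefix match the comment suspects in PEMInputOutput.java. Neither
# parses X.509; the sample body below is constructed base64, not a cert.
module Rfc7468
  class Error < StandardError; end

  # RFC 7468 ABNF: labelchar is any printable ASCII except hyphen-minus;
  # label = [labelchar *(["-" / SP] labelchar)].
  LABEL = /[\x21-\x2C\x2E-\x7E](?:[- ]?[\x21-\x2C\x2E-\x7E])*/
  # Exactly five hyphens on BOTH ends, exactly one SP after BEGIN/END.
  BOUNDARY = /\A-----(BEGIN|END) (#{LABEL})-----\z/

  # Strict reader: returns [label, decoded_bytes] or raises Rfc7468::Error.
  def self.decode(text)
    lines = text.split(/\r?\n/)
    begin_idx = lines.index { |l| (m = BOUNDARY.match(l)) && m[1] == "BEGIN" }
    raise Error, "no RFC 7468 BEGIN boundary" if begin_idx.nil?

    label = BOUNDARY.match(lines[begin_idx])[2]
    body = []
    lines.drop(begin_idx + 1).each do |line|
      if (m = BOUNDARY.match(line))
        raise Error, "nested #{m[1]} boundary" unless m[1] == "END"
        raise Error, "END label #{m[2]} != BEGIN label #{label}" unless m[2] == label
        return [label, decode_body(body)]
      end
      body << line.strip
    end
    # "-----END CERTIFICATE----" (four hyphens) never matches BOUNDARY, so
    # test1b.pem-style input ends up here.
    raise Error, "no matching END boundary (five hyphens each side required)"
  end

  # Lax reader: accepts an END line that merely STARTS with "-----END <label>",
  # i.e. BEF_E + PEM_STRING_X509 without AFT, as the comment above suspects.
  def self.lax_decode(text)
    lines = text.split(/\r?\n/)
    begin_idx = lines.index { |l| l.start_with?("-----BEGIN ") }
    raise Error, "no BEGIN line" if begin_idx.nil?

    label = lines[begin_idx].delete_prefix("-----BEGIN ").delete_suffix("-----")
    body = []
    lines.drop(begin_idx + 1).each do |line|
      return [label, decode_body(body)] if line.start_with?("-----END #{label}")
      body << line.strip
    end
    raise Error, "no END line"
  end

  def self.decode_body(body_lines)
    Base64.strict_decode64(body_lines.join)
  rescue ArgumentError => e
    raise Error, "body is not valid base64: #{e.message}"
  end
  private_class_method :decode_body
end

# Constructed inputs mirroring test1a.pem / test1b.pem from the report: the
# two differ only in the number of trailing hyphens on the END line.
SAMPLE_BYTES = "constructed sample body, not a real DER certificate" * 3
SAMPLE_BODY  = Base64.strict_encode64(SAMPLE_BYTES).scan(/.{1,64}/).join("\n")
GOOD_PEM = "-----BEGIN CERTIFICATE-----\n#{SAMPLE_BODY}\n-----END CERTIFICATE-----\n"
BAD_PEM  = GOOD_PEM.sub("-----END CERTIFICATE-----", "-----END CERTIFICATE----")

# :ok or :rejected for the given reader, in the spirit of the script's
# "Result N" lines.
def verdict(reader, pem)
  Rfc7468.public_send(reader, pem)
  :ok
rescue Rfc7468::Error
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "strict reader, compliant PEM:     #{verdict(:decode, GOOD_PEM)}"
  puts "strict reader, non-compliant PEM: #{verdict(:decode, BAD_PEM)}"
  puts "lax reader, non-compliant PEM:    #{verdict(:lax_decode, BAD_PEM)}"
end
```

The strict reader is what CRuby's behaviour in the report corresponds to (Result 4): the four-hyphen END line simply never matches the boundary pattern, so the body runs to end of input and the read fails. The lax reader reproduces Result 3: the same input is accepted because only the start of the END line is compared. The same pattern also rejects six trailing hyphens or two spaces after END, which the prefix check would likewise let through.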
