Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

openssl 'BC' (security provider) leak #1543

Closed
wants to merge 84 commits into from
Closed
Show file tree
Hide file tree
Changes from 36 commits
Commits
Show all changes
84 commits
Select commit Hold shift + click to select a range
f35f34d
cleanup and re-arrange some imports to be more readable
kares Feb 28, 2014
cc3b088
implement BC specific (factory) helpers using BC APIs "directly"
kares Feb 28, 2014
4ce51c1
start using our factory methods instead of the java.security stuff di…
kares Feb 28, 2014
888d8f3
replace Signature.getInstance usage with a BC first than rest of prov…
kares Mar 1, 2014
da145e2
cleanup PKeyDSA to use our own factories - added `getKeyPairGenerator`
kares Mar 1, 2014
8a15ff9
setup our own getMac factory and use it + some minor HMAC cleanup
kares Mar 1, 2014
e9f5ced
building strings ( the Java "way" :)
kares Mar 1, 2014
d1fe0bd
deprecate doWithBCProvider and avoid it in code base (NetscapeSPKI)
kares Mar 1, 2014
22c3981
NetscapeSPKI now loadable even without the BC API (fails on invocation)
kares Mar 1, 2014
db5ade6
introducing our own NetscapeCertRequest with the get "BC" provider av…
kares Mar 1, 2014
6803e3c
cleanup Ruby Cipher impl - use our getCipher factory instead of the J…
kares Mar 1, 2014
2ac74c5
finally, we seem to be able to deprecate getWithBCProvider - not used…
kares Mar 1, 2014
89775c3
setup tests for our factories and tune them out + initialize BC when …
kares Mar 1, 2014
c6291c4
Cipher.getInstance gets tricky due JCE internals - but seems fine the…
kares Mar 3, 2014
39110c9
move factories into a new SecurityHelper - allows to change/register …
kares Mar 4, 2014
f639e02
cleanup the `OpenSSL::X509::CRL` impl a bit - as it seemed hard to read
kares Mar 4, 2014
9fa27c2
avoid Jave Security get_instance factories and registering BC in pkcs…
kares Mar 4, 2014
f2e8624
avoid direct getInstance and use our own + more ("jruby-style") cleanup
kares Apr 9, 2014
e1f810d
implement (and use) getKeyGenerator and getSecureRandom factory
kares Mar 4, 2014
da1493e
use getSecureRandom + re-invent RandomHolder & cleanup JRuby methods
kares Mar 4, 2014
ecb2cdd
setup getSSLContext (for completeness) and cleanup SSL impl classes some
kares Mar 4, 2014
a4c1119
allow to set the OpenSSL.debug with a system property + isDebug helpe…
kares Apr 9, 2014
e7c0d80
deprecate the PEMHandler (seems no longer used)
kares Mar 5, 2014
4aa6ef7
provider PEMUtils that are JS getInstance call free + all the noise a…
kares Mar 5, 2014
4ba25a1
PEMReader (BC API depending on provider being registered) avoided
kares Mar 5, 2014
2c73de5
use Ruby runtime's STDOUT instead of Java System.err
kares Apr 9, 2014
6efc3ca
BC's `X509CRLObject` depends on security provider being installed (av…
kares Apr 9, 2014
6021e2e
more internal "JRuby" cleanup + renamed `X509StoreCtx` in a binary co…
kares Apr 9, 2014
0abfdd0
generate some serialVersionUIDs since they've been (on purpose) remov…
kares Apr 9, 2014
9488c4d
genericsize our Function-al interfaces
kares Apr 10, 2014
6bcac12
use an unify function iterface generics + start hiding private/packag…
kares Apr 10, 2014
9cefe6d
allow sharing of our custom `java.security.X509CRL.verify` logic (wit…
kares Apr 10, 2014
318096b
avoid `X509CRL.verify` call and use our helper built to do that (with…
kares Apr 10, 2014
e4a611d
hide more of the OpenSSLImpl internals that are only used within the …
kares Apr 15, 2014
f875b88
Cipher cleanup + use our OpenSSL debug helper to have "debugging" a b…
kares Apr 15, 2014
0cfbe0b
refactor Cipher into one class and test that supported cipher list is…
kares Apr 15, 2014
24a5d9e
should catch NoSuchPaddingException as well ... to re-try cipher with…
kares Apr 15, 2014
871b3de
allow to force provider registration with **-Djruby.openssl.provider.…
kares Apr 15, 2014
202ce00
no need to close StringReader + rescue IOException since PEMIO should…
kares Apr 15, 2014
973f96e
some mangling trying to handle getCipher in a more smart way "around …
kares Apr 15, 2014
7fb85ff
use a hash set for supportedCiphers + more Cipher cleanup and some un…
kares Apr 16, 2014
86e621b
SSLContext internal cleanup + support `SSLContext::METHODS` correctly…
kares Apr 16, 2014
00eae9e
make sure code actually compiles against JRuby 1.7.x (as well as 1.6.8)
kares Apr 16, 2014
f79d44c
internal cleanup - avoid Utils.checkKind calls as in places used an i…
kares Apr 16, 2014
6da8359
speed-up SSLSocket OpenSSL::SSL constant resolution + deprecate Utils…
kares Apr 16, 2014
571f8e0
change extension's type to a list of <X509Extensions.Extension> and m…
kares Apr 16, 2014
4cf2ae6
add a test that checks `OpenSSL::SSL::SSLContext::METHODS` work (fixe…
kares Apr 16, 2014
5b79ccc
simplify ASN1's runtime mappings (preparing to avoid leakage) + clean…
kares Apr 16, 2014
427c169
X509Cert cleanup
kares Apr 17, 2014
71c8fd2
unify error location and naming convention as well as OpenSSL::X cons…
kares Apr 17, 2014
2b74ca5
improved HMAC internals & less string/bytes garbage on digests + re-i…
kares Apr 17, 2014
48cf947
review ASN1.decode usage in Attribute#value= there was a "double" to_…
kares Apr 17, 2014
0889827
less of our own deprecations + cleanup (some left over 1.7 incompatib…
kares Apr 17, 2014
b1cd971
more X509Name cleanup - added a debug for suspicious exception + revi…
kares Apr 18, 2014
ff108c7
more stack trace debugging - esp. due "strange" occasional failures R…
kares Apr 18, 2014
88a88a2
decrade GeneralSecurityException signature + allow to pass key factor…
kares Apr 18, 2014
04b85ea
tune debugging and align DSA/RSA PKey impls - share some common initi…
kares Apr 18, 2014
395976f
some less traces from RSA/DSA while running with `-J-Djruby.openssl.d…
kares Apr 18, 2014
fd5d4dc
sharing `Utils.toHex` implementation caused a HMAC regression
kares Apr 18, 2014
45fb7a2
PKCS7 internal cleanup
kares Apr 18, 2014
a60d0c2
remove unused imports
kares Apr 18, 2014
0a647e0
handle HMAC's key/data arguments using `to_s` instead of `to_str`
kares Apr 18, 2014
95c0124
improve BN's (to_i) conversion to happen without the "middle-man"
kares Apr 18, 2014
8ddd849
reformat SSLSocket and add debug-ing around exceptions + fix some met…
kares Apr 18, 2014
d96c72a
these seems to prefer `to_s` over `to_str` conversion
kares Apr 18, 2014
d04b218
avoid getClassFromPath since `X509.wrap` is called from a loop
kares Apr 18, 2014
d28d3b9
toASN1: use `to_s` & "optimize" for the BN case - avoid the need to r…
kares Apr 18, 2014
c58b30b
internalize (ASN1) default objects initialization
kares Apr 22, 2014
a8c285e
avoid initializing the ASN1Registry class from ASN1 (for now) + dry-u…
kares Apr 22, 2014
7d133e3
ASN1Registry review - optimize OBJ_ constants used - do not look the…
kares Apr 22, 2014
db1bb65
(internal) code cleanup
kares Apr 22, 2014
dcaa686
ASNRegistry minor optimization - no need to be calling to add these w…
kares Apr 22, 2014
0c43646
at last - avoid ASN1's static maps leaking as multiple runtimes start…
kares Apr 22, 2014
f9bf7fe
backported MiscPEMGenerator class from bcpkix latest (master)
kares Apr 22, 2014
fb4b230
MiscPEMGenerator tuned to work on BC 1.47 as well as 1.48+
kares Apr 22, 2014
3280c3a
support for compiling source under BC 1.48 (1.47 is still working as …
kares Apr 22, 2014
850d87e
PKey (internal) cleanup - make sure we do not concatenate strings unl…
kares Apr 22, 2014
c7d7d8a
add a spec for `OpenSSL::PKey::RSA.new` regression - working fine as …
kares Apr 23, 2014
8b1af11
cleanup our internal PEMUtilities copy-pasted from BC to only the par…
kares Apr 23, 2014
4b8e3a6
good idea to synchronize while updating the maps programatically (fro…
kares Apr 23, 2014
a389571
one more hidden place where we're not using SecurityHelper but securi…
kares Apr 23, 2014
cbd7e4a
de-ja-vu BC 1.49 (binary) compatibility while still maintaining 1.47 …
kares Apr 23, 2014
eb81669
only use ASN1Integer(BigInteger) constructor for better compatibility…
kares Apr 23, 2014
3541583
(still) compile JRuby-OpenSSL as Java 1.6 compatible
kares Apr 23, 2014
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
377 changes: 210 additions & 167 deletions ext/openssl/src/main/java/org/jruby/ext/openssl/ASN1.java

Large diffs are not rendered by default.

23 changes: 13 additions & 10 deletions ext/openssl/src/main/java/org/jruby/ext/openssl/Attribute.java
Expand Up @@ -12,7 +12,7 @@
* rights and limitations under the License.
*
* Copyright (C) 2006 Ola Bini <ola@ologix.com>
*
*
* Alternatively, the contents of this file may be used under the terms of
* either of the GNU General Public License Version 2 or later (the "GPL"),
* or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
Expand All @@ -32,12 +32,15 @@
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.asn1.DERSet;

import org.jruby.Ruby;
import org.jruby.RubyClass;
import org.jruby.RubyModule;
import org.jruby.RubyObject;
import org.jruby.anno.JRubyMethod;
import org.jruby.runtime.Arity;
import org.jruby.runtime.ObjectAllocator;
import org.jruby.runtime.ThreadContext;
import org.jruby.runtime.builtin.IRubyObject;
import org.jruby.runtime.Visibility;

Expand All @@ -52,7 +55,7 @@ public IRubyObject allocate(Ruby runtime, RubyClass klass) {
return new Attribute(runtime, klass);
}
};

public static void createAttribute(Ruby runtime, RubyModule mX509) {
RubyClass cAttribute = mX509.defineClassUnder("Attribute",runtime.getObject(), ATTRIBUTE_ALLOCATOR);

Expand Down Expand Up @@ -92,14 +95,13 @@ ASN1Primitive toASN1() {
}

@JRubyMethod(name="initialize", required=1, optional=1, visibility = Visibility.PRIVATE)
public IRubyObject _initialize(IRubyObject[] str) {
if(org.jruby.runtime.Arity.checkArgumentCount(getRuntime(),str,1,2) == 1) {
IRubyObject _oid = OpenSSLImpl.to_der_if_possible(str[0]);
set_oid(_oid);
public IRubyObject _initialize(final ThreadContext context, IRubyObject[] str) {
if ( Arity.checkArgumentCount(context.runtime, str, 1, 2) == 1 ) {
set_oid( OpenSSLImpl.to_der_if_possible(context, str[0]) );
return this;
}
set_oid(str[0]);
set_value(str[1]);
set_value(context, str[1]);
return this;
}

Expand All @@ -126,9 +128,10 @@ public IRubyObject value() {
}

@JRubyMethod(name="value=")
public IRubyObject set_value(IRubyObject val) {
IRubyObject tmp = OpenSSLImpl.to_der_if_possible(val);
this.value = ASN1.decode(getRuntime().getClassFromPath("OpenSSL::ASN1"), tmp);
public IRubyObject set_value(final ThreadContext context, IRubyObject val) {
IRubyObject tmp = OpenSSLImpl.to_der_if_possible(context, val);
this.value = ASN1.decode(context, context.runtime.getClassFromPath("OpenSSL::ASN1"), tmp);
return val;
}

}// Attribute