Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JRuby 1.7 Bundles Invalid Bouncy Castle Security Provider #207

Closed
wants to merge 1 commit into from

Conversation

Projects
None yet
5 participants
@sgonyea
Copy link

sgonyea commented Aug 4, 2012

This does not pertain to Invoked Dynamic. This relates to a PGP decryption / encryption wrapper I've written, around the Bouncy Castle PGP library.

The following example works on JRuby 1.6 / OpenJDK 1.6, but fails on JRuby 1.7 / OpenJDK 1.6.

ruby -v's:

jruby 1.7.0.preview2.dev (ruby-1.9.3-p203) (2012-06-13 cfbb64d) (Java HotSpot(TM) 64-Bit Server VM 1.6.0_31) [darwin-x86_64-java]
jruby 1.6.7.2 (ruby-1.8.7-p357) (2012-05-01 26e08ba) (Java HotSpot(TM) 64-Bit Server VM 1.6.0_31) [darwin-x86_64-java]
jruby 1.6.7.2 (ruby-1.9.2-p312) (2012-05-01 26e08ba) (Java HotSpot(TM) 64-Bit Server VM 1.6.0_31) [darwin-x86_64-java]

To reproduce, follow the instructions at the below repo:
https://github.com/sgonyea/bc_pgp_jruby1.7_bug

Let me know if you have any questions. Thank you!

@sgonyea

This comment has been minimized.

Copy link
Author

sgonyea commented Aug 3, 2012

FYI, this continues to be an issue in jruby-1.7.0-preview2. (cc, @headius).

@headius

This comment has been minimized.

Copy link
Member

headius commented Aug 3, 2012

I'll venture a guess that it's blowing up because of conflicting BC versions. Perhaps we should be mangling BC package into one of our own?

@headius

This comment has been minimized.

Copy link
Member

headius commented Aug 3, 2012

Ok, this is interesting. It fails on Java 6 and Java 7, but not on Java 8. Seems like it could be a conflict with some security policy + boot classpath combination.

https://gist.github.com/3250143

This won't be fixed in pre2, I guarantee that...but we'll work with you to figure it out.

First thing you could try would be to nuke all BC classes out of the JRuby jar and see if that makes your issue go away. Second would be to not load your BC and just assume BC is already present.

@sgonyea

This comment has been minimized.

Copy link
Author

sgonyea commented Aug 3, 2012

Awesome, thank you for looking into this. I'll do that and report what I run in to.

@sgonyea

This comment has been minimized.

Copy link
Author

sgonyea commented Aug 4, 2012

@headius This is now a pull-request. I've identified the issue, which has to do with how the BC JAR was being altered, when compiling JRuby. It seems that doing so invalidates its signing certificate, and it can no longer be used as a Security Provider.

begin
  encrypted_data = PGP.encrypt(string)
rescue Java::OrgBouncycastleOpenpgp::PGPException => e
  @e = e
end

@e.getUnderlyingException
 => java.lang.SecurityException: JCE cannot authenticate the provider BC 

edit: Or I guess, the security certificate was just being excluded all-together. Whatever :)

@sgonyea

This comment has been minimized.

Copy link
Author

sgonyea commented Aug 4, 2012

Updated the title, to more accurately reflect the issue.

@sgonyea

This comment has been minimized.

Copy link
Author

sgonyea commented Aug 4, 2012

On a separate note, you're damn good at ball-parking issues.

@sgonyea

This comment has been minimized.

Copy link
Author

sgonyea commented Aug 6, 2012

Nevermind. Looks like I "fixed" the issue by not bundling the JARs, thereby breaking something else. :( Sorry.

@headius

This comment has been minimized.

Copy link
Member

headius commented Aug 6, 2012

Yeah, I'm not sure the right way to handle this. I had to remove the signatures because they are for the unbundled jars, and including them confuses the JVM since the jar they're contained in (jruby.jar) doesn't match.

There might be a justification for including the jars within the JRuby jar and loading them via our jars-in-jars classloader, but that needs some testing...

@sgonyea

This comment has been minimized.

Copy link
Author

sgonyea commented Oct 22, 2012

Doh, so no luck on this guy for the 1.7 release?

@headius

This comment has been minimized.

Copy link
Member

headius commented Oct 27, 2012

Revisiting this...

We would like to figure this out, but we don't have a good direction at this point. Is there a path forward?

@sgonyea

This comment has been minimized.

Copy link
Author

sgonyea commented Nov 3, 2012

I'm hoping to spend some time on this soon.

Sent from my phone

On Nov 3, 2012, at 2:29 PM, Jess Hottenstein notifications@github.com wrote:

I recently ran into this problem while upgrading a project to jruby 1.7.0. Any thoughts on a timeframe?


Reply to this email directly or view it on GitHub.

@jhottenstein

This comment has been minimized.

Copy link

jhottenstein commented Nov 3, 2012

D'oh. Tried to edit my comment and deleted it. Here it is again for posterity.

I recently ran into this problem while upgrading a project to jruby 1.7.0. Any thoughts on a timeframe?

I was using OpenSSL::PKCS12.create but I assume the cause is the same. I'll see if I can put together a simplified test. Generating valid certs isn't trivial.

@mkristian

This comment has been minimized.

Copy link
Member

mkristian commented Nov 4, 2012

Reading this whole thread I have the feeling it appears the juby-ossl does
not use JCE-API directly. It looks like that repacking (jarjar) is possible
way to go. That would allow people to use the version of BC they want to
and not forced to use the version coming with jruby.

Unless someone already tried I could give it a trial.

Kristian

@tommay

This comment has been minimized.

Copy link

tommay commented Nov 5, 2012

I believe this is the same issue that I'm seeing while trying to upgrade from 1.6.7 to 1.7.0. My code is blowing out:

java.lang.SecurityException: JCE cannot authenticate the provider BC
....
Caused by: java.util.jar.JarException: Class is on the bootclasspath

In both 1.6.7 and 1.7.0, java is started with -Xbootclasspath/a:.../lib/jruby.jar. In 1.7.0, that jar contains the BC code, and in 1.6.7 it does not. I deleted the org/bouncycastle directory from the 1.7.0 jruby.jar and all is well. Except for this message at startup (bouncy-castle-java is installed):

OpenSSL ASN1/PKey/X509/Netscape/PKCS7 implementation unavailable
gem install bouncy-castle-java for full support.

I'm using java 6:
$ java -version
java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b04)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03, mixed mode)

@headius

This comment has been minimized.

Copy link
Member

headius commented Nov 6, 2012

Hmm. I wonder if the right option is for us to be simply including the BC jars in our lib dir, or preinstalling the as gems and loading them from there?

@headius

This comment has been minimized.

Copy link
Member

headius commented Nov 6, 2012

@mkristian That would absolutely be worth trying. Please give it a shot, and I'll experiment with leaving BC out of jruby.jar.

@tommay

This comment has been minimized.

Copy link

tommay commented Nov 6, 2012

I'm happy to help, test, whatever.

@mkristian

This comment has been minimized.

Copy link
Member

mkristian commented Nov 7, 2012

I did create a jruby.jar with rewritten bouncycastle files and run a little test:
https://gist.github.com/4030050

and got the expected result (as with the browser). the patch for jruby.jar (ant jar-dist)
mkristian@110f732

it seems to easy a fix - probably I missed something.

@tommay would appreciate if you could give it some testing too :)

@tommay

This comment has been minimized.

Copy link

tommay commented Nov 7, 2012

That patch fixes things for me, thanks!

@mkristian

This comment has been minimized.

Copy link
Member

mkristian commented Nov 8, 2012

I put a more complete version of the patch into a pull request
#377

with this jruby does NOT deliver any JCE security provider anymore.

@headius

This comment has been minimized.

Copy link
Member

headius commented Nov 8, 2012

I am running all our suites locally to ensure @mkristian's patch looks good. Hopefully this will be all we need!

@headius

This comment has been minimized.

Copy link
Member

headius commented Nov 8, 2012

The patch is good...marking this as closed!

@headius headius closed this Nov 8, 2012

@tommay

This comment has been minimized.

Copy link

tommay commented Nov 8, 2012

Works for me. FWIW, here's the script I used to verify this:

#!/usr/bin/env ruby
require "rubygems"
require "java"
require "bouncy-castle-java"
java.security.Security.addProvider(org.bouncycastle.jce.provider.BouncyCastleProvider.new)
javax.crypto.Cipher.getInstance("AES/CBC/PKCS5Padding", "BC")
puts "ok"

Without the patch, getInstance would throw an exception.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.