JRuby 1.7 Bundles Invalid Bouncy Castle Security Provider #207

@sgonyea
sgonyea commented Jun 14, 2012

This does not pertain to InvokeDynamic. This relates to a PGP decryption / encryption wrapper I've written around the Bouncy Castle PGP library.

The following example works on JRuby 1.6 / OpenJDK 1.6, but fails on JRuby 1.7 / OpenJDK 1.6.

ruby -v's:

jruby 1.7.0.preview2.dev (ruby-1.9.3-p203) (2012-06-13 cfbb64d) (Java HotSpot(TM) 64-Bit Server VM 1.6.0_31) [darwin-x86_64-java]
jruby 1.6.7.2 (ruby-1.8.7-p357) (2012-05-01 26e08ba) (Java HotSpot(TM) 64-Bit Server VM 1.6.0_31) [darwin-x86_64-java]
jruby 1.6.7.2 (ruby-1.9.2-p312) (2012-05-01 26e08ba) (Java HotSpot(TM) 64-Bit Server VM 1.6.0_31) [darwin-x86_64-java]

To reproduce, follow the instructions at the below repo:
https://github.com/sgonyea/bc_pgp_jruby1.7_bug

Let me know if you have any questions. Thank you!

@sgonyea
sgonyea commented Aug 3, 2012

FYI, this continues to be an issue in jruby-1.7.0-preview2. (cc, @headius).

@headius
Member
headius commented Aug 3, 2012

I'll venture a guess that it's blowing up because of conflicting BC versions. Perhaps we should be mangling BC package into one of our own?

@headius
Member
headius commented Aug 3, 2012

Ok, this is interesting. It fails on Java 6 and Java 7, but not on Java 8. Seems like it could be a conflict with some security policy + boot classpath combination.

https://gist.github.com/3250143

This won't be fixed in pre2, I guarantee that...but we'll work with you to figure it out.

First thing you could try would be to nuke all BC classes out of the JRuby jar and see if that makes your issue go away. Second would be to not load your BC and just assume BC is already present.

@sgonyea
sgonyea commented Aug 3, 2012

Awesome, thank you for looking into this. I'll do that and report what I run into.

@sgonyea
sgonyea commented Aug 4, 2012

@headius This is now a pull-request. I've identified the issue, which has to do with how the BC JAR was being altered, when compiling JRuby. It seems that doing so invalidates its signing certificate, and it can no longer be used as a Security Provider.

begin
  encrypted_data = PGP.encrypt(string)
rescue Java::OrgBouncycastleOpenpgp::PGPException => e
  @e = e
end

@e.getUnderlyingException
 => java.lang.SecurityException: JCE cannot authenticate the provider BC 

edit: Or I guess, the security certificate was just being excluded altogether. Whatever :)

@sgonyea
sgonyea commented Aug 4, 2012

Updated the title, to more accurately reflect the issue.

@sgonyea
sgonyea commented Aug 4, 2012

On a separate note, you're damn good at ball-parking issues.

@sgonyea
sgonyea commented Aug 6, 2012

Never mind. Looks like I "fixed" the issue by not bundling the JARs, thereby breaking something else. :( Sorry.

@headius
Member
headius commented Aug 6, 2012

Yeah, I'm not sure the right way to handle this. I had to remove the signatures because they are for the unbundled jars, and including them confuses the JVM since the jar they're contained in (jruby.jar) doesn't match.

There might be a justification for including the jars within the JRuby jar and loading them via our jars-in-jars classloader, but that needs some testing...
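
As an added example (not part of the thread and not JRuby project code): a jar that carries org/bouncycastle classes but no META-INF signature files, as described in the comments above, can be spotted from its entry list alone. The Ruby sketch below reads entry names from the ZIP central directory and classifies the packaging; the function names and sample entry names are assumptions made for this example, and it checks only that signature files are present, not that they are valid or that the jar is off the boot classpath.

```ruby
# Added example, not JRuby project code. Sample entry names are constructed.
SIG_FILE  = %r{\AMETA-INF/[^/]+\.SF\z}i
SIG_BLOCK = %r{\AMETA-INF/[^/]+\.(RSA|DSA|EC)\z}i
REPACKED = %w[META-INF/MANIFEST.MF org/jruby/Main.class
              org/bouncycastle/jce/provider/BouncyCastleProvider.class]
SIGNED   = %w[META-INF/MANIFEST.MF META-INF/SIGNER.SF META-INF/SIGNER.RSA
              org/bouncycastle/jce/provider/BouncyCastleProvider.class]
SHADED   = %w[META-INF/MANIFEST.MF shaded/org/bouncycastle/Example.class]

# Entry names from the ZIP central directory (no decompression, no ZIP64).
def jar_entry_names(bytes)
  bytes = bytes.b
  eocd = bytes.rindex("PK\x05\x06".b) or raise ArgumentError, "not a zip/jar"
  count, _cd_size, offset = bytes[eocd + 10, 10].unpack("vVV")
  Array.new(count) do
    raise ArgumentError, "bad central directory" unless bytes[offset, 4] == "PK\x01\x02".b
    name_len, extra_len, comment_len = bytes[offset + 28, 6].unpack("vvv")
    name = bytes[offset + 46, name_len].force_encoding("UTF-8")
    offset += 46 + name_len + extra_len + comment_len
    name
  end
end

# BC classes under their original package need signature files beside them.
def bc_packaging(names)
  return :no_bc_classes unless names.any? { |n| n.start_with?("org/bouncycastle/") }
  signed = names.any? { |n| n =~ SIG_FILE } && names.any? { |n| n =~ SIG_BLOCK }
  signed ? :signed_bc_jar : :bc_bundled_without_signatures
end

# Constructed sample input: an in-memory jar of empty, stored entries.
def sample_jar(names)
  locals, central = "".b, "".b
  names.each do |n|
    off = locals.bytesize
    locals << ["PK\x03\x04".b, 20, 0, 0, 0, 0, 0, 0, 0, n.bytesize, 0].pack("a4v5V3v2") << n.b
    central << ["PK\x01\x02".b, 20, 20, 0, 0, 0, 0, 0, 0, 0,
                n.bytesize, 0, 0, 0, 0, 0, off].pack("a4v6V3v5V2") << n.b
  end
  locals + central + ["PK\x05\x06".b, 0, 0, names.size, names.size,
                      central.bytesize, locals.bytesize, 0].pack("a4v4V2v")
end

if __FILE__ == $0
  path = ARGV[0]
  jar = path && File.file?(path) ? File.binread(path) : sample_jar(REPACKED)
  puts bc_packaging(jar_entry_names(jar))
end
```

Run with a jar path as the only argument to classify a real file; with no argument it classifies the constructed REPACKED sample.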

@sgonyea
sgonyea commented Oct 22, 2012

Doh, so no luck on this guy for the 1.7 release?

@headius
Member
headius commented Oct 27, 2012

Revisiting this...

We would like to figure this out, but we don't have a good direction at this point. Is there a path forward?

@sgonyea
sgonyea commented Nov 3, 2012

I'm hoping to spend some time on this soon.

On Nov 3, 2012, at 2:29 PM, Jess Hottenstein notifications@github.com wrote:

I recently ran into this problem while upgrading a project to jruby 1.7.0. Any thoughts on a timeframe?

@jhottenstein

D'oh. Tried to edit my comment and deleted it. Here it is again for posterity.

I recently ran into this problem while upgrading a project to jruby 1.7.0. Any thoughts on a timeframe?

I was using OpenSSL::PKCS12.create but I assume the cause is the same. I'll see if I can put together a simplified test. Generating valid certs isn't trivial.

@mkristian
Member

Reading this whole thread, I have the feeling that jruby-ossl does not use the JCE API directly. It looks like repacking (jarjar) is a possible way to go. That would allow people to use the version of BC they want and not be forced to use the version coming with jruby.

Unless someone already tried I could give it a trial.

Kristian

@tommay
tommay commented Nov 5, 2012

I believe this is the same issue that I'm seeing while trying to upgrade from 1.6.7 to 1.7.0. My code is blowing out:

java.lang.SecurityException: JCE cannot authenticate the provider BC
....
Caused by: java.util.jar.JarException: Class is on the bootclasspath

In both 1.6.7 and 1.7.0, java is started with -Xbootclasspath/a:.../lib/jruby.jar. In 1.7.0, that jar contains the BC code, and in 1.6.7 it does not. I deleted the org/bouncycastle directory from the 1.7.0 jruby.jar and all is well. Except for this message at startup (bouncy-castle-java is installed):

OpenSSL ASN1/PKey/X509/Netscape/PKCS7 implementation unavailable
gem install bouncy-castle-java for full support.

I'm using java 6:
$ java -version
java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b04)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03, mixed mode)

@headius
Member
headius commented Nov 6, 2012

Hmm. I wonder if the right option is for us to be simply including the BC jars in our lib dir, or preinstalling them as gems and loading them from there?

@headius
Member
headius commented Nov 6, 2012

@mkristian That would absolutely be worth trying. Please give it a shot, and I'll experiment with leaving BC out of jruby.jar.

@tommay
tommay commented Nov 6, 2012

I'm happy to help, test, whatever.

@mkristian
Member

I did create a jruby.jar with rewritten bouncycastle files and ran a little test:
https://gist.github.com/4030050

and got the expected result (as with the browser). The patch for jruby.jar (ant jar-dist):
mkristian@110f732

It seems too easy a fix - probably I missed something.

@tommay would appreciate if you could give it some testing too :)

@tommay
tommay commented Nov 7, 2012

That patch fixes things for me, thanks!

@mkristian
Member

I put a more complete version of the patch into a pull request
#377

With this, jruby does NOT deliver any JCE security provider anymore.

@headius
Member
headius commented Nov 8, 2012

I am running all our suites locally to ensure @mkristian's patch looks good. Hopefully this will be all we need!

@headius
Member
headius commented Nov 8, 2012

The patch is good...marking this as closed!

@headius headius closed this Nov 8, 2012
@tommay
tommay commented Nov 8, 2012

Works for me. FWIW, here's the script I used to verify this:

#!/usr/bin/env ruby
require "rubygems"
require "java"
require "bouncy-castle-java"
java.security.Security.addProvider(org.bouncycastle.jce.provider.BouncyCastleProvider.new)
javax.crypto.Cipher.getInstance("AES/CBC/PKCS5Padding", "BC")
puts "ok"

Without the patch, getInstance would throw an exception.
