JRuby 1.7 Bundles Invalid Bouncy Castle Security Provider #207

Closed
5 participants

@sgonyea

This does not pertain to Invoked Dynamic. This relates to a PGP decryption / encryption wrapper I've written, around the Bouncy Castle PGP library.

The following example works on JRuby 1.6 / OpenJDK 1.6, but fails on JRuby 1.7 / OpenJDK 1.6.

ruby -v's:

jruby 1.7.0.preview2.dev (ruby-1.9.3-p203) (2012-06-13 cfbb64d) (Java HotSpot(TM) 64-Bit Server VM 1.6.0_31) [darwin-x86_64-java]
jruby 1.6.7.2 (ruby-1.8.7-p357) (2012-05-01 26e08ba) (Java HotSpot(TM) 64-Bit Server VM 1.6.0_31) [darwin-x86_64-java]
jruby 1.6.7.2 (ruby-1.9.2-p312) (2012-05-01 26e08ba) (Java HotSpot(TM) 64-Bit Server VM 1.6.0_31) [darwin-x86_64-java]

To reproduce, follow the instructions at the below repo:
https://github.com/sgonyea/bc_pgp_jruby1.7_bug

Let me know if you have any questions. Thank you!

@sgonyea

FYI, this continues to be an issue in jruby-1.7.0-preview2. (cc, @headius).

@headius
Owner

I'll venture a guess that it's blowing up because of conflicting BC versions. Perhaps we should be mangling BC package into one of our own?

@headius
Owner

Ok, this is interesting. It fails on Java 6 and Java 7, but not on Java 8. Seems like it could be a conflict with some security policy + boot classpath combination.

https://gist.github.com/3250143

This won't be fixed in pre2, I guarantee that...but we'll work with you to figure it out.

First thing you could try would be to nuke all BC classes out of the JRuby jar and see if that makes your issue go away. Second would be to not load your BC and just assume BC is already present.

@sgonyea

Awesome, thank you for looking into this. I'll do that and report what I run into.

@sgonyea

@headius This is now a pull-request. I've identified the issue, which has to do with how the BC JAR was being altered, when compiling JRuby. It seems that doing so invalidates its signing certificate, and it can no longer be used as a Security Provider.

begin
  encrypted_data = PGP.encrypt(string)
rescue Java::OrgBouncycastleOpenpgp::PGPException => e
  @e = e
end

@e.getUnderlyingException
 => java.lang.SecurityException: JCE cannot authenticate the provider BC 

edit: Or I guess, the security certificate was just being excluded altogether. Whatever :)

@sgonyea

Updated the title, to more accurately reflect the issue.

@sgonyea

On a separate note, you're damn good at ball-parking issues.

@sgonyea

Never mind. Looks like I "fixed" the issue by not bundling the JARs, thereby breaking something else. :( Sorry.

@headius
Owner

Yeah, I'm not sure the right way to handle this. I had to remove the signatures because they are for the unbundled jars, and including them confuses the JVM since the jar they're contained in (jruby.jar) doesn't match.

There might be a justification for including the jars within the JRuby jar and loading them via our jars-in-jars classloader, but that needs some testing...

@sgonyea

Doh, so no luck on this guy for the 1.7 release?

@headius
Owner

Revisiting this...

We would like to figure this out, but we don't have a good direction at this point. Is there a path forward?

@sgonyea
@jhottenstein

D'oh. Tried to edit my comment and deleted it. Here it is again for posterity.

I recently ran into this problem while upgrading a project to jruby 1.7.0. Any thoughts on a timeframe?

I was using OpenSSL::PKCS12.create but I assume the cause is the same. I'll see if I can put together a simplified test. Generating valid certs isn't trivial.

@mkristian
Collaborator
@tommay

I believe this is the same issue that I'm seeing while trying to upgrade from 1.6.7 to 1.7.0. My code is blowing out:

java.lang.SecurityException: JCE cannot authenticate the provider BC
....
Caused by: java.util.jar.JarException: Class is on the bootclasspath

In both 1.6.7 and 1.7.0, java is started with -Xbootclasspath/a:.../lib/jruby.jar. In 1.7.0, that jar contains the BC code, and in 1.6.7 it does not. I deleted the org/bouncycastle directory from the 1.7.0 jruby.jar and all is well. Except for this message at startup (bouncy-castle-java is installed):

OpenSSL ASN1/PKey/X509/Netscape/PKCS7 implementation unavailable
gem install bouncy-castle-java for full support.

I'm using java 6:
$ java -version
java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b04)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03, mixed mode)

@headius
Owner

Hmm. I wonder if the right option is for us to be simply including the BC jars in our lib dir, or preinstalling them as gems and loading them from there?

@headius
Owner

@mkristian That would absolutely be worth trying. Please give it a shot, and I'll experiment with leaving BC out of jruby.jar.

@tommay

I'm happy to help, test, whatever.

@mkristian
Collaborator

I did create a jruby.jar with rewritten bouncycastle files and ran a little test:
https://gist.github.com/4030050

and got the expected result (as with the browser). The patch for jruby.jar (ant jar-dist):
mkristian@110f732

It seems too easy a fix - probably I missed something.

@tommay would appreciate if you could give it some testing too :)

@tommay

That patch fixes things for me, thanks!

@mkristian
Collaborator

I put a more complete version of the patch into a pull request
#377

With this, JRuby does NOT deliver any JCE security provider anymore.

@headius
Owner

I am running all our suites locally to ensure @mkristian's patch looks good. Hopefully this will be all we need!

@headius
Owner

The patch is good...marking this as closed!

@headius headius closed this
@tommay

Works for me. FWIW, here's the script I used to verify this:

#!/usr/bin/env ruby
require "rubygems"
require "java"
require "bouncy-castle-java"
java.security.Security.addProvider(org.bouncycastle.jce.provider.BouncyCastleProvider.new)
javax.crypto.Cipher.getInstance("AES/CBC/PKCS5Padding", "BC")
puts "ok"

Without the patch, getInstance would throw an exception.
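
The condition diagnosed in this thread (org/bouncycastle classes merged into a jar while META-INF/BCKEY.* is excluded) can be checked for as a build step. The following is an added example, not code from the thread or from JRuby; the helper names, the sample jars and the BCKEY.SF/BCKEY.DSA entry names are constructed for illustration.

```ruby
# Added example: flag jars carrying JCE provider classes without signature files.
# Assumes a non-Zip64 archive; the sample jars below are constructed in memory.
SIGNATURE_FILE = %r{\AMETA-INF/[^/]+\.(SF|DSA|RSA|EC)\z}i

# List entry names by walking the ZIP central directory (no gems needed).
def jar_entry_names(bytes)
  eocd = bytes.rindex("PK\x05\x06".b) or raise ArgumentError, "not a zip/jar"
  count, _size, offset = bytes[eocd + 10, 10].unpack("vVV")
  Array.new(count) do
    raise ArgumentError, "corrupt central directory" unless bytes[offset, 4] == "PK\x01\x02".b
    name_len, extra_len, comment_len = bytes[offset + 28, 6].unpack("vvv")
    name = bytes[offset + 46, name_len].force_encoding("UTF-8")
    offset += 46 + name_len + extra_len + comment_len
    name
  end
end

# :provider_unsigned is the state this thread describes for the 1.7 jruby.jar.
# :signature_files_present still needs `jarsigner -verify` to confirm validity.
def audit_provider_jar(bytes, package = "org/bouncycastle/")
  names = jar_entry_names(bytes)
  classes = names.count { |n| n.start_with?(package) && n.end_with?(".class") }
  signatures = names.grep(SIGNATURE_FILE)
  status = if classes.zero? then :no_provider_classes
           elsif signatures.empty? then :provider_unsigned
           else :signature_files_present
           end
  { status: status, provider_classes: classes, signatures: signatures }
end

# Hypothetical helper: build a minimal jar of empty stored entries for the demo.
def build_sample_jar(names)
  body = "".b
  central = "".b
  names.each do |n|
    offset = body.bytesize
    body << ["PK\x03\x04", 20, 0, 0, 0, 0, 0, 0, 0, n.bytesize, 0].pack("a4v5V3v2") << n.b
    central << ["PK\x01\x02", 20, 20, 0, 0, 0, 0, 0, 0, 0, n.bytesize, 0, 0, 0, 0, 0, offset]
               .pack("a4v6V3v5V2") << n.b
  end
  eocd = ["PK\x05\x06", 0, 0, names.size, names.size, central.bytesize, body.bytesize, 0]
  body + central + eocd.pack("a4v4V2v")
end

MERGED_JAR = build_sample_jar(%w[META-INF/MANIFEST.MF org/jruby/Main.class
                                 org/bouncycastle/jce/provider/BouncyCastleProvider.class])
SIGNED_JAR = build_sample_jar(%w[META-INF/MANIFEST.MF META-INF/BCKEY.SF META-INF/BCKEY.DSA
                                 org/bouncycastle/jce/provider/BouncyCastleProvider.class])
puts audit_provider_jar(MERGED_JAR)[:status], audit_provider_jar(SIGNED_JAR)[:status]
```

To audit a real artifact, pass the result of `File.binread` on the jar to `audit_provider_jar`.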

Commits on Aug 4, 2012
  1. Modifying the JAR in this way causes JCE to puke

    Scott Gonyea authored
Showing with 0 additions and 21 deletions.
  1. +0 −21 build.xml
21 build.xml
@@ -390,13 +390,6 @@
<fileset dir="${jruby.classes.dir}"/>
<zipgroupfileset dir="${build.lib.dir}" includes="${jruby.jar.zip.includes}"/>
- <zipfileset src="${build.lib.dir}/bcmail-jdk15-146.jar">
- <exclude name="META-INF/BCKEY.*"/>
- </zipfileset>
- <zipfileset src="${build.lib.dir}/bcprov-jdk15-146.jar">
- <exclude name="META-INF/BCKEY.*"/>
- </zipfileset>
-
<metainf dir="spi">
<include name="services/**"/>
</metainf>
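Review bot: Deleting both `<zipfileset>` entries in this target removes the Bouncy Castle classes from the jar entirely, not only the `<exclude name="META-INF/BCKEY.*"/>` that stripped their signature files, and nothing in the hunk ships bcmail-jdk15-146.jar or bcprov-jdk15-146.jar any other way. Anything packed from `${jruby.classes.dir}` that references those classes will fail to load them unless the jars reach the classpath separately. Suggest pairing the removal with a step that distributes the two jars unmodified, signatures intact, alongside the built jar, and stating that in the commit message.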
@@ -453,13 +446,6 @@ other than ASM, which is rewritten to avoid conflicts. -->
<fileset dir="${jruby.classes.dir}"/>
<zipgroupfileset dir="${build.lib.dir}" includes="${jruby.jar.zip.includes}"/>
- <zipfileset src="${build.lib.dir}/bcmail-jdk15-146.jar">
- <exclude name="META-INF/BCKEY.*"/>
- </zipfileset>
- <zipfileset src="${build.lib.dir}/bcprov-jdk15-146.jar">
- <exclude name="META-INF/BCKEY.*"/>
- </zipfileset>
-
<metainf dir="spi">
<include name="services/**"/>
</metainf>
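Review bot: The unchanged line `<zipgroupfileset dir="${build.lib.dir}" includes="${jruby.jar.zip.includes}"/>` still merges jars from the same directory the removed entries pointed at, so please confirm that the `jruby.jar.zip.includes` pattern does not match the two bc*-jdk15-146 jars. If it does, they would now be merged into this jar with their META-INF/BCKEY.* files no longer excluded, which is a different broken state from the one this change is meant to fix. Naming the jars explicitly in an excludes attribute on that line would make the intent unambiguous.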
@@ -581,13 +567,6 @@ other than ASM, which is rewritten to avoid conflicts. -->
<fileset dir="${build.dir}/jar-complete"/>
<zipgroupfileset dir="${build.lib.dir}" includes="${jruby.jar.zip.includes}"/>
- <zipfileset src="${build.lib.dir}/bcmail-jdk15-146.jar">
- <exclude name="META-INF/BCKEY.*"/>
- </zipfileset>
- <zipfileset src="${build.lib.dir}/bcprov-jdk15-146.jar">
- <exclude name="META-INF/BCKEY.*"/>
- </zipfileset>
-
<metainf dir="spi">
<include name="services/**"/>
</metainf>
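Review bot: This target packs from `${build.dir}/jar-complete`, and after the removal it no longer carries Bouncy Castle either; if this jar is meant to be usable on its own, the change needs to say how its users obtain BC. The same six-line removal is applied to three targets, so a short XML comment at each one stating that the BC jars are intentionally left out would keep someone from re-adding them to a single target later.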