Fix: Added support for the Java cacerts trust anchors #295

Merged
merged 1 commit into from


@ptoomey3

This patch adds support for reading the Java cacerts keystore
to import the default trust anchors using the set_default_paths
API. This patch addresses the problem discussed here:
http://jira.codehaus.org/browse/JRUBY-6140

@ptoomey3 ptoomey3 Added support for the Java cacerts trust anchors
This patch adds support for reading the Java cacerts keystore
to import the default trust anchors using the set_default_paths
API.  This patch addresses the problem discussed here:
http://jira.codehaus.org/browse/JRUBY-6140
590086a
@headius headius merged commit b21ceae into jruby:master
Commits on Sep 10, 2012
  1. @ptoomey3

    Added support for the Java cacerts trust anchors

    ptoomey3 authored
    This patch adds support for reading the Java cacerts keystore
    to import the default trust anchors using the set_default_paths
    API.  This patch addresses the problem discussed here:
    http://jira.codehaus.org/browse/JRUBY-6140
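--- a/src/org/jruby/ext/openssl/X509Store.java
+++ b/src/org/jruby/ext/openssl/X509Store.java
@@ -156,11 +156,7 @@ public IRubyObject add_file(IRubyObject arg) {
 @JRubyMethod
 public IRubyObject set_default_paths() {
 try {
-RubyHash env = (RubyHash)getRuntime().getObject().fastGetConstant("ENV");
-String file = (String)env.get(getRuntime().newString(X509Utils.getDefaultCertificateFileEnvironment()));
-store.loadLocations(file, null);
-String path = (String)env.get(getRuntime().newString(X509Utils.getDefaultCertificateDirectoryEnvironment()));
-store.loadLocations(null, path);
+store.setDefaultPaths();
 }
 catch(Exception e) {
 raise("setting default path failed: " + e.getMessage());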
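Review bot: The `int` returned by `store.setDefaultPaths()` is discarded, so when the Java cacerts file cannot be read (now the default source of trust anchors whenever `SSL_CERT_FILE` is unset) the Ruby caller sees success with an empty trust store instead of an error. The `ok`/`X509_R_LOADING_DEFAULTS` handling in Lookup.call suggests that return mirrors OpenSSL's `X509_STORE_set_default_paths` status, though this hunk does not show it; if so, `if (store.setDefaultPaths() == 0) { raise("setting default path failed"); }` would surface the failure instead of leaving verification to fail later with a less specific error. set_default_paths's body continues past the end of the hunk.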
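--- a/src/org/jruby/ext/openssl/x509store/Lookup.java
+++ b/src/org/jruby/ext/openssl/x509store/Lookup.java
@@ -46,12 +46,17 @@
 import java.util.Iterator;
 import java.util.List;
 import org.jruby.Ruby;
+import org.jruby.RubyHash;
 import org.jruby.util.io.ChannelDescriptor;
 import org.jruby.util.io.ChannelStream;
 import org.jruby.util.io.FileExistsException;
 import org.jruby.util.io.InvalidValueException;
 import org.jruby.util.io.ModeFlags;
+import java.security.KeyStore;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+
 /**
 * X509_LOOKUP
 *
@@ -264,6 +269,31 @@ public int loadCertificateOrCRLFile(String file, int type) throws Exception {
 return count;
 }
+public int loadDefaultJavaCACertsFile() throws Exception {
+int count = 0;
+String certsFile = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
+FileInputStream fin = new FileInputStream(certsFile);
+try {
+KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
+// we pass a null password, as the cacerts file isn't password protected
+keystore.load(fin, null);
+PKIXParameters params = new PKIXParameters(keystore);
+for(TrustAnchor trustAnchor : params.getTrustAnchors()) {
+X509Certificate certificate = trustAnchor.getTrustedCert();
+store.addCertificate(certificate);
+count++;
+}
+} finally {
+if (fin != null) {
+try {
+fin.close();
+} catch (Exception ignored) {
+}
+}
+}
+return count;
+}
+
 private InputStream wrapJRubyNormalizedInputStream(String file) throws IOException {
 Ruby runtime = Ruby.getGlobalRuntime();
 try {
@@ -398,13 +428,14 @@ public int call(Object _ctx, Object _cmd, Object _argp, Object _argl, Object _re
 case X509Utils.X509_L_FILE_LOAD:
 if (argl == X509Utils.X509_FILETYPE_DEFAULT) {
 try {
-file = System.getenv(X509Utils.getDefaultCertificateFileEnvironment());
+RubyHash env = (RubyHash)Ruby.getGlobalRuntime().getObject().fastGetConstant("ENV");
+file = (String)env.get(Ruby.getGlobalRuntime().newString(X509Utils.getDefaultCertificateFileEnvironment()));
 } catch (Error error) {
 }
 if (file != null) {
 ok = ctx.loadCertificateOrCRLFile(file, X509Utils.X509_FILETYPE_PEM) != 0 ? 1 : 0;
 } else {
-ok = (ctx.loadCertificateOrCRLFile(X509Utils.getDefaultCertificateFile(), X509Utils.X509_FILETYPE_PEM) != 0) ? 1 : 0;
+ok = (ctx.loadDefaultJavaCACertsFile() != 0) ? 1: 0;
 }
 if (ok == 0) {
 X509Error.addError(X509Utils.X509_R_LOADING_DEFAULTS);
@@ -475,7 +506,8 @@ public int call(Object _ctx, Object _cmd, Object _argp, Object _argl, Object _re
 case X509Utils.X509_L_ADD_DIR:
 if(argl == X509Utils.X509_FILETYPE_DEFAULT) {
 try {
-dir = System.getenv(X509Utils.getDefaultCertificateDirectoryEnvironment());
+RubyHash env = (RubyHash)Ruby.getGlobalRuntime().getObject().fastGetConstant("ENV");
+dir = (String)env.get(Ruby.getGlobalRuntime().newString(X509Utils.getDefaultCertificateDirectoryEnvironment()));
 } catch (Error error) {
 }
 if(null != dir) {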
4 src/org/jruby/ext/openssl/x509store/Store.java
@@ -325,9 +325,7 @@ public int loadLocations(String file, String path) throws Exception {
/**
* c: X509_STORE_set_default_paths
- * not used for now: invoking this method causes refering System.getenv("SSL_CERT_DIR") etc.
- * We need to get the dir via evaluating "ENV['SSL_CERT_DIR']" instead of it.
- */
+ */
public int setDefaultPaths() throws Exception {
Lookup lookup;