
Fix: Added support for the Java cacerts trust anchors #295

Patrick Toomey

This patch adds support for reading the Java cacerts keystore
to import the default trust anchors using the set_default_paths
API. This patch addresses the problem discussed here:
http://jira.codehaus.org/browse/JRUBY-6140

Patrick Toomey Added support for the Java cacerts trust anchors
This patch adds support for reading the Java cacerts keystore
to import the default trust anchors using the set_default_paths
API.  This patch addresses the problem discussed here:
http://jira.codehaus.org/browse/JRUBY-6140
590086a
Charles Oliver Nutter headius merged commit b21ceae into from September 28, 2012
Charles Oliver Nutter headius closed this September 28, 2012


Sep 10, 2012
Patrick Toomey Added support for the Java cacerts trust anchors
This patch adds support for reading the Java cacerts keystore
to import the default trust anchors using the set_default_paths
API.  This patch addresses the problem discussed here:
http://jira.codehaus.org/browse/JRUBY-6140
590086a
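--- a/src/org/jruby/ext/openssl/X509Store.java
+++ b/src/org/jruby/ext/openssl/X509Store.java
@@ -156,11 +156,7 @@ public IRubyObject add_file(IRubyObject arg) {
     @JRubyMethod
     public IRubyObject set_default_paths() {
         try {
-            RubyHash env = (RubyHash)getRuntime().getObject().fastGetConstant("ENV");
-            String file = (String)env.get(getRuntime().newString(X509Utils.getDefaultCertificateFileEnvironment()));
-            store.loadLocations(file, null);
-            String path = (String)env.get(getRuntime().newString(X509Utils.getDefaultCertificateDirectoryEnvironment()));
-            store.loadLocations(null, path);
+            store.setDefaultPaths();
         }
         catch(Exception e) {
             raise("setting default path failed: " + e.getMessage());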
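Review bot: The delegation on the `store.setDefaultPaths()` line drops this object's runtime: the removed lines read ENV through `getRuntime()`, while the replacement lookups added to Lookup.java in this PR go through `Ruby.getGlobalRuntime()`, so in an embedding where more than one JRuby runtime is alive the SSL_CERT_FILE/SSL_CERT_DIR values come from the global runtime's ENV rather than the caller's (if those can differ in practice, a runtime parameter on `Store.setDefaultPaths` would close the gap). Separately, the catch on the last line reports only `e.getMessage()`, which for the `FileNotFoundException` that the new Java cacerts path can raise is just the file path, and for an exception without a message yields "setting default path failed: null"; `raise("setting default path failed: " + e);` keeps the exception class in the Ruby-level error. `set_default_paths` continues past the end of the hunk, so the return value and the Ruby error class used by `raise` are not visible here.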
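--- a/src/org/jruby/ext/openssl/x509store/Lookup.java
+++ b/src/org/jruby/ext/openssl/x509store/Lookup.java
@@ -46,12 +46,17 @@
 import java.util.Iterator;
 import java.util.List;
 import org.jruby.Ruby;
+import org.jruby.RubyHash;
 import org.jruby.util.io.ChannelDescriptor;
 import org.jruby.util.io.ChannelStream;
 import org.jruby.util.io.FileExistsException;
 import org.jruby.util.io.InvalidValueException;
 import org.jruby.util.io.ModeFlags;
 
+import java.security.KeyStore;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+
 /**
  * X509_LOOKUP
  *
@@ -264,6 +269,31 @@ public int loadCertificateOrCRLFile(String file, int type) throws Exception {
         return count; 
     }
 
+    public int loadDefaultJavaCACertsFile() throws Exception {
+        int count = 0;
+        String certsFile = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
+        FileInputStream fin = new FileInputStream(certsFile);
+        try {
+            KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
+            // we pass a null password, as the cacerts file isn't password protected
+            keystore.load(fin, null);
+            PKIXParameters params = new PKIXParameters(keystore);
+            for(TrustAnchor trustAnchor : params.getTrustAnchors()) {
+                X509Certificate certificate = trustAnchor.getTrustedCert();
+                store.addCertificate(certificate);
+                count++;
+            }    
+        } finally {
+            if (fin != null) {
+                try {
+                    fin.close();
+                } catch (Exception ignored) {
+                }
+            }
+        }
+        return count;
+    }
+
     private InputStream wrapJRubyNormalizedInputStream(String file) throws IOException {
         Ruby runtime = Ruby.getGlobalRuntime();
         try {
@@ -398,13 +428,14 @@ public int call(Object _ctx, Object _cmd, Object _argp, Object _argl, Object _re
             case X509Utils.X509_L_FILE_LOAD:
                 if (argl == X509Utils.X509_FILETYPE_DEFAULT) {
                     try {
-                        file = System.getenv(X509Utils.getDefaultCertificateFileEnvironment());
+                        RubyHash env = (RubyHash)Ruby.getGlobalRuntime().getObject().fastGetConstant("ENV");
+                        file = (String)env.get(Ruby.getGlobalRuntime().newString(X509Utils.getDefaultCertificateFileEnvironment()));
                     } catch (Error error) {
                     }
                     if (file != null) {
                         ok = ctx.loadCertificateOrCRLFile(file, X509Utils.X509_FILETYPE_PEM) != 0 ? 1 : 0;
                     } else {
-                        ok = (ctx.loadCertificateOrCRLFile(X509Utils.getDefaultCertificateFile(), X509Utils.X509_FILETYPE_PEM) != 0) ? 1 : 0;
+                        ok = (ctx.loadDefaultJavaCACertsFile() != 0) ? 1: 0;
                     }
                     if (ok == 0) {
                         X509Error.addError(X509Utils.X509_R_LOADING_DEFAULTS);
@@ -475,7 +506,8 @@ public int call(Object _ctx, Object _cmd, Object _argp, Object _argl, Object _re
             case X509Utils.X509_L_ADD_DIR:
                 if(argl == X509Utils.X509_FILETYPE_DEFAULT) {
                     try {
-                        dir = System.getenv(X509Utils.getDefaultCertificateDirectoryEnvironment());
+                        RubyHash env = (RubyHash)Ruby.getGlobalRuntime().getObject().fastGetConstant("ENV");
+                        dir = (String)env.get(Ruby.getGlobalRuntime().newString(X509Utils.getDefaultCertificateDirectoryEnvironment()));
                     } catch (Error error) {
                     }
                     if(null != dir) {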
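Review bot: The `certsFile` line in `loadDefaultJavaCACertsFile` hardcodes `java.home/lib/security/cacerts`, so a JVM whose trust store was redirected with `-Djavax.net.ssl.trustStore=…`, or that ships a `jssecacerts` beside `cacerts` (which JSSE consults first), ends up with Ruby-side TLS trusting a different anchor set than Java-side TLS in the same process; the excerpt below resolves the file in JSSE's order and honours `javax.net.ssl.trustStorePassword` when set, since a PKCS12 store may not open with a null password. The comment above `keystore.load(fin, null)` is misleading: `cacerts` does carry a store password (conventionally "changeit", and admin-changeable), and a null password merely skips the JKS integrity check — state it as the deliberate trade-off it is, e.g. `// null password skips the JKS integrity check so we don't depend on the store password`. Minor: `.replace('/', File.separatorChar)` binds to the string literal only, not to the concatenation (harmless, but not what it looks like), and the `fin != null` test in the `finally` is dead because `new FileInputStream` either throws or returns non-null. `File` and `FileInputStream` are assumed to be imported already, as the original body uses both.

```java
    public int loadDefaultJavaCACertsFile() throws Exception {
        int count = 0;
        // Resolve the trust store the way JSSE does: explicit javax.net.ssl.trustStore,
        // then jssecacerts, then cacerts, so both TLS stacks in this JVM agree on anchors.
        String certsFile = System.getProperty("javax.net.ssl.trustStore");
        String storePassword = System.getProperty("javax.net.ssl.trustStorePassword");
        if (certsFile == null) {
            File securityDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
            File jssecacerts = new File(securityDir, "jssecacerts");
            certsFile = (jssecacerts.isFile() ? jssecacerts : new File(securityDir, "cacerts")).getPath();
        }
        FileInputStream fin = new FileInputStream(certsFile);
        try {
            KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
            // null password skips the JKS integrity check so we don't depend on the store password;
            // an explicitly configured trustStorePassword is passed through (needed for PKCS12 stores).
            keystore.load(fin, storePassword == null ? null : storePassword.toCharArray());
            // … unchanged: PKIXParameters trust-anchor loop, finally/close, return count …
```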
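--- a/src/org/jruby/ext/openssl/x509store/Store.java
+++ b/src/org/jruby/ext/openssl/x509store/Store.java
@@ -325,9 +325,7 @@ public int loadLocations(String file, String path) throws Exception {
 
     /**
      * c: X509_STORE_set_default_paths
-     * not used for now: invoking this method causes refering System.getenv("SSL_CERT_DIR") etc.
-     * We need to get the dir via evaluating "ENV['SSL_CERT_DIR']" instead of it.
-     */
+     */     
     public int setDefaultPaths() throws Exception { 
         Lookup lookup;
 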