Fix: Added support for the Java cacerts trust anchors #295


@ptoomey3

This patch adds support for reading the Java cacerts keystore
to import the default trust anchors using the set_default_paths
API. This patch addresses the problem discussed here:
http://jira.codehaus.org/browse/JRUBY-6140

@ptoomey3 ptoomey3 Added support for the Java cacerts trust anchors
This patch adds support for reading the Java cacerts keystore
to import the default trust anchors using the set_default_paths
API.  This patch addresses the problem discussed here:
http://jira.codehaus.org/browse/JRUBY-6140
590086a
@headius headius merged commit b21ceae into jruby:master
Commits on Sep 10, 2012
  1. @ptoomey3

    Added support for the Java cacerts trust anchors

    ptoomey3 authored
    This patch adds support for reading the Java cacerts keystore
    to import the default trust anchors using the set_default_paths
    API.  This patch addresses the problem discussed here:
    http://jira.codehaus.org/browse/JRUBY-6140
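--- a/src/org/jruby/ext/openssl/X509Store.java
+++ b/src/org/jruby/ext/openssl/X509Store.java
@@ -156,11 +156,7 @@ public IRubyObject add_file(IRubyObject arg) {
 @JRubyMethod
 public IRubyObject set_default_paths() {
 try {
- RubyHash env = (RubyHash)getRuntime().getObject().fastGetConstant("ENV");
- String file = (String)env.get(getRuntime().newString(X509Utils.getDefaultCertificateFileEnvironment()));
- store.loadLocations(file, null);
- String path = (String)env.get(getRuntime().newString(X509Utils.getDefaultCertificateDirectoryEnvironment()));
- store.loadLocations(null, path);
+ store.setDefaultPaths();
 }
 catch(Exception e) {
 raise("setting default path failed: " + e.getMessage());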
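Review bot: The int returned by `store.setDefaultPaths()` on the added line is discarded, so a Ruby caller gets no signal when the default lookups end up loading no trust anchors at all; judging from the Lookup hunk on this page, that case only records an X509 error (`X509_R_LOADING_DEFAULTS`) rather than throwing, though `setDefaultPaths` itself is not visible here. Consider `if (store.setDefaultPaths() == 0) { raise("setting default path failed: no default trust anchors loaded"); }` so a missing or unreadable trust store surfaces at setup time instead of as an opaque verification failure on the first connection. The surrounding `catch(Exception e)` keeps only `e.getMessage()`, which for a `FileNotFoundException` or `IOException` from the keystore load loses the exception class; `"... " + e` at least preserves it.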
38 src/org/jruby/ext/openssl/x509store/Lookup.java
@@ -46,12 +46,17 @@
import java.util.Iterator;
import java.util.List;
import org.jruby.Ruby;
+import org.jruby.RubyHash;
import org.jruby.util.io.ChannelDescriptor;
import org.jruby.util.io.ChannelStream;
import org.jruby.util.io.FileExistsException;
import org.jruby.util.io.InvalidValueException;
import org.jruby.util.io.ModeFlags;
+import java.security.KeyStore;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+
/**
* X509_LOOKUP
*
@@ -264,6 +269,31 @@ public int loadCertificateOrCRLFile(String file, int type) throws Exception {
return count;
}
+ public int loadDefaultJavaCACertsFile() throws Exception {
+ int count = 0;
+ String certsFile = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
+ FileInputStream fin = new FileInputStream(certsFile);
+ try {
+ KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
+ // we pass a null password, as the cacerts file isn't password protected
+ keystore.load(fin, null);
+ PKIXParameters params = new PKIXParameters(keystore);
+ for(TrustAnchor trustAnchor : params.getTrustAnchors()) {
+ X509Certificate certificate = trustAnchor.getTrustedCert();
+ store.addCertificate(certificate);
+ count++;
+ }
+ } finally {
+ if (fin != null) {
+ try {
+ fin.close();
+ } catch (Exception ignored) {
+ }
+ }
+ }
+ return count;
+ }
+
private InputStream wrapJRubyNormalizedInputStream(String file) throws IOException {
Ruby runtime = Ruby.getGlobalRuntime();
try {
@@ -398,13 +428,14 @@ public int call(Object _ctx, Object _cmd, Object _argp, Object _argl, Object _re
case X509Utils.X509_L_FILE_LOAD:
if (argl == X509Utils.X509_FILETYPE_DEFAULT) {
try {
- file = System.getenv(X509Utils.getDefaultCertificateFileEnvironment());
+ RubyHash env = (RubyHash)Ruby.getGlobalRuntime().getObject().fastGetConstant("ENV");
+ file = (String)env.get(Ruby.getGlobalRuntime().newString(X509Utils.getDefaultCertificateFileEnvironment()));
} catch (Error error) {
}
if (file != null) {
ok = ctx.loadCertificateOrCRLFile(file, X509Utils.X509_FILETYPE_PEM) != 0 ? 1 : 0;
} else {
- ok = (ctx.loadCertificateOrCRLFile(X509Utils.getDefaultCertificateFile(), X509Utils.X509_FILETYPE_PEM) != 0) ? 1 : 0;
+ ok = (ctx.loadDefaultJavaCACertsFile() != 0) ? 1: 0;
}
if (ok == 0) {
X509Error.addError(X509Utils.X509_R_LOADING_DEFAULTS);
@@ -475,7 +506,8 @@ public int call(Object _ctx, Object _cmd, Object _argp, Object _argl, Object _re
case X509Utils.X509_L_ADD_DIR:
if(argl == X509Utils.X509_FILETYPE_DEFAULT) {
try {
- dir = System.getenv(X509Utils.getDefaultCertificateDirectoryEnvironment());
+ RubyHash env = (RubyHash)Ruby.getGlobalRuntime().getObject().fastGetConstant("ENV");
+ dir = (String)env.get(Ruby.getGlobalRuntime().newString(X509Utils.getDefaultCertificateDirectoryEnvironment()));
} catch (Error error) {
}
if(null != dir) {
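Review bot: `loadDefaultJavaCACertsFile` hard-codes `java.home/lib/security/cacerts`, so a deployment that points the JVM at its own trust store with `-Djavax.net.ssl.trustStore=` and `-Djavax.net.ssl.trustStorePassword=` (or ships a `jssecacerts` beside `cacerts`, which the JDK's default trust manager prefers) ends up with JRuby's OpenSSL emulation trusting a different anchor set than the rest of the JVM. The comment above `keystore.load(fin, null)` is also misleading: the stock cacerts file does carry a password (`changeit`), and passing null does not mean "not password protected" — it makes the JKS loader skip its integrity (MAC) check, so a tampered or truncated trust store is accepted silently; the JDK does the same only when no password is configured, so the property should at least be honored when it is set. A resolution of the store path and password that mirrors the JDK lookup order is sketched below; the anchor-import loop and the `finally` block are unchanged. Separately, the `ENV` reads in the two later hunks go through `Ruby.getGlobalRuntime()` rather than the runtime that owns this store, which may pick up the wrong environment when several runtimes are embedded — worth confirming against how `Lookup` instances are created.
```java
public int loadDefaultJavaCACertsFile() throws Exception {
    int count = 0;
    // Mirror the JDK default trust manager: explicit trust-store property first,
    // then jssecacerts, then cacerts under java.home/lib/security.
    String certsFile = System.getProperty("javax.net.ssl.trustStore");
    if (certsFile == null) {
        File securityDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jssecacerts = new File(securityDir, "jssecacerts");
        certsFile = (jssecacerts.exists() ? jssecacerts : new File(securityDir, "cacerts")).getPath();
    }
    String storePassword = System.getProperty("javax.net.ssl.trustStorePassword");
    FileInputStream fin = new FileInputStream(certsFile);
    try {
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        // A null password skips the keystore integrity (MAC) check; only fall back to
        // it when no password was configured, as the JDK's own trust manager does.
        keystore.load(fin, storePassword == null ? null : storePassword.toCharArray());
        // … unchanged: PKIXParameters / trust-anchor import loop …
    } finally {
        // … unchanged: close fin …
    }
    return count;
}
```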
4 src/org/jruby/ext/openssl/x509store/Store.java
@@ -325,9 +325,7 @@ public int loadLocations(String file, String path) throws Exception {
/**
* c: X509_STORE_set_default_paths
- * not used for now: invoking this method causes refering System.getenv("SSL_CERT_DIR") etc.
- * We need to get the dir via evaluating "ENV['SSL_CERT_DIR']" instead of it.
- */
+ */
public int setDefaultPaths() throws Exception {
Lookup lookup;