

handle SecurityException from File().exists() on paths initialization
kares authored and mkristian committed Sep 15, 2015
1 parent 91619ec commit 1c02ff6
Showing 1 changed file with 38 additions and 24 deletions.
62 changes: 38 additions & 24 deletions src/main/java/org/jruby/ext/openssl/x509store/X509Utils.java
@@ -294,45 +294,59 @@ else if ( keyUsage != null && ! keyUsage[5] ) { // KU_KEY_CERT_SIGN

static {
// roughly following the ideas from https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
// and falling back to trust store from java to be on the save side
// and falling back to trust store from java to be on the save side

// TODO usability in limited environments should be tested/reviewed
final String JAVA_HOME = SafePropertyAccessor.getProperty("java.home", "");

// if the default files/dirs exist we use them. with this a switch
// from MRI to JRuby produces the same results. otherwise we use the
// certs from JAVA_HOME.
final String MAYBE_CERT_FILE;
final String LINUX_CERT_AREA = "/etc/ssl";
final String MACOS_CERT_AREA = "/System/Library/OpenSSL";
final String MAYBE_PKI_CERT_FILE = "/etc/pki/tls/certs/ca-bundle.crt";
if (new File(LINUX_CERT_AREA).exists()) {
X509_CERT_AREA = LINUX_CERT_AREA;
X509_CERT_DIR = X509_CERT_AREA + "/certs";
X509_PRIVATE_DIR = X509_CERT_AREA + "/private";
MAYBE_CERT_FILE = X509_CERT_DIR + "/cert.pem";
}
else if (new File(MACOS_CERT_AREA).exists()) {
X509_CERT_AREA = MACOS_CERT_AREA;
X509_CERT_DIR = X509_CERT_AREA + "/certs";
X509_PRIVATE_DIR = X509_CERT_AREA + "/private";
MAYBE_CERT_FILE = X509_CERT_AREA + "/cert.pem";

String certArea, certDir, privateDir;
String maybeCertFile;
String maybePkiCertFile = "/etc/pki/tls/certs/ca-bundle.crt";
try {
if (new File(LINUX_CERT_AREA).exists()) {
certArea = LINUX_CERT_AREA;
certDir = certArea + "/certs";
privateDir = certArea + "/private";
maybeCertFile = certDir + "/cert.pem";
}
else if (new File(MACOS_CERT_AREA).exists()) {
certArea = MACOS_CERT_AREA;
certDir = certArea + "/certs";
privateDir = certArea + "/private";
maybeCertFile = certArea + "/cert.pem";
}
else {
certArea = JAVA_HOME + "/lib/security";
certDir = certArea;
privateDir = certArea;
maybeCertFile = maybePkiCertFile;
}
}
else {
X509_CERT_AREA = JAVA_HOME + "/lib/security";
X509_CERT_DIR = X509_CERT_AREA;
X509_PRIVATE_DIR = X509_CERT_AREA;
MAYBE_CERT_FILE = MAYBE_PKI_CERT_FILE;
catch (SecurityException e) {
maybeCertFile = null; maybePkiCertFile = null;
privateDir = certDir = certArea = JAVA_HOME + "/lib/security";
}
if (new File(MAYBE_PKI_CERT_FILE).exists()) {
X509_CERT_FILE = MAYBE_PKI_CERT_FILE;

X509_CERT_AREA = certArea;
X509_CERT_DIR = certDir;
X509_PRIVATE_DIR = privateDir;

if (maybePkiCertFile != null && new File(maybePkiCertFile).exists()) {
X509_CERT_FILE = maybePkiCertFile;
}
else if (new File(MAYBE_CERT_FILE).exists()) {
X509_CERT_FILE = MAYBE_CERT_FILE;
else if (maybeCertFile != null && new File(maybeCertFile).exists()) {
X509_CERT_FILE = maybeCertFile;
}
else {
X509_CERT_FILE = JAVA_HOME + "/lib/security/cacerts";
}

// keep it with some meaninful content as it is a public constant
OPENSSLDIR = X509_CERT_AREA;
}
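Review bot: The SecurityException guard only covers the three exists() probes inside the try; the two probes after it, `if (maybePkiCertFile != null && new File(maybePkiCertFile).exists())` and `else if (maybeCertFile != null && new File(maybeCertFile).exists())`, are unguarded, so a security manager that permits the /etc/ssl check but denies /etc/pki or the cert.pem path still throws during static initialization and the class fails to load with an ExceptionInInitializerError. The null sentinels only help when the very first probe already failed, which is the one case the catch block handles. A small helper that answers false for a null path or a denied probe keeps every check on one code path, lets the JAVA_HOME cacerts fallback apply uniformly, and would let the try/catch and the null assignments inside the static block be dropped as well. Since the catch currently leaves no trace of why the system trust store was skipped, a short comment on the helper explaining that a denied probe is treated as "absent" is worth adding so the fallback is not mistaken for a missing file.
```java
        if (exists(maybePkiCertFile)) {
            X509_CERT_FILE = maybePkiCertFile;
        }
        else if (exists(maybeCertFile)) {
            X509_CERT_FILE = maybeCertFile;
        }
        // … unchanged: JAVA_HOME cacerts fallback and OPENSSLDIR assignment …
    }

    // a probe the security manager denies is treated like a missing file so class
    // initialization never fails on it; null paths (already-failed lookups) are absent too
    private static boolean exists(final String path) {
        try {
            return path != null && new File(path).exists();
        }
        catch (SecurityException e) {
            return false;
        }
    }
```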
