Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix ClassCastException in X509Store.verify #114

Closed
wants to merge 1 commit into from
Closed

Fix ClassCastException in X509Store.verify #114

wants to merge 1 commit into from

Conversation

cprice404
Copy link
Contributor

This commit changes the logic of the X509StoreContext.initialize
method, to address some test failures that were showing up in
test_x509store.rb. The failures would occur during calls to
the verify method of X509Store.

It seems that the failures were introduced by the addition of the
X509Cert.toJava method in ecc1a05 .
The toJava method seems to be implicitly called when iterating over
a RubyArray in Java code, and the implementation of that method
now returns a BC object rather than the expected JRuby X509Cert
object.

This commit changes the iteration to use the .eltOk method to access
the underlying objects w/o the implicit call to toJava.

Fix ClassCastException in X509Store.verify
08c8b0b 
This commit changes the logic of the `X509StoreContext.initialize`
method, to address some test failures that were showing up in
`test_x509store.rb`.  The failures would occur during calls to
the `verify` method of `X509Store`.

It seems that the failures were introduced by the addition of the
`X509Cert.toJava` method in ecc1a05 .
The `toJava` method seems to be implicitly called when iterating over
a RubyArray in Java code, and the implementation of that method
now returns a BC object rather than the expected JRuby `X509Cert`
object.

This commit changes the iteration to use the `.eltOk` method to access
the underlying objects w/o the implicit call to `toJava`.
@cprice404
Copy link
Contributor Author

This is an attempt to address the issues described in #113 .

@kares I'm not sure if this is the right approach, and I don't fully understand how .eltOk works, but I was discussing the bug with @enebo in IRC and he suggested that I might need to call that method in order to avoid the implicit call to .toJava.

With this change, I can run the entire MRI test_x509store.rb suite locally and all tests pass.

I think that, if this change is accepted, it would also be a good idea to fix the CI for jruby-openssl and the master/9k branches of jruby to make sure that they are running the MRI openssl tests - I assume that they are expected to pass, since they are still run as part of the CI for JRuby 1.7.x.

@cprice404
Copy link
Contributor Author

If this doesn't seem like the best approach, and if someone who is more familiar than I am with this code isn't going to have time to look into this soon, I might be able to find a little more time to work on it next week if someone can give me some hints on a better implementation approach. Given that the X509Cert.toJava method may be implicitly called during seemingly benign operations like list iteration, it seems like it might be better to avoid having it return a BC object type by default, but I don't have a very good grasp of what other considerations led to that implementation of .toJava to begin with so I was afraid of breaking something else if I tried to make changes there.

@kares
Copy link
Member

kares commented Nov 24, 2016

This is excellent Chris, thank you! I mostly introduced the toJava for easier debugging (e.g. while testing).
Your PR is just fine -> where in a Ruby method unlikely to get any other Java collection type thus casting to a RubyArray and making sure we extract the raw ruby values seems like the very best approach here.

I haven't looked at the MRI test that identified this bug (somehow assumed its not that crucial since 9K passed fine) - would you consider copy-ing the test to our end to make sure we have a regression test?

@cprice404
Copy link
Contributor Author

The test that failed is, I believe, directly copied from the MRI test suite, and it already exists in both the jruby-openssl source and the jruby source (both 1.7 and master branches):

https://github.com/jruby/jruby-openssl/blob/master/src/test/ossl/1.9/test_x509store.rb#L36
https://github.com/jruby/jruby/blob/jruby-1_7/test/externals/ruby1.9/openssl/test_x509store.rb
https://github.com/jruby/jruby/blob/master/test/mri/openssl/test_x509store.rb

But for whatever reason, this test is being run in CI for JRuby 1.7, and is not being run in CI for jruby-openssl or JRuby 9k. I've run it in 9k and it fails.

You can run it in the jruby-openssl source tree via the following command, but I don't know how to add that to the CI configuration:

jruby -Ilib:. src/test/ossl/1.9/test_x509store.rb

@kares
Copy link
Member

kares commented Nov 29, 2016

unfortunately the src/test/ossl is not run - never finished the setup (needs working excludes) and we do rely on running the full JRuby suite before the final release push.

anyways, I can handle things from here just fine. thanks for the effort!

@kares
Copy link
Member

kares commented Nov 29, 2016

on master as b5bec3e

@kares kares closed this Nov 29, 2016
@kares kares mentioned this pull request Dec 2, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@cprice404 @kares