
Replace incoming certs with newer versions from trust store.
headius committed Nov 2, 2017
1 parent ec7b8e7 commit affc285
Showing 1 changed file with 20 additions and 0 deletions.
20 changes: 20 additions & 0 deletions src/main/java/org/jruby/ext/openssl/x509store/StoreContext.java
@@ -28,6 +28,7 @@
package org.jruby.ext.openssl.x509store;

import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
@@ -38,13 +39,16 @@
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.ListIterator;
import java.util.Set;

import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Sequence;
import org.jruby.ext.openssl.SecurityHelper;

import javax.security.auth.x500.X500Principal;

/**
* c: X509_STORE_CTX
*
@@ -661,6 +665,22 @@ public int verifyCertificate() throws Exception {
List<X509AuxCertificate> sktmp = null;
if ( untrusted != null ) {
sktmp = new ArrayList<X509AuxCertificate>(untrusted);

// replace certs in untrusted with trusted versions if found
X509Object[] objTmp = {null};
for (ListIterator<X509AuxCertificate> iter = sktmp.listIterator(); iter.hasNext();) {
X509AuxCertificate skCert = iter.next();
X500Principal principal = skCert.cert.getSubjectX500Principal();
int ok = getBySubject(X509Utils.X509_LU_X509, new Name(principal), objTmp);
if (ok == X509Utils.X509_LU_X509) {
// replace old with new and clear rest of untrusted
iter.set(((Certificate) objTmp[0]).x509);
while (iter.hasNext()) {
iter.next();
iter.remove();
}
}
}
}
num = chain.size();
x = chain.get(num - 1);
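Review bot: The inner `while (iter.hasNext()) { iter.next(); iter.remove(); }` loop assumes `sktmp` is ordered leaf-to-root, but the untrusted list in this verification model is an unordered pool of candidate certificates, so when a caller supplies it in a different order this drops intermediates a later chain-building step may still need; if the intent is only to prefer the store's copy, `iter.set(...)` alone achieves that and the truncation can be removed. A second point on the match at `getBySubject(...)`: it keys on the subject name only, so a store entry with the same DN but a different key would replace a cert whose signature then fails to verify further down; comparing the public keys before the `iter.set` (roughly `if (ok == X509Utils.X509_LU_X509 && storeCert.cert.getPublicKey().equals(skCert.cert.getPublicKey()))`, with `storeCert` the cast `((Certificate) objTmp[0]).x509`) keeps the replacement limited to reissued versions of the same key, which is what the commit title describes. The cast to `Certificate` is presumably safe because the lookup type is `X509_LU_X509`, but a one-line comment stating that would help the next reader. `verifyCertificate` begins and ends outside this hunk, so the effect on the following `chain` handling is inferred rather than visible.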
