
  • 5 commits
  • 9 files changed
  • 1 contributor

Commits on Jan 19, 2017

    46f5f10 View commit details
    b802212 View commit details

Commits on Jan 23, 2017

  1. invent a JCE crypto security hack to disable restrictions

    ... NOT meant for production use!
    kares committed Jan 23, 2017
    2816b73 View commit details
    7e872b7 View commit details
  3. be less fatal on Java 9 -> will still require a lot of refactoring

    ... won't attempt reflective SPIs when accessibility checks fail!
    kares committed Jan 23, 2017
    b1bac76 View commit details
17 changes: 0 additions & 17 deletions src/main/java/org/jruby/ext/openssl/Attribute.java

This file was deleted.

31 changes: 25 additions & 6 deletions src/main/java/org/jruby/ext/openssl/OpenSSL.java
@@ -36,6 +36,7 @@
import org.jruby.anno.JRubyMethod;
import org.jruby.anno.JRubyModule;
import org.jruby.runtime.ThreadContext;
import org.jruby.runtime.Visibility;
import org.jruby.runtime.builtin.IRubyObject;
import org.jruby.util.ByteList;
import org.jruby.util.SafePropertyAccessor;
@@ -188,22 +189,35 @@ public static IRubyObject set_fips_mode(ThreadContext context, IRubyObject self,

// internal (package-level) helpers :

/**
* PRIMARILY MEANT FOR TESTING ONLY, USAGE IS DISCOURAGED!
* @see org.jruby.ext.openssl.util.CryptoSecurity
*/
@JRubyMethod(name = "_disable_security_restrictions!", visibility = Visibility.PRIVATE, meta = true)
public static IRubyObject _disable_security_restrictions(ThreadContext context, IRubyObject self) {
Boolean unrestrict = org.jruby.ext.openssl.util.CryptoSecurity.unrestrictSecurity();
Boolean allPerm = org.jruby.ext.openssl.util.CryptoSecurity.setAllPermissionPolicy();
if ( unrestrict == null || allPerm == null ) return context.nil;
return context.runtime.newBoolean( unrestrict && allPerm );
}


private static boolean debug;

// on by default, warnings can be disabled using -Djruby.openssl.warn=false
private static boolean warn = true;

static boolean isDebug() { return debug; }

static void debugStackTrace(final Throwable e) {
public static void debugStackTrace(final Throwable e) {
if ( isDebug() ) e.printStackTrace(System.out);
}

static void debug(final String msg) {
public static void debug(final String msg) {
if ( isDebug() ) System.out.println(msg);
}

static void debug(final String msg, final Throwable e) {
public static void debug(final String msg, final Throwable e) {
if ( isDebug() ) System.out.println(msg + ' ' + e);
}

@@ -237,7 +251,7 @@ static void warn(final ThreadContext context, final IRubyObject msg) {
if ( warn ) context.runtime.getModule("OpenSSL").callMethod(context, "warn", msg);
}

private static String javaVersion(final String def) {
public static String javaVersion(final String def) {
final String javaVersionProperty =
SafePropertyAccessor.getProperty("java.version", def);
if ( javaVersionProperty == "0" ) return "1.7.0"; // Android
@@ -254,6 +268,11 @@ static boolean javaVersion8(final boolean atLeast) {
return atLeast ? gt <= 0 : gt == 0;
}

static boolean javaVersion9(final boolean atLeast) {
final int gt = "9".compareTo( javaVersion("0").substring(0, 1) );
return atLeast ? gt <= 0 : gt == 0;
}

private static String javaName(final String def) {
// Sun Java 6 or Oracle Java 7/8
// "Java HotSpot(TM) Server VM" or "Java HotSpot(TM) 64-Bit Server VM"
@@ -262,11 +281,11 @@ private static String javaName(final String def) {
return SafePropertyAccessor.getProperty("java.vm.name", def);
}

static boolean javaHotSpot() {
public static boolean javaHotSpot() {
return javaName("").contains("HotSpot(TM)");
}

static boolean javaOpenJDK() {
public static boolean javaOpenJDK() {
return javaName("").contains("OpenJDK");
}

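Review bot: `javaVersion9` in the `-254,6 +268,11` hunk classifies the JDK by comparing only the first character of `java.version` with `"9"`, so any two-digit major ("10.0.2", "11") makes `"9".compareTo("1")` positive and `javaVersion9(true)` returns false; since the new static initializer in SecurityHelper gates its Java 9 SPI-accessibility probe on exactly this call, the probe would be skipped on later JDKs and the `InaccessibleObjectException` this change tries to survive would resurface. Parse the leading run of digits as the major number instead, as below; the default `"0"` and the pre-9 `"1.x.y"` strings still yield false, `"9"`/`"9.0.1"` still yield true. The same first-character comparison probably exists in `javaVersion8`, whose body is outside this hunk, and is worth re-checking for the same reason. Separately, `_disable_security_restrictions!` relaxes JCE restrictions and the security policy process-wide while only its Javadoc records the caveat; emitting a one-time message through the existing `warn(context, ...)` helper when it is invoked would make such use visible in the runtime's output rather than only in source.
```java
static boolean javaVersion9(final boolean atLeast) {
    // java.version is "1.x.y" up to Java 8 and "9", "9.0.1", "10.0.2", "11-ea" ... from Java 9 on,
    // so the major number must be parsed as a whole rather than read from the first character
    final String version = javaVersion("0");
    int end = 0;
    while ( end < version.length() && Character.isDigit(version.charAt(end)) ) end++;
    final int major = end == 0 ? 0 : Integer.parseInt(version.substring(0, end));
    return atLeast ? major >= 9 : major == 9;
}
```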
17 changes: 0 additions & 17 deletions src/main/java/org/jruby/ext/openssl/Request.java

This file was deleted.

57 changes: 44 additions & 13 deletions src/main/java/org/jruby/ext/openssl/SecurityHelper.java
@@ -139,7 +139,38 @@ public static Provider getSecurityProvider() {
return securityProvider;
}

static final boolean SPI_ACCESSIBLE;

static {
boolean canSetAccessible = true;
if ( OpenSSL.javaVersion9(true) ) {
final Provider provider = getSecurityProvider();
if ( provider != null ) {
try {
// NOTE: some getXxx pieces might still work
// where SPI are returned directly + there's a public <init> e.g. MessageDigest(...)
getCertificateFactory("X.509", provider); // !!! disables EVERYTHING :(
}
catch (CertificateException ex) {
debugStackTrace(ex);
canSetAccessible = false;
}
catch (RuntimeException ex) {
debugStackTrace(ex);
// java.lang.reflect.InaccessibleObjectException (extends RuntimeException)
canSetAccessible = false;
}
}
}
SPI_ACCESSIBLE = canSetAccessible;
}

static Provider getSecurityProviderIfAccessible() {
return SPI_ACCESSIBLE ? getSecurityProvider() : null;
}

public static synchronized void setSecurityProvider(final Provider provider) {
if ( provider != null ) OpenSSL.debug("using provider: " + provider);
securityProvider = provider;
}

@@ -165,7 +196,7 @@ static boolean isProviderAvailable(final String name) {
return Security.getProvider(name) != null;
}

static boolean isProviderRegistered() {
public static boolean isProviderRegistered() {
if ( securityProvider == null ) return false;
return Security.getProvider(securityProvider.getName()) != null;
}
@@ -190,7 +221,7 @@ private static void doRegisterProvider() {
public static CertificateFactory getCertificateFactory(final String type)
throws CertificateException {
try {
final Provider provider = getSecurityProvider();
final Provider provider = getSecurityProviderIfAccessible();
if ( provider != null ) return getCertificateFactory(type, provider);
}
catch (CertificateException e) { debugStackTrace(e); }
@@ -227,7 +258,7 @@ static CertificateFactory getCertificateFactory(final String type, final Provide
public static KeyFactory getKeyFactory(final String algorithm)
throws NoSuchAlgorithmException {
try {
final Provider provider = getSecurityProvider();
final Provider provider = getSecurityProviderIfAccessible();
if ( provider != null ) return getKeyFactory(algorithm, provider);
}
catch (NoSuchAlgorithmException e) { }
@@ -250,7 +281,7 @@ static KeyFactory getKeyFactory(final String algorithm, final Provider provider)
public static KeyPairGenerator getKeyPairGenerator(final String algorithm)
throws NoSuchAlgorithmException {
try {
final Provider provider = getSecurityProvider();
final Provider provider = getSecurityProviderIfAccessible();
if ( provider != null ) return getKeyPairGenerator(algorithm, provider);
}
catch (NoSuchAlgorithmException e) { }
@@ -290,7 +321,7 @@ static KeyPairGenerator getKeyPairGenerator(final String algorithm, final Provid
public static KeyStore getKeyStore(final String type)
throws KeyStoreException {
try {
final Provider provider = getSecurityProvider();
final Provider provider = getSecurityProviderIfAccessible();
if ( provider != null ) return getKeyStore(type, provider);
}
catch (KeyStoreException e) { }
@@ -307,7 +338,7 @@ static KeyStore getKeyStore(final String type, final Provider provider)
*/
public static MessageDigest getMessageDigest(final String algorithm) throws NoSuchAlgorithmException {
try {
final Provider provider = getSecurityProvider();
final Provider provider = getSecurityProviderIfAccessible();
if ( provider != null ) return getMessageDigest(algorithm, provider);
}
catch (NoSuchAlgorithmException e) { }
@@ -341,7 +372,7 @@ static MessageDigest getMessageDigest(final String algorithm, final Provider pro

public static SecureRandom getSecureRandom() {
try {
final Provider provider = getSecurityProvider();
final Provider provider = getSecurityProviderIfAccessible();
if ( provider != null ) {
final String algorithm = getSecureRandomAlgorithm(provider);
if ( algorithm != null ) {
@@ -473,7 +504,7 @@ private static Cipher getCipherInternal(String transformation, final Provider pr
*/
public static Signature getSignature(final String algorithm) throws NoSuchAlgorithmException {
try {
final Provider provider = getSecurityProvider();
final Provider provider = getSecurityProviderIfAccessible();
if ( provider != null ) return getSignature(algorithm, provider);
}
catch (NoSuchAlgorithmException e) { }
@@ -509,7 +540,7 @@ static Signature getSignature(final String algorithm, final Provider provider)
*/
public static Mac getMac(final String algorithm) throws NoSuchAlgorithmException {
Mac mac = null;
final Provider provider = getSecurityProvider();
final Provider provider = getSecurityProviderIfAccessible();
if ( provider != null ) {
mac = getMac(algorithm, provider, true);
}
@@ -540,7 +571,7 @@ private static Mac getMac(final String algorithm, final Provider provider, boole
*/
public static KeyGenerator getKeyGenerator(final String algorithm) throws NoSuchAlgorithmException {
try {
final Provider provider = getSecurityProvider();
final Provider provider = getSecurityProviderIfAccessible();
if ( provider != null ) return getKeyGenerator(algorithm, provider);
}
catch (NoSuchAlgorithmException e) { }
@@ -564,7 +595,7 @@ static KeyGenerator getKeyGenerator(final String algorithm, final Provider provi
*/
public static KeyAgreement getKeyAgreement(final String algorithm) throws NoSuchAlgorithmException {
try {
final Provider provider = getSecurityProvider();
final Provider provider = getSecurityProviderIfAccessible();
if ( provider != null ) return getKeyAgreement(algorithm, provider);
}
catch (NoSuchAlgorithmException e) { }
@@ -588,7 +619,7 @@ static KeyAgreement getKeyAgreement(final String algorithm, final Provider provi
*/
public static SecretKeyFactory getSecretKeyFactory(final String algorithm) throws NoSuchAlgorithmException {
try {
final Provider provider = getSecurityProvider();
final Provider provider = getSecurityProviderIfAccessible();
if ( provider != null ) return getSecretKeyFactory(algorithm, provider);
}
catch (NoSuchAlgorithmException e) { }
@@ -613,7 +644,7 @@ public static SSLContext getSSLContext(final String protocol)
throws NoSuchAlgorithmException {
try {
if ( providerSSLContext ) {
final Provider provider = getSecurityProvider();
final Provider provider = getSecurityProviderIfAccessible();
if ( provider != null ) {
return getSSLContext(protocol, provider);
}
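Review bot: `SPI_ACCESSIBLE` is computed once, in the static initializer of the `-139,7 +139,38` hunk, against whatever `getSecurityProvider()` returns at class-initialization time, but `setSecurityProvider` a few lines below can replace the provider afterwards without the probe being re-run; if no provider is set yet when the class initializes, the flag stays true and a provider installed later on Java 9 is handed to every `getXxx(...)` lookup unprobed, which defeats the `getSecurityProviderIfAccessible()` fallbacks introduced throughout this file. Consider making the flag a non-final field that `setSecurityProvider` re-evaluates for the new provider, or computing it lazily in `getSecurityProviderIfAccessible` keyed on the current provider, and documenting on the field that it describes the provider that was probed, not the provider in general. The probe's `catch (RuntimeException ex)` also turns any runtime failure, not just the `InaccessibleObjectException` named in the comment, into a silent (debug-only) downgrade of every JCE lookup to the platform default providers; since the exception type is Java 9-only it cannot be named at compile time, but rethrowing unless `"java.lang.reflect.InaccessibleObjectException".equals(ex.getClass().getName())` would keep unrelated provider errors loud, and a non-debug message when the provider is disabled would tell operators who configured it deliberately that it is no longer in use.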
59 changes: 0 additions & 59 deletions src/main/java/org/jruby/ext/openssl/X509Extensions.java

This file was deleted.

51 changes: 0 additions & 51 deletions src/main/java/org/jruby/ext/openssl/X509StoreCtx.java

This file was deleted.
