ClassCastException error in X509Store.verify #113
Comments
Asking about this in IRC, and was told that the MRI tests for JRuby9k are run in CI via |
I did a bisect and it appears to me that the UPDATE - the test failure that started showing up in v0.9.14 appears to be an |
@cprice404 Thank you for digging. About the next version (after 1.54): BouncyCastle 1.55 release notes had this perhaps-interesting line:
|
w/rt the BC version:
|
Here is a minimal reproducer test that I've been using in case anyone else looks into this:

```ruby
def test_foo
  now = Time.at(Time.now.to_i)
  ca_exts = [
    ["basicConstraints","CA:TRUE",true],
    ["keyUsage","cRLSign,keyCertSign",true],
  ]
  ee_exts = [
    ["keyUsage","keyEncipherment,digitalSignature",true],
  ]
  ca1_cert = issue_cert(@ca1, @rsa2048, 1, now, now+3600, ca_exts,
                        nil, nil, OpenSSL::Digest::SHA1.new)
  ca2_cert = issue_cert(@ca2, @rsa1024, 2, now, now+1800, ca_exts,
                        ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
  ee1_cert = issue_cert(@ee1, @dsa256, 10, now, now+1800, ee_exts,
                        ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
  puts "EE1CERT: #{ee1_cert.class}"
  puts "CA2CERT: #{ca2_cert.class}"
  # puts "EE1CERT.to_java: #{ee1_cert.to_java.class}"
  # puts "CA2CERT.to_java: #{ca2_cert.to_java.class}"
  # puts "[EE1CERT].to_java: #{[ee1_cert].to_java(java.util.List)[0].to_java.class}"
  # puts "[CA2CERT].to_java: #{[ca2_cert].to_java(java.util.List)[0].to_java.class}"
  store = OpenSSL::X509::Store.new
  store.verify(ee1_cert, [ca2_cert])
  # store.verify(ee1_cert, [ee1_cert])
end
```
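A stand-alone version of the chain check above, as an added example that is not part of the original thread or of jruby-openssl's test suite: it builds the CA1 → CA2 → EE1 chain without the suite's `issue_cert` helper and returns what `Store#verify` gives for the call form used in the reproducer, with and without a trusted root. The names `make_cert`, `build_chain` and `verify_results` are hypothetical, and it assumes RSA-2048 keys and SHA-256 in place of the reproducer's keys and SHA1.

```ruby
require "openssl"

# Hypothetical helper (not the test suite's issue_cert): build and sign one certificate.
def make_cert(cn, key, serial, exts, issuer_cert = nil, issuer_key = nil)
  now  = Time.now
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3, required for extensions
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = now - 60
  cert.not_after  = now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  exts.each { |oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) }
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed sample chain: CA1 (root) -> CA2 (intermediate) -> EE1 (leaf).
def build_chain
  ca_exts = [["basicConstraints", "CA:TRUE", true], ["keyUsage", "cRLSign,keyCertSign", true]]
  ee_exts = [["keyUsage", "keyEncipherment,digitalSignature", true]]
  k1, k2, k3 = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca1 = make_cert("CA1", k1, 1, ca_exts)
  ca2 = make_cert("CA2", k2, 2, ca_exts, ca1, k1)
  ee1 = make_cert("EE1", k3, 10, ee_exts, ca2, k2)
  [ca1, ca2, ee1]
end

# Run Store#verify in three configurations and collect the boolean results.
def verify_results
  ca1, ca2, ee1 = build_chain
  empty   = OpenSSL::X509::Store.new # no trust anchors, as in the reproducer
  trusted = OpenSSL::X509::Store.new
  trusted.add_cert(ca1)              # root is the only trust anchor
  {
    empty_store_with_chain:  empty.verify(ee1, [ca2]),   # chain cannot reach a trusted root
    root_trusted_with_chain: trusted.verify(ee1, [ca2]), # CA2 supplied as untrusted intermediate
    root_trusted_no_chain:   trusted.verify(ee1),        # intermediate missing
  }
end

puts verify_results.inspect if __FILE__ == $PROGRAM_NAME
```

Running the same file under MRI and under the JRuby build being tested gives a direct comparison: an exception in place of the three booleans points at the binding rather than at the certificates.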
A few more interesting things that I've learned:
[ca2_cert].to_java(java.util.List)
I still don't understand exactly what's going on here but it seems like the implicit calls to |
fixed with #114 ... (in >= 0.9.19) |
I've been debugging an issue that surfaced when I filed a PR to upgrade JRuby 1.7 to jruby-openssl 0.9.18.
The issue is that when the jruby external tests for x509store are run, there is a stack trace that looks like this:
After some investigation I discovered that there is a test that looks very similar included directly in the `jruby-openssl` repo: https://github.com/jruby/jruby-openssl/blob/master/src/test/ossl/1.9/test_x509store.rb#L36

If I check out the 0.9.18 tag of `jruby-openssl`, and run this test locally by setting up JRuby 1.7.26 as my local jruby and running:

I get the same error. Examining the `travis.yml` file, and doing some local experimenting with the various rake tasks for running tests, it appears that this test is never being run by CI.

I can debug the failure itself and with any luck maybe file a PR to fix it, but I don't know how to go about modifying the code so that the test would be run in CI. It seems like, if these tests are useful, they should be run in CI?

I'm also trying to figure out why this hasn't shown up in JRuby9k, which appears to have already been upgraded to `jruby-openssl` 0.9.18. If I clone a fresh copy of the jruby repo and run from the HEAD of the master branch:

I'm able to reproduce basically the same error:

It seems unlikely that these tests wouldn't be getting run in CI for JRuby9k, so maybe I'm messing something up in my local environment?