fast-rsa-engine 0.1.0-java → 0.2.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 34ef8fe8898dc14764728ee5dd7fa4d53de8ad95
-  data.tar.gz: 6dc8fedd5cbe6811bc3ada4d4e41998d9c2f319b
+  metadata.gz: 96d190a299f9af91de79effb8cdc6c4c13b5de79
+  data.tar.gz: 2c0e0d1b2c13cba7d3f23a8281562f65863ceb24
 SHA512:
-  metadata.gz: 05d9be8088242e5514597463c0626e20ac2d6403f8467ca735b0a1df6115002a82670bfb0fe9ea2d24be97d01cb4716501e8b9f68130bfcea22f4bead783632a
-  data.tar.gz: a9953017c70958609774b7e4c6469f6fedde6a03695dc959ace5bdb6096a56f95cae944486e46dfb464d80627ecb4fa810e0b5fef5cfdf8a13e243cf395958a6
+  metadata.gz: 374093b969953632eef27bafaf22d4386979993b5d3577c2380d304924ce68a5325929fda792b76177b0c9a1dc0ac680520a2b5afb8fb8eb37865b5474fe14b1
+  data.tar.gz: 006515dd78e4186937745a885073f5197ab060caf43645e275ce0f08b0632b97a205e492cb5090a84ef7d97489358db26e3fe81d2fae98175b501a527433bd8f

data/.travis.yml

@@ -1,4 +1,18 @@
 language: ruby
+install: gem install bundler -v '~>1.10'; bundle install
+gemfile:
+  - Gemfile
+  - Gemfile096
+  - Gemfile098
 rvm:
-- jruby
-- jruby-9.0.0.0
+  - jruby-1.7.19
+  - jruby-1.7.21
+  - jruby-9.0.0.0
+jdk:
+  - openjdk7
+  - oraclejdk8
+matrix:
+  include:
+    - rvm: 1.9.3
+      gemfile: Gemfile
+      jdk: openjdk7

data/Gemfile096

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+
+gemspec
+
+gem 'jruby-openssl', '0.9.6'
+

data/Gemfile098

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+
+gemspec
+
+gem 'jruby-openssl', '0.9.8'

data/README.md

@@ -1,10 +1,12 @@
 # Fast RSA Engine for jruby-openssl gem
 
-this gem replaces the RSA signature and RSA ciphers from jruby-openssl by the must faster implementation of them. see [corner.squareup.com/2014/02/faster-rsa-jnagmp.html](https://corner.squareup.com/2014/02/faster-rsa-jnagmp.html)
+[![Build Status](https://travis-ci.org/lookout/fast-rsa-engine.svg?branch=master)](https://travis-ci.org/lookout/fast-rsa-engine)
+
+This gem replaces the RSA signature and RSA ciphers from jruby-openssl by the much faster implementation of them. See [corner.squareup.com/2014/02/faster-rsa-jnagmp.html](https://corner.squareup.com/2014/02/faster-rsa-jnagmp.html)
 
 but this works only for **darwin** and **linux-x84_64** platforms due to the library used from squareup.
 
-the improvement in performance brings JRuby verify and decrypy using RSA close to MRI.
+The improvement in performance brings JRuby verify and decrypy using RSA close to MRI.
 
 ## installation
 

data/Rakefile

@@ -1,22 +1,28 @@
 #-*- mode: ruby -*-
 
 require 'bundler/gem_tasks'
-require 'ruby-maven'
 
-desc "Pack fast-rsa-engine.jar with the compiled classes"
-task :jar do
-  RubyMaven.exec('prepare-package', '-Dmaven.test.skip')
+if RUBY_PLATFORM == 'java'
+  require 'ruby-maven'
+
+  desc "Pack fast-rsa-engine.jar with the compiled classes"
+  task :jar do
+    raise unless RubyMaven.exec('-f', 'fast-rsa-engine.gemspec', 'prepare-package', '-Dmaven.test.skip')
+  end
+else
+  task :jar do
+  end
 end
 
 require "rspec/core/rake_task"
 RSpec::Core::RakeTask.new
 
-task :default => [ :jar, :spec ]
-
 require 'rubygems/package_task'
 Gem::PackageTask.new( eval File.read( './fast-rsa-engine.gemspec' ) ) do
-  desc 'Pack leafy-metrics.gem'
+  desc 'Pack fast-rsa-engine.gem'
   task :package => [:jar]
 end
 
+task :default => [ :jar, :spec ]
+
 # vim: syntax=ruby

data/fast-rsa-engine.gemspec

@@ -2,28 +2,33 @@
 
 Gem::Specification.new do |s|
   s.name = 'fast-rsa-engine'
-  s.version = '0.1.0'
-  s.author = 'Christian Meieier'
-  s.email = [ 'christian.meier@lookout.com' ]
-  s.platform = 'java'
+  s.version = '0.2.0'
+  s.author = 'Christian Meier'
+  s.email = [ 'christian.meier@lookout.com', 'rtyler.croy@lookout.com' ]
 
   s.license = 'MIT'
-  s.summary = %q(replaces the RSA signature and RSA ciphers from jruby-openssl by the must faster implementation of them)
+  s.summary = %q(replaces the RSA signature and RSA ciphers from jruby-openssl by a faster implementation of them)
   s.homepage = 'https://github.com/lookout/fast-rsa-engine'
-  s.description = %q(this gem replaces the RSA signature and RSA ciphers from jruby-openssl by the must faster implementation of them. see https://corner.squareup.com/2014/02/faster-rsa-jnagmp.html)
+  s.description = %q(this gem replaces the RSA signature and RSA ciphers from jruby-openssl by a faster implementation of them. see https://corner.squareup.com/2014/02/faster-rsa-jnagmp.html)
 
   s.files = `git ls-files`.split($/)
 
-  BC_VERSION = '1.50'
-  # needed for runtime
-  s.requirements << "jar com.squareup.jnagmp:bouncycastle-rsa, 1.0.0"
-  # needed for compilation
-  s.requirements << "jar org.bouncycastle:bcpkix-jdk15on, #{BC_VERSION}, :scope => :provided"
-  s.requirements << "jar org.bouncycastle:bcprov-jdk15on, #{BC_VERSION}, :scope => :provided"
-  s.requirements << "pom org.jruby:jruby-core, 1.7.21, :scope => :provided"
+  if RUBY_PLATFORM == 'java'
+    unless defined?(BC_VERSION)
+      BC_VERSION = '1.50'
+    end
+    s.platform = 'java'
+    # needed for runtime
+    s.requirements << "jar com.squareup.jnagmp:bouncycastle-rsa, 1.0.0"
+    # needed for compilation
+    s.requirements << "jar org.bouncycastle:bcpkix-jdk15on, #{BC_VERSION}, :scope => :provided"
+    s.requirements << "jar org.bouncycastle:bcprov-jdk15on, #{BC_VERSION}, :scope => :provided"
+    s.requirements << "pom org.jruby:jruby-core, 1.7.21, :scope => :provided"
+
+    s.add_runtime_dependency 'jar-dependencies', '~> 0.1'
+    s.add_development_dependency 'ruby-maven', '~> 3.3'
+  end
 
-  s.add_runtime_dependency 'jar-dependencies', '~> 0.1'
-  s.add_development_dependency 'ruby-maven', '~> 3.3'
   s.add_development_dependency 'rspec', '~> 3.3'
   s.add_development_dependency 'rake', '~> 10.2'
 end

data/lib/fast-rsa-engine.rb

@@ -1,13 +1,32 @@
-require 'fast-rsa-engine_jars.rb'
-require 'fast-rsa-engine.jar'
-require 'openssl'
+if RUBY_PLATFORM == 'java'
+  require 'fast-rsa-engine_jars.rb'
+  begin
+    Java::OrgJrubyExtOpenssl::SecurityHelper
+    warn 'openssl loaded before fast-rsa-engine'
+  rescue NameError
+    require 'fast-rsa-engine.jar'
+  end
+  require 'openssl'
 
-# keep the default name space clean and use tap
-tap do
-  engines = Java::OrgJrubyExtOpenssl::SecurityHelper.java_class.declared_field 'implEngines'
-  engines.accessible = true
-  com.github.lookout.fastrsa.SecurityHelperMap.setup( engines.value( Java::OrgJrubyExtOpenssl::SecurityHelper ))
-  use_internal = Java::OrgJrubyExtOpenssl::SecurityHelper.java_class.declared_field 'tryCipherInternal'
-  use_internal.accessible = true
-  use_internal.set_value( Java::OrgJrubyExtOpenssl::SecurityHelper, true )
+  # lexical compare is sufficient here
+  if Jopenssl::Version::VERSION > '0.9.5'
+    # keep the default name space clean and use tap
+    tap do
+      sign_names = [ "MD2", "MD4", "MD5",
+                     "RIPEMD128", "RIPEMD160", "RIPEMD256",
+                     "SHA1", "SHA224", "SHA256", "SHA384", "SHA512" ]
+      sign_names.each do |name|
+        full = "#{name}WITHRSA"
+        clazz = JRuby.runtime.jruby_class_loader.load_class( "com.github.lookout.fastrsa.FastDigestSignatureSpi$#{name}" )
+        Java::OrgJrubyExtOpenssl::SecurityHelper.add_signature(full, clazz)
+      end
+
+      Java::OrgJrubyExtOpenssl::SecurityHelper.add_cipher('RSA',
+                                                          com.github.lookout.fastrsa.FastCipherSpi::NoPadding.java_class)
+    end
+  else
+    warn "jruby-openssl gem #{Jopenssl::Version::VERSION} is too old"
+  end
+else
+  warn "fast-rsa-engine does not affect MRI"
 end

data/lib/fast-rsa-engine_jars.rb

@@ -1,6 +1,6 @@
 # this is a generated file, to avoid over-writing it just delete this comment
 require 'jar_dependencies'
 
-require_jar( 'net.java.dev.jna', 'jna', '4.0.0' )
 require_jar( 'com.squareup.jnagmp', 'bouncycastle-rsa', '1.0.0' )
+require_jar( 'net.java.dev.jna', 'jna', '4.0.0' )
 require_jar( 'com.squareup.jnagmp', 'jnagmp', '1.0.0' )

data/spec/cipher_spec.rb

@@ -15,9 +15,10 @@ describe 'Cipher' do
     public_key.public_encrypt("THIS IS A TEST")
   }
 
-  let( :rounds ) { 10 }
+  let( :rounds ) { 100 }
 
   it 'is faster the regular cipher' do
+    skip( 'jruby too old' ) if too_old
     # clear the fast engines
     engines.clear
 
@@ -28,6 +29,8 @@ describe 'Cipher' do
     delta1 = Time.new.to_f - start
 
     # setup the fast engines
+    engines.clear
+    # this creates a warning
     load( "${this}/../lib/fast-rsa-engine.rb" )
 
     start = Time.new.to_f

data/spec/security_helper_spec.rb

@@ -3,9 +3,10 @@ require_relative 'setup'
 describe 'SecurityHelper' do
 
   it 'registers signatures with SecurityHelper' do
+    skip( 'jruby too old' ) if too_old
     # clear the fast engines
     engines.clear
-    # setup the fast engines
+    # setup the fast engines - this creates a warning
     load( "${this}/../lib/fast-rsa-engine.rb" )
 
     expect( engines.size ).to eq( 12 )

data/spec/setup.rb

@@ -1,8 +1,15 @@
 $: << File.expand_path( '../../lib', __FILE__ )
 require 'fast-rsa-engine'
 
+def too_old
+  if defined? Jopenssl::Version
+    Jopenssl::Version::VERSION < '0.9.6'
+  else
+    true # we are in MRI
+  end
+end
 def engines
   engines = Java::OrgJrubyExtOpenssl::SecurityHelper.java_class.declared_field 'implEngines'
   engines.accessible = true
   engines.value( Java::OrgJrubyExtOpenssl::SecurityHelper )
-end
+end unless too_old

data/spec/signature_spec.rb

@@ -11,6 +11,7 @@ describe 'Signature' do
   let( :rounds ) { 10 }
 
   it 'is faster the regular signature' do
+    skip( 'jruby too old' ) if too_old
     # clear the fast engines
     engines.clear
 
@@ -21,6 +22,8 @@ describe 'Signature' do
     delta1 = Time.new.to_f - start
 
     # setup the fast engines
+    engines.clear
+    # this creates a warning
     load( "${this}/../lib/fast-rsa-engine.rb" )
 
     start = Time.new.to_f

data/src/main/java/com/github/lookout/fastrsa/FastCipherSpi.java

@@ -64,7 +64,6 @@ public class FastCipherSpi extends CipherSpi {
     {
         try {
             String pad = Strings.toUpperCase(padding);
-
             if (pad.equals("NOPADDING"))
                 {
                     cipher(new NativeRSAEngine());

data/src/main/java/org/jruby/ext/openssl/SecurityHelper.java

@@ -0,0 +1,751 @@
+/*
+ * The MIT License
+ *
+ * Copyright 2014 Karol Bucek.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package org.jruby.ext.openssl;
+
+import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.KeyFactorySpi;
+import java.security.KeyPairGenerator;
+import java.security.KeyPairGeneratorSpi;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.MessageDigest;
+import java.security.MessageDigestSpi;
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.PublicKey;
+import java.security.SecureRandom;
+import java.security.SecureRandomSpi;
+import java.security.Security;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.SignatureSpi;
+import java.security.cert.CRLException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateFactorySpi;
+import java.security.cert.X509CRL;
+import java.security.interfaces.DSAParams;
+import java.security.interfaces.DSAPublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.Locale;
+import java.util.Map;
+import java.util.StringTokenizer;
+import java.util.concurrent.ConcurrentHashMap;
+
+import javax.crypto.Cipher;
+import javax.crypto.CipherSpi;
+import javax.crypto.KeyGenerator;
+import javax.crypto.KeyGeneratorSpi;
+import javax.crypto.Mac;
+import javax.crypto.MacSpi;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.SecretKeyFactorySpi;
+import javax.net.ssl.SSLContext;
+
+import com.sun.crypto.provider.CipherWithWrappingSpi;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.CertificateList;
+import org.bouncycastle.cert.CertException;
+import org.bouncycastle.cert.X509CRLHolder;
+import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+import org.bouncycastle.crypto.params.DSAParameters;
+import org.bouncycastle.crypto.params.DSAPublicKeyParameters;
+import org.bouncycastle.crypto.params.RSAKeyParameters;
+import org.bouncycastle.jce.provider.X509CRLObject;
+import org.bouncycastle.operator.ContentVerifierProvider;
+import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
+import org.bouncycastle.operator.DigestAlgorithmIdentifierFinder;
+import org.bouncycastle.operator.OperatorException;
+import org.bouncycastle.operator.bc.BcDSAContentVerifierProviderBuilder;
+import org.bouncycastle.operator.bc.BcRSAContentVerifierProviderBuilder;
+
+/**
+ * Java Security (and JCE) helpers.
+ *
+ * @author kares
+ */
+public abstract class SecurityHelper {
+
+    private static String BC_PROVIDER_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";
+    static boolean setBouncyCastleProvider = true; // (package access for tests)
+    static Provider securityProvider; // 'BC' provider (package access for tests)
+    private static Boolean registerProvider = null;
+    private static final Map<String, Class> implEngines = new ConcurrentHashMap<String, Class>(16, 0.75f, 1);
+
+    public static void addCipher(String name, Class<? extends CipherSpi> clazz) {
+        implEngines.put("Cipher:" + name, clazz);
+        tryCipherInternal = true;
+    }
+
+    public static void addSignature(String name, Class<? extends SignatureSpi> clazz) {
+        implEngines.put("Signature:" + name, clazz);
+    }
+
+    public static Provider getSecurityProvider() {
+        if ( setBouncyCastleProvider && securityProvider == null ) {
+            synchronized(SecurityHelper.class) {
+                if ( setBouncyCastleProvider && securityProvider == null ) {
+                    setBouncyCastleProvider(); setBouncyCastleProvider = false;
+                }
+            }
+        }
+        doRegisterProvider();
+        return securityProvider;
+    }
+
+    public static synchronized void setSecurityProvider(final Provider provider) {
+        securityProvider = provider;
+    }
+
+    static synchronized void setBouncyCastleProvider() {
+        setSecurityProvider( newBouncyCastleProvider() );
+    }
+
+    private static Provider newBouncyCastleProvider() {
+        try {
+            return (Provider) Class.forName(BC_PROVIDER_CLASS).newInstance();
+        }
+        catch (Throwable ignored) { /* no bouncy castle available */ }
+        return null;
+    }
+
+    public static synchronized void setRegisterProvider(boolean register) {
+        registerProvider = Boolean.valueOf(register); doRegisterProvider();
+    }
+
+    static boolean isProviderAvailable(final String name) {
+        return Security.getProvider(name) != null;
+    }
+
+    static boolean isProviderRegistered() {
+        if ( securityProvider == null ) return false;
+        return Security.getProvider(securityProvider.getName()) != null;
+    }
+
+    private static void doRegisterProvider() {
+        if ( registerProvider != null ) {
+            synchronized(SecurityHelper.class) {
+                if ( registerProvider != null && registerProvider.booleanValue() ) {
+                    if ( securityProvider != null ) {
+                        Security.addProvider(securityProvider);
+                    }
+                }
+            }
+            registerProvider = null;
+        }
+    }
+
+    /**
+     * @note code calling this should not assume BC provider internals !
+     */
+    public static CertificateFactory getCertificateFactory(final String type)
+        throws CertificateException {
+        try {
+            final Provider provider = getSecurityProvider();
+            if ( provider != null ) return getCertificateFactory(type, provider);
+        }
+        catch (CertificateException e) { }
+        return CertificateFactory.getInstance(type);
+    }
+
+    static CertificateFactory getCertificateFactory(final String type, final Provider provider)
+        throws CertificateException {
+        final CertificateFactorySpi spi = (CertificateFactorySpi) getImplEngine("CertificateFactory", type);
+        if ( spi == null ) throw new CertificateException(type + " not found");
+        return newInstance(CertificateFactory.class,
+                new Class[]{ CertificateFactorySpi.class, Provider.class, String.class },
+                new Object[]{ spi, provider, type }
+        );
+    }
+
+    /**
+     * @note code calling this should not assume BC provider internals !
+     */
+    public static KeyFactory getKeyFactory(final String algorithm)
+        throws NoSuchAlgorithmException {
+        try {
+            final Provider provider = getSecurityProvider();
+            if ( provider != null ) return getKeyFactory(algorithm, provider);
+        }
+        catch (NoSuchAlgorithmException e) { }
+        return KeyFactory.getInstance(algorithm);
+    }
+
+    static KeyFactory getKeyFactory(final String algorithm, final Provider provider)
+        throws NoSuchAlgorithmException {
+        KeyFactorySpi spi = (KeyFactorySpi) getImplEngine("KeyFactory", algorithm);
+        if ( spi == null ) throw new NoSuchAlgorithmException(algorithm + " not found");
+        return newInstance(KeyFactory.class,
+            new Class[] { KeyFactorySpi.class, Provider.class, String.class },
+            new Object[] { spi, provider, algorithm }
+        );
+    }
+
+    /**
+     * @note code calling this should not assume BC provider internals !
+     */
+    public static KeyPairGenerator getKeyPairGenerator(final String algorithm)
+        throws NoSuchAlgorithmException {
+        try {
+            final Provider provider = getSecurityProvider();
+            if ( provider != null ) return getKeyPairGenerator(algorithm, provider);
+        }
+        catch (NoSuchAlgorithmException e) { }
+        return KeyPairGenerator.getInstance(algorithm);
+    }
+
+    @SuppressWarnings("unchecked")
+    static KeyPairGenerator getKeyPairGenerator(final String algorithm, final Provider provider)
+        throws NoSuchAlgorithmException {
+        final Object spi = getImplEngine("KeyPairGenerator", algorithm);
+        if ( spi == null ) {
+            throw new NoSuchAlgorithmException(algorithm + " KeyPairGenerator not available");
+        }
+
+        final KeyPairGenerator keyPairGenerator;
+        if ( spi instanceof KeyPairGenerator ) {
+            keyPairGenerator = (KeyPairGenerator) spi;
+        }
+        else {
+            final Class<? extends KeyPairGenerator> delegate;
+            try {
+                delegate = (Class<? extends KeyPairGenerator>)
+                    Class.forName(KeyPairGenerator.class.getName() + "$Delegate");
+            } catch (ClassNotFoundException e) { throw new RuntimeException(e); }
+
+            keyPairGenerator = newInstance(delegate,
+                new Class[] { KeyPairGeneratorSpi.class, String.class }, spi, algorithm
+            );
+        }
+        setField(keyPairGenerator, KeyPairGenerator.class, "provider", provider);
+        return keyPairGenerator;
+    }
+
+    /**
+     * @note code calling this should not assume BC provider internals !
+     */
+    public static KeyStore getKeyStore(final String type)
+        throws KeyStoreException {
+        try {
+            final Provider provider = getSecurityProvider();
+            if ( provider != null ) return getKeyStore(type, provider);
+        }
+        catch (KeyStoreException e) { }
+        return KeyStore.getInstance(type);
+    }
+
+    static KeyStore getKeyStore(final String type, final Provider provider)
+        throws KeyStoreException {
+        return KeyStore.getInstance(type, provider);
+    }
+
+    /**
+     * @note code calling this should not assume BC provider internals !
+     */
+    public static MessageDigest getMessageDigest(final String algorithm) throws NoSuchAlgorithmException {
+        try {
+            final Provider provider = getSecurityProvider();
+            if ( provider != null ) return getMessageDigest(algorithm, provider);
+        }
+        catch (NoSuchAlgorithmException e) { }
+        return MessageDigest.getInstance(algorithm);
+    }
+
+    @SuppressWarnings("unchecked")
+    static MessageDigest getMessageDigest(final String algorithm, final Provider provider)
+        throws NoSuchAlgorithmException {
+        final Object spi = getImplEngine("MessageDigest", algorithm);
+        if ( spi == null ) throw new NoSuchAlgorithmException(algorithm + " not found");
+
+        final MessageDigest messageDigest;
+        if ( spi instanceof MessageDigest ) {
+            messageDigest = (MessageDigest) spi;
+        }
+        else {
+            final Class<? extends MessageDigest> delegate;
+            try {
+                delegate = (Class<? extends MessageDigest>)
+                    Class.forName(MessageDigest.class.getName() + "$Delegate");
+            } catch (ClassNotFoundException e) { throw new RuntimeException(e); }
+
+            messageDigest = newInstance(delegate,
+                new Class[] { MessageDigestSpi.class, String.class }, spi, algorithm
+            );
+        }
+        setField(messageDigest, MessageDigest.class, "provider", provider);
+        return messageDigest;
+    }
+
+    public static SecureRandom getSecureRandom() {
+        try {
+            final Provider provider = getSecurityProvider();
+            if ( provider != null ) {
+                final String algorithm = getSecureRandomAlgorithm(provider);
+                if ( algorithm != null ) {
+                    return getSecureRandom(algorithm, provider);
+                }
+            }
+        }
+        catch (NoSuchAlgorithmException e) { }
+        return new SecureRandom(); // likely "SHA1PRNG" from SPI sun.security.provider.SecureRandom
+    }
+
+    private static SecureRandom getSecureRandom(final String algorithm, final Provider provider)
+        throws NoSuchAlgorithmException {
+        final SecureRandomSpi spi = (SecureRandomSpi) getImplEngine("SecureRandom", algorithm);
+        if ( spi == null ) throw new NoSuchAlgorithmException(algorithm + " not found");
+
+        return newInstance(SecureRandom.class,
+            new Class[] { SecureRandomSpi.class, Provider.class, String.class },
+            new Object[] { spi, provider, algorithm }
+        );
+    }
+
+    // NOTE: none (at least for BC 1.47)
+    private static String getSecureRandomAlgorithm(final Provider provider) {
+        for ( Provider.Service service : provider.getServices() ) {
+            if ( "SecureRandom".equals( service.getType() ) ) {
+                return service.getAlgorithm();
+            }
+        }
+        return null;
+    }
+
+    static void debugStackTrace(Exception e){
+	e.printStackTrace();
+    }
+    private static Boolean tryCipherInternal = Boolean.FALSE;
+
+    /**
+     * @note code calling this should not assume BC provider internals !
+     */
+    public static Cipher getCipher(final String transformation)
+        throws NoSuchAlgorithmException, NoSuchPaddingException {
+        try {
+            if ( tryCipherInternal == Boolean.FALSE ) {
+                final Provider provider = getSecurityProvider();
+                if ( provider != null ) {
+                    return getCipher(transformation, provider);
+                }
+            }
+        }
+        catch (NoSuchAlgorithmException e) { }
+        catch (NoSuchPaddingException e) { }
+        catch (SecurityException e) {
+            // java.lang.SecurityException: JCE cannot authenticate the provider BC
+            if ( tryCipherInternal != null ) tryCipherInternal = Boolean.TRUE;
+            debugStackTrace(e);
+        }
+        if ( tryCipherInternal == Boolean.TRUE ) {
+            try {
+                final Provider provider = getSecurityProvider();
+                if ( provider != null ) {
+                    return getCipherInternal(transformation, provider);
+                }
+            }
+            catch (NoSuchAlgorithmException e) { }
+            catch (RuntimeException e) {
+                // likely javax.crypto.JceSecurityManager.isCallerTrusted gets
+                // us a NPE from javax.crypto.Cipher.<init>(Cipher.java:264)
+                tryCipherInternal = null; // do not try BC at all
+                debugStackTrace(e);
+            }
+        }
+        return Cipher.getInstance(transformation);
+    }
+
+    static Cipher getCipher(final String transformation, final Provider provider)
+        throws NoSuchAlgorithmException, NoSuchPaddingException {
+        return Cipher.getInstance(transformation, provider);
+    }
+
+    private static final Class<?>[] STRING_PARAM = { String.class };
+
+    private static Cipher getCipherInternal(String transformation, final Provider provider)
+        throws NoSuchAlgorithmException {
+        CipherSpi spi = (CipherSpi) getImplEngine("Cipher", transformation);
+        if ( spi == null ) {
+            //
+            // try the long way
+            //
+            StringTokenizer tok = new StringTokenizer(transformation, "/");
+            final String algorithm = tok.nextToken();
+
+            spi = (CipherSpi) getImplEngine("Cipher", algorithm);
+            if ( spi == null ) {
+                // if ( silent ) return null;
+                throw new NoSuchAlgorithmException(transformation + " not found");
+            }
+
+            //
+            // make sure we don't get fooled by a "//" in the string
+            //
+            if ( tok.hasMoreTokens() && ! transformation.regionMatches(algorithm.length(), "//", 0, 2) ) {
+                // spi.engineSetMode(tok.nextToken()) :
+                invoke(spi, CipherSpi.class, "engineSetMode", STRING_PARAM, tok.nextToken());
+            }
+            if ( tok.hasMoreTokens() ) {
+                // spi.engineSetPadding(tok.nextToken()) :
+                invoke(spi, CipherSpi.class, "engineSetPadding", STRING_PARAM, tok.nextToken());
+            }
+
+        }
+        try {
+            return newInstance(Cipher.class,
+                new Class[] { CipherSpi.class, Provider.class, String.class },
+                new Object[] { spi, provider, transformation }
+            );
+        }
+        catch( IllegalStateException e ) {
+            // this can be due to trusted check in Cipher constructor
+            if (e.getCause().getClass() == NullPointerException.class) {
+                Cipher cipher = newInstance(Cipher.class,
+                    new Class[] { CipherSpi.class, String.class },
+                    new Object[] { spi, transformation }
+                );
+                setField(cipher, Cipher.class, "provider", provider);
+                return cipher;
+            }
+            throw e;
+        }
+    }
+
+    /**
+     * @note code calling this should not assume BC provider internals !
+     */
+    public static Signature getSignature(final String algorithm) throws NoSuchAlgorithmException {
+        try {
+            final Provider provider = getSecurityProvider();
+            if ( provider != null ) return getSignature(algorithm, provider);
+        }
+        catch (NoSuchAlgorithmException e) { }
+        return Signature.getInstance(algorithm);
+    }
+
+    @SuppressWarnings("unchecked")
+    static Signature getSignature(final String algorithm, final Provider provider)
+        throws NoSuchAlgorithmException {
+        final Object spi = getImplEngine("Signature", algorithm);
+        if ( spi == null ) throw new NoSuchAlgorithmException(algorithm + " Signature not available");
+
+        final Signature signature;
+        if ( spi instanceof Signature ) {
+            signature = (Signature) spi;
+        } else {
+            final Class<? extends Signature> delegate;
+            try {
+                delegate = (Class<? extends Signature>)
+                    Class.forName(Signature.class.getName() + "$Delegate");
+            } catch (ClassNotFoundException e) { throw new RuntimeException(e); }
+
+            signature = newInstance(delegate,
+                new Class[] { SignatureSpi.class, String.class }, spi, algorithm
+            );
+        }
+        setField(signature, Signature.class, "provider", provider);
+        return signature;
+    }
+
+    /**
+     * @note code calling this should not assume BC provider internals !
+     */
+    public static Mac getMac(final String algorithm) throws NoSuchAlgorithmException {
+        Mac mac = null;
+        final Provider provider = getSecurityProvider();
+        if ( provider != null ) {
+            mac = getMac(algorithm, provider, true);
+        }
+        if ( mac == null ) mac = Mac.getInstance(algorithm);
+        return mac;
+    }
+
+    static Mac getMac(final String algorithm, final Provider provider)
+        throws NoSuchAlgorithmException {
+        return getMac(algorithm, provider, false);
+    }
+
+    private static Mac getMac(final String algorithm, final Provider provider, boolean silent)
+        throws NoSuchAlgorithmException {
+        MacSpi spi = (MacSpi) getImplEngine("Mac", algorithm);
+        if ( spi == null ) {
+            if ( silent ) return null;
+            throw new NoSuchAlgorithmException(algorithm + " not found");
+        }
+        return newInstance(Mac.class,
+            new Class[] { MacSpi.class, Provider.class, String.class },
+            new Object[] { spi, provider, algorithm }
+        );
+    }
+
+    /**
+     * @note code calling this should not assume BC provider internals !
+     */
+    public static KeyGenerator getKeyGenerator(final String algorithm) throws NoSuchAlgorithmException {
+        try {
+            final Provider provider = getSecurityProvider();
+            if ( provider != null ) return getKeyGenerator(algorithm, provider);
+        }
+        catch (NoSuchAlgorithmException e) { }
+        catch (SecurityException e) { debugStackTrace(e); }
+        return KeyGenerator.getInstance(algorithm);
+    }
+
+    static KeyGenerator getKeyGenerator(final String algorithm, final Provider provider)
+        throws NoSuchAlgorithmException {
+        final KeyGeneratorSpi spi = (KeyGeneratorSpi) getImplEngine("KeyGenerator", algorithm);
+        if ( spi == null ) throw new NoSuchAlgorithmException(algorithm + " not found");
+
+        return newInstance(KeyGenerator.class,
+            new Class[] { KeyGeneratorSpi.class, Provider.class, String.class },
+            new Object[] { spi, provider, algorithm }
+        );
+    }
+
+    /**
+     * @note code calling this should not assume BC provider internals !
+     */
+    public static SecretKeyFactory getSecretKeyFactory(final String algorithm) throws NoSuchAlgorithmException {
+        try {
+            final Provider provider = getSecurityProvider();
+            if ( provider != null ) return getSecretKeyFactory(algorithm, provider);
+        }
+        catch (NoSuchAlgorithmException e) { }
+        catch (SecurityException e) { debugStackTrace(e); }
+        return SecretKeyFactory.getInstance(algorithm);
+    }
+
+    static SecretKeyFactory getSecretKeyFactory(final String algorithm, final Provider provider)
+        throws NoSuchAlgorithmException {
+        final SecretKeyFactorySpi spi = (SecretKeyFactorySpi) getImplEngine("SecretKeyFactory", algorithm);
+        if ( spi == null ) throw new NoSuchAlgorithmException(algorithm + " not found");
+
+        return newInstance(SecretKeyFactory.class,
+            new Class[] { SecretKeyFactorySpi.class, Provider.class, String.class },
+            new Object[] { spi, provider, algorithm }
+        );
+    }
+
+    private static boolean providerSSLContext = false; // BC does not implement + JDK default is fine
+
+    public static SSLContext getSSLContext(final String protocol)
+        throws NoSuchAlgorithmException {
+        try {
+            if ( providerSSLContext ) {
+                final Provider provider = getSecurityProvider();
+                if ( provider != null ) {
+                    return getSSLContext(protocol, provider);
+                }
+            }
+        }
+        catch (NoSuchAlgorithmException e) { }
+        return SSLContext.getInstance(protocol);
+    }
+
+    private static SSLContext getSSLContext(final String protocol, final Provider provider)
+        throws NoSuchAlgorithmException {
+        return SSLContext.getInstance(protocol, provider);
+    }
+
+    public static boolean verify(final X509CRL crl, final PublicKey publicKey)
+        throws NoSuchAlgorithmException, CRLException, InvalidKeyException, SignatureException {
+        return verify(crl, publicKey, false);
+    }
+
+    static boolean verify(final X509CRL crl, final PublicKey publicKey, final boolean silent)
+        throws NoSuchAlgorithmException, CRLException, InvalidKeyException, SignatureException {
+
+        if ( crl instanceof X509CRLObject ) {
+            final CertificateList crlList = (CertificateList) getCertificateList(crl);
+            final AlgorithmIdentifier tbsSignatureId = crlList.getTBSCertList().getSignature();
+            if ( ! crlList.getSignatureAlgorithm().equals(tbsSignatureId) ) {
+                if ( silent ) return false;
+                throw new CRLException("Signature algorithm on CertificateList does not match TBSCertList.");
+            }
+
+            final Signature signature = getSignature(crl.getSigAlgName(), securityProvider);
+
+            signature.initVerify(publicKey);
+            signature.update(crl.getTBSCertList());
+
+            if ( ! signature.verify( crl.getSignature() ) ) {
+                if ( silent ) return false;
+                throw new SignatureException("CRL does not verify with supplied public key.");
+            }
+            return true;
+        }
+        else {
+            try {
+                final DigestAlgorithmIdentifierFinder digestAlgFinder = new DefaultDigestAlgorithmIdentifierFinder();
+                final ContentVerifierProvider verifierProvider;
+                if ( "DSA".equalsIgnoreCase( publicKey.getAlgorithm() )) {
+                    BigInteger y = ((DSAPublicKey) publicKey).getY();
+                    DSAParams params = ((DSAPublicKey) publicKey).getParams();
+                    DSAParameters parameters = new DSAParameters(params.getP(), params.getQ(), params.getG());
+                    AsymmetricKeyParameter dsaKey = new DSAPublicKeyParameters(y, parameters);
+                    verifierProvider = new BcDSAContentVerifierProviderBuilder(digestAlgFinder).build(dsaKey);
+                }
+                else {
+                    BigInteger mod = ((RSAPublicKey) publicKey).getModulus();
+                    BigInteger exp = ((RSAPublicKey) publicKey).getPublicExponent();
+                    AsymmetricKeyParameter rsaKey = new RSAKeyParameters(false, mod, exp);
+                    verifierProvider = new BcRSAContentVerifierProviderBuilder(digestAlgFinder).build(rsaKey);
+                }
+                return new X509CRLHolder(crl.getEncoded()).isSignatureValid( verifierProvider );
+            }
+            catch (OperatorException e) {
+                throw new SignatureException(e);
+            }
+            catch (CertException e) {
+                throw new SignatureException(e);
+            }
+	    // can happen if the input is DER but does not match expected strucure
+            catch (ClassCastException e) {
+                throw new SignatureException(e);
+            }
+            catch (IOException e) {
+                throw new SignatureException(e);
+            }
+        }
+    }
+
+    private static Object getCertificateList(final Object crl) { // X509CRLObject
+        try { // private CertificateList c;
+            final Field cField = X509CRLObject.class.getDeclaredField("c");
+            cField.setAccessible(true);
+            return cField.get(crl);
+        }
+        catch (NoSuchFieldException e) {
+            debugStackTrace(e); return null;
+        }
+        catch (IllegalAccessException e) { return null; }
+        catch (SecurityException e) { return null; }
+    }
+
+    // these are BC JCE (@see javax.crypto.JCEUtil) inspired internals :
+    // https://github.com/bcgit/bc-java/blob/master/jce/src/main/java/javax/crypto/JCEUtil.java
+
+    private static Object getImplEngine(String baseName, String algorithm) {
+        Object engine = findImplEngine(baseName, algorithm.toUpperCase(Locale.ENGLISH));
+        if (engine == null) {
+            engine = findImplEngine(baseName, algorithm);
+        }
+        return engine;
+    }
+
+    private static Object findImplEngine(final String baseName, String algorithm) {
+        Class implEngineClass = implEngines.get(baseName + ":" + algorithm);
+
+        if (implEngineClass == null) {
+            final Provider bcProvider = securityProvider;
+            String alias;
+            while ((alias = bcProvider.getProperty("Alg.Alias." + baseName + "." + algorithm)) != null) {
+                algorithm = alias;
+            }
+            final String className = bcProvider.getProperty(baseName + "." + algorithm);
+            if (className != null) {
+                try {
+                    ClassLoader loader = bcProvider.getClass().getClassLoader();
+                    if (loader != null) {
+                        implEngineClass = loader.loadClass(className);
+                    } else {
+                        implEngineClass = Class.forName(className);
+                    }
+                    implEngineClass.newInstance(); // this instance is thrown away to test newInstance, but only once
+                } catch (ClassNotFoundException e) {
+                    throw new IllegalStateException("algorithm " + algorithm + " in provider " + bcProvider.getName() + " but no class \"" + className + "\" found!");
+                } catch (Exception e) {
+                    throw new IllegalStateException("algorithm " + algorithm + " in provider " + bcProvider.getName() + " but class \"" + className + "\" inaccessible!");
+                }
+            } else {
+                return null;
+            }
+
+            implEngines.put(baseName + ":" + algorithm, implEngineClass);
+        }
+
+        try {
+            return implEngineClass.newInstance();
+        } catch (Exception e) {
+            final Provider bcProvider = securityProvider;
+            String className = implEngineClass.getName();
+            throw new IllegalStateException("algorithm " + algorithm + " in provider " + bcProvider.getName() + " but class \"" + className + "\" inaccessible!");
+        }
+    }
+
+    // the obligratory "reflection crap" :
+
+    private static <T> T newInstance(Class<T> klass, Class<?>[] paramTypes, Object... params) {
+        final Constructor<T> constructor;
+        try {
+            constructor = klass.getDeclaredConstructor(paramTypes);
+            constructor.setAccessible(true);
+            return constructor.newInstance(params);
+        } catch (NoSuchMethodException e) {
+            throw new IllegalStateException(e.getMessage(), e);
+        } catch (InvocationTargetException e) {
+            throw new IllegalStateException(e.getTargetException());
+        } catch (InstantiationException e) {
+            throw new IllegalStateException(e);
+        } catch (IllegalAccessException e) {
+            throw new IllegalStateException(e);
+        }
+    }
+
+    @SuppressWarnings("unchecked")
+    private static <T> T invoke(Object object, Class<?> klass, String methodName, Class<?>[] paramTypes, Object... params) {
+        final Method method;
+        try {
+            method = klass.getDeclaredMethod(methodName, paramTypes);
+            method.setAccessible(true);
+            return (T) method.invoke(object, params);
+        } catch (NoSuchMethodException e) {
+            throw new IllegalStateException(e.getMessage(), e);
+        } catch (InvocationTargetException e) {
+            throw new IllegalStateException(e.getTargetException());
+        } catch (IllegalAccessException e) {
+            throw new IllegalStateException(e);
+        }
+    }
+
+    private static void setField(Object obj, Class<?> fieldOwner, String fieldName, Object value) {
+        final Field field;
+        try {
+            field = fieldOwner.getDeclaredField(fieldName);
+            field.setAccessible(true);
+            field.set(obj, value);
+        } catch (NoSuchFieldException e) {
+            throw new IllegalStateException("no field '" + fieldName + "' declared in " + fieldOwner + "", e);
+        } catch (IllegalAccessException e) {
+            throw new IllegalStateException(e);
+        }
+    }
+}

metadata

@@ -1,74 +1,75 @@
 --- !ruby/object:Gem::Specification
 name: fast-rsa-engine
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: java
 authors:
-- Christian Meieier
+- Christian Meier
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-07-23 00:00:00.000000000 Z
+date: 2015-08-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: jar-dependencies
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '0.1'
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '0.1'
+  name: jar-dependencies
   prerelease: false
   type: :runtime
-- !ruby/object:Gem::Dependency
-  name: ruby-maven
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '3.3'
+        version: '0.1'
+- !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '3.3'
+  name: ruby-maven
   prerelease: false
   type: :development
-- !ruby/object:Gem::Dependency
-  name: rspec
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '3.3'
+- !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '3.3'
+  name: rspec
   prerelease: false
   type: :development
-- !ruby/object:Gem::Dependency
-  name: rake
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '10.2'
+        version: '3.3'
+- !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '10.2'
+  name: rake
   prerelease: false
   type: :development
-description: this gem replaces the RSA signature and RSA ciphers from jruby-openssl by the must faster implementation of them. see https://corner.squareup.com/2014/02/faster-rsa-jnagmp.html
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.2'
+description: this gem replaces the RSA signature and RSA ciphers from jruby-openssl by a faster implementation of them. see https://corner.squareup.com/2014/02/faster-rsa-jnagmp.html
 email:
 - christian.meier@lookout.com
+- rtyler.croy@lookout.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -76,6 +77,10 @@ files:
 - .gitignore
 - .travis.yml
 - Gemfile
+- Gemfile096
+- Gemfile096.lock
+- Gemfile098
+- Gemfile098.lock
 - LICENSE
 - README.md
 - Rakefile
@@ -95,7 +100,7 @@ files:
 - spec/signature_spec.rb
 - src/main/java/com/github/lookout/fastrsa/FastCipherSpi.java
 - src/main/java/com/github/lookout/fastrsa/FastDigestSignatureSpi.java
-- src/main/java/com/github/lookout/fastrsa/SecurityHelperMap.java
+- src/main/java/org/jruby/ext/openssl/SecurityHelper.java
 homepage: https://github.com/lookout/fast-rsa-engine
 licenses:
 - MIT
@@ -123,5 +128,5 @@ rubyforge_project:
 rubygems_version: 2.4.8
 signing_key:
 specification_version: 4
-summary: replaces the RSA signature and RSA ciphers from jruby-openssl by the must faster implementation of them
+summary: replaces the RSA signature and RSA ciphers from jruby-openssl by a faster implementation of them
 test_files: []

data/src/main/java/com/github/lookout/fastrsa/SecurityHelperMap.java

@@ -1,29 +0,0 @@
-package com.github.lookout.fastrsa;
-
-import java.util.Map;
-
-public class SecurityHelperMap {
-
-    private SecurityHelperMap() {}
-
-    public static void setup( Map<String, Class<?>> engines ) {
-        String[] names = {
-            "MD2", "MD4", "MD5",
-            "RIPEMD128", "RIPEMD160", "RIPEMD256",
-            "SHA1", "SHA224", "SHA256", "SHA384", "SHA512"
-        };
-
-        ClassLoader classLoader = SecurityHelperMap.class.getClassLoader();
-        for (String name : names ) {
-            try {
-                engines.put( "Signature:" + name + "WITHRSA",
-                             classLoader.loadClass( FastDigestSignatureSpi.class.getName() + "$" + name ) );
-            }
-            catch( ClassNotFoundException e ) {
-                System.err.println( "signature class not found for: " + name + " ( " + e.getMessage() + " )" );
-            }
-        }
-
-        engines.put( "Cipher:RSA", FastCipherSpi.NoPadding.class );
-    }
-}