jruby-openssl 0.9.20-java → 0.10.7-java

data/lib/jopenssl23/openssl/ssl.rb

@@ -16,70 +16,82 @@ require "io/nonblock"
 module OpenSSL
   module SSL
     class SSLContext
-      DEFAULT_PARAMS = {
-        :ssl_version => "SSLv23",
+      unless const_defined? :DEFAULT_PARAMS # JRuby does it in Java
+      DEFAULT_PARAMS = { # :nodoc:
+        :min_version => OpenSSL::SSL::TLS1_VERSION,
         :verify_mode => OpenSSL::SSL::VERIFY_PEER,
-        :ciphers => %w{
-          ECDHE-ECDSA-AES128-GCM-SHA256
-          ECDHE-RSA-AES128-GCM-SHA256
-          ECDHE-ECDSA-AES256-GCM-SHA384
-          ECDHE-RSA-AES256-GCM-SHA384
-          DHE-RSA-AES128-GCM-SHA256
-          DHE-DSS-AES128-GCM-SHA256
-          DHE-RSA-AES256-GCM-SHA384
-          DHE-DSS-AES256-GCM-SHA384
-          ECDHE-ECDSA-AES128-SHA256
-          ECDHE-RSA-AES128-SHA256
-          ECDHE-ECDSA-AES128-SHA
-          ECDHE-RSA-AES128-SHA
-          ECDHE-ECDSA-AES256-SHA384
-          ECDHE-RSA-AES256-SHA384
-          ECDHE-ECDSA-AES256-SHA
-          ECDHE-RSA-AES256-SHA
-          DHE-RSA-AES128-SHA256
-          DHE-RSA-AES256-SHA256
-          DHE-RSA-AES128-SHA
-          DHE-RSA-AES256-SHA
-          DHE-DSS-AES128-SHA256
-          DHE-DSS-AES256-SHA256
-          DHE-DSS-AES128-SHA
-          DHE-DSS-AES256-SHA
-          AES128-GCM-SHA256
-          AES256-GCM-SHA384
-          AES128-SHA256
-          AES256-SHA256
-          AES128-SHA
-          AES256-SHA
-          ECDHE-ECDSA-RC4-SHA
-          ECDHE-RSA-RC4-SHA
-          RC4-SHA
-        }.join(":"),
+        :verify_hostname => true,
         :options => -> {
           opts = OpenSSL::SSL::OP_ALL
-          opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
-          opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
-          opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
-          opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
+          opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
+          opts |= OpenSSL::SSL::OP_NO_COMPRESSION
           opts
         }.call
-      } unless const_defined? :DEFAULT_PARAMS # JRuby does it in Java
+      }
 
-      unless const_defined? :DEFAULT_CERT_STORE # JRuby specific
-      DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
-      DEFAULT_CERT_STORE.set_default_paths
-      if defined?(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL)
-        DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+      if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
+           OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
+        DEFAULT_PARAMS.merge!(
+          ciphers: %w{
+            ECDHE-ECDSA-AES128-GCM-SHA256
+            ECDHE-RSA-AES128-GCM-SHA256
+            ECDHE-ECDSA-AES256-GCM-SHA384
+            ECDHE-RSA-AES256-GCM-SHA384
+            DHE-RSA-AES128-GCM-SHA256
+            DHE-DSS-AES128-GCM-SHA256
+            DHE-RSA-AES256-GCM-SHA384
+            DHE-DSS-AES256-GCM-SHA384
+            ECDHE-ECDSA-AES128-SHA256
+            ECDHE-RSA-AES128-SHA256
+            ECDHE-ECDSA-AES128-SHA
+            ECDHE-RSA-AES128-SHA
+            ECDHE-ECDSA-AES256-SHA384
+            ECDHE-RSA-AES256-SHA384
+            ECDHE-ECDSA-AES256-SHA
+            ECDHE-RSA-AES256-SHA
+            DHE-RSA-AES128-SHA256
+            DHE-RSA-AES256-SHA256
+            DHE-RSA-AES128-SHA
+            DHE-RSA-AES256-SHA
+            DHE-DSS-AES128-SHA256
+            DHE-DSS-AES256-SHA256
+            DHE-DSS-AES128-SHA
+            DHE-DSS-AES256-SHA
+            AES128-GCM-SHA256
+            AES256-GCM-SHA384
+            AES128-SHA256
+            AES256-SHA256
+            AES128-SHA
+            AES256-SHA
+          }.join(":"),
+        )
+      end
       end
+
+      if defined?(OpenSSL::PKey::DH)
+        DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
+JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
+VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
+YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
+1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
+7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
+-----END DH PARAMETERS-----
+        _end_of_pem_
+        private_constant :DEFAULT_2048
+
+        DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc:
+          warn "using default DH parameters." if $VERBOSE
+          DEFAULT_2048
+        }
       end
 
-      INIT_VARS = ["cert", "key", "client_ca", "ca_file", "ca_path",
-        "timeout", "verify_mode", "verify_depth", "renegotiation_cb",
-        "verify_callback", "cert_store", "extra_chain_cert",
-        "client_cert_cb", "session_id_context", "tmp_dh_callback",
-        "session_get_cb", "session_new_cb", "session_remove_cb",
-        "tmp_ecdh_callback", "servername_cb", "npn_protocols",
-        "alpn_protocols", "alpn_select_cb",
-        "npn_select_cb"].map { |x| "@#{x}" }
+      begin
+        DEFAULT_CERT_STORE = OpenSSL::X509::Store.new # :nodoc:
+        DEFAULT_CERT_STORE.set_default_paths
+        DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+      end unless const_defined? :DEFAULT_CERT_STORE # JRuby
 
       # A callback invoked when DH parameters are required.
       #
@@ -92,44 +104,130 @@ module OpenSSL
 
       attr_accessor :tmp_dh_callback
 
-      #if ExtConfig::HAVE_TLSEXT_HOST_NAME
-        # A callback invoked at connect time to distinguish between multiple
-        # server names.
-        #
-        # The callback is invoked with an SSLSocket and a server name.  The
-        # callback must return an SSLContext for the server name or nil.
-        attr_accessor :servername_cb
-      #end
+      # A callback invoked at connect time to distinguish between multiple
+      # server names.
+      #
+      # The callback is invoked with an SSLSocket and a server name.  The
+      # callback must return an SSLContext for the server name or nil.
+      attr_accessor :servername_cb
 
       # call-seq:
-      #    SSLContext.new => ctx
-      #    SSLContext.new(:TLSv1) => ctx
-      #    SSLContext.new("SSLv23_client") => ctx
+      #    SSLContext.new           -> ctx
+      #    SSLContext.new(:TLSv1)   -> ctx
+      #    SSLContext.new("SSLv23") -> ctx
+      #
+      # Creates a new SSL context.
       #
-      # You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS
-      def initialize(version = nil)
-        self.options |= OpenSSL::SSL::OP_ALL
-        self.ssl_version = version if version
-      end unless defined? JRUBY_VERSION # JRuby: handled in "native" Java
+      # If an argument is given, #ssl_version= is called with the value. Note
+      # that this form is deprecated. New applications should use #min_version=
+      # and #max_version= as necessary.
+      # def initialize(version = nil)
+      #   self.options |= OpenSSL::SSL::OP_ALL
+      #   self.ssl_version = version if version
+      # end
 
       ##
-      # Sets the parameters for this SSL context to the values in +params+.
-      # The keys in +params+ must be assignment methods on SSLContext.
+      # call-seq:
+      #   ctx.set_params(params = {}) -> params
+      #
+      # Sets saner defaults optimized for the use with HTTP-like protocols.
+      #
+      # If a Hash _params_ is given, the parameters are overridden with it.
+      # The keys in _params_ must be assignment methods on SSLContext.
       #
       # If the verify_mode is not VERIFY_NONE and ca_file, ca_path and
       # cert_store are not set then the system default certificate store is
       # used.
-
       def set_params(params={})
         params = DEFAULT_PARAMS.merge(params)
-        params.each{|name, value| self.__send__("#{name}=", value) }
+        # TODO JRuby: need to support SSLContext#options (since Ruby 2.5)
+        #self.options = params.delete(:options) # set before min_version/max_version
+        params.each { |name, value| self.__send__("#{name}=", value) }
         if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
           unless self.ca_file or self.ca_path or self.cert_store
             self.cert_store = DEFAULT_CERT_STORE
           end
         end
         return params
-      end unless method_defined? :set_params # JRuby: hooked up in "native" Java
+      end unless method_defined? :set_params
+
+      # call-seq:
+      #    ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
+      #    ctx.min_version = :TLS1_2
+      #    ctx.min_version = nil
+      #
+      # Sets the lower bound on the supported SSL/TLS protocol version. The
+      # version may be specified by an integer constant named
+      # OpenSSL::SSL::*_VERSION, a Symbol, or +nil+ which means "any version".
+      #
+      # Be careful that you don't overwrite OpenSSL::SSL::OP_NO_{SSL,TLS}v*
+      # options by #options= once you have called #min_version= or
+      # #max_version=.
+      #
+      # === Example
+      #   ctx = OpenSSL::SSL::SSLContext.new
+      #   ctx.min_version = OpenSSL::SSL::TLS1_1_VERSION
+      #   ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
+      #
+      #   sock = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx)
+      #   sock.connect # Initiates a connection using either TLS 1.1 or TLS 1.2
+      def min_version=(version)
+        set_minmax_proto_version(version, @max_proto_version ||= nil)
+        @min_proto_version = version
+      end
+
+      # call-seq:
+      #    ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
+      #    ctx.max_version = :TLS1_2
+      #    ctx.max_version = nil
+      #
+      # Sets the upper bound of the supported SSL/TLS protocol version. See
+      # #min_version= for the possible values.
+      def max_version=(version)
+        set_minmax_proto_version(@min_proto_version ||= nil, version)
+        @max_proto_version = version
+      end
+
+      # call-seq:
+      #    ctx.ssl_version = :TLSv1
+      #    ctx.ssl_version = "SSLv23"
+      #
+      # Sets the SSL/TLS protocol version for the context. This forces
+      # connections to use only the specified protocol version. This is
+      # deprecated and only provided for backwards compatibility. Use
+      # #min_version= and #max_version= instead.
+      #
+      # === History
+      # As the name hints, this used to call the SSL_CTX_set_ssl_version()
+      # function which sets the SSL method used for connections created from
+      # the context. As of Ruby/OpenSSL 2.1, this accessor method is
+      # implemented to call #min_version= and #max_version= instead.
+      def ssl_version=(meth)
+        meth = meth.to_s if meth.is_a?(Symbol)
+        if /(?<type>_client|_server)\z/ =~ meth
+          meth = $`
+          if $VERBOSE
+            warn "#{caller(1, 1)[0]}: method type #{type.inspect} is ignored"
+          end
+        end
+        version = METHODS_MAP[meth.intern] or
+          raise ArgumentError, "unknown SSL method `%s'" % meth
+        set_minmax_proto_version(version, version)
+        @min_proto_version = @max_proto_version = version
+      end unless method_defined? :ssl_version=
+
+      METHODS_MAP = {
+        SSLv23: 0,
+        SSLv2: OpenSSL::SSL::SSL2_VERSION,
+        SSLv3: OpenSSL::SSL::SSL3_VERSION,
+        TLSv1: OpenSSL::SSL::TLS1_VERSION,
+        TLSv1_1: OpenSSL::SSL::TLS1_1_VERSION,
+        TLSv1_2: OpenSSL::SSL::TLS1_2_VERSION,
+      }.freeze
+      private_constant :METHODS_MAP
+      
+      # METHODS setup from native (JRuby)
+      # deprecate_constant :METHODS
     end
 
     module SocketForwarder
@@ -254,55 +352,36 @@ module OpenSSL
       include Buffering
       include SocketForwarder
 
-      if ExtConfig::OPENSSL_NO_SOCK
-        def initialize(io, ctx = nil); raise NotImplementedError; end
-      else
-        if ExtConfig::HAVE_TLSEXT_HOST_NAME
-          attr_accessor :hostname
-        end
-
-        attr_reader :io, :context
-        attr_accessor :sync_close
-        alias :to_io :io
-
-        # call-seq:
-        #    SSLSocket.new(io) => aSSLSocket
-        #    SSLSocket.new(io, ctx) => aSSLSocket
-        #
-        # Creates a new SSL socket from +io+ which must be a real ruby object (not an
-        # IO-like object that responds to read/write).
-        #
-        # If +ctx+ is provided the SSL Sockets initial params will be taken from
-        # the context.
-        #
-        # The OpenSSL::Buffering module provides additional IO methods.
-        #
-        # This method will freeze the SSLContext if one is provided;
-        # however, session management is still allowed in the frozen SSLContext.
-
-        def initialize(io, context = OpenSSL::SSL::SSLContext.new)
-          @io         = io
-          @context    = context
-          @sync_close = false
-          @hostname   = nil
-          @io.nonblock = true if @io.respond_to?(:nonblock=)
-          context.setup
-          super()
-        end
-      end unless defined? JRUBY_VERSION # JRuby: handled in "native" Java
+      # attr_reader :hostname
+      #
+      # # The underlying IO object.
+      # attr_reader :io
+      # alias :to_io :io
+      #
+      # # The SSLContext object used in this connection.
+      # attr_reader :context
+      #
+      # # Whether to close the underlying socket as well, when the SSL/TLS
+      # # connection is shut down. This defaults to +false+.
+      # attr_accessor :sync_close
 
       # call-seq:
       #    ssl.sysclose => nil
       #
-      # Shuts down the SSL connection and prepares it for another connection.
+      # Sends "close notify" to the peer and tries to shut down the SSL
+      # connection gracefully.
+      #
+      # If sync_close is set to +true+, the underlying IO is also closed.
       def sysclose
         return if closed?
         stop
         io.close if sync_close
-      end unless defined? JRUBY_VERSION # JRuby: handled in "native" Java
+      end unless method_defined? :sysclose
 
-      ##
-      # Perform hostname verification after an SSL connection is established
+      # call-seq:
+      #   ssl.post_connection_check(hostname) -> true
+      #
+      # Perform hostname verification following RFC 6125.
       #
       # This method MUST be called after calling #connect to ensure that the
       # hostname of a remote peer has been verified.
@@ -310,7 +389,8 @@ module OpenSSL
         if peer_cert.nil?
           msg = "Peer verification enabled, but no certificate received."
           if using_anon_cipher?
-            msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
+            msg += " Anonymous cipher suite #{cipher[0]} was negotiated. " \
+                   "Anonymous suites must be disabled to use peer verification."
           end
           raise SSLError, msg
         end
@@ -321,11 +401,16 @@ module OpenSSL
         return true
       end
 
-      #def session
-      #  SSL::Session.new(self)
-      #rescue SSL::Session::SessionError
-      #  nil
-      #end
+      # call-seq:
+      #   ssl.session -> aSession
+      #
+      # Returns the SSLSession object currently used, or nil if the session is
+      # not established.
+      def session
+        SSL::Session.new(self)
+      rescue SSL::Session::SessionError
+        nil
+      end unless method_defined? :session # JRuby
 
       private
 
@@ -340,7 +425,7 @@ module OpenSSL
       end
 
       def tmp_dh_callback
-        @context.tmp_dh_callback || OpenSSL::PKey::DEFAULT_TMP_DH_CALLBACK
+        @context.tmp_dh_callback || OpenSSL::SSL::SSLContext::DEFAULT_TMP_DH_CALLBACK
       end
 
       def tmp_ecdh_callback
@@ -364,8 +449,8 @@ module OpenSSL
       attr_accessor :start_immediately
 
       # Creates a new instance of SSLServer.
-      # * +srv+ is an instance of TCPServer.
-      # * +ctx+ is an instance of OpenSSL::SSL::SSLContext.
+      # * _srv_ is an instance of TCPServer.
+      # * _ctx_ is an instance of OpenSSL::SSL::SSLContext.
       def initialize(svr, ctx)
         @svr = svr
         @ctx = ctx

data/lib/jopenssl23/openssl/x509.rb

@@ -14,6 +14,54 @@
 
 module OpenSSL
   module X509
+    # class ExtensionFactory
+    #   def create_extension(*arg)
+    #     if arg.size > 1
+    #       create_ext(*arg)
+    #     else
+    #       send("create_ext_from_"+arg[0].class.name.downcase, arg[0])
+    #     end
+    #   end
+    #
+    #   def create_ext_from_array(ary)
+    #     raise ExtensionError, "unexpected array form" if ary.size > 3
+    #     create_ext(ary[0], ary[1], ary[2])
+    #   end
+    #
+    #   def create_ext_from_string(str) # "oid = critical, value"
+    #     oid, value = str.split(/=/, 2)
+    #     oid.strip!
+    #     value.strip!
+    #     create_ext(oid, value)
+    #   end
+    #
+    #   def create_ext_from_hash(hash)
+    #     create_ext(hash["oid"], hash["value"], hash["critical"])
+    #   end
+    # end
+    #
+    # class Extension
+    #   def ==(other)
+    #     return false unless Extension === other
+    #     to_der == other.to_der
+    #   end
+    #
+    #   def to_s # "oid = critical, value"
+    #     str = self.oid
+    #     str << " = "
+    #     str << "critical, " if self.critical?
+    #     str << self.value.gsub(/\n/, ", ")
+    #   end
+    #
+    #   def to_h # {"oid"=>sn|ln, "value"=>value, "critical"=>true|false}
+    #     {"oid"=>self.oid,"value"=>self.value,"critical"=>self.critical?}
+    #   end
+    #
+    #   def to_a
+    #     [ self.oid, self.value, self.critical? ]
+    #   end
+    # end
+
     class Name
       module RFC2253DN
         Special = ',=+<>#;'
@@ -96,7 +144,13 @@ module OpenSSL
         end
 
         def parse_openssl(str, template=OBJECT_TYPE_TEMPLATE)
-          ary = str.scan(/\s*([^\/,]+)\s*/).collect{|i| i[0].split("=", 2) }
+          if str.start_with?("/")
+            # /A=B/C=D format
+            ary = str[1..-1].split("/").map { |i| i.split("=", 2) }
+          else
+            # Comma-separated
+            ary = str.split(",").map { |i| i.strip.split("=", 2) }
+          end
           self.new(ary, template)
         end
 
@@ -111,6 +165,13 @@ module OpenSSL
       end
     end
 
+    # class Attribute
+    #   def ==(other)
+    #     return false unless Attribute === other
+    #     to_der == other.to_der
+    #   end
+    # end
+
     class StoreContext
       def cleanup
         warn "(#{caller.first}) OpenSSL::X509::StoreContext#cleanup is deprecated with no replacement" if $VERBOSE
@@ -129,5 +190,19 @@ module OpenSSL
         }
       end
     end
+
+    # class CRL
+    #   def ==(other)
+    #     return false unless CRL === other
+    #     to_der == other.to_der
+    #   end
+    # end
+
+    # class Request
+    #   def ==(other)
+    #     return false unless Request === other
+    #     to_der == other.to_der
+    #   end
+    # end
   end
 end

data/lib/jopenssl23/openssl.rb

@@ -13,7 +13,7 @@
 require 'openssl/bn'
 require 'openssl/pkey'
 require 'openssl/cipher'
-require 'openssl/config'
+require 'openssl/config' if OpenSSL.const_defined?(:Config, false)
 require 'openssl/digest'
 require 'openssl/x509'
 require 'openssl/ssl'

data/lib/openssl/bn.rb

@@ -4,8 +4,6 @@ elsif RUBY_VERSION > '2.2'
   load "jopenssl22/openssl/#{File.basename(__FILE__)}"
 elsif RUBY_VERSION > '2.1'
   load "jopenssl21/openssl/#{File.basename(__FILE__)}"
-elsif RUBY_VERSION > '1.9'
-  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 else
-  load "jopenssl18/openssl/#{File.basename(__FILE__)}"
+  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 end

data/lib/openssl/buffering.rb

@@ -4,8 +4,6 @@ elsif RUBY_VERSION > '2.2'
   load "jopenssl22/openssl/#{File.basename(__FILE__)}"
 elsif RUBY_VERSION > '2.1'
   load "jopenssl21/openssl/#{File.basename(__FILE__)}"
-elsif RUBY_VERSION > '1.9'
-  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 else
-  load "jopenssl18/openssl/#{File.basename(__FILE__)}"
+  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 end

data/lib/openssl/cipher.rb

@@ -4,8 +4,6 @@ elsif RUBY_VERSION > '2.2'
   load "jopenssl22/openssl/#{File.basename(__FILE__)}"
 elsif RUBY_VERSION > '2.1'
   load "jopenssl21/openssl/#{File.basename(__FILE__)}"
-elsif RUBY_VERSION > '1.9'
-  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 else
-  load "jopenssl18/openssl/#{File.basename(__FILE__)}"
+  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 end

data/lib/openssl/config.rb

@@ -4,8 +4,14 @@ elsif RUBY_VERSION > '2.2'
   load "jopenssl22/openssl/#{File.basename(__FILE__)}"
 elsif RUBY_VERSION > '2.1'
   load "jopenssl21/openssl/#{File.basename(__FILE__)}"
-elsif RUBY_VERSION > '1.9'
-  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 else
-  load "jopenssl18/openssl/#{File.basename(__FILE__)}"
-end
+  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
+end
+
+# @note moved from JOpenSSL native bits.
+module OpenSSL
+  class Config
+    DEFAULT_CONFIG_FILE = nil
+  end
+  class ConfigError < OpenSSLError; end
+end

data/lib/openssl/digest.rb

@@ -4,8 +4,6 @@ elsif RUBY_VERSION > '2.2'
   load "jopenssl22/openssl/#{File.basename(__FILE__)}"
 elsif RUBY_VERSION > '2.1'
   load "jopenssl21/openssl/#{File.basename(__FILE__)}"
-elsif RUBY_VERSION > '1.9'
-  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 else
-  load "jopenssl18/openssl/#{File.basename(__FILE__)}"
+  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 end

data/lib/openssl/pkcs12.rb

@@ -28,10 +28,8 @@ module OpenSSL
         @der = str
       end
 
-      p12_input_stream = java.io.StringBufferInputStream.new(@der)
-
       store = SecurityHelper.getKeyStore("PKCS12")
-      store.load(p12_input_stream, password.to_java.to_char_array)
+      store.load(java.io.ByteArrayInputStream.new(@der.to_java_bytes), password.to_java.to_char_array)
 
       aliases = store.aliases
       aliases.each do |alias_name|

data/lib/openssl/pkcs5.rb

@@ -0,0 +1,22 @@
+#--
+# Ruby/OpenSSL Project
+# Copyright (C) 2017 Ruby/OpenSSL Project Authors
+#++
+
+# JOpenSSL has these - here for explicit require 'openssl/pkcs5' compatibility
+
+# module OpenSSL
+#   module PKCS5
+#     module_function
+#
+#     # OpenSSL::PKCS5.pbkdf2_hmac has been renamed to OpenSSL::KDF.pbkdf2_hmac.
+#     # This method is provided for backwards compatibility.
+#     def pbkdf2_hmac(pass, salt, iter, keylen, digest)
+#       OpenSSL::KDF.pbkdf2_hmac(pass, salt: salt, iterations: iter, length: keylen, hash: digest)
+#     end
+#
+#     def pbkdf2_hmac_sha1(pass, salt, iter, keylen)
+#       pbkdf2_hmac(pass, salt, iter, keylen, "sha1")
+#     end
+#   end
+# end

data/lib/openssl/ssl-internal.rb

@@ -1,7 +1,5 @@
 if RUBY_VERSION > '2.1'
   raise LoadError, "no such library in #{RUBY_VERSION}: openssl/ssl-internal.rb"
-elsif RUBY_VERSION > '1.9'
-  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 else
-  load "jopenssl18/openssl/#{File.basename(__FILE__)}"
+  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 end

data/lib/openssl/ssl.rb

@@ -4,8 +4,6 @@ elsif RUBY_VERSION > '2.2'
   load "jopenssl22/openssl/#{File.basename(__FILE__)}"
 elsif RUBY_VERSION > '2.1'
   load "jopenssl21/openssl/#{File.basename(__FILE__)}"
-elsif RUBY_VERSION > '1.9'
-  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 else
-  load "jopenssl18/openssl/#{File.basename(__FILE__)}"
+  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 end

data/lib/openssl/x509-internal.rb

@@ -1,7 +1,5 @@
 if RUBY_VERSION > '2.1'
   raise LoadError, "no such library in #{RUBY_VERSION}: openssl/x509-internal.rb"
-elsif RUBY_VERSION > '1.9'
-  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 else
-  load "jopenssl18/openssl/#{File.basename(__FILE__)}"
+  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 end

data/lib/openssl/x509.rb

@@ -4,8 +4,6 @@ elsif RUBY_VERSION > '2.2'
   load "jopenssl22/openssl/#{File.basename(__FILE__)}"
 elsif RUBY_VERSION > '2.1'
   load "jopenssl21/openssl/#{File.basename(__FILE__)}"
-elsif RUBY_VERSION > '1.9'
-  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 else
-  load "jopenssl18/openssl/#{File.basename(__FILE__)}"
+  load "jopenssl19/openssl/#{File.basename(__FILE__)}"
 end