jruby-openssl 0.9.4 → 0.14.0-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (67) hide show
  1. checksums.yaml +7 -0
  2. data/History.md +652 -0
  3. data/LICENSE.txt +37 -0
  4. data/Mavenfile +163 -5
  5. data/README.md +75 -0
  6. data/Rakefile +52 -2
  7. data/lib/jopenssl/_compat23.rb +71 -0
  8. data/lib/jopenssl/load.rb +75 -16
  9. data/lib/jopenssl/version.rb +9 -4
  10. data/lib/jopenssl.jar +0 -0
  11. data/lib/openssl/bn.rb +40 -5
  12. data/lib/openssl/buffering.rb +477 -4
  13. data/lib/openssl/cipher.rb +67 -5
  14. data/lib/openssl/config.rb +500 -4
  15. data/lib/openssl/digest.rb +73 -5
  16. data/lib/openssl/hmac.rb +13 -0
  17. data/lib/openssl/marshal.rb +30 -0
  18. data/lib/openssl/pkcs12.rb +60 -99
  19. data/lib/openssl/pkcs5.rb +22 -0
  20. data/lib/openssl/pkey.rb +42 -0
  21. data/lib/openssl/ssl.rb +542 -4
  22. data/lib/openssl/x509.rb +368 -4
  23. data/lib/openssl.rb +3 -1
  24. data/lib/org/bouncycastle/bcpkix-jdk18on/1.71/bcpkix-jdk18on-1.71.jar +0 -0
  25. data/lib/org/bouncycastle/bcprov-jdk18on/1.71/bcprov-jdk18on-1.71.jar +0 -0
  26. data/lib/org/bouncycastle/bctls-jdk18on/1.71/bctls-jdk18on-1.71.jar +0 -0
  27. data/lib/org/bouncycastle/bcutil-jdk18on/1.71/bcutil-jdk18on-1.71.jar +0 -0
  28. data/pom.xml +772 -0
  29. metadata +40 -107
  30. data/History.txt +0 -218
  31. data/License.txt +0 -30
  32. data/README.txt +0 -13
  33. data/TODO-1_9-support.txt +0 -23
  34. data/lib/jopenssl18/openssl/bn.rb +0 -35
  35. data/lib/jopenssl18/openssl/buffering.rb +0 -241
  36. data/lib/jopenssl18/openssl/cipher.rb +0 -65
  37. data/lib/jopenssl18/openssl/config.rb +0 -316
  38. data/lib/jopenssl18/openssl/digest.rb +0 -61
  39. data/lib/jopenssl18/openssl/pkcs7.rb +0 -25
  40. data/lib/jopenssl18/openssl/ssl-internal.rb +0 -179
  41. data/lib/jopenssl18/openssl/ssl.rb +0 -1
  42. data/lib/jopenssl18/openssl/x509-internal.rb +0 -153
  43. data/lib/jopenssl18/openssl/x509.rb +0 -1
  44. data/lib/jopenssl18/openssl.rb +0 -67
  45. data/lib/jopenssl19/openssl/bn.rb +0 -35
  46. data/lib/jopenssl19/openssl/buffering.rb +0 -449
  47. data/lib/jopenssl19/openssl/cipher.rb +0 -65
  48. data/lib/jopenssl19/openssl/config.rb +0 -313
  49. data/lib/jopenssl19/openssl/digest.rb +0 -72
  50. data/lib/jopenssl19/openssl/ssl-internal.rb +0 -177
  51. data/lib/jopenssl19/openssl/ssl.rb +0 -2
  52. data/lib/jopenssl19/openssl/x509-internal.rb +0 -158
  53. data/lib/jopenssl19/openssl/x509.rb +0 -2
  54. data/lib/jopenssl19/openssl.rb +0 -23
  55. data/lib/openssl/pkcs7.rb +0 -5
  56. data/lib/openssl/ssl-internal.rb +0 -5
  57. data/lib/openssl/x509-internal.rb +0 -5
  58. data/test/java/pkcs7_mime_enveloped.message +0 -19
  59. data/test/java/pkcs7_mime_signed.message +0 -30
  60. data/test/java/pkcs7_multipart_signed.message +0 -45
  61. data/test/java/test_java_attribute.rb +0 -25
  62. data/test/java/test_java_bio.rb +0 -42
  63. data/test/java/test_java_mime.rb +0 -173
  64. data/test/java/test_java_pkcs7.rb +0 -772
  65. data/test/java/test_java_smime.rb +0 -177
  66. data/test/test_java.rb +0 -98
  67. data/test/ut_eof.rb +0 -128
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: 2548bc2fe716c409cd989bf2d8dadfae326993f955aca85cfe03ca4bf3afb659
4
+ data.tar.gz: 5f6606773272d521abefb77c475d80a6437091d33b37c15d5daf6c8ccdb87e9b
5
+ SHA512:
6
+ metadata.gz: 05f1f9700cd0e52761a80c4c841dc5afa80f1dbffcb47dadc1761ccf59bb3315b6baa8cbff18b3d611b6094f0ef9b1e930800f07ed2cc1cad4f5c3951047fca8
7
+ data.tar.gz: 5ca2d93939853cdc3ae2055db4e32ba71e9c6127297ec14c5de5745db2ebbe27c4182ee7325045123a91d8b3b8bac5cebf80471aaab2e67ec5458803ba85805c
data/History.md ADDED
@@ -0,0 +1,652 @@
1
+ ## 0.14.0
2
+
3
+ This version upgraded to latest Bouncy-Castle (1.71) and is only compatible with
4
+ the new version mostly due artifact naming and breaking chances in BC itself.
5
+
6
+ - [deps] upgrade BC to latest 1.71
7
+ - [fix] make set_minmax_proto_version private
8
+
9
+ ## 0.13.0
10
+
11
+ * [fix] ASN1::EndOfContent ancestor hierarchy (#228)
12
+ * [fix] handle X509::Name type conversion (#206)
13
+ * [fix] handle invalid type when creating `X509::Name`
14
+ * [fix] `OpenSSL::X509::Name#inspect` compatibility
15
+ * [fix] escaping with `OpenSSL::X509::Name::RFC2253`
16
+ * [feat] implement `OpenSSL::X509::Name#to_utf8`
17
+ * [fix] compat missing `OpenSSL::SSL::OP_NO_TLSv1_3`
18
+ * [refactor] performance - do not encode/decode cert objects
19
+ * [fix] make sure `Context.ciphers` are not mutated (#219)
20
+ * [feat] support `to_java` conversion for CRL
21
+ * [feat] support `to_java` protocol for PKey (#250)
22
+
23
+ ## 0.12.2
24
+
25
+ * [fix] work-around JRuby 9.2 autoload behavior (#248)
26
+ to be able to install jruby-openssl >= 0.12 on JRuby 9.2
27
+ while the default gem (shipped with JRuby) is < 0.12
28
+ * [feat] support alpn negotiation in ssl context (#247)
29
+ * [feat] support Java cipher names on `SSLContext#ciphers=`
30
+ * [fix] properly handle `require_jar` fallback
31
+
32
+ ## 0.12.1
33
+
34
+ * improved compatibility with the openssl gem (version 2.2.1)
35
+ * JOSSL now ships with a single set of openssl .rb files
36
+ - providing compat with `required_ruby_version = '>= 2.3.0'`
37
+ - flat set of .rb files at *lib/openssl/* (based on openssl gem)
38
+ * revisited `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS` defaults
39
+ - implicit `verify_hostname` default .rb callback still a noop
40
+ - TLS continues to rely on the Java SSL engine for hostname checks
41
+ * working TLS 1.3 support
42
+ * droped Java 1.7 support (at least Java 8 needed to use the gem)
43
+ * fixed `SSLContext#options` matches C OpenSSL (using `OP_ALL`)
44
+ * no longer filter out SSLv2 (for improved OpenSSL compatibility)
45
+ * implemented naive `SSLContext#ciphers` caching to speed-up TLS
46
+ * `StoreError` raised due a Java exception now retain native cause
47
+
48
+ ## 0.12.0 (yanked)
49
+
50
+ There were Java 8 and JRuby 9.3 regressions in this release, use 0.12.1 instead.
51
+
52
+ ## 0.11.0
53
+
54
+ NOTE: This release aims to adapt the certificate verification logic to be aligned
55
+ with OpenSSL 1.1.1 as a resolution to issues due *DST Root CA X3* expiration, more
56
+ details at: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
57
+
58
+ The port is expected to be superior compared to the simple legacy verification,
59
+ however in case of issues the previous algorithm is still around and can be toggled
60
+ using `JRUBY_OPTS="-J-Djruby.openssl.x509.store.verify=legacy"` system property.
61
+
62
+ * **OpenSSL 1.1.1 cert verification port** (fixes #236) (#239)
63
+ - as a side-effect part of the PR to "allow multiple certs with same SubjectDN"
64
+ (#198) got reverted, this has been causing verification regressions (since 0.10.5)
65
+ for some users (#232) and is expected to be fixed
66
+ * [fix] replace deprecated getPeerCertificateChain (#231)
67
+
68
+ ## 0.10.7
69
+
70
+ * [feat] upgrade BC library to 1.68
71
+ * [fix] SSLContext#ciphers= (fixes #221 and jruby/jruby#3100) (#222)
72
+ * [fix] Java::JavaLang::StringIndexOutOfBoundsException on ctx.cipher=[] (fixes #220) (#223)
73
+ * [fix] SSLContext#ciphers= compatibility (fixes #223) (#220)
74
+ * [fix] Match OpenSSL::X509::Name.hash implementation with Ruby (#216, #218)
75
+ * [fix] OpenSSL::SSL::SSLContext#min_version= failure (#215)
76
+ * [fix] adds OpenSSL::Cipher#iv_len= setter (#208)
77
+
78
+ ## 0.10.6 (yanked)
79
+
80
+ Due several regressions please update to version 0.10.7 or higher.
81
+
82
+ ## 0.10.5
83
+
84
+ * [fix] EC key sign/verify (#193)
85
+ * [feat] upgrade BC library to 1.65
86
+ * [refactor] clean security helpers to avoid reflection (#197)
87
+ * Just use normal getInstance to get KeyFactory (fixes #197)
88
+ * Allow multiple Certificates with the same SubjectDN in the store (#198)
89
+ * Try direct path for MessageDigest before invasive path (#194)
90
+ (relates to jruby/jruby#6098)
91
+ * [refactor] avoid NativeException usage (jruby/jruby#5646)
92
+
93
+ ## 0.10.4
94
+
95
+ * Use CertificateFactory.getInstance rather than reflection
96
+ eliminates one of the module warnings we have been seeing (#161)
97
+
98
+ ## 0.10.3
99
+
100
+ * [fix] implement (missing) PKey::DSA#params
101
+ * [fix] authorityKeyIdentifier ext (general-name) value
102
+ * [fix] authority keyid extension's :always part optional (#174)
103
+ * [fix] work-around for not setting certificate serial
104
+ raise a more friendly error (jruby/jruby#1691)
105
+ * [fix] PKey.read not parsing RSA pub-key (#176)
106
+ * [feat] support reading DSA (public key) in full DER
107
+ * [fix] RSA key DER format to closely follow OpenSSL
108
+ * [fix] add missing ASN1 factory methods (Null, EndOfContent)
109
+ * [fix] support getting password from block for PKeys
110
+ * [fix] incorrect ASN.1 for wrapped Integer type
111
+ * [fix] correct public key for subjectKeyIdentifier ext (#173)
112
+ * [fix] invalid Cert#sign handling -> raise (instead of ClassCastException)
113
+ * [feat] more TLS (GCM) ciphers - supported on Java 8+
114
+ * [feat] add ECDHE-RSA-AES128-GCM-SHA256 as supported cipher (#185)
115
+ * [feat] add support for ECDHE-RSA-AES256-GCM-SHA384 (#187)
116
+ * [fix] try hard not to fail on unkown oids (OpenSSL::X509::Certificate#to_text)
117
+ * update Bouncy-Castle to 1.62 (and handle supported BC compatibility)
118
+
119
+ ## 0.10.2
120
+
121
+ * update Bouncy-Castle to 1.61 (and handle supported BC compatibility)
122
+ * [fix] avoid NPE when CRL fails to parse (invalid str) (jruby/jruby#5619)
123
+ * hide (deprecated) Jopenssl constant
124
+ * default OpenSSL.warn to warnings-enabled flag
125
+ * only un-restrict jce when its restricted
126
+ * OpenSSL::Cipher#update additional buffer argument (#170) (jruby/jruby#5242)
127
+
128
+ ## 0.10.1
129
+
130
+ * loading JOpenSSL's native ext part the JRuby 9.2 (internal) way
131
+ * avoid, once again, installing BC provider on boot (due OCSP support)
132
+ * [feat] support OpenSSL::KDF as a (semi) OpenSSL::PKCS5 replacement
133
+ * rename ugly-sh "Jopenssl" constant to **JOpenSSL**
134
+ * support PKCS7#decrypt with 1 argument (pkey only - without certificate)
135
+ * undo some of the call-sites in SSLSocket - account for sub-classes (#165)
136
+ * follow-up to provide == for X.509 types (like C-OpenSSL does in 2.1)
137
+ * validate iter parameter on Cipher#pkcs5_keyivgen (since OpenSSL 2.0.8)
138
+ * remove openssl/pkcs7.rb -> since 1.8 no longer supported
139
+
140
+ ## 0.10.0
141
+
142
+ **NOTE:** dropped support for anything below ~ JRuby 1.7.20
143
+
144
+ * drop support for Java 1.6 and compile using Java 7
145
+ * improve java.version detection for Java 9/10 (pre-releases)
146
+ * subject alt name parsing fixes (#140) - thanks @roadrunner2
147
+ * fix loading of Subject/Issuer-Alt-Name extensions. (#144)
148
+ * normalize all constants in CipherStrings as public (#146)
149
+ * upgrade BC to **1.59** and dropped support for BC < 1.55
150
+ * include BC's JSSE provider as we're planning on using it, eventually
151
+ * setup OpenSSL::ExtConfig emulation - mostly (conservative) guesses
152
+ * at last, do BN comparison `==` vs `eql?` properly - just like MRI
153
+ * get `BN.new("...", 0)` working as OpenSSL does - using MPI format
154
+ * allow for SSLContext#dup to work (copy-ing Ruby level i-vars only)
155
+ * fix signature-alg to default to NULL and report it as 0.0 (like MRI)
156
+ * account for ASN1Integers when transforming issuer serial numbers
157
+ to_text in AuthorityKeyIdentifier extensions (#147) - thanks @lampad
158
+ * copy bytes since it might be a shared (unsafe) buffer (#150)
159
+ * don't use padding for streaming cipher modes (#155) - thanks @dgolombek
160
+ * avoid ByteList#length() usage for forward (JRuby 9.2) compatibility
161
+ * prepare for using BC's JSSE implementation as an SSL support backend
162
+ allow to set SSL provider name (-Djruby.openssl.ssl.provider=...)
163
+
164
+ ## 0.9.21
165
+
166
+ * adjust X.509 value handling to parse subjectAltName recursively (#134)
167
+ * SKI expected to be always octet wrapped - do not check for length (#131)
168
+ * respect jruby.preferred.prng and use/tune its SecureRandom defaults
169
+ trying to avoid BC generator's constant attempts for seeding itself
170
+ as an attempt to 'fix' low-entropy systems wating for */dev/random*
171
+ * Random#add; Random#egd shall return true on JVM
172
+ * move "DEFAULT" special case handling to match OpenSSL behaviour (#136)
173
+ (jruby/jruby#2193)
174
+ * If data is not provided, extract it from the PKCS7 instance (#132)
175
+ * Add cipher suite strings for IBM JRE (#126) - thanks @ysohda
176
+ * use the helper to printStackTrace (no System.err printing by default)
177
+ * add OCSP support (#124) - thanks so very much @lampad
178
+ * add support for renegotiation_cb on SSLContext (#121) - thanks @lampad
179
+
180
+ ## 0.9.20
181
+
182
+ * upgrade Bouncy-Castle to 1.56 http://bouncycastle.org/releasenotes.html
183
+ (additional security and robustness with 10 CVEs submitted as a result)
184
+ * add a dummy SSLContext#security_level= implementation
185
+ * no dup-ing for SSLContext/SSLSocket and X509 Store/StoreContext
186
+ * implement PKey initialize_copy (dup-ing)
187
+ * digest can be passed in as a String on PKey#sign/verify
188
+ * DSA+SHA1 is actually a supported algorithm
189
+ * reset signed-request -> sub-sequent req.verify will work correctly
190
+ * allow for digest name to be passed into Cert#sign
191
+ * be less fatal on Java 9
192
+ won't attempt reflective SPIs when accessibility checks fail!
193
+ * remove obsolete (deprecated) renamed classes
194
+ * verify correct WaitReadable is raised on connect_nonblock (jruby/jruby#1716)
195
+ * non-connected ssl socket raises EPIPE on connect_nonblock (MRI compat)
196
+ * fine to close a SSLSocket which is not-yet-connected (like in MRI)
197
+ * fix NPE when reading private keys (with passwd) (jruby/jruby#1784)
198
+
199
+ ## 0.9.19
200
+
201
+ * re-use secure random from thread-context on SSL context initialization
202
+ * preliminary OpenSSL 1.1 (Ruby 2.4) compatibility bits (#112)
203
+ * try using thread-shared secure random gen (in PKey-s) where possible
204
+ * implement PKeyDSA#syssign and PKeyDSA#sysverify methods
205
+ * avoid (unnecessary) byte[] copies in PKey#sign/verify
206
+ * fix ClassCastException error in X509Store.verify (#113)
207
+ * align BH#hash with eql? (+ equals/hashCode on Java)
208
+
209
+ ## 0.9.18
210
+
211
+ * handle X.509 authorityKeyIdentifier parsing somehow right (#102)
212
+ * simple resolution for handling subjectAltName multiple DNS: names (#102)
213
+ * upgrading BC to 1.55
214
+ normalize "brainpoolP512t1" curve name for BC 1.55 compatibility
215
+ * allow for X509::Certificate to be converted to a Java certificate
216
+ * at least OpenSSL.debug potential env read failure on set_default_paths
217
+ * negative BN values are always considered not prime.
218
+ * Don't print a warning for missing client certs (#110)
219
+
220
+ ## 0.9.17
221
+
222
+ * temporarily register BC provider on X.509 factory (work-around for #94)
223
+ * support Cipher#auth_tag and auth_data for GCM ciphers (e.g. aes-128-gcm)
224
+ * need to drop support for BC <= 1.50 due EC support (N/A in older BCs)
225
+ * (somehow working) draft at implementing PKey::EC (elliptic curve support)
226
+ DH encryption expected to behave correctly
227
+ * make sure (initial) BC security provider registration works!
228
+ ... when **-Djruby.openssl.provider.register=true** (due #94)
229
+ * Make ALL cipherstring match ECDHE cihphers (#91)
230
+ * fix X.509 indexBySubject returning correct index
231
+ * try to handle `SSLContext.session=` and also try answering `session_reused?`
232
+ * handle equals/hashCode on SSL::Session and raise on timeout int overflow
233
+ * Allow DSA private keys to be initialized from parameters. (#83)
234
+ * Instantiate both the private and public keys when setting parameters. (#82)
235
+
236
+ ## 0.9.16
237
+
238
+ * add hard dependency to jar-dependencies (#74)
239
+ * Recognize Android java.version (#81)
240
+
241
+ ## 0.9.15
242
+
243
+ * always return a Fixnum from `OpenSSL::SSL::Session#timeout`, OpenSSL defaults
244
+ to 300 (been causing net/http.rb issues with timeouts on JRuby 9K)
245
+
246
+ ## 0.9.14
247
+
248
+ * upgrade to using BC **1.54** as default (all versions >= 1.49 are supported)
249
+ for Bouncy-Castle release notes see http://bouncycastle.org/releasenotes.html
250
+ * basic support for prompting for PEM password (working for RSA/DSA priv.key)
251
+ * avoid NPE due version field in X509Cert - make sure it's treated as 0 (#78)
252
+ and fix settting ceritificate.serial = number
253
+ * default WairReadable/Writable backtraces to JRuby's -Xerrno.backtrace
254
+ * use hardcoded jks type for loading cacerts - for Java 9 compatibility (#79)
255
+
256
+ ## 0.9.13
257
+
258
+ JRuby-OpenSSL is the first release that aims to be Ruby **2.3** compatible.
259
+
260
+ * SSLSocket#sysread do not copy bytes from buffer - re-use the backing array
261
+ * handle read_nonblock EOF as nil when exception: false (Ruby 2.3 compatibility)
262
+ * start exposing VERSION constant(s) directly on Jopenssl module
263
+ * better not throw EOF on SSLSocket#sysclose for compatibility with MRI
264
+ * setup "dummy" OpenSSL::OPENSSL_LIBRARY_VERSION constant for compatibility
265
+ * Ruby 2.3 compatibility - adjust to changes in MRI's openssl .rb parts
266
+ * update openssl/ssl.rb based on MRI 2.2's version
267
+ * disable backtrace generation for wait non-block errors (use an empty array)
268
+ * support SSLSocket#accept_nonblock/connect_nonblock with exception: false
269
+ * support `exception: false` with syswrite_nonblock and sysread_nonblock
270
+ * remove 'RSA' from RSA public key headers (#76)
271
+
272
+ ## 0.9.12
273
+
274
+ * when the Cipher/Signature needs to be created via java reflection use a constructor
275
+ which avoids verifying the bouncy-castle jars (which is the main reason for using
276
+ reflection since some classloader setups fails to verify those jars) (#73)
277
+ * force US locale for date formatting
278
+ otherwise it uses system locale, which is inconsistent with MRI.
279
+ * X509::Store.set_default_paths ignores FileNotFound errors like MRI does (#68)
280
+ * check type on X509::Store.verify
281
+ throw a TypeError if the argument is not a OpenSSL::X509::Certificate (#69)
282
+ * keep the default x509 certs and directories in line with MRI, only if
283
+ they do not exists fallback on cacerts from the java.home/lib/security/cacerts
284
+ * bring the default ca-certs paths/location more in line with MRI and fallback on
285
+ jvm truststore (java.home/lib/security/cacerts) when needed
286
+
287
+ ## 0.9.11
288
+
289
+ * add TLSv1_1_client, TLSv1_1_server, TLSv1_2_client and TLSv1_2_server options
290
+ to ssl_version (#65)
291
+ * **regression** make sure we hold a buffered reader so that the loop continues
292
+ reading PEMs - previously introduced an incompatibility with cert verify (#67)
293
+ * support negotiating up to TLS1_1 and TLS1_2 when the server supports these
294
+ ssl_versions (#63)
295
+
296
+ ## 0.9.10
297
+
298
+ * **regression** reverted fix for #49 (as it needs more work/testing) :
299
+ keep the default x509 certs and directories in line with MRI (#49), only if
300
+ they do not exists fallback on cacerts from the java.home/lib/security/cacerts
301
+
302
+ ## 0.9.9
303
+
304
+ * **regression** causing to re-package a RaiseException in `SSLSocket#accept`
305
+ * fix load error: jopenssl/load -- java.lang.VerifyError: using BC 1.51 or 1.52 (#62)
306
+ * keep the default x509 certs and directories in line with MRI (#49), only if
307
+ they do not exists fallback on cacerts from the java.home/lib/security/cacerts
308
+
309
+ ## 0.9.8
310
+
311
+ * refactor `PKCS5.pbkdf2_hmac_sha1` to use BC APIs
312
+ thus less dependent on provider internals (jruby/jruby#3025)
313
+ * HMAC - use our SimpleKey impl so that there's less[] copy
314
+ ... also allows for an empty key to work like MRI (jruby/jruby#2854)
315
+ * fixing oaep encryption to use correct algorithm (#54)
316
+ * [experimental] support NOT loading any (BC) jars on our own ... (#10)
317
+ * disable DHE (by default) on Java <= 7 ... on Java 8 we (still) force 1024/2048
318
+ (see jruby/jruby#2872 and #45)
319
+ * **regression** handle parsing of "incomplete" X.509 certs like MRI does (#42)
320
+ * implement a CRL/certificate caching (for now off by default) in Lookup
321
+ ... set *-J-Djruby.openssl.x509.lookup.cache=true* to enable
322
+ * improve Store helper concurrency (with less synchronization)
323
+ * reviewed OpenSSL's .rb parts to match those present in MRI 1.9.3 / 2.2.2
324
+ * initial support for `OpenSSL::SSL::Session` (id, time, timeout work)
325
+ * session_cache_mode as present in OpenSSL makes no sense with Java APIs
326
+ * use the set SSLContext#session_cache_size on the underlying javax.net API
327
+ * tidy up SSLSocket's internals + add stack-trace debugging on accept/connect
328
+ * add SSLSocket ssl_version property like MRI has (#38)
329
+ * avoid unnecessary `_initialize` naming - it's confusing to see in JVM tools
330
+ * use SecurityHelper to get a X.509 certificate factory
331
+ we'll know prefer BC's X.509 factory over the built-in (Sun provider) one
332
+
333
+ ## 0.9.7
334
+
335
+ * put in some more ossl to jsse mappings for SSL/TLS
336
+ (SSL_DHE_xxx, TLS_ECDH_xxx, TLS_ECDHE_xxx)
337
+ * exclude SSLv2 in reported METHODS (all fine to close jruby/jruby#1874)
338
+ * support passing ssl_version as an argument to initialize SSLContext.new ...
339
+ * now that we've matched w MRI's SSLContext::METHODS don't report custom ones
340
+ * more ssl_version= compatibility fixes that match MRI (jruby/jruby#1736)
341
+ * support setting ssl_version = "TLSv1_1" (or "TLSv1_2") just like MRI
342
+ * **regression** make sure version is set when reading encoded certificate
343
+ + signature algorithm should be read as well when decoding certificate (#39)
344
+ * better accept handshake errors instead of "General SSLEngine problem (#37)
345
+ * trying to decode DER application specific objects (based on patch from #36)
346
+ * we've not been compatible with MRI's DES (EDE) - partly due DES(3) ECB
347
+ fixing jruby/jruby#2617 as well as jruby/jruby#931
348
+ * exclude reporting algorithms with CFB-1 cipher mode as supported (due #35)
349
+ * do not change CFB1 to CFB ... it's something different (although broken on BC)
350
+ * attempt to deal with update/final buffering incompatibility with MRI
351
+ * fix HMAC digest incorrect when data contains invalid characters (#33)
352
+ * add Gemfile and specify ruby-maven as dependency
353
+ * use SafePropertyAccessor to access properties instead of directly (#28)
354
+ * make sure SSLSocket's cipher and hostname are nil by default (avoids NPE)
355
+ * update to (packed) BC version 1.50 + start declaring 1.51 as semi-supported
356
+
357
+ ## 0.9.6
358
+
359
+ * ClassCastException still happen deep within BC - turn them into SignatureExeption
360
+ * make sure empty object can be serialize via to_pem
361
+ * use the classname as message in case the exception has no message (jruby/jruby#2249)
362
+ * make sure X509Object list is synchronized properly
363
+ * use JRubyFile to get input-stream to file-resource fixes #11
364
+ * Cache the discovered classes for digest engines. Fixes #15.
365
+ * avoid the rest of Ruby.getGlobalRuntime usages - only worked in 1 runtime envs
366
+ * refactored CRL - using light-weight BC API (avoids deprecated X.509 generator)
367
+ * implement X509::Certificate#to_text for happiness (the MRI-way - only RSA for now)
368
+ * allow to "fake" our inspect() support and match MRI's X509::Certificate#inspect
369
+ * decode BC's ASN1Enumarated into a OpenSSL::ASN1::Enumerated
370
+ * we can (ASN.1) encode an infinite-length bit-string constructive
371
+ * turns out all ASN1 primitives in MRI have the infinite_length attribute
372
+ * support (so-far only dummy) @servername_cb attribute on SSLSocket
373
+ * handle (CRL) extension's issuerAltName wrapping without an exception
374
+ * fix SSL (cert) verification - now working on 1.8/1.9 better than before
375
+ * do not skip first 2 bytes of key identifier hash when encoding to hex!
376
+ * match X.509 extension short-comings of the Java API in order to align with MRI
377
+ * improve cert.extension's value - *extendedKeyUsage* was not returned correctly
378
+ * make sure ASN1::ObjectId.new(...).ln and ASN1::ObjectId.new(...).sn are correct!
379
+ * better working to_der conversion esp. with constructives (indefinite lengths)
380
+ * improve our ASN1 decoding for better MRI compatibility
381
+ * avoiding Krypt gem dependency completely (was used for OpenSSL::PKCS5)
382
+ * cleanup OpenSSL::Digest internals - make sure block_length works for more
383
+ * OpenSSL deprecated_warning_flag and check_func API compatibility stubs
384
+ * do not force loading of jar-dependencies + possibly respect jars skipped
385
+ * X509::Name.to_a compatibility - MRI seems to never return "UNDEF"
386
+ experimental support for passing down "real" Java JCE cipher names
387
+ * rewriten Cipher internals - now faster, slimmer and more compatible than ever!
388
+ * rebuilt our global ASN1Registry and refactored it (back) internally to use string oids
389
+ * report OpenSSL::VERSION **1.1.0** since 1.9.3
390
+ * fill RaiseException's cause whenever we use a factory passing down a Throwable
391
+ * allow X509::Revoked.serial= to receive an integer
392
+ * make sure X509::CRL's to_text representation si (fully) MRI compatible
393
+ * handle authority key-id unwrapping correctly in X509::Extension#value
394
+ * long time coming - OpenSSL::X509::CRL support for loading revoked entries (#5)
395
+ * Reflect Java cacert location in DEFAULT_CERT_* constants (jruby/jruby#1953)
396
+ * X509::Certificate.new MRI compatibility + make sure inspect works the same
397
+ * BN.inspect() and make sure BN.new(0) works just fine (both as in MRI)
398
+ * X509::CRL instantiation compatibility with MRI
399
+ * inspect() X509::Certificate an X509::CRL just like MRI does
400
+ * handle OpenSSL::X509::Store.add error messages correctly (fix based on #6)
401
+ * update to using BC 1.49 by default (still compatible with older versions)
402
+ * implement X509::StoreContext#current_crl method
403
+ * support X509::StoreContext cleanup and error_depth instance methods
404
+ * support disabling of warnings using system property -Djruby.openssl.warn
405
+ * Throw error when chain certs are *not* OpenSSL::X509::Certificate (#3)
406
+ * avoid using JRuby IO APIs (will likely not work in 9k)
407
+ * make 'jopenssl/load' also work on jruby-1.6.8 mode 1.9
408
+
409
+ ## 0.9.5
410
+
411
+ MASSIVE internal "rewrite" to avoid depending on a registered (BC) security
412
+ provider. This releases restores compatibility with BC version 1.47 while being
413
+ compatible with newer bouncy-castle jars as well (1.48, 1.49 and 1.50).
414
+
415
+ * handle SSLErrorWaitReadable/Writable as SSLErrors on Ruby 1.8 and 1.9 mode
416
+ * Treat SSL NOT_HANDSHAKING as FINISHED
417
+ * only add DER.TRUE when encoding X.509 extension when non-critical
418
+ * do not der encode non-critical flag in X509::Extension (jruby/jruby#389)
419
+ * SSLContext internals + support `SSLContext::METHODS` correctly (jruby/jruby#1596)
420
+ * correct visibility of initialize* and respond_to_missing? methods
421
+ * fix spinning indefinitely on partial TLS record (jruby/jruby#1280)
422
+ * Support file input for PKey::RSA.new
423
+ * fix bug https://github.com/jruby/jruby/issues/1156
424
+ * openssl: add handling for base 0 to new and to_s
425
+
426
+ ## 0.9.4
427
+
428
+ * Fix compatibility wiht Bouncy Castle 1.49.
429
+
430
+ ## 0.9.3
431
+
432
+ * Allow options passed to nonblock methods (not impl'ed yet)
433
+ * Make ClassIndex into an enum, to prevent issues like jruby/jruby#1004
434
+
435
+
436
+ == ...
437
+
438
+
439
+ ## 0.7.7
440
+
441
+ This release includes bug fixes.
442
+
443
+ * JRUBY-6622: Support loading encrypted RSA key with PBES2
444
+ * JRUBY-4326: Confusing (and late) OpenSSL error message
445
+ * JRUBY-6579: Avoid ClassCastException for public key loading
446
+ * JRUBY-6515: sending UTF-8 data over SSL can hang with openssl
447
+ * Update tests to sync with CRuby ruby_1_9_3
448
+
449
+ ## 0.7.6
450
+
451
+ This release includes initial implementation of PKCS12 by Owen Ou.
452
+
453
+ * JRUBY-5066: Implement OpenSSL::PKCS12 (only for simple case)
454
+ * JRUBY-6385: Assertion failure with -J-ea
455
+
456
+ ## 0.7.5
457
+
458
+ This release improved 1.9 mode support with help of
459
+ Duncan Mak <duncan@earthaid.net>. Now jruby-ossl gem includes both 1.8 and 1.9
460
+ libraries and part of features should work fine on 1.9 mode, too.
461
+
462
+ * JRUBY-6270: Wrong keyUsage check for SSL server
463
+ * JRUBY-6260: OpenSSL::ASN1::Integer#value incompatibility
464
+ * JRUBY-6044: Improve Ecrypted RSA/DSA pem support
465
+ * JRUBY-5972: Allow to load/dump empty PKCS7 data
466
+ * JRUBY-5834: Fix X509Name handling; X509Name RDN can include multiple elements
467
+ * JRUBY-5362: Improved 1.9 support
468
+ * JRUBY-4992: Warn if loaded by non JRuby interpreter
469
+
470
+ ## 0.7.4
471
+
472
+ * JRUBY-5519: Avoid String encoding dependency in DER loading. PEM loading
473
+ failed on JRuby 1.6.x. Fixed.
474
+ * JRUBY-5510: Add debug information to released jar
475
+ * JRUBY-5478: Update bouncycastle jars to the latest version. (1.46)
476
+
477
+ ## 0.7.3
478
+
479
+ * JRUBY-5200: Net::IMAP + SSL(imaps) login could hang. Fixed.
480
+ * JRUBY-5253: Allow to load the certificate file which includes private
481
+ key for activemarchant compatibility.
482
+ * JRUBY-5267: Added SSL socket error-checks to avoid busy loop under an
483
+ unknown condition.
484
+ * JRUBY-5316: Improvements for J9's IBMJCE support. Now all testcases
485
+ pass on J9 JDK 6.
486
+
487
+ ## 0.7.2
488
+
489
+ * JRUBY-5126: Ignore Cipher#reset and Cipher#iv= when it's a stream
490
+ cipher (Net::SSH compatibility)
491
+ * JRUBY-5125: let Cipher#name for 'rc4' to be 'RC4' (Net::SSH
492
+ compatibility)
493
+ * JRUBY-5096: Fixed inconsistent Certificate verification behavior
494
+ * JRUBY-5060: Avoid NPE from to_pem for empty X509 Objects
495
+ * JRUBY-5059: SSLSocket ignores Timeout (Fixed)
496
+ * JRUBY-4965: implemented OpenSSL::Config
497
+ * JRUBY-5023: make Certificate#signature_algorithm return correct algo
498
+ name; "sha1WithRSAEncryption" instead of "SHA1"
499
+ * JRUBY-5024: let HMAC.new accept a String as a digest name
500
+ * JRUBY-5018: SSLSocket holds selectors, keys, preventing quick
501
+ cleanup of resources when dereferenced
502
+
503
+ ## 0.7.1
504
+
505
+ NOTE: Now BouncyCastle jars has moved out to its own gem "bouncy-castle-java"
506
+ http://rubygems.org/gems/bouncy-castle-java. You don't need to care about it
507
+ because "jruby-openssl" gem depends on it from now on.
508
+
509
+ * JRUBY-4826 net/https client possibly raises "rbuf_fill': End of file
510
+ reached (EOFError)" for HTTP chunked read.
511
+
512
+ * JRUBY-4900: Set proper String to OpenSSL::OPENSSL_VERSION. Make sure
513
+ it's not an OpenSSL artifact: "OpenSSL 0.9.8b 04 May 2006
514
+ (JRuby-OpenSSL fake)" -> "jruby-ossl 0.7.1"
515
+ * JRUBY-4975: Moving BouncyCastle jars out to its own gem.
516
+
517
+ ## 0.7
518
+
519
+ * Follow MRI 1.8.7 openssl API changes
520
+ * Fixes so that jruby-openssl can run on appengine
521
+ * Many bug and compatibility fixes, see below.
522
+ * This is the last release that will be compatible with JRuby 1.4.x.
523
+ * Compatibility issues
524
+ - JRUBY-4342: Follow ruby-openssl of CRuby 1.8.7.
525
+ - JRUBY-4346: Sync tests with tests for ruby-openssl of CRuby 1.8.7.
526
+ - JRUBY-4444: OpenSSL crash running RubyGems tests
527
+ - JRUBY-4075: Net::SSH gives OpenSSL::Cipher::CipherError "No message
528
+ available"
529
+ - JRUBY-4076: Net::SSH padding error using 3des-cbc on Solaris
530
+ - JRUBY-4541: jruby-openssl doesn't load on App Engine.
531
+ - JRUBY-4077: Net::SSH "all authorization methods failed" Solaris -> Solaris
532
+ - JRUBY-4535: Issues with the BouncyCastle provider
533
+ - JRUBY-4510: JRuby-OpenSSL crashes when JCE fails a initialise bcprov
534
+ - JRUBY-4343: Update BouncyCastle jar to upstream version; jdk14-139 ->
535
+ jdk15-144
536
+ Cipher issues
537
+ - JRUBY-4012: Initialization vector length handled differently than in MRI
538
+ (longer IV sequence are trimmed to fit the required)
539
+ - JRUBY-4473: Implemented DSA key generation
540
+ - JRUBY-4472: Cipher does not support RC4 and CAST
541
+ - JRUBY-4577: InvalidParameterException 'Wrong keysize: must be equal to 112 or
542
+ 168' for DES3 + SunJCE
543
+ SSL and X.509(PKIX) issues
544
+ - JRUBY-4384: TCP socket connection causes busy loop of SSL server
545
+ - JRUBY-4370: Implement SSLContext#ciphers
546
+ - JRUBY-4688: SSLContext#ciphers does not accept 'DEFAULT'
547
+ - JRUBY-4357: SSLContext#{setup,ssl_version=} are not implemented
548
+ - JRUBY-4397: SSLContext#extra_chain_cert and SSLContext#client_ca
549
+ - JRUBY-4684: SSLContext#verify_depth is ignored
550
+ - JRUBY-4398: SSLContext#options does not affect to SSL sessions
551
+ - JRUBY-4360: Implement SSLSocket#verify_result and dependents
552
+ - JRUBY-3829: SSLSocket#read should clear given buffer before concatenating
553
+ (ByteBuffer.java:328:in `allocate': java.lang.IllegalArgumentException when
554
+ returning SOAP queries over a certain size)
555
+ - JRUBY-4686: SSLSocket can drop last chunk of data just before inbound channel
556
+ close
557
+ - JRUBY-4369: X509Store#verify_callback is not called
558
+ - JRUBY-4409: OpenSSL::X509::Store#add_file corrupts when it includes
559
+ certificates which have the same subject (problem with
560
+ ruby-openid-apps-discovery (github jruby-openssl issue #2))
561
+ - JRUBY-4333: PKCS#8 formatted privkey read
562
+ - JRUBY-4454: Loading Key file as a Certificate causes NPE
563
+ - JRUBY-4455: calling X509::Certificate#sign for the Certificate initialized
564
+ from PEM causes IllegalStateException
565
+ PKCS#7 issues
566
+ - JRUBY-4379: PKCS7#sign failed for DES3 cipher algorithm
567
+ - JRUBY-4428: Allow to use DES-EDE3-CBC in PKCS#7 w/o the Policy Files (rake
568
+ test doesn't finish on JDK5 w/o policy files update)
569
+ Misc
570
+ - JRUBY-4574: jruby-openssl deprecation warning cleanup
571
+ - JRUBY-4591: jruby-1.4 support
572
+
573
+ ## 0.6
574
+
575
+ * This is a recommended upgrade to jruby-openssl. A security problem
576
+ involving peer certificate verification was found where failed
577
+ verification silently did nothing, making affected applications
578
+ vulnerable to attackers. Attackers could lead a client application
579
+ to believe that a secure connection to a rogue SSL server is
580
+ legitimate. Attackers could also penetrate client-validated SSL
581
+ server applications with a dummy certificate. Your application would
582
+ be vulnerable if you're using the 'net/https' library with
583
+ OpenSSL::SSL::VERIFY_PEER mode and any version of jruby-openssl
584
+ prior to 0.6. Thanks to NaHi (NAKAMURA Hiroshi) for finding the
585
+ problem and providing the fix. See
586
+ http://www.jruby.org/2009/12/07/vulnerability-in-jruby-openssl.html
587
+ for details.
588
+ * This release addresses CVE-2009-4123 which was reserved for the
589
+ above vulnerability.
590
+ * Many fixes from NaHi, including issues related to certificate
591
+ verification and certificate store purpose verification.
592
+ - implement OpenSSL::X509::Store#set_default_paths
593
+ - MRI compat. fix: OpenSSL::X509::Store#add_file
594
+ - Fix nsCertType handling.
595
+ - Fix Cipher#key_len for DES-EDE3: 16 should be 24.
596
+ - Modified test expectations around Cipher#final.
597
+ * Public keys are lazily instantiated when the
598
+ X509::Certificate#public_key method is called (Dave Garcia)
599
+
600
+ ## 0.5.2
601
+
602
+ Multiple bugs fixed:
603
+
604
+ * JRUBY-3895 Could not verify server signature with net-ssh against Cygwin
605
+ * JRUBY-3864 jruby-openssl depends on Base64Coder from JvYAMLb
606
+ * JRUBY-3790 JRuby-OpenSSL test_post_connection_check is not passing
607
+ * JRUBY-3767 OpenSSL ssl implementation doesn't support client auth
608
+ * JRUBY-3673 jRuby-OpenSSL does not properly load certificate authority file
609
+
610
+ ## 0.5.1
611
+
612
+ * Multiple fixes by Brice Figureau to get net/ssh working. Requires JRuby 1.3.1
613
+ to be 100%
614
+ * Fix by Frederic Jean for a character-decoding issue for some certificates
615
+
616
+ ## 0.5
617
+
618
+ * Fixed JRUBY-3614: Unsupported HMAC algorithm (HMACSHA-256)
619
+ * Fixed JRUBY-3570: ActiveMerchant's AuthorizeNet Gateway throws OpenSSL Cert
620
+ Validation Error, when there should be no error
621
+ * Fixed JRUBY-3557 Class cast exception in PKeyRSA.java
622
+ * Fixed JRUBY-3468 X.509 certificates: subjectKeyIdentifier corrupted
623
+ * Fixed JRUBY-3285 Unsupported HMAC algorithm (HMACSHA1) error when generating
624
+ digest
625
+ * Misc code cleanup
626
+
627
+ ## 0.2
628
+
629
+ * Enable remaining tests; fix a nil string issue in SSLSocket.sysread
630
+ (JRUBY-1888)
631
+ * Fix socket buffering issue by setting socket IO sync = true
632
+ * Fix bad file descriptor issue caused by unnecessary close (JRUBY-2152)
633
+ * Fix AES key length (JRUBY-2187)
634
+ * Fix cipher initialization (JRUBY-1100)
635
+ * Now, only compatible with JRuby 1.1
636
+
637
+ ## 0.1.1
638
+
639
+ * Fixed blocker issue preventing HTTPS/SSL from working (JRUBY-1222)
640
+
641
+ ## 0.1
642
+
643
+ * PLEASE NOTE: This release is not compatible with JRuby releases earlier than
644
+ 1.0.3 or 1.1b2. If you must use JRuby 1.0.2 or earlier, please install the
645
+ 0.6 release.
646
+ * Release coincides with JRuby 1.0.3 and JRuby 1.1b2 releases
647
+ * Simultaneous support for JRuby trunk and 1.0 branch
648
+ * Start of support for OpenSSL::BN
649
+
650
+ ## 0.0.5 and prior
651
+
652
+ * Initial versions with maintenance updates