jruby-openssl 0.9.7-java → 0.9.8-java

data/lib/jopenssl22/openssl/cipher.rb

@@ -0,0 +1,28 @@
+#--
+#
+# $RCSfile$
+#
+# = Ruby-space predefined Cipher subclasses
+#
+# = Info
+# 'OpenSSL for Ruby 2' project
+# Copyright (C) 2002  Michal Rokos <m.rokos@sh.cvut.cz>
+# All rights reserved.
+#
+# = Licence
+# This program is licenced under the same licence as Ruby.
+# (See the file 'LICENCE'.)
+#
+# = Version
+# $Id$
+#
+#++
+
+module OpenSSL
+  class Cipher
+    # This class is only provided for backwards compatibility.  Use OpenSSL::Cipher in the future.
+    class Cipher < Cipher
+      # add warning
+    end
+  end # Cipher
+end # OpenSSL

data/lib/jopenssl22/openssl/config.rb

@@ -0,0 +1,313 @@
+=begin
+= Ruby-space definitions that completes C-space funcs for Config
+
+= Info
+  Copyright (C) 2010  Hiroshi Nakamura <nahi@ruby-lang.org>
+
+= Licence
+  This program is licenced under the same licence as Ruby.
+  (See the file 'LICENCE'.)
+
+=end
+
+require 'stringio'
+
+module OpenSSL
+  class Config
+    include Enumerable
+
+    class << self
+      def parse(str)
+        c = new()
+        parse_config(StringIO.new(str)).each do |section, hash|
+          c[section] = hash
+        end
+        c
+      end
+
+      alias load new
+
+      def parse_config(io)
+        begin
+          parse_config_lines(io)
+        rescue ConfigError => e
+          e.message.replace("error in line #{io.lineno}: " + e.message)
+          raise
+        end
+      end
+
+      def get_key_string(data, section, key) # :nodoc:
+        if v = data[section] && data[section][key]
+          return v
+        elsif section == 'ENV'
+          if v = ENV[key]
+            return v
+          end
+        end
+        if v = data['default'] && data['default'][key]
+          return v
+        end
+      end
+
+    private
+
+      def parse_config_lines(io)
+        section = 'default'
+        data = {section => {}}
+        while definition = get_definition(io)
+          definition = clear_comments(definition)
+          next if definition.empty?
+          if definition[0] == ?[
+            if /\[([^\]]*)\]/ =~ definition
+              section = $1.strip
+              data[section] ||= {}
+            else
+              raise ConfigError, "missing close square bracket"
+            end
+          else
+            if /\A([^:\s]*)(?:::([^:\s]*))?\s*=(.*)\z/ =~ definition
+              if $2
+                section = $1
+                key = $2
+              else
+                key = $1
+              end
+              value = unescape_value(data, section, $3)
+              (data[section] ||= {})[key] = value.strip
+            else
+              raise ConfigError, "missing equal sign"
+            end
+          end
+        end
+        data
+      end
+
+      # escape with backslash
+      QUOTE_REGEXP_SQ = /\A([^'\\]*(?:\\.[^'\\]*)*)'/
+      # escape with backslash and doubled dq
+      QUOTE_REGEXP_DQ = /\A([^"\\]*(?:""[^"\\]*|\\.[^"\\]*)*)"/
+      # escaped char map
+      ESCAPE_MAP = {
+        "r" => "\r",
+        "n" => "\n",
+        "b" => "\b",
+        "t" => "\t",
+      }
+
+      def unescape_value(data, section, value)
+        scanned = []
+        while m = value.match(/['"\\$]/)
+          scanned << m.pre_match
+          c = m[0]
+          value = m.post_match
+          case c
+          when "'"
+            if m = value.match(QUOTE_REGEXP_SQ)
+              scanned << m[1].gsub(/\\(.)/, '\\1')
+              value = m.post_match
+            else
+              break
+            end
+          when '"'
+            if m = value.match(QUOTE_REGEXP_DQ)
+              scanned << m[1].gsub(/""/, '').gsub(/\\(.)/, '\\1')
+              value = m.post_match
+            else
+              break
+            end
+          when "\\"
+            c = value.slice!(0, 1)
+            scanned << (ESCAPE_MAP[c] || c)
+          when "$"
+            ref, value = extract_reference(value)
+            refsec = section
+            if ref.index('::')
+              refsec, ref = ref.split('::', 2)
+            end
+            if v = get_key_string(data, refsec, ref)
+              scanned << v
+            else
+              raise ConfigError, "variable has no value"
+            end
+          else
+            raise 'must not reaced'
+          end
+        end
+        scanned << value
+        scanned.join
+      end
+
+      def extract_reference(value)
+        rest = ''
+        if m = value.match(/\(([^)]*)\)|\{([^}]*)\}/)
+          value = m[1] || m[2]
+          rest = m.post_match
+        elsif [?(, ?{].include?(value[0])
+          raise ConfigError, "no close brace"
+        end
+        if m = value.match(/[a-zA-Z0-9_]*(?:::[a-zA-Z0-9_]*)?/)
+          return m[0], m.post_match + rest
+        else
+          raise
+        end
+      end
+
+      def clear_comments(line)
+        # FCOMMENT
+        if m = line.match(/\A([\t\n\f ]*);.*\z/)
+          return m[1]
+        end
+        # COMMENT
+        scanned = []
+        while m = line.match(/[#'"\\]/)
+          scanned << m.pre_match
+          c = m[0]
+          line = m.post_match
+          case c
+          when '#'
+            line = nil
+            break
+          when "'", '"'
+            regexp = (c == "'") ? QUOTE_REGEXP_SQ : QUOTE_REGEXP_DQ
+            scanned << c
+            if m = line.match(regexp)
+              scanned << m[0]
+              line = m.post_match
+            else
+              scanned << line
+              line = nil
+              break
+            end
+          when "\\"
+            scanned << c
+            scanned << line.slice!(0, 1)
+          else
+            raise 'must not reaced'
+          end
+        end
+        scanned << line
+        scanned.join
+      end
+
+      def get_definition(io)
+        if line = get_line(io)
+          while /[^\\]\\\z/ =~ line
+            if extra = get_line(io)
+              line += extra
+            else
+              break
+            end
+          end
+          return line.strip
+        end
+      end
+
+      def get_line(io)
+        if line = io.gets
+          line.gsub(/[\r\n]*/, '')
+        end
+      end
+    end
+
+    def initialize(filename = nil)
+      @data = {}
+      if filename
+        File.open(filename.to_s) do |file|
+          Config.parse_config(file).each do |section, hash|
+            self[section] = hash
+          end
+        end
+      end
+    end
+
+    def get_value(section, key)
+      if section.nil?
+        raise TypeError.new('nil not allowed')
+      end
+      section = 'default' if section.empty?
+      get_key_string(section, key)
+    end
+
+    def value(arg1, arg2 = nil)
+      warn('Config#value is deprecated; use Config#get_value')
+      if arg2.nil?
+        section, key = 'default', arg1
+      else
+        section, key = arg1, arg2
+      end
+      section ||= 'default'
+      section = 'default' if section.empty?
+      get_key_string(section, key)
+    end
+
+    def add_value(section, key, value)
+      check_modify
+      (@data[section] ||= {})[key] = value
+    end
+
+    def [](section)
+      @data[section] || {}
+    end
+
+    def section(name)
+      warn('Config#section is deprecated; use Config#[]')
+      @data[name] || {}
+    end
+
+    def []=(section, pairs)
+      check_modify
+      @data[section] ||= {}
+      pairs.each do |key, value|
+        self.add_value(section, key, value)
+      end
+    end
+
+    def sections
+      @data.keys
+    end
+
+    def to_s
+      ary = []
+      @data.keys.sort.each do |section|
+        ary << "[ #{section} ]\n"
+        @data[section].keys.each do |key|
+          ary << "#{key}=#{@data[section][key]}\n"
+        end
+        ary << "\n"
+      end
+      ary.join
+    end
+
+    def each
+      @data.each do |section, hash|
+        hash.each do |key, value|
+          yield [section, key, value]
+        end
+      end
+    end
+
+    def inspect
+      "#<#{self.class.name} sections=#{sections.inspect}>"
+    end
+
+  protected
+
+    def data
+      @data
+    end
+
+  private
+
+    def initialize_copy(other)
+      @data = other.data.dup
+    end
+
+    def check_modify
+      raise TypeError.new("Insecure: can't modify OpenSSL config") if frozen?
+    end
+
+    def get_key_string(section, key)
+      Config.get_key_string(@data, section, key)
+    end
+  end
+end

data/lib/jopenssl22/openssl/digest.rb

@@ -0,0 +1,54 @@
+#--
+#
+# $RCSfile$
+#
+# = Ruby-space predefined Digest subclasses
+#
+# = Info
+# 'OpenSSL for Ruby 2' project
+# Copyright (C) 2002  Michal Rokos <m.rokos@sh.cvut.cz>
+# All rights reserved.
+#
+# = Licence
+# This program is licenced under the same licence as Ruby.
+# (See the file 'LICENCE'.)
+#
+# = Version
+# $Id$
+#
+#++
+
+module OpenSSL
+  class Digest
+    # Deprecated.
+    #
+    # This class is only provided for backwards compatibility.
+    class Digest < Digest # :nodoc:
+      # Deprecated.
+      #
+      # See OpenSSL::Digest.new
+      def initialize(*args)
+        warn('Digest::Digest is deprecated; use Digest')
+        super(*args)
+      end
+    end
+
+  end # Digest
+
+  # Returns a Digest subclass by +name+.
+  #
+  #   require 'openssl'
+  #
+  #   OpenSSL::Digest("MD5")
+  #   # => OpenSSL::Digest::MD5
+  #
+  #   Digest("Foo")
+  #   # => NameError: wrong constant name Foo
+
+  def Digest(name)
+    OpenSSL::Digest.const_get(name)
+  end
+
+  module_function :Digest
+
+end # OpenSSL

data/lib/jopenssl22/openssl/ssl.rb

@@ -0,0 +1,193 @@
+=begin
+= $RCSfile$ -- Ruby-space definitions that completes C-space funcs for SSL
+
+= Info
+  'OpenSSL for Ruby 2' project
+  Copyright (C) 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
+  All rights reserved.
+
+= Licence
+  This program is licenced under the same licence as Ruby.
+  (See the file 'LICENCE'.)
+
+= Version
+  $Id$
+=end
+
+require "openssl/buffering"
+require 'fcntl' # used by OpenSSL::SSL::Nonblock (if loaded)
+
+module OpenSSL
+  module SSL
+
+    # FIXME: Using the old non-ASN1 logic here because our ASN1 appears to
+    # return the wrong types for some decoded objects.
+    # @see https://github.com/jruby/jruby/issues/1102
+    # @private
+    def verify_certificate_identity(cert, hostname)
+      should_verify_common_name = true
+      cert.extensions.each { |ext|
+        next if ext.oid != "subjectAltName"
+        ext.value.split(/,\s+/).each { |general_name|
+          # MRI 1.9.3 (since we parse ASN.1 differently)
+          # when 2 # dNSName in GeneralName (RFC5280)
+          if /\ADNS:(.*)/ =~ general_name
+            should_verify_common_name = false
+            return true if verify_hostname(hostname, $1)
+          # MRI 1.9.3 (since we parse ASN.1 differently)
+          # when 7 # iPAddress in GeneralName (RFC5280)
+          elsif /\AIP(?: Address)?:(.*)/ =~ general_name
+            should_verify_common_name = false
+            return true if $1 == hostname
+            # NOTE: bellow logic makes little sense as we read exts differently
+            #value = $1 # follows GENERAL_NAME_print() in x509v3/v3_alt.c
+            #if value.size == 4
+            #  return true if value.unpack('C*').join('.') == hostname
+            #elsif value.size == 16
+            #  return true if value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
+            #end
+          end
+        }
+      }
+      if should_verify_common_name
+        cert.subject.to_a.each { |oid, value|
+          if oid == "CN"
+            return true if verify_hostname(hostname, value)
+          end
+        }
+      end
+      return false
+    end
+    module_function :verify_certificate_identity
+
+    def verify_hostname(hostname, san) # :nodoc:
+      # RFC 5280, IA5String is limited to the set of ASCII characters
+      return false unless san.ascii_only?
+      return false unless hostname.ascii_only?
+
+      # See RFC 6125, section 6.4.1
+      # Matching is case-insensitive.
+      san_parts = san.downcase.split(".")
+
+      # TODO: this behavior should probably be more strict
+      return san == hostname if san_parts.size < 2
+
+      # Matching is case-insensitive.
+      host_parts = hostname.downcase.split(".")
+
+      # RFC 6125, section 6.4.3, subitem 2.
+      # If the wildcard character is the only character of the left-most
+      # label in the presented identifier, the client SHOULD NOT compare
+      # against anything but the left-most label of the reference
+      # identifier (e.g., *.example.com would match foo.example.com but
+      # not bar.foo.example.com or example.com).
+      return false unless san_parts.size == host_parts.size
+
+      # RFC 6125, section 6.4.3, subitem 1.
+      # The client SHOULD NOT attempt to match a presented identifier in
+      # which the wildcard character comprises a label other than the
+      # left-most label (e.g., do not match bar.*.example.net).
+      return false unless verify_wildcard(host_parts.shift, san_parts.shift)
+
+      san_parts.join(".") == host_parts.join(".")
+    end
+    module_function :verify_hostname
+
+    def verify_wildcard(domain_component, san_component) # :nodoc:
+      parts = san_component.split("*", -1)
+
+      return false if parts.size > 2
+      return san_component == domain_component if parts.size == 1
+
+      # RFC 6125, section 6.4.3, subitem 3.
+      # The client SHOULD NOT attempt to match a presented identifier
+      # where the wildcard character is embedded within an A-label or
+      # U-label of an internationalized domain name.
+      return false if domain_component.start_with?("xn--") && san_component != "*"
+
+      parts[0].length + parts[1].length < domain_component.length &&
+      domain_component.start_with?(parts[0]) &&
+      domain_component.end_with?(parts[1])
+    end
+    module_function :verify_wildcard
+
+    class SSLSocket
+      include Buffering
+      include SocketForwarder
+      include Nonblock
+
+      ##
+      # Perform hostname verification after an SSL connection is established
+      #
+      # This method MUST be called after calling #connect to ensure that the
+      # hostname of a remote peer has been verified.
+      def post_connection_check(hostname)
+        unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
+          raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
+        end
+        return true
+      end
+
+    end
+
+    ##
+    # SSLServer represents a TCP/IP server socket with Secure Sockets Layer.
+    class SSLServer
+      include SocketForwarder
+      # When true then #accept works exactly the same as TCPServer#accept
+      attr_accessor :start_immediately
+
+      # Creates a new instance of SSLServer.
+      # * +srv+ is an instance of TCPServer.
+      # * +ctx+ is an instance of OpenSSL::SSL::SSLContext.
+      def initialize(svr, ctx)
+        @svr = svr
+        @ctx = ctx
+        unless ctx.session_id_context
+          # see #6137 - session id may not exceed 32 bytes
+          prng = ::Random.new($0.hash)
+          session_id = prng.bytes(16).unpack('H*')[0]
+          @ctx.session_id_context = session_id
+        end
+        @start_immediately = true
+      end
+
+      # Returns the TCPServer passed to the SSLServer when initialized.
+      def to_io
+        @svr
+      end
+
+      # See TCPServer#listen for details.
+      def listen(backlog=5)
+        @svr.listen(backlog)
+      end
+
+      # See BasicSocket#shutdown for details.
+      def shutdown(how=Socket::SHUT_RDWR)
+        @svr.shutdown(how)
+      end
+
+      # Works similar to TCPServer#accept.
+      def accept
+        # Socket#accept returns [socket, addrinfo].
+        # TCPServer#accept returns a socket.
+        # The following comma strips addrinfo.
+        sock, = @svr.accept
+        begin
+          ssl = OpenSSL::SSL::SSLSocket.new(sock, @ctx)
+          ssl.sync_close = true
+          ssl.accept if @start_immediately
+          ssl
+        rescue SSLError => ex
+          sock.close
+          raise ex
+        end
+      end
+
+      # See IO#close for details.
+      def close
+        @svr.close
+      end
+    end
+  end
+end