jruby-openssl 0.0.4 → 0.1

data/History.txt

@@ -0,0 +1,12 @@
+== 0.1
+
+- PLEASE NOTE: This release is not compatible with JRuby releases earlier than
+  1.0.3 or 1.1b2. If you must use JRuby 1.0.2 or earlier, please install the
+  0.6 release.
+- Release coincides with JRuby 1.0.3 and JRuby 1.1b2 releases
+- Simultaneous support for JRuby trunk and 1.0 branch
+- Start of support for OpenSSL::BN
+
+== 0.0.5 and prior
+
+- Initial versions with maintenance updates

data/License.txt

@@ -0,0 +1,30 @@
+JRuby-OpenSSL is distributed under the same license as JRuby (http://www.jruby.org/).
+
+Version: CPL 1.0/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Common Public
+License Version 1.0 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.eclipse.org/legal/cpl-v10.html
+
+Software distributed under the License is distributed on an "AS
+IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+implied. See the License for the specific language governing
+rights and limitations under the License.
+
+Copyright (C) 2007 Ola Bini <ola.bini@gmail.com>
+
+Alternatively, the contents of this file may be used under the terms of
+either of the GNU General Public License Version 2 or later (the "GPL"),
+or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the CPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the CPL, the GPL or the LGPL.
+
+JRuby-OpenSSL includes software by the Legion of the Bouncy Castle
+(http://bouncycastle.org/license.html).

data/README.txt

@@ -0,0 +1,18 @@
+JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library.
+
+JRuby offers *just enough* compatibility for most Ruby applications that use OpenSSL. 
+
+Libraries that appear to work fine:
+
+    Rails, Net::HTTPS
+
+Notable libraries that do *not* yet work include:
+
+    Net::SSH, Net::SFTP, etc.
+
+Please report bugs and incompatibilities (preferably with testcases) to either the JRuby 
+mailing list [1] or the JRuby bug tracker [2].
+
+[1]: http://xircles.codehaus.org/projects/jruby/lists
+
+[2]: http://jira.codehaus.org/browse/JRUBY

data/lib/jopenssl/version.rb

@@ -0,0 +1,5 @@
+module Jopenssl
+  module Version
+    VERSION = "0.1"
+  end
+end

data/lib/openssl/dummy.rb

@@ -0,0 +1,34 @@
+warn "Warning: OpenSSL ASN1/PKey/X509/Netscape/PKCS7 implementation unavailable"
+warn "You need to download or install BouncyCastle jars (bc-prov-*.jar, bc-mail-*.jar)"
+warn "to fix this."
+module OpenSSL
+  module ASN1
+    class ASN1Error < OpenSSLError; end
+    class ASN1Data; end
+    class Primitive; end
+    class Constructive; end
+  end
+  module PKey
+    class PKeyError < OpenSSLError; end
+    class PKey; def initialize(*args); end; end
+    class RSA < PKey; end
+    class DSA < PKey; end
+    class DH < PKey; end
+  end
+  module X509
+    class Name; end
+    class Certificate; end
+    class Extension; end
+    class CRL; end
+    class Revoked; end
+    class Store; end
+    class Request; end
+    class Attribute; end
+  end
+  module Netscape
+    class SPKI; end
+  end
+  module PKCS7
+    class PKCS7; end
+  end
+end

data/lib/openssl/dummyssl.rb

@@ -0,0 +1,13 @@
+warn "Warning: OpenSSL SSL implementation unavailable"
+warn "You must run on JDK 1.5 (Java 5) or higher to use SSL"
+module OpenSSL
+  module SSL
+    class SSLError < OpenSSLError; end
+    class SSLContext; end
+    class SSLSocket; end
+    VERIFY_NONE = 0
+    VERIFY_PEER = 1
+    VERIFY_FAIL_IF_NO_PEER_CERT = 2
+    VERIFY_CLIENT_ONCE = 4
+  end
+end

data/test/openssl/ssl_server.rb

@@ -0,0 +1,81 @@
+require "socket"
+require "thread"
+require "openssl"
+require File.join(File.dirname(__FILE__), "utils.rb")
+
+def get_pem(io=$stdin)
+  buf = ""
+  while line = io.gets
+    if /^-----BEGIN / =~ line
+      buf << line
+      break
+    end
+  end
+  while line = io.gets
+    buf << line
+    if /^-----END / =~ line
+      break
+    end
+  end
+  return buf
+end
+
+def make_key(pem)
+  begin
+    return OpenSSL::PKey::RSA.new(pem)
+  rescue
+    return OpenSSL::PKey::DSA.new(pem)
+  end
+end
+
+ca_cert  = OpenSSL::X509::Certificate.new(get_pem)
+ssl_cert = OpenSSL::X509::Certificate.new(get_pem)
+ssl_key  = make_key(get_pem)
+port = Integer(ARGV.shift)
+verify_mode = Integer(ARGV.shift)
+start_immediately = (/yes/ =~ ARGV.shift)
+
+store = OpenSSL::X509::Store.new
+store.add_cert(ca_cert)
+store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+ctx = OpenSSL::SSL::SSLContext.new
+ctx.cert_store = store
+#ctx.extra_chain_cert = [ ca_cert ]
+ctx.cert = ssl_cert
+ctx.key = ssl_key
+ctx.verify_mode = verify_mode
+
+Socket.do_not_reverse_lookup = true
+tcps = nil
+100.times{|i|
+  begin
+    tcps = TCPServer.new("0.0.0.0", port+i)
+    port = port + i
+    break
+  rescue Errno::EADDRINUSE
+    next 
+  end
+}
+ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
+ssls.start_immediately = start_immediately
+
+$stdout.sync = true
+$stdout.puts Process.pid
+$stdout.puts port
+
+loop do
+  ssl = ssls.accept rescue next
+  Thread.start{
+    q = Queue.new
+    th = Thread.start{ ssl.write(q.shift) while true }
+    while line = ssl.gets
+      if line =~ /^STARTTLS$/
+        ssl.accept
+        next
+      end
+      q.push(line)
+    end
+    th.kill if q.empty?
+    ssl.close
+  }
+end

data/test/openssl/test_asn1.rb

@@ -0,0 +1,199 @@
+begin
+  require "openssl"
+  require File.join(File.dirname(__FILE__), "utils.rb")
+rescue LoadError
+end
+require 'test/unit'
+
+class  OpenSSL::TestASN1 < Test::Unit::TestCase
+  def test_decode
+    subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA")
+    key = OpenSSL::TestUtils::TEST_KEY_RSA1024
+    now = Time.at(Time.now.to_i) # suppress usec
+#    now = Time.utc(2006,04,03,22,15,13)
+    s = 0xdeadbeafdeadbeafdeadbeafdeadbeaf
+    exts = [
+      ["basicConstraints","CA:TRUE,pathlen:1",true],
+      ["keyUsage","keyCertSign, cRLSign",true],
+      ["subjectKeyIdentifier","hash",false],
+    ]
+    dgst = OpenSSL::Digest::SHA1.new
+    cert = OpenSSL::TestUtils.issue_cert(
+      subj, key, s, now, now+3600, exts, nil, nil, dgst)
+
+    asn1 = OpenSSL::ASN1.decode(cert)
+    assert_equal(OpenSSL::ASN1::Sequence, asn1.class)
+    assert_equal(3, asn1.value.size)
+    tbs_cert, sig_alg, sig_val = *asn1.value
+
+    assert_equal(OpenSSL::ASN1::Sequence, tbs_cert.class)
+    assert_equal(8, tbs_cert.value.size)
+
+    version = tbs_cert.value[0]
+    assert_equal(:CONTEXT_SPECIFIC, version.tag_class)
+    assert_equal(0, version.tag)
+
+    assert_equal(1, version.value.size)
+    assert_equal(OpenSSL::ASN1::Integer, version.value[0].class)
+    assert_equal(2, version.value[0].value)
+
+    serial = tbs_cert.value[1]
+    assert_equal(OpenSSL::ASN1::Integer, serial.class)
+    assert_equal(0xdeadbeafdeadbeafdeadbeafdeadbeaf, serial.value)
+
+    sig = tbs_cert.value[2]
+    assert_equal(OpenSSL::ASN1::Sequence, sig.class)
+    assert_equal(2, sig.value.size)
+    assert_equal(OpenSSL::ASN1::ObjectId, sig.value[0].class)
+    assert_equal("1.2.840.113549.1.1.5", sig.value[0].oid)
+    assert_equal(OpenSSL::ASN1::Null, sig.value[1].class)
+
+    dn = tbs_cert.value[3] # issuer
+    assert_equal(subj.hash, OpenSSL::X509::Name.new(dn).hash)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.class)
+    assert_equal(3, dn.value.size)
+    assert_equal(OpenSSL::ASN1::Set, dn.value[0].class)
+    assert_equal(OpenSSL::ASN1::Set, dn.value[1].class)
+    assert_equal(OpenSSL::ASN1::Set, dn.value[2].class)
+    assert_equal(1, dn.value[0].value.size)
+    assert_equal(1, dn.value[1].value.size)
+    assert_equal(1, dn.value[2].value.size)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.value[0].value[0].class)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.value[1].value[0].class)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.value[2].value[0].class)
+    assert_equal(2, dn.value[0].value[0].value.size)
+    assert_equal(2, dn.value[1].value[0].value.size)
+    assert_equal(2, dn.value[2].value[0].value.size)
+    oid, value = *dn.value[0].value[0].value
+    assert_equal(OpenSSL::ASN1::ObjectId, oid.class)
+    assert_equal("0.9.2342.19200300.100.1.25", oid.oid)
+    assert_equal(OpenSSL::ASN1::IA5String, value.class)
+    assert_equal("org", value.value)
+    oid, value = *dn.value[1].value[0].value
+    assert_equal(OpenSSL::ASN1::ObjectId, oid.class)
+    assert_equal("0.9.2342.19200300.100.1.25", oid.oid)
+    assert_equal(OpenSSL::ASN1::IA5String, value.class)
+    assert_equal("ruby-lang", value.value)
+    oid, value = *dn.value[2].value[0].value
+    assert_equal(OpenSSL::ASN1::ObjectId, oid.class)
+    assert_equal("2.5.4.3", oid.oid)
+    assert_equal(OpenSSL::ASN1::UTF8String, value.class)
+    assert_equal("TestCA", value.value)
+
+    validity = tbs_cert.value[4]
+    assert_equal(OpenSSL::ASN1::Sequence, validity.class)
+    assert_equal(2, validity.value.size)
+    assert_equal(OpenSSL::ASN1::UTCTime, validity.value[0].class)
+    assert_equal(now, validity.value[0].value)
+    assert_equal(OpenSSL::ASN1::UTCTime, validity.value[1].class)
+    assert_equal(now+3600, validity.value[1].value)
+
+    dn = tbs_cert.value[5] # subject
+    assert_equal(subj.hash, OpenSSL::X509::Name.new(dn).hash)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.class)
+    assert_equal(3, dn.value.size)
+    assert_equal(OpenSSL::ASN1::Set, dn.value[0].class)
+    assert_equal(OpenSSL::ASN1::Set, dn.value[1].class)
+    assert_equal(OpenSSL::ASN1::Set, dn.value[2].class)
+    assert_equal(1, dn.value[0].value.size)
+    assert_equal(1, dn.value[1].value.size)
+    assert_equal(1, dn.value[2].value.size)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.value[0].value[0].class)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.value[1].value[0].class)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.value[2].value[0].class)
+    assert_equal(2, dn.value[0].value[0].value.size)
+    assert_equal(2, dn.value[1].value[0].value.size)
+    assert_equal(2, dn.value[2].value[0].value.size)
+    oid, value = *dn.value[0].value[0].value
+    assert_equal(OpenSSL::ASN1::ObjectId, oid.class)
+    assert_equal("0.9.2342.19200300.100.1.25", oid.oid)
+    assert_equal(OpenSSL::ASN1::IA5String, value.class)
+    assert_equal("org", value.value)
+    oid, value = *dn.value[1].value[0].value
+    assert_equal(OpenSSL::ASN1::ObjectId, oid.class)
+    assert_equal("0.9.2342.19200300.100.1.25", oid.oid)
+    assert_equal(OpenSSL::ASN1::IA5String, value.class)
+    assert_equal("ruby-lang", value.value)
+    oid, value = *dn.value[2].value[0].value
+    assert_equal(OpenSSL::ASN1::ObjectId, oid.class)
+    assert_equal("2.5.4.3", oid.oid)
+    assert_equal(OpenSSL::ASN1::UTF8String, value.class)
+    assert_equal("TestCA", value.value)
+
+    pkey = tbs_cert.value[6]
+    assert_equal(OpenSSL::ASN1::Sequence, pkey.class)
+    assert_equal(2, pkey.value.size)
+    assert_equal(OpenSSL::ASN1::Sequence, pkey.value[0].class)
+    assert_equal(2, pkey.value[0].value.size)
+    assert_equal(OpenSSL::ASN1::ObjectId, pkey.value[0].value[0].class)
+    assert_equal("1.2.840.113549.1.1.1", pkey.value[0].value[0].oid)
+    assert_equal(OpenSSL::ASN1::BitString, pkey.value[1].class)
+    assert_equal(0, pkey.value[1].unused_bits)
+    spkey = OpenSSL::ASN1.decode(pkey.value[1].value)
+    assert_equal(OpenSSL::ASN1::Sequence, spkey.class)
+    assert_equal(2, spkey.value.size)
+    assert_equal(OpenSSL::ASN1::Integer, spkey.value[0].class)
+    assert_equal(143085709396403084580358323862163416700436550432664688288860593156058579474547937626086626045206357324274536445865308750491138538454154232826011964045825759324933943290377903384882276841880081931690695505836279972214003660451338124170055999155993192881685495391496854691199517389593073052473319331505702779271, spkey.value[0].value)
+    assert_equal(OpenSSL::ASN1::Integer, spkey.value[1].class)
+    assert_equal(65537, spkey.value[1].value)
+
+    extensions = tbs_cert.value[7]
+    assert_equal(:CONTEXT_SPECIFIC, extensions.tag_class)
+    assert_equal(3, extensions.tag)
+    assert_equal(1, extensions.value.size)
+    assert_equal(OpenSSL::ASN1::Sequence, extensions.value[0].class)
+    assert_equal(3, extensions.value[0].value.size)
+
+    ext = extensions.value[0].value[0]  # basicConstraints
+    assert_equal(OpenSSL::ASN1::Sequence, ext.class)
+    assert_equal(3, ext.value.size)
+    assert_equal(OpenSSL::ASN1::ObjectId, ext.value[0].class)
+    assert_equal("2.5.29.19",  ext.value[0].oid)
+    assert_equal(OpenSSL::ASN1::Boolean, ext.value[1].class)
+    assert_equal(true, ext.value[1].value)
+    assert_equal(OpenSSL::ASN1::OctetString, ext.value[2].class)
+    extv = OpenSSL::ASN1.decode(ext.value[2].value)
+    assert_equal(OpenSSL::ASN1::Sequence, extv.class)
+    assert_equal(2, extv.value.size)
+    assert_equal(OpenSSL::ASN1::Boolean, extv.value[0].class)
+    assert_equal(true, extv.value[0].value)
+    assert_equal(OpenSSL::ASN1::Integer, extv.value[1].class)
+    assert_equal(1, extv.value[1].value)
+
+    ext = extensions.value[0].value[1]  # keyUsage
+    assert_equal(OpenSSL::ASN1::Sequence, ext.class)
+    assert_equal(3, ext.value.size)
+    assert_equal(OpenSSL::ASN1::ObjectId, ext.value[0].class)
+    assert_equal("2.5.29.15",  ext.value[0].oid)
+    assert_equal(OpenSSL::ASN1::Boolean, ext.value[1].class)
+    assert_equal(true, ext.value[1].value)
+    assert_equal(OpenSSL::ASN1::OctetString, ext.value[2].class)
+    extv = OpenSSL::ASN1.decode(ext.value[2].value)
+    assert_equal(OpenSSL::ASN1::BitString, extv.class)
+    str = "\000"; str[0] = 0b00000110
+    assert_equal(str, extv.value)
+
+    ext = extensions.value[0].value[2]  # subjetKeyIdentifier
+    assert_equal(OpenSSL::ASN1::Sequence, ext.class)
+    assert_equal(2, ext.value.size)
+    assert_equal(OpenSSL::ASN1::ObjectId, ext.value[0].class)
+    assert_equal("2.5.29.14",  ext.value[0].oid)
+    assert_equal(OpenSSL::ASN1::OctetString, ext.value[1].class)
+    extv = OpenSSL::ASN1.decode(ext.value[1].value)
+    assert_equal(OpenSSL::ASN1::OctetString, extv.class)
+    sha1 = OpenSSL::Digest::SHA1.new
+    sha1.update(pkey.value[1].value)
+    assert_equal(sha1.digest, extv.value)
+
+    assert_equal(OpenSSL::ASN1::Sequence, sig_alg.class)
+    assert_equal(2, sig_alg.value.size)
+    assert_equal(OpenSSL::ASN1::ObjectId, pkey.value[0].value[0].class)
+    assert_equal("1.2.840.113549.1.1.1", pkey.value[0].value[0].oid)
+    assert_equal(OpenSSL::ASN1::Null, pkey.value[0].value[1].class)
+
+    assert_equal(OpenSSL::ASN1::BitString, sig_val.class)
+
+    cululated_sig = key.sign(OpenSSL::Digest::SHA1.new, tbs_cert.to_der)
+    assert_equal(cululated_sig, sig_val.value)
+  end
+end if defined?(OpenSSL)

data/test/openssl/test_cipher.rb

@@ -0,0 +1,151 @@
+begin
+  require "openssl"
+rescue LoadError
+end
+require "test/unit"
+
+if defined?(OpenSSL)
+
+class OpenSSL::TestCipher < Test::Unit::TestCase
+  def setup
+    @c1 = OpenSSL::Cipher::Cipher.new("DES-EDE3-CBC")
+    @c2 = OpenSSL::Cipher::DES.new(:EDE3, "CBC")
+    @key = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
+    @iv = "\0\0\0\0\0\0\0\0"
+    @hexkey = "0000000000000000000000000000000000000000000000"
+    @hexiv = "0000000000000000"
+    @data = "DATA"
+  end
+
+  def teardown
+    @c1 = @c2 = nil
+  end
+
+  def test_crypt
+    @c1.encrypt.pkcs5_keyivgen(@key, @iv)
+    @c2.encrypt.pkcs5_keyivgen(@key, @iv)
+    s1 = @c1.update(@data) + @c1.final
+    s2 = @c2.update(@data) + @c2.final
+    assert_equal(s1, s2, "encrypt")
+
+    @c1.decrypt.pkcs5_keyivgen(@key, @iv)
+    @c2.decrypt.pkcs5_keyivgen(@key, @iv)
+    assert_equal(@data, @c1.update(s1)+@c1.final, "decrypt")
+    assert_equal(@data, @c2.update(s2)+@c2.final, "decrypt")
+  end
+
+  def test_info
+    assert_equal("DES-EDE3-CBC", @c1.name, "name")
+    assert_equal("DES-EDE3-CBC", @c2.name, "name")
+    assert_kind_of(Fixnum, @c1.key_len, "key_len")
+    assert_kind_of(Fixnum, @c1.iv_len, "iv_len")
+  end
+
+  def test_dup
+    assert_equal(@c1.name, @c1.dup.name, "dup")
+    assert_equal(@c1.name, @c1.clone.name, "clone")
+    @c1.encrypt
+    @c1.key = @key
+    @c1.iv = @iv
+    tmpc = @c1.dup
+    s1 = @c1.update(@data) + @c1.final
+    s2 = tmpc.update(@data) + tmpc.final
+    assert_equal(s1, s2, "encrypt dup")
+  end
+
+  def test_reset
+    @c1.encrypt
+    @c1.key = @key
+    @c1.iv = @iv
+    s1 = @c1.update(@data) + @c1.final
+    @c1.reset
+    s2 = @c1.update(@data) + @c1.final
+    assert_equal(s1, s2, "encrypt reset")
+  end
+
+  def test_empty_data
+    @c1.encrypt
+    assert_raises(ArgumentError){ @c1.update("") }
+  end
+
+  def test_disable_padding(padding=0)
+    # assume a padding size of 8
+    # encrypt the data with padding
+    @c1.encrypt
+    @c1.key = @key
+    @c1.iv = @iv
+    encrypted_data = @c1.update(@data) + @c1.final
+    assert_equal(8, encrypted_data.size)
+    # decrypt with padding disabled
+    @c1.decrypt
+    @c1.padding = padding
+    decrypted_data = @c1.update(encrypted_data) + @c1.final
+    # check that the result contains the padding
+    assert_equal(8, decrypted_data.size)
+    assert_equal(@data, decrypted_data[0...@data.size])
+  end
+
+  if PLATFORM =~ /java/
+    # JRuby extension - using Java padding types
+    
+    def test_disable_padding_javastyle
+      test_disable_padding('NoPadding')
+    end
+  
+    def test_iso10126_padding
+      @c1.encrypt
+      @c1.key = @key
+      @c1.iv = @iv
+      @c1.padding = 'ISO10126Padding'
+      encrypted_data = @c1.update(@data) + @c1.final
+      # decrypt with padding disabled to see the padding
+      @c1.decrypt
+      @c1.padding = 0
+      decrypted_data = @c1.update(encrypted_data) + @c1.final
+      assert_equal(@data, decrypted_data[0...@data.size])
+      # last byte should be the amount of padding
+      assert_equal(4, decrypted_data[-1])
+    end
+
+    def test_iso10126_padding_boundry
+      @data = 'HELODATA' # 8 bytes, same as padding size
+      @c1.encrypt
+      @c1.key = @key
+      @c1.iv = @iv
+      @c1.padding = 'ISO10126Padding'
+      encrypted_data = @c1.update(@data) + @c1.final
+      # decrypt with padding disabled to see the padding
+      @c1.decrypt
+      @c1.padding = 0
+      decrypted_data = @c1.update(encrypted_data) + @c1.final
+      assert_equal(@data, decrypted_data[0...@data.size])
+      # padding should be one whole block
+      assert_equal(8, decrypted_data[-1])
+    end
+  end
+
+  if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00907000
+    def test_ciphers
+      OpenSSL::Cipher.ciphers.each{|name|
+        assert(OpenSSL::Cipher::Cipher.new(name).is_a?(OpenSSL::Cipher::Cipher))
+      }
+    end
+
+    def test_AES
+      pt = File.read(__FILE__)
+      %w(ECB CBC CFB OFB).each{|mode|
+        c1 = OpenSSL::Cipher::AES256.new(mode)
+        c1.encrypt
+        c1.pkcs5_keyivgen("passwd")
+        ct = c1.update(pt) + c1.final
+
+        c2 = OpenSSL::Cipher::AES256.new(mode)
+        c2.decrypt
+        c2.pkcs5_keyivgen("passwd")
+        assert_equal(pt, c2.update(ct) + c2.final)
+      }
+    end
+  end
+end
+
+end