jruby-openssl 0.6 → 0.7

data/History.txt

@@ -1,3 +1,48 @@
+== 0.7
+
+- Follow MRI 1.8.7 openssl API changes
+- Fixes so that jruby-openssl can run on appengine
+- Many bug and compatibility fixes, see below.
+- This is the last release that will be compatible with JRuby 1.4.x.
+- Compatibility issues
+-- JRUBY-4342: Follow ruby-openssl of CRuby 1.8.7.
+-- JRUBY-4346: Sync tests with tests for ruby-openssl of CRuby 1.8.7.
+-- JRUBY-4444: OpenSSL crash running RubyGems tests
+-- JRUBY-4075: Net::SSH gives OpenSSL::Cipher::CipherError "No message available"
+-- JRUBY-4076: Net::SSH padding error using 3des-cbc on Solaris
+-- JRUBY-4541: jruby-openssl doesn't load on App Engine.
+-- JRUBY-4077: Net::SSH "all authorization methods failed" Solaris -> Solaris
+-- JRUBY-4535: Issues with the BouncyCastle provider
+-- JRUBY-4510: JRuby-OpenSSL crashes when JCE fails a initialise bcprov
+-- JRUBY-4343: Update BouncyCastle jar to upstream version; jdk14-139 -> jdk15-144
+- Cipher issues
+-- JRUBY-4012: Initialization vector length handled differently than in MRI (longer IV sequence are trimmed to fit the required)
+-- JRUBY-4473: Implemented DSA key generation
+-- JRUBY-4472: Cipher does not support RC4 and CAST
+-- JRUBY-4577: InvalidParameterException 'Wrong keysize: must be equal to 112 or 168' for DES3 + SunJCE
+- SSL and X.509(PKIX) issues
+-- JRUBY-4384: TCP socket connection causes busy loop of SSL server
+-- JRUBY-4370: Implement SSLContext#ciphers
+-- JRUBY-4688: SSLContext#ciphers does not accept 'DEFAULT'
+-- JRUBY-4357: SSLContext#{setup,ssl_version=} are not implemented
+-- JRUBY-4397: SSLContext#extra_chain_cert and SSLContext#client_ca
+-- JRUBY-4684: SSLContext#verify_depth is ignored
+-- JRUBY-4398: SSLContext#options does not affect to SSL sessions
+-- JRUBY-4360: Implement SSLSocket#verify_result and dependents
+-- JRUBY-3829: SSLSocket#read should clear given buffer before concatenating (ByteBuffer.java:328:in `allocate': java.lang.IllegalArgumentException when returning SOAP queries over a certain size)
+-- JRUBY-4686: SSLSocket can drop last chunk of data just before inbound channel close
+-- JRUBY-4369: X509Store#verify_callback is not called
+-- JRUBY-4409: OpenSSL::X509::Store#add_file corrupts when it includes certificates which have the same subject (problem with ruby-openid-apps-discovery (github jruby-openssl issue #2))
+-- JRUBY-4333: PKCS#8 formatted privkey read
+-- JRUBY-4454: Loading Key file as a Certificate causes NPE
+-- JRUBY-4455: calling X509::Certificate#sign for the Certificate initialized from PEM causes IllegalStateException
+- PKCS#7 issues
+-- JRUBY-4379: PKCS7#sign failed for DES3 cipher algorithm
+-- JRUBY-4428: Allow to use DES-EDE3-CBC in PKCS#7 w/o the Policy Files (rake test doesn't finish on JDK5 w/o policy files update)
+-  Misc
+-- JRUBY-4574: jruby-openssl deprecation warning cleanup
+-- JRUBY-4591: jruby-1.4 support
+
 == 0.6
 
 - This is a recommended upgrade to jruby-openssl. A security problem

data/Manifest.txt

@@ -4,8 +4,8 @@ Manifest.txt
 README.txt
 License.txt
 lib/jopenssl.jar
-lib/bcmail-jdk14-139.jar
-lib/bcprov-jdk14-139.jar
+lib/bcmail-jdk15-144.jar
+lib/bcprov-jdk15-144.jar
 lib/jopenssl
 lib/jopenssl.jar
 lib/openssl
@@ -17,36 +17,35 @@ lib/openssl/cipher.rb
 lib/openssl/digest.rb
 lib/openssl/dummy.rb
 lib/openssl/dummyssl.rb
+lib/openssl/pkcs7.rb
 lib/openssl/ssl.rb
 lib/openssl/x509.rb
 test/cert_with_ec_pk.cer
 test/fixture
+test/java
 test/openssl
-test/pkcs7_mime_enveloped.message
-test/pkcs7_mime_signed.message
-test/pkcs7_multipart_signed.message
 test/ref
+test/test_all.rb
+test/test_certificate.rb
 test/test_cipher.rb
 test/test_integration.rb
 test/test_java.rb
-test/test_java_attribute.rb
-test/test_java_bio.rb
-test/test_java_mime.rb
-test/test_java_pkcs7.rb
-test/test_java_smime.rb
 test/test_openssl.rb
-test/test_openssl_x509.rb
 test/test_parse_certificate.rb
+test/test_pkcs7.rb
 test/test_pkey.rb
 test/test_x509store.rb
 test/ut_eof.rb
+test/fixture/ca-bundle.crt
 test/fixture/ca_path
 test/fixture/cacert.pem
 test/fixture/cert_localhost.pem
 test/fixture/common.pem
+test/fixture/keypair.pem
 test/fixture/localhost_keypair.pem
 test/fixture/max.pem
 test/fixture/purpose
+test/fixture/selfcert.pem
 test/fixture/verisign.pem
 test/fixture/verisign_c3.pem
 test/fixture/ca_path/72fa7371.0
@@ -77,10 +76,19 @@ test/fixture/purpose/sslclient/sslclient.pem
 test/fixture/purpose/sslserver/csr.pem
 test/fixture/purpose/sslserver/keypair.pem
 test/fixture/purpose/sslserver/sslserver.pem
+test/java/pkcs7_mime_enveloped.message
+test/java/pkcs7_mime_signed.message
+test/java/pkcs7_multipart_signed.message
+test/java/test_java_attribute.rb
+test/java/test_java_bio.rb
+test/java/test_java_mime.rb
+test/java/test_java_pkcs7.rb
+test/java/test_java_smime.rb
 test/openssl/ssl_server.rb
 test/openssl/test_asn1.rb
 test/openssl/test_cipher.rb
 test/openssl/test_digest.rb
+test/openssl/test_ec.rb
 test/openssl/test_hmac.rb
 test/openssl/test_ns_spki.rb
 test/openssl/test_pair.rb

data/README.txt

@@ -6,19 +6,8 @@
 
 JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library.
 
-JRuby offers *just enough* compatibility for most Ruby applications that use OpenSSL. 
-
-Libraries that appear to work fine:
-
-    Rails, Net::HTTPS
-
-Notable libraries that do *not* yet work include:
-
-    Net::SSH, Net::SFTP, etc.
-
 Please report bugs and incompatibilities (preferably with testcases) to either the JRuby 
 mailing list [1] or the JRuby bug tracker [2].
 
 [1]: http://xircles.codehaus.org/projects/jruby/lists
-
-[2]: http://jira.codehaus.org/browse/JRUBY
+[2]: http://jira.codehaus.org/browse/JRUBY

data/Rakefile

@@ -18,7 +18,7 @@ def java_classpath_arg # myriad of ways to discover JRuby classpath
       FileList["#{ENV['JRUBY_HOME']}/lib/*.jar"].join(File::PATH_SEPARATOR)
   end
   bc_jars = BC_JARS.join(File::PATH_SEPARATOR)
-  jruby_cpath ? "-cp #{jruby_cpath}#{File::PATH_SEPARATOR}#{bc_jars}" : "-cp #{bc_jars}"
+  jruby_cpath ? "-cp \"#{jruby_cpath.gsub('\\', '/')}#{File::PATH_SEPARATOR}#{bc_jars}\"" : "-cp \"#{bc_jars}\""
 end
 
 desc "Compile the native Java code."
@@ -53,7 +53,8 @@ File.open("Manifest.txt", "w") {|f| MANIFEST.each {|n| f.puts n } }
 require File.dirname(__FILE__) + "/lib/jopenssl/version"
 begin
   require 'hoe'
-  Hoe.spec("jruby-openssl") do |p|
+  Hoe.plugin :gemcutter
+  hoe = Hoe.spec("jruby-openssl") do |p|
     p.version = Jopenssl::Version::VERSION
     p.rubyforge_name = "jruby-extras"
     p.url = "http://jruby-extras.rubyforge.org/jruby-openssl"
@@ -61,9 +62,15 @@ begin
     p.email = "ola.bini@gmail.com"
     p.summary = "OpenSSL add-on for JRuby"
     p.changes = p.paragraphs_of('History.txt', 0..1).join("\n\n")
-    p.description = p.paragraphs_of('README.txt', 0...1).join("\n\n")
-    p.test_globs = ENV["TEST"] || ["test/test_*.rb"]
-  end.spec.dependencies.delete_if { |dep| dep.name == "hoe" }
+    p.description = p.paragraphs_of('README.txt', 3...4).join("\n\n")
+    p.test_globs = ENV["TEST"] || ["test/test_all.rb"]
+  end
+  hoe.spec.dependencies.delete_if { |dep| dep.name == "hoe" }
+
+  task :gemspec do
+    File.open("#{hoe.name}.gemspec", "w") {|f| f << hoe.spec.to_ruby }
+  end
+  task :package => :gemspec
 rescue LoadError
   puts "You really need Hoe installed to be able to package this gem"
 rescue => e

data/lib/jopenssl/version.rb

@@ -1,5 +1,5 @@
 module Jopenssl
   module Version
-    VERSION = "0.6"
+    VERSION = "0.7"
   end
 end

data/lib/openssl/bn.rb

@@ -1,5 +1,5 @@
 =begin
-= $RCSfile: bn.rb,v $ -- Ruby-space definitions that completes C-space funcs for BN
+= $RCSfile$ -- Ruby-space definitions that completes C-space funcs for BN
 
 = Info
   'OpenSSL for Ruby 2' project
@@ -11,10 +11,12 @@
   (See the file 'LICENCE'.)
 
 = Version
-  $Id: bn.rb,v 1.1 2003/07/23 16:11:30 gotoyuzo Exp $
+  $Id: bn.rb 11708 2007-02-12 23:01:19Z shyouhei $
 =end
 
-require 'openssl'
+##
+# Should we care what if somebody require this file directly?
+#require 'openssl'
 
 module OpenSSL
   class BN

data/lib/openssl/buffering.rb

@@ -1,5 +1,5 @@
 =begin
-= $RCSfile: buffering.rb,v $ -- Buffering mix-in module.
+= $RCSfile$ -- Buffering mix-in module.
 
 = Info
   'OpenSSL for Ruby 2' project
@@ -11,7 +11,7 @@
   (See the file 'LICENCE'.)
 
 = Version
-  $Id: buffering.rb,v 1.5.2.4 2005/09/04 22:03:24 gotoyuzo Exp $
+  $Id: buffering.rb 13706 2007-10-15 08:29:08Z usa $
 =end
 
 module Buffering

data/lib/openssl/cipher.rb

@@ -1,5 +1,5 @@
 =begin
-= $RCSfile: cipher.rb,v $ -- Ruby-space predefined Cipher subclasses
+= $RCSfile$ -- Ruby-space predefined Cipher subclasses
 
 = Info
   'OpenSSL for Ruby 2' project
@@ -11,27 +11,15 @@
   (See the file 'LICENCE'.)
 
 = Version
-  $Id: cipher.rb,v 1.1.2.2 2006/06/20 11:18:15 gotoyuzo Exp $
+  $Id: cipher.rb 12496 2007-06-08 15:02:04Z technorama $
 =end
 
-require 'openssl'
+##
+# Should we care what if somebody require this file directly?
+#require 'openssl'
 
 module OpenSSL
-  module Cipher
-    class Cipher
-      def random_key
-        str = OpenSSL::Random.random_bytes(self.key_len)
-        self.key = str
-        return str
-      end
-
-      def random_iv
-        str = OpenSSL::Random.random_bytes(self.iv_len)
-        self.iv = str
-        return str
-      end
-    end
-    
+  class Cipher
     %w(AES CAST5 BF DES IDEA RC2 RC4 RC5).each{|name|
       klass = Class.new(Cipher){
         define_method(:initialize){|*args|
@@ -52,5 +40,26 @@ module OpenSSL
       }
       const_set("AES#{keylen}", klass)
     }
+
+    # Generate, set, and return a random key.
+    # You must call cipher.encrypt or cipher.decrypt before calling this method.
+    def random_key
+      str = OpenSSL::Random.random_bytes(self.key_len)
+      self.key = str
+      return str
+    end
+
+    # Generate, set, and return a random iv.
+    # You must call cipher.encrypt or cipher.decrypt before calling this method.
+    def random_iv
+      str = OpenSSL::Random.random_bytes(self.iv_len)
+      self.iv = str
+      return str
+    end
+
+    # This class is only provided for backwards compatibility.  Use OpenSSL::Digest in the future.
+    class Cipher < Cipher
+      # add warning
+    end
   end # Cipher
 end # OpenSSL

data/lib/openssl/digest.rb

@@ -1,5 +1,5 @@
 =begin
-= $RCSfile: digest.rb,v $ -- Ruby-space predefined Digest subclasses
+= $RCSfile$ -- Ruby-space predefined Digest subclasses
 
 = Info
   'OpenSSL for Ruby 2' project
@@ -11,18 +11,25 @@
   (See the file 'LICENCE'.)
 
 = Version
-  $Id: digest.rb,v 1.1.2.2 2006/06/20 11:18:15 gotoyuzo Exp $
+  $Id: digest.rb 15600 2008-02-25 08:48:57Z technorama $
 =end
 
-require 'openssl'
+##
+# Should we care what if somebody require this file directly?
+#require 'openssl'
 
 module OpenSSL
-  module Digest
+  class Digest
 
     alg = %w(DSS DSS1 MD2 MD4 MD5 MDC2 RIPEMD160 SHA SHA1)
     if OPENSSL_VERSION_NUMBER > 0x00908000
       alg += %w(SHA224 SHA256 SHA384 SHA512)
     end
+
+    def self.digest(name, data)
+        super(data, name)
+    end
+
     alg.each{|name|
       klass = Class.new(Digest){
         define_method(:initialize){|*data|
@@ -41,6 +48,14 @@ module OpenSSL
       const_set(name, klass)
     }
 
+    # This class is only provided for backwards compatibility.  Use OpenSSL::Digest in the future.
+    class Digest < Digest
+      def initialize(*args)
+        # add warning
+        super(*args)
+      end
+    end
+
   end # Digest
 end # OpenSSL
 

data/lib/openssl/dummy.rb

@@ -8,27 +8,27 @@ module OpenSSL
     class Primitive; end
     class Constructive; end
   end
-  module PKey
-    class PKeyError < OpenSSLError; end
-    class PKey; def initialize(*args); end; end
-    class RSA < PKey; end
-    class DSA < PKey; end
-    class DH < PKey; end
-  end
   module X509
     class Name; end
     class Certificate; end
     class Extension; end
     class CRL; end
     class Revoked; end
-    class Store; end
+    class Store
+      def set_default_paths; end
+    end
     class Request; end
     class Attribute; end
   end
   module Netscape
     class SPKI; end
   end
-  module PKCS7
-    class PKCS7; end
+  class PKCS7
+    # this definition causes TypeError "superclass mismatch for class PKCS7"
+    # MRI also crashes following definition;
+    #   class Foo; class Foo < Foo; end; end
+    #   class Foo; class Foo < Foo; end; end
+    #
+    # class PKCS7 < PKCS7; end
   end
-end
+end

data/lib/openssl/dummyssl.rb

@@ -9,5 +9,6 @@ module OpenSSL
     VERIFY_PEER = 1
     VERIFY_FAIL_IF_NO_PEER_CERT = 2
     VERIFY_CLIENT_ONCE = 4
+    OP_ALL = 0x00000FFF
   end
-end
+end

data/lib/openssl/pkcs7.rb

@@ -0,0 +1,25 @@
+=begin
+= $RCSfile$ -- PKCS7
+
+= Licence
+  This program is licenced under the same licence as Ruby.
+  (See the file 'LICENCE'.)
+
+= Version
+  $Id: digest.rb 12148 2007-04-05 05:59:22Z technorama $
+=end
+
+module OpenSSL
+  class PKCS7
+    # This class is only provided for backwards compatibility.  Use OpenSSL::PKCS7 in the future.
+    class PKCS7 < PKCS7
+      def initialize(*args)
+        super(*args)
+
+        warn("Warning: OpenSSL::PKCS7::PKCS7 is deprecated after Ruby 1.9; use OpenSSL::PKCS7 instead")
+      end
+    end
+
+  end # PKCS7
+end # OpenSSL
+

data/lib/openssl/ssl.rb

@@ -1,5 +1,5 @@
 =begin
-= $RCSfile: ssl.rb,v $ -- Ruby-space definitions that completes C-space funcs for SSL
+= $RCSfile$ -- Ruby-space definitions that completes C-space funcs for SSL
 
 = Info
   'OpenSSL for Ruby 2' project
@@ -11,7 +11,7 @@
   (See the file 'LICENCE'.)
 
 = Version
-  $Id: ssl.rb,v 1.5.2.6 2006/05/23 18:14:05 gotoyuzo Exp $
+  $Id: ssl.rb 16193 2008-04-25 06:51:21Z knu $
 =end
 
 require "openssl"
@@ -20,6 +20,33 @@ require "fcntl"
 
 module OpenSSL
   module SSL
+    class SSLContext
+      DEFAULT_PARAMS = {
+        :ssl_version => "SSLv23",
+        :verify_mode => OpenSSL::SSL::VERIFY_PEER,
+        :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
+        :options => OpenSSL::SSL::OP_ALL,
+      }
+
+      DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
+      DEFAULT_CERT_STORE.set_default_paths
+      if defined?(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL)
+        DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+      end
+
+      def set_params(params={})
+        params = DEFAULT_PARAMS.merge(params)
+        self.ssl_version = params.delete(:ssl_version)
+        params.each{|name, value| self.__send__("#{name}=", value) }
+        if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
+          unless self.ca_file or self.ca_path or self.cert_store
+            self.cert_store = DEFAULT_CERT_STORE
+          end
+        end
+        return params
+      end
+    end
+
     module SocketForwarder
       def addr
         to_io.addr
@@ -53,42 +80,55 @@ module OpenSSL
     module Nonblock
       def initialize(*args)
         flag = File::NONBLOCK
-        flag |= @io.fcntl(Fcntl::F_GETFL, nil) if defined?(Fcntl::F_GETFL)
+        flag |= @io.fcntl(Fcntl::F_GETFL) if defined?(Fcntl::F_GETFL)
         @io.fcntl(Fcntl::F_SETFL, flag)
         super
       end
     end
 
+    def verify_certificate_identity(cert, hostname)
+      should_verify_common_name = true
+      cert.extensions.each{|ext|
+        next if ext.oid != "subjectAltName"
+        ext.value.split(/,\s+/).each{|general_name|
+          if /\ADNS:(.*)/ =~ general_name
+            should_verify_common_name = false
+            reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
+            return true if /\A#{reg}\z/i =~ hostname
+          elsif /\AIP Address:(.*)/ =~ general_name
+            should_verify_common_name = false
+            return true if $1 == hostname
+          end
+        }
+      }
+      if should_verify_common_name
+        cert.subject.to_a.each{|oid, value|
+          if oid == "CN"
+            reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
+            return true if /\A#{reg}\z/i =~ hostname
+          end
+        }
+      end
+      return false
+    end
+    module_function :verify_certificate_identity
+
     class SSLSocket
       include Buffering
       include SocketForwarder
       include Nonblock
 
       def post_connection_check(hostname)
-        check_common_name = true
-        cert = peer_cert
-        cert.extensions.each{|ext|
-          next if ext.oid != "subjectAltName"
-          ext.value.split(/,\s+/).each{|general_name|
-            if /\ADNS:(.*)/ =~ general_name
-              check_common_name = false
-              reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
-              return true if /\A#{reg}\z/i =~ hostname
-            elsif /\AIP Address:(.*)/ =~ general_name
-              check_common_name = false
-              return true if $1 == hostname
-            end
-          }
-        }
-        if check_common_name
-          cert.subject.to_a.each{|oid, value|
-            if oid == "CN"
-              reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
-              return true if /\A#{reg}\z/i =~ hostname
-            end
-          }
+        unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
+          raise SSLError, "hostname was not match with the server certificate"
         end
-        raise SSLError, "hostname not match"
+        return true
+      end
+
+      def session
+        SSL::Session.new(self)
+      rescue SSL::Session::SessionError
+        nil
       end
     end
 
@@ -114,6 +154,10 @@ module OpenSSL
         @svr.listen(backlog)
       end
 
+      def shutdown(how=Socket::SHUT_RDWR)
+        @svr.shutdown(how)
+      end
+
       def accept
         sock = @svr.accept
         begin

data/lib/openssl/x509.rb

@@ -1,5 +1,5 @@
 =begin
-= $RCSfile: x509.rb,v $ -- Ruby-space definitions that completes C-space funcs for X509 and subclasses
+= $RCSfile$ -- Ruby-space definitions that completes C-space funcs for X509 and subclasses
 
 = Info
   'OpenSSL for Ruby 2' project
@@ -11,7 +11,7 @@
   (See the file 'LICENCE'.)
 
 = Version
-  $Id: x509.rb,v 1.4.2.2 2004/12/19 08:28:33 gotoyuzo Exp $
+  $Id: x509.rb 11708 2007-02-12 23:01:19Z shyouhei $
 =end
 
 require "openssl"

data/lib/openssl.rb

@@ -1,5 +1,5 @@
 =begin
-= $RCSfile: openssl.rb,v $ -- Loader for all OpenSSL C-space and Ruby-space definitions
+= $RCSfile$ -- Loader for all OpenSSL C-space and Ruby-space definitions
 
 = Info
   'OpenSSL for Ruby 2' project
@@ -11,14 +11,59 @@
   (See the file 'LICENCE'.)
 
 = Version
-  $Id: openssl.rb,v 1.1 2003/07/23 16:11:29 gotoyuzo Exp $
+  $Id: openssl.rb 12496 2007-06-08 15:02:04Z technorama $
 =end
 
+# TODO: remove this chunk after 1.4 support is dropped
+require 'digest'
+unless defined?(::Digest::Class)
+  # restricted support for jruby <= 1.4 (1.8.6 Digest compat)
+  module Digest
+    class Class
+      def self.hexdigest(name, data)
+        digest(name, data).unpack('H*')[0]
+      end
+
+      def self.digest(data, name)
+        digester = const_get(name).new
+        digester.update(data)
+        digester.finish
+      end
+
+      def hexdigest
+        digest.unpack('H*')[0]
+      end
+
+      def digest
+        dup.finish
+      end
+
+      def ==(oth)
+        digest == oth.digest
+      end
+
+      def to_s
+        hexdigest
+      end
+
+      def size
+        digest_length
+      end
+
+      def length
+        digest_length
+      end
+    end
+  end
+end
+# end of compat chunk.
+
 require 'jopenssl'
 
 require 'openssl/bn'
 require 'openssl/cipher'
 require 'openssl/digest'
+require 'openssl/pkcs7'
 require 'openssl/ssl'
 require 'openssl/x509'