jruby-openssl 0.9.7-java → 0.9.8-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a10a9709e79d90c74281b533432e33c6c26a2f79
-  data.tar.gz: a3cdde4bde8c2080b352f7359d9a6923e236ccb9
+  metadata.gz: 49741f0e23b3ad70304a6bdb63c2d23dde49f33a
+  data.tar.gz: 2036499982fa3531223893a4f9bf00ac01e6b2ec
 SHA512:
-  metadata.gz: fd1dfecc8fc4ad3a15ee3f8961657d062885eb3ec059a4ce9de1fbb5a926ba74d53718bd84c463916c51262308dfedbba1d12ce61d9fd39bcb03e4433f949e32
-  data.tar.gz: 2a20e1da276557801ee72d5b92355b0f28ec9c4f1bd49d8e0ab2b5da8596ac251ccff0f750e002ac75f56fb497d33947afe0ee1acee1424db873cc5db8a38fa4
+  metadata.gz: 6b8479f66c2858c0355dccaac0186c0ce881a51e5742de90d31659883b15e091d58caed87ddb937a1e3de6be8dfd53768eb39032c943fa1bc57fcf92c1089b78
+  data.tar.gz: e65b8995e632f4965f133f9f0f95bb73996116154cfda8342ac3e07d6073306e01494a1c93b404b61201595bbe1cd951b43ae844a06f3c03ed7fe4bfa7630792

data/History.md

@@ -1,7 +1,52 @@
-== 0.9.7 (pending)
-
-
-== 0.9.6
+## 0.9.8
+
+* refactor `PKCS5.pbkdf2_hmac_sha1` to use BC APIs
+  thus less dependent on provider internals (jruby/jruby#3025)
+* HMAC - use our SimpleKey impl so that there's less[] copy
+  ... also allows for an empty key to work like MRI (jruby/jruby#2854)
+* fixing oaep encryption to use correct algorithm (#54)
+* [experimental] support NOT loading any (BC) jars on our own ... (#10)
+* disable DHE (by default) on Java <= 7 ... on Java 8 we (still) force 1024/2048
+  (see jruby/jruby#2872 and #45)
+* handle parsing of "incomplete" X.509 certificates like MRI does (#42)
+* implement a CRL/certificate caching (for now off by default) in Lookup
+  ... set *-J-Djruby.openssl.x509.lookup.cache=true* to enable
+* improve Store helper concurrency (with less synchronization)
+* reviewed OpenSSL's .rb parts to match those present in MRI 1.9.3 / 2.2.2
+* initial support for `OpenSSL::SSL::Session` (id, time, timeout work)
+* session_cache_mode as present in OpenSSL makes no sense with Java APIs
+* use the set SSLContext#session_cache_size on the underlying javax.net API
+* tidy up SSLSocket's internals + add stack-trace debugging on accept/connect
+* add SSLSocket ssl_version property like MRI has (#38)
+* avoid unnecessary `_initialize` naming - it's confusing to see in JVM tools
+* use SecurityHelper to get a X.509 certificate factory
+  we'll know prefer BC's X.509 factory over the built-in (Sun provider) one
+
+## 0.9.7
+
+* put in some more ossl to jsse mappings for SSL/TLS
+  (SSL_DHE_xxx, TLS_ECDH_xxx, TLS_ECDHE_xxx)
+* exclude SSLv2 in reported METHODS (all fine to close jruby/jruby#1874)
+* support passing ssl_version as an argument to initialize SSLContext.new ...
+* now that we've matched w MRI's SSLContext::METHODS don't report custom ones
+* more ssl_version= compatibility fixes that match MRI (jruby/jruby#1736)
+* support setting ssl_version = "TLSv1_1" (or "TLSv1_2") just like MRI
+* [regression] make sure version is set when reading encoded certificate
+  + signature algorithm should be read as well when decoding certificate (#39)
+* better accept handshake errors instead of "General SSLEngine problem (#37)
+* trying to decode DER application specific objects (based on patch from #36)
+* we've not been compatible with MRI's DES (EDE) - partly due DES(3) ECB
+  fixing jruby/jruby#2617 as well as jruby/jruby#931
+* exclude reporting algorithms with CFB-1 cipher mode as supported (due #35)
+* do not change CFB1 to CFB ... it's something different (although broken on BC)
+* attempt to deal with update/final buffering incompatibility with MRI
+* fix HMAC digest incorrect when data contains invalid characters (#33)
+* add Gemfile and specify ruby-maven as dependency
+* use SafePropertyAccessor to access properties instead of directly (#28)
+* make sure SSLSocket's cipher and hostname are nil by default (avoids NPE)
+* update to (packed) BC version 1.50 + start declaring 1.51 as semi-supported
+
+## 0.9.6
 
 * ClassCastException still happen deep within BC - turn them into SignatureExeption
 * make sure empty object can be serialize via to_pem
@@ -53,7 +98,7 @@
 * avoid using JRuby IO APIs (will likely not work in 9k)
 * make 'jopenssl/load' also work on jruby-1.6.8 mode 1.9
 
-== 0.9.5
+## 0.9.5
 
 MASSIVE internal "rewrite" to avoid depending on a registered (BC) security
 provider. This releases restores compatibility with BC version 1.47 while being
@@ -70,11 +115,11 @@ compatible with newer bouncy-castle jars as well (1.48, 1.49 and 1.50).
 * fix bug https://github.com/jruby/jruby/issues/1156
 * openssl: add handling for base 0 to new and to_s
 
-== 0.9.4
+## 0.9.4
 
 * Fix compatibility wiht Bouncy Castle 1.49.
 
-== 0.9.3
+## 0.9.3
 
 * Allow options passed to nonblock methods (not impl'ed yet)
 * Make ClassIndex into an enum, to prevent issues like jruby/jruby#1004
@@ -83,7 +128,7 @@ compatible with newer bouncy-castle jars as well (1.48, 1.49 and 1.50).
 == ...
 
 
-== 0.7.7
+## 0.7.7
 
 This release includes bug fixes.
 
@@ -93,14 +138,14 @@ This release includes bug fixes.
 * JRUBY-6515: sending UTF-8 data over SSL can hang with openssl
 * Update tests to sync with CRuby ruby_1_9_3
 
-== 0.7.6
+## 0.7.6
 
 This release includes initial implementation of PKCS12 by Owen Ou.
 
 * JRUBY-5066: Implement OpenSSL::PKCS12 (only for simple case)
 * JRUBY-6385: Assertion failure with -J-ea
 
-== 0.7.5
+## 0.7.5
 
 This release improved 1.9 mode support with help of
 Duncan Mak <duncan@earthaid.net>.  Now jruby-ossl gem includes both 1.8 and 1.9
@@ -114,14 +159,14 @@ libraries and part of features should work fine on 1.9 mode, too.
 * JRUBY-5362: Improved 1.9 support
 * JRUBY-4992: Warn if loaded by non JRuby interpreter
 
-== 0.7.4
+## 0.7.4
 
 * JRUBY-5519: Avoid String encoding dependency in DER loading. PEM loading
   failed on JRuby 1.6.x. Fixed.
 * JRUBY-5510: Add debug information to released jar
 * JRUBY-5478: Update bouncycastle jars to the latest version. (1.46)
 
-== 0.7.3
+## 0.7.3
 
 * JRUBY-5200: Net::IMAP + SSL(imaps) login could hang. Fixed.
 * JRUBY-5253: Allow to load the certificate file which includes private
@@ -131,7 +176,7 @@ libraries and part of features should work fine on 1.9 mode, too.
 * JRUBY-5316: Improvements for J9's IBMJCE support. Now all testcases
   pass on J9 JDK 6.
 
-== 0.7.2
+## 0.7.2
 
 * JRUBY-5126: Ignore Cipher#reset and Cipher#iv= when it's a stream
   cipher (Net::SSH compatibility)
@@ -147,7 +192,7 @@ libraries and part of features should work fine on 1.9 mode, too.
 * JRUBY-5018: SSLSocket holds selectors, keys, preventing quick
   cleanup of resources when dereferenced
 
-== 0.7.1
+## 0.7.1
 
 NOTE: Now BouncyCastle jars has moved out to its own gem "bouncy-castle-java"
 http://rubygems.org/gems/bouncy-castle-java. You don't need to care about it
@@ -161,7 +206,7 @@ because "jruby-openssl" gem depends on it from now on.
   (JRuby-OpenSSL fake)" -> "jruby-ossl 0.7.1"
 * JRUBY-4975: Moving BouncyCastle jars out to its own gem.
 
-== 0.7
+## 0.7
 
 * Follow MRI 1.8.7 openssl API changes
 * Fixes so that jruby-openssl can run on appengine
@@ -217,7 +262,7 @@ because "jruby-openssl" gem depends on it from now on.
  - JRUBY-4574: jruby-openssl deprecation warning cleanup
  - JRUBY-4591: jruby-1.4 support
 
-== 0.6
+## 0.6
 
 * This is a recommended upgrade to jruby-openssl. A security problem
   involving peer certificate verification was found where failed
@@ -244,7 +289,7 @@ because "jruby-openssl" gem depends on it from now on.
 * Public keys are lazily instantiated when the
   X509::Certificate#public_key method is called (Dave Garcia)
 
-== 0.5.2
+## 0.5.2
 
 Multiple bugs fixed:
 
@@ -254,13 +299,13 @@ Multiple bugs fixed:
 * JRUBY-3767	OpenSSL ssl implementation doesn't support client auth
 * JRUBY-3673	jRuby-OpenSSL does not properly load certificate authority file
 
-== 0.5.1
+## 0.5.1
 
 * Multiple fixes by Brice Figureau to get net/ssh working. Requires JRuby 1.3.1
   to be 100%
 * Fix by Frederic Jean for a character-decoding issue for some certificates
 
-== 0.5
+## 0.5
 
 * Fixed JRUBY-3614: Unsupported HMAC algorithm (HMACSHA-256)
 * Fixed JRUBY-3570: ActiveMerchant's AuthorizeNet Gateway throws OpenSSL Cert
@@ -271,7 +316,7 @@ Multiple bugs fixed:
   digest
 * Misc code cleanup
 
-== 0.2
+## 0.2
 
 * Enable remaining tests; fix a nil string issue in SSLSocket.sysread
   (JRUBY-1888)
@@ -281,11 +326,11 @@ Multiple bugs fixed:
 * Fix cipher initialization (JRUBY-1100)
 * Now, only compatible with JRuby 1.1
 
-== 0.1.1
+## 0.1.1
 
 * Fixed blocker issue preventing HTTPS/SSL from working (JRUBY-1222)
 
-== 0.1
+## 0.1
 
 * PLEASE NOTE: This release is not compatible with JRuby releases earlier than
   1.0.3 or 1.1b2. If you must use JRuby 1.0.2 or earlier, please install the
@@ -294,6 +339,6 @@ Multiple bugs fixed:
 * Simultaneous support for JRuby trunk and 1.0 branch
 * Start of support for OpenSSL::BN
 
-== 0.0.5 and prior
+## 0.0.5 and prior
 
 * Initial versions with maintenance updates

data/Rakefile

@@ -17,4 +17,15 @@ namespace :jar do
   task :all => :maven do
     maven.package '-Dmaven.test.skip'
   end
-end
+end
+
+file('lib/jopenssl.jar') { Rake::Task['jar'].invoke }
+
+require 'rake/testtask'
+Rake::TestTask.new do |task|
+  task.libs << 'lib'
+  task.test_files = FileList['src/test/ruby/**/test*.rb']
+  task.verbose = true
+  task.loader = :direct
+end
+task :test => 'lib/jopenssl.jar'

data/lib/jopenssl/load.rb

@@ -3,30 +3,35 @@ warn 'Loading jruby-openssl in a non-JRuby interpreter' unless defined? JRUBY_VE
 require 'java'
 require 'jopenssl/version'
 
-version = Jopenssl::Version::BOUNCY_CASTLE_VERSION
-bc_jars = nil
-begin
-  # if we have jar-dependencies we let it track the jars
-  require_jar( 'org.bouncycastle', 'bcpkix-jdk15on', version )
-  require_jar( 'org.bouncycastle', 'bcprov-jdk15on', version )
-  bc_jars = true
-rescue LoadError
-end if defined?(Jars) && ( ! Jars.skip? ) rescue nil
-unless bc_jars
-  load "org/bouncycastle/bcpkix-jdk15on/#{version}/bcpkix-jdk15on-#{version}.jar"
-  load "org/bouncycastle/bcprov-jdk15on/#{version}/bcprov-jdk15on-#{version}.jar"
+# NOTE: assuming user does pull in BC .jars from somewhere else on the CP
+unless ENV_JAVA['jruby.openssl.load.jars'].eql?('false')
+  version = Jopenssl::Version::BOUNCY_CASTLE_VERSION
+  bc_jars = nil
+  begin
+    # if we have jar-dependencies we let it track the jars
+    require_jar( 'org.bouncycastle', 'bcpkix-jdk15on', version )
+    require_jar( 'org.bouncycastle', 'bcprov-jdk15on', version )
+    bc_jars = true
+  rescue LoadError
+  end if defined?(Jars) && ( ! Jars.skip? ) rescue nil
+  unless bc_jars
+    load "org/bouncycastle/bcpkix-jdk15on/#{version}/bcpkix-jdk15on-#{version}.jar"
+    load "org/bouncycastle/bcprov-jdk15on/#{version}/bcprov-jdk15on-#{version}.jar"
+  end
 end
 
 require 'jruby'
 require 'jopenssl.jar'
 org.jruby.ext.openssl.OpenSSL.load(JRuby.runtime)
 
-if RUBY_VERSION >= '2.1.0'
-  load('jopenssl21/openssl.rb')
-elsif RUBY_VERSION >= '1.9.0'
-  load('jopenssl19/openssl.rb')
+if RUBY_VERSION > '2.2'
+  load 'jopenssl22/openssl.rb'
+elsif RUBY_VERSION > '2.1'
+  load 'jopenssl21/openssl.rb'
+elsif RUBY_VERSION > '1.9'
+  load 'jopenssl19/openssl.rb'
 else
-  load('jopenssl18/openssl.rb')
+  load 'jopenssl18/openssl.rb'
 end
 
 require 'openssl/pkcs12'

data/lib/jopenssl/version.rb

@@ -1,6 +1,6 @@
 module Jopenssl
   module Version
-    VERSION = '0.9.7'
+    VERSION = '0.9.8'
     BOUNCY_CASTLE_VERSION = '1.50'
   end
 end

data/lib/jopenssl18/openssl/ssl-internal.rb

@@ -15,48 +15,10 @@
 =end
 
 require "openssl/buffering"
-require "fcntl"
+require 'fcntl' # used by OpenSSL::SSL::Nonblock (if loaded)
 
 module OpenSSL
   module SSL
-    module SocketForwarder
-      def addr
-        to_io.addr
-      end
-
-      def peeraddr
-        to_io.peeraddr
-      end
-
-      def setsockopt(level, optname, optval)
-        to_io.setsockopt(level, optname, optval)
-      end
-
-      def getsockopt(level, optname)
-        to_io.getsockopt(level, optname)
-      end
-
-      def fcntl(*args)
-        to_io.fcntl(*args)
-      end
-
-      def closed?
-        to_io.closed?
-      end
-
-      def do_not_reverse_lookup=(flag)
-        to_io.do_not_reverse_lookup = flag
-      end
-    end
-
-    module Nonblock
-      def initialize(*args)
-        flag = File::NONBLOCK
-        flag |= @io.fcntl(Fcntl::F_GETFL) if defined?(Fcntl::F_GETFL)
-        @io.fcntl(Fcntl::F_SETFL, flag)
-        super
-      end
-    end
 
     def verify_certificate_identity(cert, hostname)
       should_verify_common_name = true
@@ -101,11 +63,6 @@ module OpenSSL
         return true
       end
 
-      def session
-        SSL::Session.new(self)
-      rescue SSL::Session::SessionError
-        nil
-      end
     end
 
     class SSLServer

data/lib/jopenssl19/openssl/config.rb

@@ -13,20 +13,41 @@
 require 'stringio'
 
 module OpenSSL
+  ##
+  # = OpenSSL::Config
+  #
+  # Configuration for the openssl library.
+  #
+  # Many system's installation of openssl library will depend on your system
+  # configuration. See the value of OpenSSL::Config::DEFAULT_CONFIG_FILE for
+  # the location of the file for your host.
+  #
+  # See also http://www.openssl.org/docs/apps/config.html
   class Config
     include Enumerable
 
     class << self
-      def parse(str)
+
+      ##
+      # Parses a given +string+ as a blob that contains configuration for openssl.
+      #
+      # If the source of the IO is a file, then consider using #parse_config.
+      def parse(string)
         c = new()
-        parse_config(StringIO.new(str)).each do |section, hash|
+        parse_config(StringIO.new(string)).each do |section, hash|
           c[section] = hash
         end
         c
       end
 
+      ##
+      # load is an alias to ::new
       alias load new
 
+      ##
+      # Parses the configuration data read from +io+, see also #parse.
+      #
+      # Raises a ConfigError on invalid configuration data.
       def parse_config(io)
         begin
           parse_config_lines(io)
@@ -209,6 +230,18 @@ module OpenSSL
       end
     end
 
+    ##
+    # Creates an instance of OpenSSL's configuration class.
+    #
+    # This can be used in contexts like OpenSSL::X509::ExtensionFactory.config=
+    #
+    # If the optional +filename+ parameter is provided, then it is read in and
+    # parsed via #parse_config.
+    #
+    # This can raise IO exceptions based on the access, or availability of the
+    # file. A ConfigError exception may be raised depending on the validity of
+    # the data being configured.
+    #
     def initialize(filename = nil)
       @data = {}
       if filename
@@ -220,6 +253,23 @@ module OpenSSL
       end
     end
 
+    ##
+    # Gets the value of +key+ from the given +section+
+    #
+    # Given the following configurating file being loaded:
+    #
+    #   config = OpenSSL::Config.load('foo.cnf')
+    #     #=> #<OpenSSL::Config sections=["default"]>
+    #   puts config.to_s
+    #     #=> [ default ]
+    #     #   foo=bar
+    #
+    # You can get a specific value from the config if you know the +section+
+    # and +key+ like so:
+    #
+    #   config.get_value('default','foo')
+    #     #=> "bar"
+    #
     def get_value(section, key)
       if section.nil?
         raise TypeError.new('nil not allowed')
@@ -228,7 +278,12 @@ module OpenSSL
       get_key_string(section, key)
     end
 
-    def value(arg1, arg2 = nil)
+    ##
+    #
+    # *Deprecated*
+    #
+    # Use #get_value instead
+    def value(arg1, arg2 = nil) # :nodoc:
       warn('Config#value is deprecated; use Config#get_value')
       if arg2.nil?
         section, key = 'default', arg1
@@ -240,20 +295,84 @@ module OpenSSL
       get_key_string(section, key)
     end
 
+    ##
+    # Set the target +key+ with a given +value+ under a specific +section+.
+    #
+    # Given the following configurating file being loaded:
+    #
+    #   config = OpenSSL::Config.load('foo.cnf')
+    #     #=> #<OpenSSL::Config sections=["default"]>
+    #   puts config.to_s
+    #     #=> [ default ]
+    #     #   foo=bar
+    #
+    # You can set the value of +foo+ under the +default+ section to a new
+    # value:
+    #
+    #   config.add_value('default', 'foo', 'buzz')
+    #     #=> "buzz"
+    #   puts config.to_s
+    #     #=> [ default ]
+    #     #   foo=buzz
+    #
     def add_value(section, key, value)
       check_modify
       (@data[section] ||= {})[key] = value
     end
 
+    ##
+    # Get a specific +section+ from the current configuration
+    #
+    # Given the following configurating file being loaded:
+    #
+    #   config = OpenSSL::Config.load('foo.cnf')
+    #     #=> #<OpenSSL::Config sections=["default"]>
+    #   puts config.to_s
+    #     #=> [ default ]
+    #     #   foo=bar
+    #
+    # You can get a hash of the specific section like so:
+    #
+    #   config['default']
+    #     #=> {"foo"=>"bar"}
+    #
     def [](section)
       @data[section] || {}
     end
 
-    def section(name)
+    ##
+    # Deprecated
+    #
+    # Use #[] instead
+    def section(name) # :nodoc:
       warn('Config#section is deprecated; use Config#[]')
       @data[name] || {}
     end
 
+    ##
+    # Sets a specific +section+ name with a Hash +pairs+
+    #
+    # Given the following configuration being created:
+    #
+    #   config = OpenSSL::Config.new
+    #     #=> #<OpenSSL::Config sections=[]>
+    #   config['default'] = {"foo"=>"bar","baz"=>"buz"}
+    #     #=> {"foo"=>"bar", "baz"=>"buz"}
+    #   puts config.to_s
+    #     #=> [ default ]
+    #     #   foo=bar
+    #     #   baz=buz
+    #
+    # It's important to note that this will essentially merge any of the keys
+    # in +pairs+ with the existing +section+. For example:
+    #
+    #   config['default']
+    #     #=> {"foo"=>"bar", "baz"=>"buz"}
+    #   config['default'] = {"foo" => "changed"}
+    #     #=> {"foo"=>"changed"}
+    #   config['default']
+    #     #=> {"foo"=>"changed", "baz"=>"buz"}
+    #
     def []=(section, pairs)
       check_modify
       @data[section] ||= {}
@@ -262,10 +381,38 @@ module OpenSSL
       end
     end
 
+    ##
+    # Get the names of all sections in the current configuration
     def sections
       @data.keys
     end
 
+    ##
+    # Get the parsable form of the current configuration
+    #
+    # Given the following configuration being created:
+    #
+    #   config = OpenSSL::Config.new
+    #     #=> #<OpenSSL::Config sections=[]>
+    #   config['default'] = {"foo"=>"bar","baz"=>"buz"}
+    #     #=> {"foo"=>"bar", "baz"=>"buz"}
+    #   puts config.to_s
+    #     #=> [ default ]
+    #     #   foo=bar
+    #     #   baz=buz
+    #
+    # You can parse get the serialized configuration using #to_s and then parse
+    # it later:
+    #
+    #   serialized_config = config.to_s
+    #   # much later...
+    #   new_config = OpenSSL::Config.parse(serialized_config)
+    #     #=> #<OpenSSL::Config sections=["default"]>
+    #   puts new_config
+    #     #=> [ default ]
+    #         foo=bar
+    #         baz=buz
+    #
     def to_s
       ary = []
       @data.keys.sort.each do |section|
@@ -278,6 +425,15 @@ module OpenSSL
       ary.join
     end
 
+    ##
+    # For a block.
+    #
+    # Receive the section and its pairs for the current configuration.
+    #
+    #   config.each do |section, key, value|
+    #     # ...
+    #   end
+    #
     def each
       @data.each do |section, hash|
         hash.each do |key, value|
@@ -286,13 +442,16 @@ module OpenSSL
       end
     end
 
+    ##
+    # String representation of this configuration object, including the class
+    # name and its sections.
     def inspect
       "#<#{self.class.name} sections=#{sections.inspect}>"
     end
 
   protected
 
-    def data
+    def data # :nodoc:
       @data
     end