OpenSSL 1.1.1 cert verification port #239

Merged
merged 63 commits into from
Oct 25, 2021
63 commits
e7f8f29
prepare for support of V_FLAG_TRUSTED_FIRST
kares Oct 5, 2021
49c2a2c
port over build_chain etc (from OpenSSL 1.1)
kares Oct 5, 2021
ab2f06f
Refactor: house-keeping
kares Oct 6, 2021
36e835f
missing num_untrusted field + more porting from 1.1
kares Oct 6, 2021
99f9611
Refactor: use a LinkedList instead
kares Oct 6, 2021
99b76d8
port check_trust + refactor and hide checkCertificateTime
kares Oct 6, 2021
550eb19
more upstream sync with C OpenSSL 1.1.1
kares Oct 12, 2021
b460840
[refactor] align X509_STORE_CTX_get_by_subject
kares Oct 12, 2021
19a6562
review (the public) X509_verify_cert
kares Oct 12, 2021
fe5568c
[refactor] re-use field for untrusted count
kares Oct 12, 2021
45185c8
[refactor] a no-op
kares Oct 12, 2021
7bd2579
prepare for ctx->parent + align check_revocation
kares Oct 12, 2021
64f2007
ported OpenSSL 1.1.1 verify_chain logic
kares Oct 12, 2021
c18704e
[refactor] extract dummy policy check
kares Oct 12, 2021
1988f7f
port lookup_cert_match w X509_STORE_CTX_get1_certs (DRAFT)
kares Oct 12, 2021
caf7d07
[refactor] and move around duplicate helpers
kares Oct 13, 2021
18eb94a
TEMP: verify chain switch w a -Dverify_legacy
kares Oct 13, 2021
b985c84
[refactor] simplify - get rid of extra checks
kares Oct 13, 2021
c63c9d2
restore old internal_verify and do not use new in legacy
kares Oct 13, 2021
41ce9d2
[refactor] drop all EMPTY fns
kares Oct 13, 2021
082aab7
[fix] fns that might be inherited from store
kares Oct 13, 2021
950d806
a toString helper for debugging
kares Oct 13, 2021
9d17bb7
implement some ex_flags on certificate
kares Oct 13, 2021
b7ef6ae
review cert_self_signed usage for new verification
kares Oct 13, 2021
e947019
[refactor] get rid of remaining (confusing) NULL FNs
kares Oct 14, 2021
b86c549
[refactor] reviewed message mappings
kares Oct 14, 2021
e6cd6d5
[fix] return + proper (OSSL 1.1.1) lookup_certs impl
kares Oct 14, 2021
6d3fe27
[refactor] confusing naming
kares Oct 16, 2021
8bbd897
DRAFT: 'minimal' legacy multi-path cert verification
kares Oct 16, 2021
be9858e
[fix] SIGHT the usual < > copy pasta mess!
kares Oct 17, 2021
8bb82ad
Revert: DRAFT: 'minimal' legacy multi-path cert verification
kares Oct 18, 2021
567b03b
revert legacy changes (+ out prints) fully
kares Oct 18, 2021
6227580
[refactor] review X509_STORE_CTX_purpose_inherit
kares Oct 19, 2021
8d7f1d3
[refactor] review and port-over trust checking
kares Oct 19, 2021
6854f84
align X509_STORE_CTX_init (set trust)
kares Oct 19, 2021
983ef94
[fix] revert 'smart' certificate addition to store
kares Oct 19, 2021
196b44c
switch on V_FLAG_TRUSTED_FIRST by default
kares Oct 19, 2021
6b2c777
revisit and do more 1.1.1 verify compat
kares Oct 19, 2021
58d1f60
[refactor] minor - align param getter naming
kares Oct 19, 2021
b1b8b0c
[test] a few variants on alt chain + trusted first
kares Oct 19, 2021
e228362
ported bits for check_crl (wip) unused for now
kares Oct 20, 2021
a125175
[refactor] impl and use EXFLAG_PROXY in ported code
kares Oct 20, 2021
cb65b34
[refactor] debug assertion failures
kares Oct 20, 2021
dd58f66
reviewed X509_check_issued ~ matches 1.1.1 version
kares Oct 20, 2021
6e67713
port get_issuer - we might need it later
kares Oct 20, 2021
2435a43
[refactor] minor - style used to resemble OpenSSL
kares Oct 20, 2021
0613e6e
use ported check_crl_time (in legacy as well)
kares Oct 20, 2021
220c82f
[todo] EXFLAG_SS isn't working for JOSSL atm
kares Oct 20, 2021
eddaa35
[refactor] align legacy check_crl with 1.1.1
kares Oct 20, 2021
c14ed43
[fix] do not assume object == in check_issued
kares Oct 20, 2021
bf735b4
[todo] auxiliary checks aren't the same as in OpenSSL
kares Oct 20, 2021
7f99d1f
[refactor] remove commented code
kares Oct 20, 2021
ced912a
[test] adjust store tests (based on OSSL updates)
kares Oct 20, 2021
42a4b6a
[test] use fixed time so tests pass in few months
kares Oct 20, 2021
b3428ab
[build] update to 1.8 (drop support for Java 7)
kares Oct 20, 2021
494c299
[release] prepare a 0.11 release candidate
kares Oct 20, 2021
898f3c9
support a jruby.openssl.x509.store.verify flag
kares Oct 25, 2021
43ec397
[refactor] hide internal deprecated method
kares Oct 25, 2021
6d60122
Revert "[build] update to 1.8 (drop support for Java 7)"
kares Oct 25, 2021
885e04f
Revert "[release] prepare a 0.11 release candidate"
kares Oct 25, 2021
d9cd977
S: support a jruby.openssl.x509.store.verify flag
kares Oct 25, 2021
d80e8ec
[refactor] rename StoreContext fields
kares Oct 25, 2021
e7799fc
[test] missing certificate files for added tests
kares Oct 25, 2021
3 changes: 3 additions & 0 deletions src/main/java/org/jruby/ext/openssl/OCSPBasicResponse.java
Expand Up @@ -530,6 +530,9 @@ private boolean checkDelegated(X509Cert signerCA) {
catch (CertificateParsingException e) {
throw newOCSPError(getRuntime(), e);
}
catch (IOException e) {
throw newOCSPError(getRuntime(), e);
}
}

private boolean matchIssuerId(X509Cert signerCA, CertificateID certId, List<SingleResp> singleResponses) throws IOException {
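Review bot: the new `catch (IOException e)` block is a verbatim copy of the `CertificateParsingException` branch directly above it; since both only do `throw newOCSPError(getRuntime(), e);`, a multi-catch `catch (CertificateParsingException | IOException e)` keeps the two in step and avoids a second copy to maintain. A short comment on which call inside the try body now throws `IOException` would also help the next reader (the `matchIssuerId` signature just below declares `throws IOException`, so if that is the source, say so).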
8 changes: 4 additions & 4 deletions src/main/java/org/jruby/ext/openssl/SSLContext.java
Expand Up @@ -945,7 +945,7 @@ StoreContext createStoreContext(final String purpose) {
// for verify_cb
storeContext.setExtraData(1, store.getExtraData(1));
if ( purpose != null ) storeContext.setDefault(purpose);
storeContext.verifyParameter.inherit(store.verifyParameter);
storeContext.getParam().inherit(store.getParam());
return storeContext;
}
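Review bot: `storeContext.getParam().inherit(store.getParam())` swaps a direct field access for an accessor on both sides; if `getParam()` can return null for a freshly created context, or for a store whose parameters were never set, this line becomes an NPE inside `createStoreContext`. Either document that `getParam()` is non-null by contract (e.g. lazily created) or guard the `inherit` call. The rename itself reads well against OpenSSL's `X509_STORE_CTX_get0_param`.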

Expand Down Expand Up @@ -1109,14 +1109,14 @@ private void verifyChain(final StoreContext storeContext) throws CertificateExce
ok = storeContext.verifyCertificate();
}
catch (Exception e) {
internalContext.setLastVerifyResult(storeContext.error);
if ( storeContext.error == X509Utils.V_OK ) {
internalContext.setLastVerifyResult(storeContext.getError());
if ( storeContext.getError() == X509Utils.V_OK ) {
internalContext.setLastVerifyResult(X509Utils.V_ERR_CERT_REJECTED);
}
throw new CertificateException("certificate verify failed", e);
}

internalContext.setLastVerifyResult(storeContext.error);
internalContext.setLastVerifyResult(storeContext.getError());
if ( ok == 0 ) {
throw new CertificateException("certificate verify failed");
}
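Review bot: `if ( ok == 0 )` treats only zero as a failed verification; OpenSSL's `X509_verify_cert` returns 1 on success, 0 on verification failure and a negative value on internal error, so if `verifyCertificate()` now mirrors that contract after the 1.1.1 port, a negative result would fall through this check as success. `if ( ok <= 0 )` is the defensive form and costs nothing when the port never returns negatives. Separately, in the catch block `storeContext.getError()` is read twice; capturing it once in a local (`final int err = storeContext.getError();`) makes the `V_OK` to `V_ERR_CERT_REJECTED` override easier to follow.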
6 changes: 0 additions & 6 deletions src/main/java/org/jruby/ext/openssl/x509store/Function1.java
Expand Up @@ -33,11 +33,5 @@
* @author <a href="mailto:[email protected]">Ola Bini</a>
*/
interface Function1<T> {
static class Empty implements Function1 {
public int call(Object arg0) {
return -1;
}
}
public static final Function1.Empty EMPTY = new Empty();
int call(T arg0) throws Exception;
}// Function1
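Review bot: dropping the `EMPTY` sentinel means `null` is now the only way to express "callback not provided" for a `Function1`; every `LookupMethod` field that used to be initialised to `Function1.EMPTY` must now default to `null`, and every caller must null-check before `call(...)`. The compiler will flag any leftover `== Function1.EMPTY` comparison, but it will not flag a missing null guard, so a one-line Javadoc on the interface stating that absent callbacks are represented by `null` would record the contract. The same applies to the `Function2` through `Function5` hunks below.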
6 changes: 0 additions & 6 deletions src/main/java/org/jruby/ext/openssl/x509store/Function2.java
Expand Up @@ -33,11 +33,5 @@
* @author <a href="mailto:[email protected]">Ola Bini</a>
*/
interface Function2<T, U> {
static class Empty implements Function2 {
public int call(Object arg0, Object arg1) {
return -1;
}
}
public static final Function2.Empty EMPTY = new Empty();
int call(T arg0, U arg1) throws Exception;
}// Function2
6 changes: 0 additions & 6 deletions src/main/java/org/jruby/ext/openssl/x509store/Function3.java
Expand Up @@ -33,11 +33,5 @@
* @author <a href="mailto:[email protected]">Ola Bini</a>
*/
interface Function3<T, U, V> {
static class Empty implements Function3 {
public int call(Object arg0,Object arg1,Object arg2) {
return -1;
}
}
public static final Function3.Empty EMPTY = new Empty();
int call(T arg0, U arg1, V arg2) throws Exception;
}// Function3
6 changes: 0 additions & 6 deletions src/main/java/org/jruby/ext/openssl/x509store/Function4.java
Expand Up @@ -33,11 +33,5 @@
* @author <a href="mailto:[email protected]">Ola Bini</a>
*/
interface Function4<T, U, V, X> {
static class Empty implements Function4 {
public int call(Object arg0,Object arg1,Object arg2,Object arg3) {
return -1;
}
}
public static final Function4.Empty EMPTY = new Empty();
int call(T arg0, U arg1, V arg2, X arg3) throws Exception;
}// Function4
6 changes: 0 additions & 6 deletions src/main/java/org/jruby/ext/openssl/x509store/Function5.java
Expand Up @@ -33,11 +33,5 @@
* @author <a href="mailto:[email protected]">Ola Bini</a>
*/
interface Function5<T, U, V, X, Y> {
static class Empty implements Function5 {
public int call(Object arg0,Object arg1,Object arg2,Object arg3,Object arg4) {
return -1;
}
}
public static final Function5.Empty EMPTY = new Empty();
int call(T arg0, U arg1, V arg2, X arg3, Y arg4) throws Exception;
}// Function5
18 changes: 9 additions & 9 deletions src/main/java/org/jruby/ext/openssl/x509store/Lookup.java
Expand Up @@ -81,7 +81,7 @@ public Lookup(Ruby runtime, LookupMethod method) {
this.runtime = runtime;

final LookupMethod.NewItemFunction newItem = method.newItem;
if ( newItem != null && newItem != Function1.EMPTY ) {
if ( newItem != null ) {
final int result;
try {
result = newItem.call(this);
Expand Down Expand Up @@ -128,7 +128,7 @@ public static LookupMethod fileLookup() {
public int control(final int cmd, final String argc, final long argl, final String[] ret) throws Exception {
if ( method == null ) return -1;

if ( method.control != null && method.control != Function5.EMPTY ) {
if ( method.control != null ) {
return method.control.call(this, Integer.valueOf(cmd), argc, Long.valueOf(argl), ret);
}
return 1;
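Review bot: the two "absent" cases in `control()` now map to different results: `method == null` returns -1 while `method.control == null` returns 1. That matches C `X509_LOOKUP_ctrl` (no ctrl function means success, no method at all is an error), but since the `EMPTY` sentinel used to make the second case visually explicit, a comment pointing at the C semantics would stop a future reader from "fixing" the asymmetry.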
Expand Down Expand Up @@ -364,7 +364,7 @@ private String envEntry(final String key) {
* c: X509_LOOKUP_free
*/
public void free() throws Exception {
if ( method != null && method.free != null && method.free != Function1.EMPTY ) {
if ( method != null && method.free != null ) {
method.free.call(this);
}
}
Expand All @@ -374,7 +374,7 @@ public void free() throws Exception {
*/
public int init() throws Exception {
if ( method == null ) return 0;
if ( method.init != null && method.init != Function1.EMPTY ) {
if ( method.init != null ) {
return method.init.call(this);
}
return 1;
Expand All @@ -384,7 +384,7 @@ public int init() throws Exception {
* c: X509_LOOKUP_by_subject
*/
public int bySubject(final int type, final Name name, final X509Object[] ret) throws Exception {
if ( method == null || method.getBySubject == null || method.getBySubject == Function4.EMPTY ) {
if ( method == null || method.getBySubject == null ) {
return X509_LU_FAIL;
}
if ( skip ) return 0;
Expand All @@ -395,7 +395,7 @@ public int bySubject(final int type, final Name name, final X509Object[] ret) th
* c: X509_LOOKUP_by_issuer_serial
*/
public int byIssuerSerialNumber(final int type, final Name name, final BigInteger serial, final X509Object[] ret) throws Exception {
if ( method == null || method.getByIssuerSerialNumber == null || method.getByIssuerSerialNumber == Function5.EMPTY ) {
if ( method == null || method.getByIssuerSerialNumber == null ) {
return X509_LU_FAIL;
}
return method.getByIssuerSerialNumber.call(this, Integer.valueOf(type), name, serial, ret);
Expand All @@ -405,7 +405,7 @@ public int byIssuerSerialNumber(final int type, final Name name, final BigIntege
* c: X509_LOOKUP_by_fingerprint
*/
public int byFingerprint(final int type, final String bytes, final X509Object[] ret) throws Exception {
if ( method == null || method.getByFingerprint == null || method.getByFingerprint == Function4.EMPTY ) {
if ( method == null || method.getByFingerprint == null ) {
return X509_LU_FAIL;
}
return method.getByFingerprint.call(this, Integer.valueOf(type), bytes, ret);
Expand All @@ -415,7 +415,7 @@ public int byFingerprint(final int type, final String bytes, final X509Object[]
* c: X509_LOOKUP_by_alias
*/
public int byAlias(final int type, final String alias, final X509Object[] ret) throws Exception {
if ( method == null || method.getByAlias == null || method.getByAlias == Function4.EMPTY ) {
if ( method == null || method.getByAlias == null ) {
return X509_LU_FAIL;
}
return method.getByAlias.call(this, Integer.valueOf(type), alias, ret);
Expand All @@ -427,7 +427,7 @@ public int byAlias(final int type, final String alias, final X509Object[] ret) t
public int shutdown() throws Exception {
if ( method == null ) return 0;

if ( method.shutdown != null && method.shutdown != Function1.EMPTY ) {
if ( method.shutdown != null ) {
return method.shutdown.call(this);
}
return 1;