diff --git a/src/main/java/org/jruby/ext/openssl/SecurityHelper.java b/src/main/java/org/jruby/ext/openssl/SecurityHelper.java
index 009b2812..82021627 100644
--- a/src/main/java/org/jruby/ext/openssl/SecurityHelper.java
+++ b/src/main/java/org/jruby/ext/openssl/SecurityHelper.java
@@ -57,6 +57,7 @@
 import java.security.cert.X509CRL;
 import java.security.interfaces.DSAParams;
 import java.security.interfaces.DSAPublicKey;
+import java.security.interfaces.ECPublicKey;
 import java.security.interfaces.RSAPublicKey;
 import java.util.Locale;
 import java.util.Map;
@@ -85,11 +86,13 @@
 import org.bouncycastle.crypto.params.DSAPublicKeyParameters;
 import org.bouncycastle.crypto.params.RSAKeyParameters;
 import org.bouncycastle.jce.provider.X509CRLObject;
+import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;
 import org.bouncycastle.operator.ContentVerifierProvider;
 import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.DigestAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.OperatorException;
 import org.bouncycastle.operator.bc.BcDSAContentVerifierProviderBuilder;
+import org.bouncycastle.operator.bc.BcECContentVerifierProviderBuilder;
 import org.bouncycastle.operator.bc.BcRSAContentVerifierProviderBuilder;
 import org.jruby.util.SafePropertyAccessor;
@@ -610,6 +613,10 @@ static boolean verify(final X509CRL crl, final PublicKey publicKey, final boolea
 AsymmetricKeyParameter dsaKey = new DSAPublicKeyParameters(y, parameters);
 verifierProvider = new BcDSAContentVerifierProviderBuilder(digestAlgFinder).build(dsaKey);
 }
+ else if ( "EC".equalsIgnoreCase( publicKey.getAlgorithm() )) {
+ AsymmetricKeyParameter ecKey = ECUtil.generatePublicKeyParameter(publicKey);
+ verifierProvider = new BcECContentVerifierProviderBuilder(digestAlgFinder).build(ecKey);
+ }
 else {
 BigInteger mod = ((RSAPublicKey) publicKey).getModulus();
 BigInteger exp = ((RSAPublicKey) publicKey).getPublicExponent();
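Review bot: The new EC branch selects on the string returned by `publicKey.getAlgorithm()`, so an EC key whose provider reports a different name (some may report "ECDSA") would fall through to the final `else` and hit the `(RSAPublicKey)` cast, surfacing as a ClassCastException instead of a verification result. Checking the type as well, `else if ( publicKey instanceof ECPublicKey || "EC".equalsIgnoreCase( publicKey.getAlgorithm() ) ) {`, would close that gap and would give the `java.security.interfaces.ECPublicKey` import added in the first hunk a use; nothing in the visible hunks references it. `ECUtil` sits in a provider-internal Bouncy Castle package, so a short comment such as `// ECUtil is BC-internal API; re-check on Bouncy Castle upgrades` would help the next maintainer. The body of `verify` begins and ends outside this hunk, so how an exception from `ECUtil.generatePublicKeyParameter` is handled cannot be confirmed from here.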
diff --git a/src/test/ruby/x509/ec-ca.crl b/src/test/ruby/x509/ec-ca.crl
new file mode 100644
index 00000000..c349d383
--- /dev/null
+++ b/src/test/ruby/x509/ec-ca.crl
@@ -0,0 +1,7 @@
+-----BEGIN X509 CRL-----
+MIHcMIGDAgEBMAoGCCqGSM49BAMCMBAxDjAMBgNVBAMTBWVjLWNhFw0yMzA1MDIx
+NDIwNTFaGA8yMDczMDIyODE0MjA1MVowGzAZAggXW1l2cygQyxcNMjMwNTAyMTQy
+MDUxWqAjMCEwHwYDVR0jBBgwFoAUttNRPFixOdwcEEs8Zc/AP+XGM8IwCgYIKoZI
+zj0EAwIDSAAwRQIhAIY/kYfZbkAJUOQkXcJrGfeZLUYpt2mofamD2aHGhaE8AiAh
+rW6t9BQ3xUCKHTODJHJHe+otaiwSCXoVI2jlJBcDWg==
+-----END X509 CRL-----
diff --git a/src/test/ruby/x509/ec-ca.crt b/src/test/ruby/x509/ec-ca.crt
new file mode 100644
index 00000000..1c3ab3ba
--- /dev/null
+++ b/src/test/ruby/x509/ec-ca.crt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBWzCCAQCgAwIBAgIIF1tZdnMbfdcwCgYIKoZIzj0EAwIwEDEOMAwGA1UEAxMF
+ZWMtY2EwIBcNMjMwNTAyMTQyMDUxWhgPMjA3MzA0MTkxNDIwNTFaMBAxDjAMBgNV
+BAMTBWVjLWNhMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3xYZYfagw6booMq2
+L/4x2RKVgwWM4UbAbycJHuubBESVic8AApX1WcjOEKjQt+9GqVFAJxKzjlxGA+Hc
+SVlpIaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+BBYEFLbTUTxYsTncHBBLPGXPwD/lxjPCMAoGCCqGSM49BAMCA0kAMEYCIQD5QgDE
+1AijBncz7ItMv+q2vED1/AqNNY/whm71/wGK+QIhANkGiD6DdrydjEgVuFTvW/Kg
+S122sk5XXx5zlCmZVZQA
+-----END CERTIFICATE-----
diff --git a/src/test/ruby/x509/test_x509crl.rb b/src/test/ruby/x509/test_x509crl.rb
index f794c7bb..0f70c9c5 100644
--- a/src/test/ruby/x509/test_x509crl.rb
+++ b/src/test/ruby/x509/test_x509crl.rb
@@ -170,6 +170,12 @@ def test_to_java
 assert_same crl.to_java, crl.to_java(java.security.cert.X509CRL)
 end
+ def test_verify_crl_signature
+ crl = OpenSSL::X509::CRL.new(File.read(File.expand_path('../ec-ca.crl', __FILE__)))
+ ca = OpenSSL::X509::Certificate.new(File.read(File.expand_path('../ec-ca.crt', __FILE__)))
+ assert crl.verify(ca.public_key)
+ end
+
 private
 def get_subject_key_id(cert)
@@ -211,4 +217,4 @@ def get_subject_key_id(cert)
 -----END RSA PRIVATE KEY-----
 _end_of_pem_
-end
\ No newline at end of file
+end
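Review bot: `test_verify_crl_signature` asserts only the accepting case, so it would still pass if the new EC verification path returned true for every key. A rejecting case belongs next to it, for example `assert !crl.verify(other_key)` where `other_key` is an unrelated, freshly generated P-256 key, and ideally a second one against a copy of the CRL whose signature bytes were altered. Because the fixtures are EC-specific, a name such as `test_verify_ec_crl_signature` would state what is actually covered.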