moved the verification of CRL to non JCE implementation

mkristian · mkristian · commit 5bd16b9c399f · 2014-12-16T17:48:24.000+01:00
this was mainly consolidating the verification to one place and using the non-JCE implementation doing - no need for trying all registered secutiry providers ! fixes #19 Sponsored by Lookout Inc.
diff --git a/src/main/java/org/jruby/ext/openssl/SecurityHelper.java b/src/main/java/org/jruby/ext/openssl/SecurityHelper.java
@@ -25,10 +25,12 @@
 
 import static org.jruby.ext.openssl.OpenSSL.debugStackTrace;
 
+import java.io.IOException;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Field;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
+import java.math.BigInteger;
 import java.security.InvalidKeyException;
 import java.security.KeyFactory;
 import java.security.KeyFactorySpi;
@@ -52,8 +54,9 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.CertificateFactorySpi;
 import java.security.cert.X509CRL;
-import java.util.LinkedList;
-import java.util.List;
+import java.security.interfaces.DSAParams;
+import java.security.interfaces.DSAPublicKey;
+import java.security.interfaces.RSAPublicKey;
 import java.util.Locale;
 import java.util.Map;
 import java.util.StringTokenizer;
@@ -72,7 +75,19 @@
 
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.asn1.x509.CertificateList;
+import org.bouncycastle.cert.CertException;
+import org.bouncycastle.cert.X509CRLHolder;
+import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+import org.bouncycastle.crypto.params.DSAParameters;
+import org.bouncycastle.crypto.params.DSAPublicKeyParameters;
+import org.bouncycastle.crypto.params.RSAKeyParameters;
 import org.bouncycastle.jce.provider.X509CRLObject;
+import org.bouncycastle.operator.ContentVerifierProvider;
+import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
+import org.bouncycastle.operator.DigestAlgorithmIdentifierFinder;
+import org.bouncycastle.operator.OperatorException;
+import org.bouncycastle.operator.bc.BcDSAContentVerifierProviderBuilder;
+import org.bouncycastle.operator.bc.BcRSAContentVerifierProviderBuilder;
 
 /**
  * Java Security (and JCE) helpers.
@@ -562,29 +577,35 @@ static boolean verify(final X509CRL crl, final PublicKey publicKey, final boolea
             }
             return true;
         }
-
-        // since we are using JCE here and BC might not be registered as Provider
-        // we need to find a provider which supports such CRL verification
-        // if we find a provider we will ignore the collected errors
-        // otherwise the errors get displayed
-        // TODO use BC directly for verifing CRL (probably needs quite some refactoring)
-        List<Exception> errors = new LinkedList<Exception>();
-        for(Provider p: Security.getProviders()) {
+        else {
             try {
-                crl.verify(publicKey, p.getName());
-                return true;
+                final DigestAlgorithmIdentifierFinder digestAlgFinder = new DefaultDigestAlgorithmIdentifierFinder();
+                final ContentVerifierProvider verifierProvider;
+                if ( "DSA".equalsIgnoreCase( publicKey.getAlgorithm() )) {
+                    BigInteger y = ((DSAPublicKey) publicKey).getY();
+                    DSAParams params = ((DSAPublicKey) publicKey).getParams();
+                    DSAParameters parameters = new DSAParameters(params.getP(), params.getQ(), params.getG());
+                    AsymmetricKeyParameter dsaKey = new DSAPublicKeyParameters(y, parameters);
+                    verifierProvider = new BcDSAContentVerifierProviderBuilder(digestAlgFinder).build(dsaKey);
+                }
+                else {
+                    BigInteger mod = ((RSAPublicKey) publicKey).getModulus();
+                    BigInteger exp = ((RSAPublicKey) publicKey).getPublicExponent();
+                    AsymmetricKeyParameter rsaKey = new RSAKeyParameters(false, mod, exp);
+                    verifierProvider = new BcRSAContentVerifierProviderBuilder(digestAlgFinder).build(rsaKey);
+                }
+                return new X509CRLHolder(crl.getEncoded()).isSignatureValid( verifierProvider );
+            }
+            catch (OperatorException e) {
+                throw new SignatureException(e);
             }
-            catch(SignatureException e) {
-                return false;
+            catch (CertException e) {
+                throw new SignatureException(e);
             }
-            catch(Exception e) {
-                errors.add(e);
+            catch (IOException e) {
+                throw new SignatureException(e);
             }
         }
-        for(Exception e: errors) {
-            debugStackTrace(e);
-		}
-        return false;
     }
 
     private static Object getCertificateList(final Object crl) { // X509CRLObject
@@ -699,4 +720,4 @@ private static void setField(Object obj, Class<?> fieldOwner, String fieldName,
         }
     }
 
-}
+}
diff --git a/src/main/java/org/jruby/ext/openssl/X509CRL.java b/src/main/java/org/jruby/ext/openssl/X509CRL.java
@@ -34,16 +34,12 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
-
 import java.security.GeneralSecurityException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.cert.CRLException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509CRLEntry;
-import java.security.interfaces.DSAParams;
-import java.security.interfaces.DSAPublicKey;
-import java.security.interfaces.RSAPublicKey;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Comparator;
@@ -59,22 +55,10 @@
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.Extensions;
-import org.bouncycastle.cert.CertException;
 import org.bouncycastle.cert.X509CRLHolder;
 import org.bouncycastle.cert.X509v2CRLBuilder;
-import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
-import org.bouncycastle.crypto.params.DSAParameters;
-import org.bouncycastle.crypto.params.DSAPublicKeyParameters;
-import org.bouncycastle.crypto.params.RSAKeyParameters;
 import org.bouncycastle.operator.ContentSigner;
-import org.bouncycastle.operator.ContentVerifierProvider;
-import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
-import org.bouncycastle.operator.DigestAlgorithmIdentifierFinder;
-import org.bouncycastle.operator.OperatorException;
-import org.bouncycastle.operator.bc.BcDSAContentVerifierProviderBuilder;
-import org.bouncycastle.operator.bc.BcRSAContentVerifierProviderBuilder;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-
 import org.joda.time.DateTime;
 import org.jruby.Ruby;
 import org.jruby.RubyArray;
@@ -700,42 +684,10 @@ public IRubyObject verify(final ThreadContext context, final IRubyObject key) {
         if ( changed ) return context.runtime.getFalse();
         final PublicKey publicKey = ((PKey) key).getPublicKey();
         try {
-            // NOTE: with BC 1.49 this seems to need BC provider installed ;(
-            // java.security.NoSuchProviderException: no such provider: BC
-            //    at sun.security.jca.GetInstance.getService(GetInstance.java:83)
-            //    at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
-            //    at java.security.Signature.getInstance(Signature.java:355)
-            //    at org.bouncycastle.jcajce.provider.asymmetric.x509.X509CRLObject.verify(Unknown Source)
-            //    at org.bouncycastle.jcajce.provider.asymmetric.x509.X509CRLObject.verify(Unknown Source)
-            //    at org.jruby.ext.openssl.SecurityHelper.verify(SecurityHelper.java:564)
-            //    at org.jruby.ext.openssl.X509CRL.verify(X509CRL.java:717)
-            //boolean valid = SecurityHelper.verify(getCRL(), publicKey, true);
-
-            final DigestAlgorithmIdentifierFinder digestAlgFinder = new DefaultDigestAlgorithmIdentifierFinder();
-            final ContentVerifierProvider verifierProvider;
-            if ( isDSA( (PKey) key ) ) {
-                BigInteger y = ((DSAPublicKey) publicKey).getY();
-                DSAParams params = ((DSAPublicKey) publicKey).getParams();
-                DSAParameters parameters = new DSAParameters(params.getP(), params.getQ(), params.getG());
-                AsymmetricKeyParameter dsaKey = new DSAPublicKeyParameters(y, parameters);
-                verifierProvider = new BcDSAContentVerifierProviderBuilder(digestAlgFinder).build(dsaKey);
-            }
-            else {
-                BigInteger mod = ((RSAPublicKey) publicKey).getModulus();
-                BigInteger exp = ((RSAPublicKey) publicKey).getPublicExponent();
-                AsymmetricKeyParameter rsaKey = new RSAKeyParameters(false, mod, exp);
-                verifierProvider = new BcRSAContentVerifierProviderBuilder(digestAlgFinder).build(rsaKey);
-            }
-            //final X509CRLHolder crl = getCRLHolder();
-            //final AlgorithmIdentifier algId = crl.toASN1Structure().getSignatureAlgorithm();
-            boolean valid = getCRLHolder(false).isSignatureValid( verifierProvider );
+            boolean valid = SecurityHelper.verify(getCRL(), publicKey, true);
             return context.runtime.newBoolean(valid);
         }
-        catch (OperatorException e) {
-            debug("CRL#verify() failed:", e);
-            return context.runtime.getFalse();
-        }
-        catch (CertException e) {
+        catch (GeneralSecurityException e) {
             debug("CRL#verify() failed:", e);
             return context.runtime.getFalse();
         }
