if JCE is used to verify a CRL then we need to find suitable SecurityProvider

mkristian · mkristian · commit 9ae920b81472 · 2014-12-16T16:16:39.000+01:00
since we do not know which security providers are registered we need to find one which can verify a CRL against its public key. just try all registered until it either succeeds or fails with a SignatureException. fixes #20 Sponsored by Lookout Inc.
diff --git a/src/main/java/org/jruby/ext/openssl/SecurityHelper.java b/src/main/java/org/jruby/ext/openssl/SecurityHelper.java
@@ -23,12 +23,12 @@
  */
 package org.jruby.ext.openssl;
 
+import static org.jruby.ext.openssl.OpenSSL.debugStackTrace;
+
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Field;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
-import java.util.Locale;
-
 import java.security.InvalidKeyException;
 import java.security.KeyFactory;
 import java.security.KeyFactorySpi;
@@ -39,7 +39,6 @@
 import java.security.MessageDigest;
 import java.security.MessageDigestSpi;
 import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
 import java.security.Provider;
 import java.security.PublicKey;
 import java.security.SecureRandom;
@@ -53,6 +52,9 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.CertificateFactorySpi;
 import java.security.cert.X509CRL;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.StringTokenizer;
 import java.util.concurrent.ConcurrentHashMap;
@@ -72,8 +74,6 @@
 import org.bouncycastle.asn1.x509.CertificateList;
 import org.bouncycastle.jce.provider.X509CRLObject;
 
-import static org.jruby.ext.openssl.OpenSSL.debugStackTrace;
-
 /**
  * Java Security (and JCE) helpers.
  *
@@ -563,26 +563,28 @@ static boolean verify(final X509CRL crl, final PublicKey publicKey, final boolea
             return true;
         }
 
-        try {
-            crl.verify(publicKey);
-            return true;
-        }
-        catch (NoSuchAlgorithmException ex) {
-            if ( silent ) return false; throw ex;
-        }
-        catch (CRLException ex) {
-            if ( silent ) return false; throw ex;
-        }
-        catch (InvalidKeyException ex) {
-            if ( silent ) return false; throw ex;
-        }
-        catch (SignatureException ex) {
-            if ( silent ) return false; throw ex;
+        // since we are using JCE here and BC might not be registered as Provider
+        // we need to find a provider which supports such CRL verification
+        // if we find a provider we will ignore the collected errors
+        // otherwise the errors get displayed
+        // TODO use BC directly for verifing CRL (probably needs quite some refactoring)
+        List<Exception> errors = new LinkedList<Exception>();
+        for(Provider p: Security.getProviders()) {
+            try {
+                crl.verify(publicKey, p.getName());
+                return true;
+            }
+            catch(SignatureException e) {
+                return false;
+            }
+            catch(Exception e) {
+                errors.add(e);
+            }
         }
-        catch (NoSuchProviderException e) {
+        for(Exception e: errors) {
             debugStackTrace(e);
-            throw new RuntimeException(e); // unexpected - might hide a bug
-        }
+		}
+        return false;
     }
 
     private static Object getCertificateList(final Object crl) { // X509CRLObject
