
Inconsistent handling of internal state in CRL

Open pcarlisle opened this issue 7 years ago • 0 comments

I have the following code

      crl = OpenSSL::X509::CRL.new
      crl.version = 1
      crl.issuer = ca_cert.subject

      ef = extension_factory_for(ca_cert)
      crl.add_extension(
        ef.create_extension(["authorityKeyIdentifier", "keyid:always", false]))
      crl.add_extension(
        OpenSSL::X509::Extension.new("crlNumber", OpenSSL::ASN1::Integer(0)))

      not_before = just_now
      crl.last_update = not_before
      crl.next_update = not_before + FIVE_YEARS
      crl.sign(ca_key, DEFAULT_SIGNING_DIGEST)
      binding.pry

At this breakpoint I get

[11] pry(PuppetSpec::SSL)> crl
=> #<OpenSSL::X509::CRL:0xfb0a08c>
[12] pry(PuppetSpec::SSL)> crl.to_pem
=> "-----BEGIN X509 CRL-----\nMAA=\n-----END X509 CRL-----\n"
[13] pry(PuppetSpec::SSL)> OpenSSL::X509::CRL.new(crl.to_pem)
OpenSSL::X509::CRLError: java.lang.IllegalArgumentException: sequence wrong size for CertificateList
from org/jruby/ext/openssl/X509CRL.java:221:in `initialize'
[14] pry(PuppetSpec::SSL)> OpenSSL::X509::CRL.new(crl.to_der).to_pem
=> "-----BEGIN X509 CRL-----\nMIIBkDB6AgEBMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNVBAMMDHJvb3QtY2Et8KCc\njhcNMTgwNTA0MjIxNDU5WhcNMjMwNTAzMjIxNDU5WqAvMC0wHwYDVR0jBBgwFoAU\nE4P3BleD1/3tVw5gc5IF9o/5H9kwCgYDVR0UBAMCAQAwDQYJKoZIhvcNAQELBQAD\nggEBAFgkbu65QLWwxHSyPw24StD9EFhHkbYX2pXq+FnS9RNSFpV9RJg1R4rOdfHe\n7xhIWO8milyKsAgTE2s1I2o+RXzH4Gaq2FFWc48f5ZXRUWqhNb8Dd8yuTbiTkqOl\n3ZuMfJUUzk0DBPKjn665AGYKRcQ5Jeaw3s8VSST/p3wzLNnCM1Dn39zvPKXJ1oQF\nAI8vkXgTg9tBOoSe1ENe6AJJnzn3hU8E3SXc457Azifz4w+ShRsxzvb1pjRXSVQ+\ny3WKN2X1z646sYx5bXMDTXhXUTo1aL9t12BpGbfHJom586AtOSV5lchnkgyb8eVl\nHOUhMoTwG0RaEfhIyQ1UN1VJk2U=\n-----END X509 CRL-----\n"
[15] pry(PuppetSpec::SSL)> OpenSSL::X509::CRL.new(OpenSSL::X509::CRL.new(crl.to_der).to_pem)
=> #<OpenSSL::X509::CRL:0xb61edb9>

It seems that internally the crl should be either in crl or crlHolder, and to_der will check both but to_pem will only check crl. When I initialize a new object from an existing crl it initializes crl internally, but when calling new with no arguments it doesn't initialize anything (sign initializes crlHolder but sets crl to null).

This is also seen by:

[16] pry(PuppetSpec::SSL)> OpenSSL::X509::CRL.new.to_der
Java::JavaLang::IllegalStateException: no crl holder
from org.jruby.ext.openssl.X509CRL.getCRL(X509CRL.java:140)

I'm on jruby 9.1.16.0.

pcarlisle, May 04 '18 22:05