jruby-openssl

Parsing invalid PEM files unexpectedly succeeds

Open tsaarni opened this issue 2 years ago • 1 comments

(1) Reading an invalid private key in PEM format does not fail as expected

irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> OpenSSL::PKey::read('not a PEM file')
=> #<OpenSSL::PKey::RSA:0x6785df10> 

If using another approach, it returns the expected error:

irb(main):003:0> OpenSSL::PKey::RSA.new('not a PEM file')
Traceback (most recent call last):
       10: from /home/tsaarni/.rbenv/versions/jruby-9.3.10.0/bin/irb:23:in `<main>'
        9: from org/jruby/RubyKernel.java:1052:in `load'
        8: from /home/tsaarni/.rbenv/versions/jruby-9.3.10.0/lib/ruby/gems/shared/gems/irb-1.0.0/exe/irb:11:in `<main>'
        7: from org/jruby/RubyKernel.java:1237:in `catch'
        6: from org/jruby/RubyKernel.java:1237:in `catch'
        5: from org/jruby/RubyKernel.java:1507:in `loop'
        4: from org/jruby/RubyKernel.java:1091:in `eval'
        3: from (irb):3:in `evaluate'
        2: from org/jruby/RubyClass.java:890:in `new'
        1: from org/jruby/ext/openssl/PKeyRSA.java:310:in `initialize'
OpenSSL::PKey::RSAError (Neither PUB key nor PRIV key:)

(2) Reading an invalid CA certificate into a certificate store does not fail as expected

irb(main):002:0> store = OpenSSL::X509::Store.new
=> #<OpenSSL::X509::Store:0x56499781 @flags=0, @time=nil, @error=nil, @error_string=nil, @trust=0, @chain=nil, @purpose=0, @verify_callback=nil>
irb(main):003:0> store.add_file('invalid.pem')
=> #<OpenSSL::X509::Store:0x56499781 @flags=0, @time=nil, @error=nil, @error_string=nil, @trust=0, @chain=nil, @purpose=0, @verify_callback=nil>

On Ruby 3.2.2, the same tests produce the following (expected) errors:

irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> OpenSSL::PKey::read('not a PEM file')
(irb):2:in `read': Could not parse PKey: unsupported (OpenSSL::PKey::PKeyError)
        from (irb):2:in `<main>'
        from /home/tsaarni/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/irb-1.6.2/exe/irb:11:in `<top (required)>'
        from /home/tsaarni/.rbenv/versions/3.2.2/bin/irb:25:in `load'
        from /home/tsaarni/.rbenv/versions/3.2.2/bin/irb:25:in `<main>'
irb(main):003:0> store = OpenSSL::X509::Store.new
=> #<OpenSSL::X509::Store:0x00007f37e047e1a8 @chain=nil, @error=nil, @error_string=nil, @time=nil, @verify_callback=nil>
irb(main):004:0> store.add_file('invalid.pem')
(irb):4:in `add_file': X509_LOOKUP_load_file: no certificate or crl found (OpenSSL::X509::StoreError)
        from (irb):4:in `<main>'
        from /home/tsaarni/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/irb-1.6.2/exe/irb:11:in `<top (required)>'
        from /home/tsaarni/.rbenv/versions/3.2.2/bin/irb:25:in `load'
        from /home/tsaarni/.rbenv/versions/3.2.2/bin/irb:25:in `<main>'

tsaarni, Sep 14 '23 11:09

Implemented OpenSSL::PKey::read; the OpenSSL::X509::Store.new case is more complicated, thus leaving this open.

kares, Apr 09 '24 10:04
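A fail-closed loading pattern for the two cases reported above, as an added example that is not part of the issue or of jruby-openssl. The names `StrictPemError`, `strict_read_pkey`, `strict_store_from_pem` and `constructed_ca` are hypothetical; the store helper relies on `OpenSSL::X509::Certificate.new` rejecting bad input rather than on `add_file` raising.

```ruby
require 'openssl'

# Added example: PEM loading that fails closed even when the runtime's
# OpenSSL::PKey.read or Store#add_file silently accepts bad input.
class StrictPemError < StandardError; end

KEY_BLOCK  = /-----BEGIN [A-Z0-9 ]*(PRIVATE|PUBLIC) KEY-----/
CERT_BLOCK = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Hypothetical helper: accept PEM only and require real key material.
def strict_read_pkey(pem)
  raise StrictPemError, 'no PEM key block in input' unless pem.match?(KEY_BLOCK)
  key = OpenSSL::PKey.read(pem)
  # Treat a key that re-encodes to nothing (or fails to re-encode) as invalid.
  der = key.to_der
  raise StrictPemError, 'parsed key is empty' if der.nil? || der.empty?
  key
rescue OpenSSL::OpenSSLError => e
  raise StrictPemError, "key rejected: #{e.message}"
end

# Hypothetical helper: build a trust store from at least one parseable certificate.
def strict_store_from_pem(pem)
  blocks = pem.scan(CERT_BLOCK)
  raise StrictPemError, 'no certificate block in input' if blocks.empty?
  store = OpenSSL::X509::Store.new
  blocks.each { |b| store.add_cert(OpenSSL::X509::Certificate.new(b)) }
  store
rescue OpenSSL::OpenSSLError => e
  raise StrictPemError, "certificate rejected: #{e.message}"
end

# Constructed sample input: a throwaway self-signed CA generated in memory.
def constructed_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-test-ca')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end
```

Loading trust anchors with `strict_store_from_pem(File.read(path))` means an empty or corrupted CA bundle stops startup instead of leaving an empty store in place.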