
"Duplicate extensions not allowed" should not raise errors despite bug in Java

Open docwhat opened this issue 10 years ago • 4 comments

There is a nasty little bug in Java: JDK-8062548 "Support duplicate Extended Key Usage certificate extensions".

This causes problems on OS X systems such as jruby/jruby#1055 because Apple creates some certificates with multiple "X509v3 Extended Key Usage" sections.

It may cause problems elsewhere as well.

This is not a bug in JRuby; however, I think JRuby should work around it by dropping any of these certificates.

How to recreate:

  1. Create a file called openjdk-bug-cert.pem with the contents of the certificate in JDK-8062548 (copied below for ease of use)
  2. Run env -u SSL_CERT_DIR SSL_CERT_FILE=$PWD/openjdk-bug-cert.pem jruby -ropenssl -e 'puts "hi"'

Using:

  • Oracle Java 1.7.0_80, 1.8.0_45, and 1.8.0_51
  • JRuby 1.7.21

Example output:

  $ env -u SSL_CERT_DIR SSL_CERT_FILE=$PWD/openjdk-bug-cert.pem jruby -ropenssl -e 'puts "hi"'
  OpenSSL::X509::StoreError: setting default path failed: problem creating X509 Aux certificate: java.io.IOException: problem parsing cert: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed
    set_default_paths at org/jruby/ext/openssl/X509Store.java:185
               (root) at /Users/docwhat/.rbenv/versions/jruby-1.7.21/lib/ruby/shared/jopenssl/load.rb:22
              require at org/jruby/RubyKernel.java:1040
               (root) at /Users/docwhat/.rbenv/versions/jruby-1.7.21/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:1
              require at /Users/docwhat/.rbenv/versions/jruby-1.7.21/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:54
              require at org/jruby/RubyKernel.java:1040
               (root) at /Users/docwhat/.rbenv/versions/jruby-1.7.21/lib/ruby/shared/openssl.rb:1

The above command works fine with ruby instead of jruby.

Workaround

Find the offending certificates and remove them from your SSL_CERT_FILE or SSL_CERT_DIR. I'll see if I can create a script to help with that.

Edits

  • Corrected link to jruby bug



docwhat avatar Jul 21 '15 18:07 docwhat

Interesting note:

If you put the offending certificate as a .pem file in your SSL_CERT_DIR, JRuby works fine. It appears that whatever code is getting the certificate doesn't cause JRuby-OpenSSL to blow up.

However, there are two mechanisms for generating the c_rehash hashes (MD5 in older OpenSSL and SHA1 in newer), which will cause some versions of OpenSSL not to be able to find things in a directory.

So the single file mechanism is still the best for compatibility. sigh

docwhat avatar Jul 21 '15 20:07 docwhat

I have a working "workaround" in a gist: https://gist.github.com/docwhat/24f0add92c2f43d8ec9e

This script filters out the offending certificates and dumps them to a single cert.pem file in /usr/local/etc/openssl/ (or SSL_CERT_FILE if you have that set).

docwhat avatar Jul 21 '15 20:07 docwhat

@docwhat How can I modify your ruby script to give/show me the offending cert instead? I don't think Ruby has stuff like map.accept(&:extended_key_usage?)

totszwai avatar May 31 '17 19:05 totszwai

Instead of reject, use select.

docwhat avatar Jun 01 '17 15:06 docwhat
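A worked version of the two ideas in this thread (filter the bundle with reject, list the offenders with select) together with the c_rehash naming caveat from the earlier comment. This is an added example, not docwhat's gist and not jruby-openssl code. The function names (`certificates_in`, `duplicate_extension_oids`, `clean_bundle`, `rehash_names`) are the example's own; the certificates are constructed inside the script with two extendedKeyUsage extensions to stand in for the Apple certificate from JDK-8062548, and where the cleaned bundle gets written is left to the caller. It checks every extension OID for duplicates, not only Extended Key Usage, because the JDK error is about duplicates in general.

```ruby
require "openssl"

# One PEM certificate block; SSL_CERT_FILE is a concatenation of these.
CERT_BLOCK = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

def certificates_in(pem_bundle)
  pem_bundle.scan(CERT_BLOCK).map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# OIDs of extensions that occur more than once. The JDK parser rejects any
# duplicate OID ("Duplicate extensions not allowed"), not just EKU, so every
# extension is counted. Empty for a certificate the JDK will accept.
def duplicate_extension_oids(cert)
  counts = Hash.new(0)
  cert.extensions.each { |ext| counts[ext.oid] += 1 }
  counts.select { |_oid, n| n > 1 }.keys
end

def offending?(cert)
  !duplicate_extension_oids(cert).empty?
end

# select: show the offenders (the question asked in the thread).
def offending_certificates(pem_bundle)
  certificates_in(pem_bundle).select { |cert| offending?(cert) }
end

# reject: the clean-up behaviour, returning a bundle JRuby can load.
def clean_bundle(pem_bundle)
  certificates_in(pem_bundle).reject { |cert| offending?(cert) }.map(&:to_pem).join
end

# c_rehash-style names for dropping a certificate into SSL_CERT_DIR:
# "<subject hash>.<n>". OpenSSL >= 1.0.0 uses the SHA-1 based X509_NAME_hash;
# older releases used the MD5-based X509_NAME_hash_old. Linking the file under
# both names keeps the directory usable by either generation of OpenSSL.
def rehash_names(cert, index = 0)
  name = cert.subject
  names = { new: format("%08x.%d", name.hash, index) }
  names[:old] = format("%08x.%d", name.hash_old, index) if name.respond_to?(:hash_old)
  names
end

# Constructed test data (not the certificate from JDK-8062548): a self-signed
# certificate with one extendedKeyUsage extension per entry in `ekus`, so two
# entries reproduce the duplicate-extension shape that the JDK rejects.
def make_cert(cn, ekus)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  ekus.each { |usage| cert.add_extension(ef.create_extension("extendedKeyUsage", usage)) }
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

SAMPLE_BUNDLE = [
  make_cert("good-root", ["serverAuth"]),
  make_cert("bad-root", ["serverAuth", "clientAuth"]),
].map(&:to_pem).join

if $PROGRAM_NAME == __FILE__
  offending_certificates(SAMPLE_BUNDLE).each do |cert|
    puts "dropping #{cert.subject}: duplicate #{duplicate_extension_oids(cert).join(', ')}"
  end
  cleaned = clean_bundle(SAMPLE_BUNDLE)
  puts "kept #{certificates_in(cleaned).size} of #{certificates_in(SAMPLE_BUNDLE).size} certificates"
  # Write `cleaned` to whatever file SSL_CERT_FILE points at; the path is yours to choose.
end
```

To use it on a real bundle, read the file SSL_CERT_FILE points at in place of SAMPLE_BUNDLE. The script checks on MRI, where OpenSSL parses the duplicate-extension certificate without complaint; run it with JRuby and the parse itself is what fails, which is why the filtering has to happen before jruby-openssl loads the store.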