[Backport 2.x] Bump BouncyCastle from jdk15on to jdk15to18 (#2901)

jdk15to18 contains fix for
 - CVE-2023-33201 - Medium
   Severity Vulnerability

Signed-off-by: Andrey Pleskach <[email protected]>
(cherry picked from commit 9a72355)
Signed-off-by: Andrey Pleskach <[email protected]>

build.gradle

@@ -290,7 +290,7 @@ dependencies {
     implementation 'com.google.guava:guava:32.0.1-jre'
     implementation 'org.greenrobot:eventbus:3.2.0'
     implementation 'commons-cli:commons-cli:1.3.1'
-    implementation 'org.bouncycastle:bcprov-jdk15on:1.67'
+    implementation "org.bouncycastle:bcprov-jdk15to18:${versions.bouncycastle}"
     implementation 'org.ldaptive:ldaptive:1.2.3'
     implementation 'org.apache.httpcomponents:httpclient-cache:4.5.13'
     implementation 'io.jsonwebtoken:jjwt-api:0.10.8'
@@ -363,7 +363,7 @@ dependencies {
     runtimeOnly 'org.apache.santuario:xmlsec:2.2.3'
     runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"
     runtimeOnly 'org.checkerframework:checker-qual:3.5.0'
-    runtimeOnly "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
+    runtimeOnly "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
     runtimeOnly 'org.scala-lang.modules:scala-java8-compat_3:1.0.2'
 
 

plugin-security.policy

@@ -55,10 +55,13 @@ grant {
   permission java.net.NetPermission "getNetworkInformation";
   permission java.net.NetPermission "getProxySelector";
   permission java.net.SocketPermission "*", "connect,accept,resolve";
-
+
+  // BouncyCastle permissions
   permission java.security.SecurityPermission "putProviderProperty.BC";
   permission java.security.SecurityPermission "insertProvider.BC";
-
+  permission java.security.SecurityPermission "removeProviderProperty.BC";
+  permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";
+
   permission java.lang.RuntimePermission "accessUserInformation";
 
   permission java.security.SecurityPermission "org.apache.xml.security.register";

src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java

@@ -50,6 +50,7 @@
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLParameters;
 
+import com.google.common.collect.ImmutableList;
 import io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.netty.handler.ssl.ClientAuth;
 import io.netty.handler.ssl.OpenSsl;
@@ -60,6 +61,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.ASN1Object;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.ASN1Sequence;
@@ -1130,34 +1132,27 @@ public String getSubjectAlternativeNames(X509Certificate cert) {
     }
 
     private List<String> getOtherName(List<?> altName) {
-        ASN1Primitive oct = null;
-        try {
-            byte[] altNameBytes = (byte[]) altName.get(1);
-            oct = (new ASN1InputStream(new ByteArrayInputStream(altNameBytes)).readObject());
-        } catch (IOException e) {
-            throw new RuntimeException("Could not read ASN1InputStream", e);
-        }
-        if (oct instanceof ASN1TaggedObject) {
-            oct = ((ASN1TaggedObject) oct).getObject();
+        if (altName.size() < 2) {
+            log.warn("Couldn't parse subject alternative names");
+            return null;
         }
-        ASN1Sequence seq = ASN1Sequence.getInstance(oct);
-
-        // Get object identifier from first in sequence
-        ASN1ObjectIdentifier asnOID = (ASN1ObjectIdentifier) seq.getObjectAt(0);
-        String oid = asnOID.getId();
-
-        // Get value of object from second element
-        final ASN1TaggedObject obj = (ASN1TaggedObject) seq.getObjectAt(1);
-        // Could be tagged twice due to bug in java cert.getSubjectAltName
-        ASN1Primitive prim = obj.getObject();
-        if (prim instanceof ASN1TaggedObject) {
-            prim = ASN1TaggedObject.getInstance(((ASN1TaggedObject) prim)).getObject();
-        }
-
-        if (prim instanceof ASN1String) {
-            return Collections.unmodifiableList(Arrays.asList(oid, ((ASN1String) prim).getString()));
+        try (final ASN1InputStream in = new ASN1InputStream((byte[]) altName.get(1))) {
+            final ASN1Primitive asn1Primitive = in.readObject();
+            final ASN1Sequence sequence = ASN1Sequence.getInstance(asn1Primitive);
+            final ASN1ObjectIdentifier asn1ObjectIdentifier = ASN1ObjectIdentifier.getInstance(sequence.getObjectAt(0));
+            final ASN1TaggedObject asn1TaggedObject = ASN1TaggedObject.getInstance(sequence.getObjectAt(1));
+            ASN1Object maybeTaggedAsn1Primitive = asn1TaggedObject.getBaseObject();
+            if (maybeTaggedAsn1Primitive instanceof ASN1TaggedObject) {
+                maybeTaggedAsn1Primitive = ASN1TaggedObject.getInstance(maybeTaggedAsn1Primitive).getBaseObject();
+            }
+            if (maybeTaggedAsn1Primitive instanceof ASN1String) {
+                return ImmutableList.of(asn1ObjectIdentifier.getId(), maybeTaggedAsn1Primitive.toString());
+            } else {
+                log.warn("Couldn't parse subject alternative names");
+                return null;
+            }
+        } catch (final Exception ioe) { // catch all exception here since BC throws diff exceptions
+            throw new RuntimeException("Couldn't parse subject alternative names", ioe);
         }
-
-        return null;
     }
 }