From 51e86b15196f10ca319f27610697ac09fa7f1400 Mon Sep 17 00:00:00 2001 From: Andrey Pleskach Date: Thu, 29 Jun 2023 15:54:21 +0200 Subject: [PATCH] [Backport 2.x] Bump BouncyCastle from jdk15on to jdk15to18 (#2901) jdk15to18 contains fix for - CVE-2023-33201 - Medium Severity Vulnerability Signed-off-by: Andrey Pleskach (cherry picked from commit 9a72355cbf37972ce1b9d12918e2a3e7c5023d80) Signed-off-by: Andrey Pleskach
---
 build.gradle | 4 +- plugin-security.policy | 7 ++- .../security/ssl/DefaultSecurityKeyStore.java | 49 +++++++++---------- 3 files changed, 29 insertions(+), 31 deletions(-)
diff --git a/build.gradle b/build.gradle
index ed20e89d76..788e200ffc 100644
--- a/build.gradle
+++ b/build.gradle
@@ -290,7 +290,7 @@ dependencies {
 implementation 'com.google.guava:guava:32.0.1-jre'
 implementation 'org.greenrobot:eventbus:3.2.0'
 implementation 'commons-cli:commons-cli:1.3.1'
- implementation 'org.bouncycastle:bcprov-jdk15on:1.67'
+ implementation "org.bouncycastle:bcprov-jdk15to18:${versions.bouncycastle}"
 implementation 'org.ldaptive:ldaptive:1.2.3'
 implementation 'org.apache.httpcomponents:httpclient-cache:4.5.13'
 implementation 'io.jsonwebtoken:jjwt-api:0.10.8'
@@ -363,7 +363,7 @@ dependencies {
 runtimeOnly 'org.apache.santuario:xmlsec:2.2.3'
 runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"
 runtimeOnly 'org.checkerframework:checker-qual:3.5.0'
- runtimeOnly "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
+ runtimeOnly "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
 runtimeOnly 'org.scala-lang.modules:scala-java8-compat_3:1.0.2'
diff --git a/plugin-security.policy b/plugin-security.policy
index 17b57c57b1..7bb18f76c9 100644
--- a/plugin-security.policy
+++ b/plugin-security.policy
@@ -55,10 +55,13 @@ grant {
 permission java.net.NetPermission "getNetworkInformation";
 permission java.net.NetPermission "getProxySelector";
 permission java.net.SocketPermission "*", "connect,accept,resolve";
-
+
+ // BouncyCastle permissions
 permission java.security.SecurityPermission "putProviderProperty.BC";
 permission java.security.SecurityPermission "insertProvider.BC";
-
+ permission java.security.SecurityPermission "removeProviderProperty.BC";
+ permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";
+ permission java.lang.RuntimePermission "accessUserInformation";
 permission java.security.SecurityPermission "org.apache.xml.security.register";
diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
index 9ae3349f63..c130131edf 100644
--- a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
+++ b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
@@ -50,6 +50,7 @@
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLParameters;
+import com.google.common.collect.ImmutableList;
 import io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.netty.handler.ssl.ClientAuth;
 import io.netty.handler.ssl.OpenSsl;
@@ -60,6 +61,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.ASN1Object;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.ASN1Sequence;
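Review bot: The new grant `permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";` allows the plugin to change a JVM-wide JSSE setting that governs whether the server accepts client-initiated TLS renegotiation, which is a broader capability than the `// BouncyCastle permissions` comment conveys; if the library only needs to read the property, `"read"` is the narrower grant, and if a write really is required the comment should name the code path that needs it. The same question applies to `permission java.lang.RuntimePermission "accessUserInformation";`, whose connection to BouncyCastle is not visible from the hunk. A one-line comment per added permission of the form `// needed by <class> when <operation>` would let a later reviewer prune these grants when the dependency changes again.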
@@ -1130,34 +1132,27 @@ public String getSubjectAlternativeNames(X509Certificate cert) {
 }
 private List getOtherName(List altName) {
- ASN1Primitive oct = null;
- try {
- byte[] altNameBytes = (byte[]) altName.get(1);
- oct = (new ASN1InputStream(new ByteArrayInputStream(altNameBytes)).readObject());
- } catch (IOException e) {
- throw new RuntimeException("Could not read ASN1InputStream", e);
- }
- if (oct instanceof ASN1TaggedObject) {
- oct = ((ASN1TaggedObject) oct).getObject();
+ if (altName.size() < 2) {
+ log.warn("Couldn't parse subject alternative names");
+ return null;
 }
- ASN1Sequence seq = ASN1Sequence.getInstance(oct);
-
- // Get object identifier from first in sequence
- ASN1ObjectIdentifier asnOID = (ASN1ObjectIdentifier) seq.getObjectAt(0);
- String oid = asnOID.getId();
-
- // Get value of object from second element
- final ASN1TaggedObject obj = (ASN1TaggedObject) seq.getObjectAt(1);
- // Could be tagged twice due to bug in java cert.getSubjectAltName
- ASN1Primitive prim = obj.getObject();
- if (prim instanceof ASN1TaggedObject) {
- prim = ASN1TaggedObject.getInstance(((ASN1TaggedObject) prim)).getObject();
- }
-
- if (prim instanceof ASN1String) {
- return Collections.unmodifiableList(Arrays.asList(oid, ((ASN1String) prim).getString()));
+ try (final ASN1InputStream in = new ASN1InputStream((byte[]) altName.get(1))) {
+ final ASN1Primitive asn1Primitive = in.readObject();
+ final ASN1Sequence sequence = ASN1Sequence.getInstance(asn1Primitive);
+ final ASN1ObjectIdentifier asn1ObjectIdentifier = ASN1ObjectIdentifier.getInstance(sequence.getObjectAt(0));
+ final ASN1TaggedObject asn1TaggedObject = ASN1TaggedObject.getInstance(sequence.getObjectAt(1));
+ ASN1Object maybeTaggedAsn1Primitive = asn1TaggedObject.getBaseObject();
+ if (maybeTaggedAsn1Primitive instanceof ASN1TaggedObject) {
+ maybeTaggedAsn1Primitive = ASN1TaggedObject.getInstance(maybeTaggedAsn1Primitive).getBaseObject();
+ }
+ if (maybeTaggedAsn1Primitive instanceof ASN1String) {
+ return ImmutableList.of(asn1ObjectIdentifier.getId(), maybeTaggedAsn1Primitive.toString());
+ } else {
+ log.warn("Couldn't parse subject alternative names");
+ return null;
+ }
+ } catch (final Exception ioe) { // catch all exception here since BC throws diff exceptions
+ throw new RuntimeException("Couldn't parse subject alternative names", ioe);
 }
-
- return null;
 }
 }
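Review bot: The new `catch (final Exception ioe)` turns every structural failure of the otherName bytes — `ClassCastException` from `(byte[]) altName.get(1)`, and the `IllegalArgumentException`s BouncyCastle raises from the `getInstance` calls on malformed encodings — into a `RuntimeException`, while the two other failure modes in the same method (`altName.size() < 2` and a non-`ASN1String` value) only warn and return null; given that this data appears to come from a certificate's SAN extension (the enclosing `getSubjectAlternativeNames` context), the asymmetric handling deserves a deliberate choice and a comment stating it. If best-effort extraction is the intent, `log.warn("Couldn't parse subject alternative names", e); return null;` matches the rest of the method, and either way the variable should be named `e` rather than `ioe` now that it is no longer an `IOException`. Separately, `maybeTaggedAsn1Primitive.toString()` obtains the value through `Object.toString()` of whichever concrete class BC returns, whereas `((ASN1String) maybeTaggedAsn1Primitive).getString()` is the accessor the `ASN1String` interface guarantees and the one the removed code used. `getOtherName` is fully contained in this hunk, so the change is local.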