Skip to content

Commit

Permalink
[Backport 2.x] Bump BouncyCastle from jdk15on to jdk15to18 (#2901)
Browse files Browse the repository at this point in the history
jdk15to18 contains fix for
 - CVE-2023-33201 - Medium
   Severity Vulnerability

Signed-off-by: Andrey Pleskach <[email protected]>
(cherry picked from commit 9a72355)
Signed-off-by: Andrey Pleskach <[email protected]>
  • Loading branch information
willyborankin committed Jun 29, 2023
1 parent 101f58c commit 668b6f1
Show file tree
Hide file tree
Showing 3 changed files with 59 additions and 65 deletions.
4 changes: 2 additions & 2 deletions build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -290,7 +290,7 @@ dependencies {
implementation 'com.google.guava:guava:32.0.1-jre'
implementation 'org.greenrobot:eventbus:3.2.0'
implementation 'commons-cli:commons-cli:1.3.1'
implementation 'org.bouncycastle:bcprov-jdk15on:1.67'
implementation "org.bouncycastle:bcprov-jdk15to18:${versions.bouncycastle}"
implementation 'org.ldaptive:ldaptive:1.2.3'
implementation 'org.apache.httpcomponents:httpclient-cache:4.5.13'
implementation 'io.jsonwebtoken:jjwt-api:0.10.8'
Expand Down Expand Up @@ -363,7 +363,7 @@ dependencies {
runtimeOnly 'org.apache.santuario:xmlsec:2.2.3'
runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"
runtimeOnly 'org.checkerframework:checker-qual:3.5.0'
runtimeOnly "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
runtimeOnly "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
runtimeOnly 'org.scala-lang.modules:scala-java8-compat_3:1.0.2'


Expand Down
7 changes: 5 additions & 2 deletions plugin-security.policy
Original file line number Diff line number Diff line change
Expand Up @@ -55,10 +55,13 @@ grant {
permission java.net.NetPermission "getNetworkInformation";
permission java.net.NetPermission "getProxySelector";
permission java.net.SocketPermission "*", "connect,accept,resolve";


// BouncyCastle permissions
permission java.security.SecurityPermission "putProviderProperty.BC";
permission java.security.SecurityPermission "insertProvider.BC";

permission java.security.SecurityPermission "removeProviderProperty.BC";
permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";

permission java.lang.RuntimePermission "accessUserInformation";

permission java.security.SecurityPermission "org.apache.xml.security.register";
Expand Down
113 changes: 52 additions & 61 deletions src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
Original file line number Diff line number Diff line change
Expand Up @@ -17,39 +17,7 @@

package org.opensearch.security.ssl;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;

import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

import com.google.common.collect.ImmutableList;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
Expand All @@ -60,12 +28,12 @@
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.asn1.ASN1TaggedObject;

import org.opensearch.OpenSearchException;
import org.opensearch.OpenSearchSecurityException;
import org.opensearch.SpecialPermission;
Expand All @@ -80,6 +48,36 @@
import org.opensearch.security.ssl.util.SSLConfigConstants;
import org.opensearch.transport.NettyAllocator;

import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;

public class DefaultSecurityKeyStore implements SecurityKeyStore {

private static final String DEFAULT_STORE_TYPE = "JKS";
Expand Down Expand Up @@ -1130,34 +1128,27 @@ public String getSubjectAlternativeNames(X509Certificate cert) {
}

private List<String> getOtherName(List<?> altName) {
ASN1Primitive oct = null;
try {
byte[] altNameBytes = (byte[]) altName.get(1);
oct = (new ASN1InputStream(new ByteArrayInputStream(altNameBytes)).readObject());
} catch (IOException e) {
throw new RuntimeException("Could not read ASN1InputStream", e);
}
if (oct instanceof ASN1TaggedObject) {
oct = ((ASN1TaggedObject) oct).getObject();
if (altName.size() < 2) {
log.warn("Couldn't parse subject alternative names");
return null;
}
ASN1Sequence seq = ASN1Sequence.getInstance(oct);

// Get object identifier from first in sequence
ASN1ObjectIdentifier asnOID = (ASN1ObjectIdentifier) seq.getObjectAt(0);
String oid = asnOID.getId();

// Get value of object from second element
final ASN1TaggedObject obj = (ASN1TaggedObject) seq.getObjectAt(1);
// Could be tagged twice due to bug in java cert.getSubjectAltName
ASN1Primitive prim = obj.getObject();
if (prim instanceof ASN1TaggedObject) {
prim = ASN1TaggedObject.getInstance(((ASN1TaggedObject) prim)).getObject();
}

if (prim instanceof ASN1String) {
return Collections.unmodifiableList(Arrays.asList(oid, ((ASN1String) prim).getString()));
try (final ASN1InputStream in = new ASN1InputStream((byte[]) altName.get(1))) {
final ASN1Primitive asn1Primitive = in.readObject();
final ASN1Sequence sequence = ASN1Sequence.getInstance(asn1Primitive);
final ASN1ObjectIdentifier asn1ObjectIdentifier = ASN1ObjectIdentifier.getInstance(sequence.getObjectAt(0));
final ASN1TaggedObject asn1TaggedObject = ASN1TaggedObject.getInstance(sequence.getObjectAt(1));
ASN1Object maybeTaggedAsn1Primitive = asn1TaggedObject.getBaseObject();
if (maybeTaggedAsn1Primitive instanceof ASN1TaggedObject) {
maybeTaggedAsn1Primitive = ASN1TaggedObject.getInstance(maybeTaggedAsn1Primitive).getBaseObject();
}
if (maybeTaggedAsn1Primitive instanceof ASN1String) {
return ImmutableList.of(asn1ObjectIdentifier.getId(), maybeTaggedAsn1Primitive.toString());
} else {
log.warn("Couldn't parse subject alternative names");
return null;
}
} catch (final Exception ioe) { // catch all exception here since BC throws diff exceptions
throw new RuntimeException("Couldn't parse subject alternative names", ioe);
}

return null;
}
}

0 comments on commit 668b6f1

Please sign in to comment.