From 96e9898852f6948da476c46dc58c15754306f68a Mon Sep 17 00:00:00 2001
From: Andrey Pleskach
Date: Mon, 3 Jul 2023 22:44:26 +0200
Subject: [PATCH] [Backport 1.x] Bump BouncyCastle from jdk15on to jdk15to18 (#2901) (#2919)
jdk15to18 contains fix for - CVE-2023-33201 - Medium Severity Vulnerability
(cherry picked from commit 9a72355cbf37972ce1b9d12918e2a3e7c5023d80)
Signed-off-by: Andrey Pleskach
(cherry picked from commit 8e6eef7c8c6f8a1805b227320984ec928831a9c3)
---
 build.gradle | 9 +++-
 plugin-security.policy | 7 ++-
 .../security/ssl/DefaultSecurityKeyStore.java | 51 +++++++++----------
 3 files changed, 36 insertions(+), 31 deletions(-)
diff --git a/build.gradle b/build.gradle
index d91919bb72..b224029ce6 100644
--- a/build.gradle
+++ b/build.gradle
@@ -92,13 +92,20 @@ configurations.all {
 }
 dependencies {
+
+ modules {
+ module("org.bouncycastle:bcprov-jdk15on") {
+ replacedBy("org.bouncycastle:bcprov-jdk15to18", "the jdk15on artifacts are not supported anymore")
+ }
+ }
+
 implementation 'jakarta.annotation:jakarta.annotation-api:1.3.5'
 implementation "org.opensearch.plugin:transport-netty4-client:${opensearch_version}"
 implementation "org.opensearch.client:opensearch-rest-high-level-client:${opensearch_version}"
 implementation 'com.google.guava:guava:30.0-jre'
 implementation 'org.greenrobot:eventbus:3.2.0'
 implementation 'commons-cli:commons-cli:1.3.1'
- implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
+ implementation 'org.bouncycastle:bcprov-jdk15to18:1.75'
 implementation 'com.fasterxml.jackson.core:jackson-databind:2.14.1'
 implementation 'org.ldaptive:ldaptive:1.2.3'
 implementation 'org.apache.httpcomponents:httpclient-cache:4.5.13'
diff --git a/plugin-security.policy b/plugin-security.policy
index d34b40f1a9..a0b51c26a8 100644
--- a/plugin-security.policy
+++ b/plugin-security.policy
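Review bot: The `modules { module("org.bouncycastle:bcprov-jdk15on") { replacedBy(...) } }` rule covers only `bcprov`; if any transitive dependency still pulls in another jdk15on-classified BouncyCastle artifact (`bcpkix-jdk15on`, `bcutil-jdk15on`), it is not replaced and can end up on the runtime classpath next to `bcprov-jdk15to18:1.75`, keeping 1.70-era BouncyCastle code around that this bump is meant to retire. Worth confirming on the resolved tree (`gradle dependencies --configuration runtimeClasspath`) and, where present, adding matching `module(...)`/`replacedBy(...)` entries or a resolution constraint. A short comment on the module block stating why the rule exists would also help the next maintainer, e.g. `// jdk15on artifacts are no longer maintained; CVE-2023-33201 is fixed in jdk15to18 1.75 (see #2901)`.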
@@ -59,10 +59,13 @@ grant {
 permission java.net.NetPermission "getNetworkInformation";
 permission java.net.NetPermission "getProxySelector";
 permission java.net.SocketPermission "*", "connect,accept,resolve";
-
+
+ // BouncyCastle permissions
 permission java.security.SecurityPermission "putProviderProperty.BC";
 permission java.security.SecurityPermission "insertProvider.BC";
-
+ permission java.security.SecurityPermission "removeProviderProperty.BC";
+ permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";
+
 permission java.lang.RuntimePermission "accessUserInformation";
 permission java.security.SecurityPermission "org.apache.xml.security.register";
diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
index 982364fd73..39ad5d7b7e 100644
--- a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
+++ b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
@@ -17,6 +17,7 @@
 package org.opensearch.security.ssl;
+import com.google.common.collect.ImmutableList;
 import io.netty.buffer.PooledByteBufAllocator;
 import io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.netty.handler.ssl.ClientAuth;
@@ -58,6 +59,7 @@
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLParameters;
+import org.bouncycastle.asn1.ASN1Object;
 import org.opensearch.security.ssl.util.CertFileProps;
 import org.opensearch.security.ssl.util.CertFromFile;
 import org.opensearch.security.ssl.util.CertFromKeystore;
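Review bot: The new `permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write"` lets plugin code change a JVM-wide TLS setting, and neither the hunk nor the commit message says which BouncyCastle 1.75 code path needs it; the `// BouncyCastle permissions` heading covers it only by position. Each added grant should carry its reason so it can be re-examined when the dependency moves again, e.g. `// needed by bcprov-jdk15to18 1.75 during provider setup — <code path, TODO confirm>` above the property permission, and a similar line for `removeProviderProperty.BC`. If the write happens only once at provider registration, saying so would let a later reviewer check whether the grant can be narrowed.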
@@ -985,34 +987,27 @@ public String getSubjectAlternativeNames(X509Certificate cert) {
 }
 private List getOtherName(List altName) {
- ASN1Primitive oct = null;
- try {
- byte[] altNameBytes = (byte[]) altName.get(1);
- oct = (new ASN1InputStream(new ByteArrayInputStream(altNameBytes)).readObject());
- } catch (IOException e) {
- throw new RuntimeException("Could not read ASN1InputStream", e);
- }
- if (oct instanceof ASN1TaggedObject) {
- oct = ((ASN1TaggedObject) oct).getObject();
- }
- ASN1Sequence seq = ASN1Sequence.getInstance(oct);
-
- // Get object identifier from first in sequence
- ASN1ObjectIdentifier asnOID = (ASN1ObjectIdentifier) seq.getObjectAt(0);
- String oid = asnOID.getId();
-
- // Get value of object from second element
- final ASN1TaggedObject obj = (ASN1TaggedObject) seq.getObjectAt(1);
- // Could be tagged twice due to bug in java cert.getSubjectAltName
- ASN1Primitive prim = obj.getObject();
- if (prim instanceof ASN1TaggedObject) {
- prim = ASN1TaggedObject.getInstance(((ASN1TaggedObject) prim)).getObject();
- }
-
- if (prim instanceof ASN1String) {
- return Collections.unmodifiableList(Arrays.asList(oid, ((ASN1String) prim).getString()));
+ if (altName.size() < 2) {
+ log.warn("Couldn't parse subject alternative names");
+ return null;
+ }
+ try (final ASN1InputStream in = new ASN1InputStream((byte[]) altName.get(1))) {
+ final ASN1Primitive asn1Primitive = in.readObject();
+ final ASN1Sequence sequence = ASN1Sequence.getInstance(asn1Primitive);
+ final ASN1ObjectIdentifier asn1ObjectIdentifier = ASN1ObjectIdentifier.getInstance(sequence.getObjectAt(0));
+ final ASN1TaggedObject asn1TaggedObject = ASN1TaggedObject.getInstance(sequence.getObjectAt(1));
+ ASN1Object maybeTaggedAsn1Primitive = asn1TaggedObject.getBaseObject();
+ if (maybeTaggedAsn1Primitive instanceof ASN1TaggedObject) {
+ maybeTaggedAsn1Primitive = ASN1TaggedObject.getInstance(maybeTaggedAsn1Primitive).getBaseObject();
+ }
+ if (maybeTaggedAsn1Primitive instanceof ASN1String) {
+ return ImmutableList.of(asn1ObjectIdentifier.getId(), maybeTaggedAsn1Primitive.toString());
+ } else {
+ log.warn("Couldn't parse subject alternative names");
+ return null;
+ }
+ } catch (final Exception ioe) { // catch all exception here since BC throws diff exceptions
+ throw new RuntimeException("Couldn't parse subject alternative names", ioe);
 }
-
- return null;
 }
 }
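Review bot: The unwrap of an outer tagged object before the sequence lookup was dropped: the removed lines did `if (oct instanceof ASN1TaggedObject) oct = ((ASN1TaggedObject) oct).getObject();` before `ASN1Sequence.getInstance`, whereas the new code hands `in.readObject()` straight to `ASN1Sequence.getInstance(asn1Primitive)`, which does not accept a tagged object as a sequence, so an outer-tagged otherName (the case the removed comment attributed to `cert.getSubjectAltName`) now surfaces as the RuntimeException from the catch-all instead of being parsed. If that was deliberate, a comment should say so; otherwise restore the step with `ASN1Object asn1Object = in.readObject(); if (asn1Object instanceof ASN1TaggedObject) { asn1Object = ASN1TaggedObject.getInstance(asn1Object).getBaseObject(); }` and pass `asn1Object` to `getInstance`. After the `instanceof ASN1String` check, `((ASN1String) maybeTaggedAsn1Primitive).getString()` is the documented accessor; `toString()` happens to yield the same text for BouncyCastle's string types but is not part of that contract. The variable name `ioe` in `catch (final Exception ioe)` is misleading now that every exception is caught, and both `log.warn` calls emit the identical message, so including the OID or the list index in at least one of them would make a failing certificate easier to locate.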