Skip to content

Commit

Permalink
Bump BouncyCastle from jdk15on to jdk15to18 (#2901)
Browse files Browse the repository at this point in the history
jdk15to18 contains fix for
 - CVE-2023-33201 - Medium
   Severity Vulnerability

Signed-off-by: Andrey Pleskach <[email protected]>
  • Loading branch information
willyborankin authored Jun 29, 2023
1 parent e4f4817 commit 9a72355
Show file tree
Hide file tree
Showing 3 changed files with 63 additions and 69 deletions.
8 changes: 4 additions & 4 deletions build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -479,7 +479,7 @@ dependencies {
implementation 'com.google.guava:guava:32.0.1-jre'
implementation 'org.greenrobot:eventbus:3.2.0'
implementation 'commons-cli:commons-cli:1.3.1'
implementation "org.bouncycastle:bcprov-jdk15on:${versions.bouncycastle}"
implementation "org.bouncycastle:bcprov-jdk15to18:${versions.bouncycastle}"
implementation 'org.ldaptive:ldaptive:1.2.3'
implementation 'io.jsonwebtoken:jjwt-api:0.10.8'
implementation('org.apache.cxf:cxf-rt-rs-security-jose:3.5.5') {
Expand Down Expand Up @@ -549,7 +549,7 @@ dependencies {
runtimeOnly 'org.apache.santuario:xmlsec:2.2.3'
runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"
runtimeOnly 'org.checkerframework:checker-qual:3.5.0'
runtimeOnly "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
runtimeOnly "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
runtimeOnly 'org.scala-lang.modules:scala-java8-compat_3:1.0.2'


Expand Down Expand Up @@ -613,8 +613,8 @@ dependencies {
integrationTestImplementation 'org.apache.logging.log4j:log4j-core:2.17.1'
integrationTestImplementation 'org.apache.logging.log4j:log4j-jul:2.17.1'
integrationTestImplementation 'org.hamcrest:hamcrest:2.2'
integrationTestImplementation "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
integrationTestImplementation "org.bouncycastle:bcutil-jdk15on:${versions.bouncycastle}"
integrationTestImplementation "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
integrationTestImplementation "org.bouncycastle:bcutil-jdk15to18:${versions.bouncycastle}"
integrationTestImplementation('org.awaitility:awaitility:4.2.0') {
exclude(group: 'org.hamcrest', module: 'hamcrest')
}
Expand Down
7 changes: 5 additions & 2 deletions plugin-security.policy
Original file line number Diff line number Diff line change
Expand Up @@ -55,10 +55,13 @@ grant {
permission java.net.NetPermission "getNetworkInformation";
permission java.net.NetPermission "getProxySelector";
permission java.net.SocketPermission "*", "connect,accept,resolve";


// BouncyCastle permissions
permission java.security.SecurityPermission "putProviderProperty.BC";
permission java.security.SecurityPermission "insertProvider.BC";

permission java.security.SecurityPermission "removeProviderProperty.BC";
permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";

permission java.lang.RuntimePermission "accessUserInformation";

permission java.security.SecurityPermission "org.apache.xml.security.register";
Expand Down
117 changes: 54 additions & 63 deletions src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
Original file line number Diff line number Diff line change
Expand Up @@ -17,41 +17,7 @@

package org.opensearch.security.ssl;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;

import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

import com.google.common.collect.ImmutableList;
import io.netty.handler.codec.http2.Http2SecurityUtil;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ApplicationProtocolConfig.Protocol;
Expand All @@ -68,12 +34,12 @@
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.asn1.ASN1TaggedObject;

import org.opensearch.OpenSearchException;
import org.opensearch.OpenSearchSecurityException;
import org.opensearch.SpecialPermission;
Expand All @@ -88,6 +54,38 @@
import org.opensearch.security.ssl.util.SSLConfigConstants;
import org.opensearch.transport.NettyAllocator;

import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;

import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD;
import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD;
import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_PEMKEY_PASSWORD;
Expand Down Expand Up @@ -1171,34 +1169,27 @@ public String getSubjectAlternativeNames(X509Certificate cert) {
}

private List<String> getOtherName(List<?> altName) {
ASN1Primitive oct = null;
try {
byte[] altNameBytes = (byte[]) altName.get(1);
oct = (new ASN1InputStream(new ByteArrayInputStream(altNameBytes)).readObject());
} catch (IOException e) {
throw new RuntimeException("Could not read ASN1InputStream", e);
}
if (oct instanceof ASN1TaggedObject) {
oct = ((ASN1TaggedObject) oct).getObject();
if (altName.size() < 2) {
log.warn("Couldn't parse subject alternative names");
return null;
}
ASN1Sequence seq = ASN1Sequence.getInstance(oct);

// Get object identifier from first in sequence
ASN1ObjectIdentifier asnOID = (ASN1ObjectIdentifier) seq.getObjectAt(0);
String oid = asnOID.getId();

// Get value of object from second element
final ASN1TaggedObject obj = (ASN1TaggedObject) seq.getObjectAt(1);
// Could be tagged twice due to bug in java cert.getSubjectAltName
ASN1Primitive prim = obj.getObject();
if (prim instanceof ASN1TaggedObject) {
prim = ASN1TaggedObject.getInstance(((ASN1TaggedObject) prim)).getObject();
}

if (prim instanceof ASN1String) {
return Collections.unmodifiableList(Arrays.asList(oid, ((ASN1String) prim).getString()));
try (final ASN1InputStream in = new ASN1InputStream((byte[]) altName.get(1))) {
final ASN1Primitive asn1Primitive = in.readObject();
final ASN1Sequence sequence = ASN1Sequence.getInstance(asn1Primitive);
final ASN1ObjectIdentifier asn1ObjectIdentifier = ASN1ObjectIdentifier.getInstance(sequence.getObjectAt(0));
final ASN1TaggedObject asn1TaggedObject = ASN1TaggedObject.getInstance(sequence.getObjectAt(1));
ASN1Object maybeTaggedAsn1Primitive = asn1TaggedObject.getBaseObject();
if (maybeTaggedAsn1Primitive instanceof ASN1TaggedObject) {
maybeTaggedAsn1Primitive = ASN1TaggedObject.getInstance(maybeTaggedAsn1Primitive).getBaseObject();
}
if (maybeTaggedAsn1Primitive instanceof ASN1String) {
return ImmutableList.of(asn1ObjectIdentifier.getId(), maybeTaggedAsn1Primitive.toString());
} else {
log.warn("Couldn't parse subject alternative names");
return null;
}
} catch (final Exception ioe) { // catch all exception here since BC throws diff exceptions
throw new RuntimeException("Couldn't parse subject alternative names", ioe);
}

return null;
}
}

0 comments on commit 9a72355

Please sign in to comment.