Skip to content

Commit

Permalink
Bump BouncyCastle from jdk15on to jdk15to18 (opensearch-project#2901)
Browse files Browse the repository at this point in the history
jdk15to18 contains fix for
 - CVE-2023-33201 - Medium
   Severity Vulnerability

Signed-off-by: Andrey Pleskach <[email protected]>
(cherry picked from commit 9a72355)
Signed-off-by: Andrey Pleskach <[email protected]>
  • Loading branch information
willyborankin committed Jun 29, 2023
1 parent fa79d0e commit 2dbcd3c
Show file tree
Hide file tree
Showing 3 changed files with 29 additions and 31 deletions.
2 changes: 1 addition & 1 deletion build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@ dependencies {
implementation 'com.google.guava:guava:30.0-jre'
implementation 'org.greenrobot:eventbus:3.2.0'
implementation 'commons-cli:commons-cli:1.3.1'
implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
implementation 'org.bouncycastle:bcprov-jdk15to18:1.75'
implementation 'com.fasterxml.jackson.core:jackson-databind:2.14.1'
implementation 'org.ldaptive:ldaptive:1.2.3'
implementation 'org.apache.httpcomponents:httpclient-cache:4.5.13'
Expand Down
7 changes: 5 additions & 2 deletions plugin-security.policy
Original file line number Diff line number Diff line change
Expand Up @@ -59,10 +59,13 @@ grant {
permission java.net.NetPermission "getNetworkInformation";
permission java.net.NetPermission "getProxySelector";
permission java.net.SocketPermission "*", "connect,accept,resolve";


// BouncyCastle permissions
permission java.security.SecurityPermission "putProviderProperty.BC";
permission java.security.SecurityPermission "insertProvider.BC";

permission java.security.SecurityPermission "removeProviderProperty.BC";
permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";

permission java.lang.RuntimePermission "accessUserInformation";

permission java.security.SecurityPermission "org.apache.xml.security.register";
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@

package org.opensearch.security.ssl;

import com.google.common.collect.ImmutableList;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ClientAuth;
Expand Down Expand Up @@ -58,6 +59,7 @@
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

import org.bouncycastle.asn1.ASN1Object;
import org.opensearch.security.ssl.util.CertFileProps;
import org.opensearch.security.ssl.util.CertFromFile;
import org.opensearch.security.ssl.util.CertFromKeystore;
Expand Down Expand Up @@ -985,34 +987,27 @@ public String getSubjectAlternativeNames(X509Certificate cert) {
}

private List<String> getOtherName(List<?> altName) {
ASN1Primitive oct = null;
try {
byte[] altNameBytes = (byte[]) altName.get(1);
oct = (new ASN1InputStream(new ByteArrayInputStream(altNameBytes)).readObject());
} catch (IOException e) {
throw new RuntimeException("Could not read ASN1InputStream", e);
}
if (oct instanceof ASN1TaggedObject) {
oct = ((ASN1TaggedObject) oct).getObject();
}
ASN1Sequence seq = ASN1Sequence.getInstance(oct);

// Get object identifier from first in sequence
ASN1ObjectIdentifier asnOID = (ASN1ObjectIdentifier) seq.getObjectAt(0);
String oid = asnOID.getId();

// Get value of object from second element
final ASN1TaggedObject obj = (ASN1TaggedObject) seq.getObjectAt(1);
// Could be tagged twice due to bug in java cert.getSubjectAltName
ASN1Primitive prim = obj.getObject();
if (prim instanceof ASN1TaggedObject) {
prim = ASN1TaggedObject.getInstance(((ASN1TaggedObject) prim)).getObject();
}

if (prim instanceof ASN1String) {
return Collections.unmodifiableList(Arrays.asList(oid, ((ASN1String) prim).getString()));
if (altName.size() < 2) {
log.warn("Couldn't parse subject alternative names");
return null;
}
try (final ASN1InputStream in = new ASN1InputStream((byte[]) altName.get(1))) {
final ASN1Primitive asn1Primitive = in.readObject();
final ASN1Sequence sequence = ASN1Sequence.getInstance(asn1Primitive);
final ASN1ObjectIdentifier asn1ObjectIdentifier = ASN1ObjectIdentifier.getInstance(sequence.getObjectAt(0));
final ASN1TaggedObject asn1TaggedObject = ASN1TaggedObject.getInstance(sequence.getObjectAt(1));
ASN1Object maybeTaggedAsn1Primitive = asn1TaggedObject.getBaseObject();
if (maybeTaggedAsn1Primitive instanceof ASN1TaggedObject) {
maybeTaggedAsn1Primitive = ASN1TaggedObject.getInstance(maybeTaggedAsn1Primitive).getBaseObject();
}
if (maybeTaggedAsn1Primitive instanceof ASN1String) {
return ImmutableList.of(asn1ObjectIdentifier.getId(), maybeTaggedAsn1Primitive.toString());
} else {
log.warn("Couldn't parse subject alternative names");
return null;
}
} catch (final Exception ioe) { // catch all exception here since BC throws diff exceptions
throw new RuntimeException("Couldn't parse subject alternative names", ioe);
}

return null;
}
}

0 comments on commit 2dbcd3c

Please sign in to comment.