From 668b6f1ed2af276d66a0cfe4c913af0096f44377 Mon Sep 17 00:00:00 2001 From: Andrey Pleskach Date: Thu, 29 Jun 2023 15:54:21 +0200 Subject: [PATCH] [Backport 2.x] Bump BouncyCastle from jdk15on to jdk15to18 (#2901) jdk15to18 contains fix for - CVE-2023-33201 - Medium Severity Vulnerability Signed-off-by: Andrey Pleskach (cherry picked from commit 9a72355cbf37972ce1b9d12918e2a3e7c5023d80) Signed-off-by: Andrey Pleskach --- build.gradle | 4 +- plugin-security.policy | 7 +- .../security/ssl/DefaultSecurityKeyStore.java | 113 ++++++++---------- 3 files changed, 59 insertions(+), 65 deletions(-) diff --git a/build.gradle b/build.gradle index ed20e89d76..788e200ffc 100644 --- a/build.gradle +++ b/build.gradle @@ -290,7 +290,7 @@ dependencies { implementation 'com.google.guava:guava:32.0.1-jre' implementation 'org.greenrobot:eventbus:3.2.0' implementation 'commons-cli:commons-cli:1.3.1' - implementation 'org.bouncycastle:bcprov-jdk15on:1.67' + implementation "org.bouncycastle:bcprov-jdk15to18:${versions.bouncycastle}" implementation 'org.ldaptive:ldaptive:1.2.3' implementation 'org.apache.httpcomponents:httpclient-cache:4.5.13' implementation 'io.jsonwebtoken:jjwt-api:0.10.8' @@ -363,7 +363,7 @@ dependencies { runtimeOnly 'org.apache.santuario:xmlsec:2.2.3' runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}" runtimeOnly 'org.checkerframework:checker-qual:3.5.0' - runtimeOnly "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}" + runtimeOnly "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}" runtimeOnly 'org.scala-lang.modules:scala-java8-compat_3:1.0.2' diff --git a/plugin-security.policy b/plugin-security.policy index 17b57c57b1..7bb18f76c9 100644 --- a/plugin-security.policy +++ b/plugin-security.policy @@ -55,10 +55,13 @@ grant { permission java.net.NetPermission "getNetworkInformation"; permission java.net.NetPermission "getProxySelector"; permission java.net.SocketPermission "*", "connect,accept,resolve"; - + + // BouncyCastle permissions permission java.security.SecurityPermission "putProviderProperty.BC"; permission java.security.SecurityPermission "insertProvider.BC"; - + permission java.security.SecurityPermission "removeProviderProperty.BC"; + permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write"; + permission java.lang.RuntimePermission "accessUserInformation"; permission java.security.SecurityPermission "org.apache.xml.security.register"; diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java index 9ae3349f63..6158eeedf2 100644 --- a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java +++ b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java @@ -17,39 +17,7 @@ package org.opensearch.security.ssl; -import java.io.ByteArrayInputStream; -import java.io.File; -import java.io.IOException; -import java.nio.charset.StandardCharsets; -import java.nio.file.Files; -import java.nio.file.LinkOption; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.security.AccessController; -import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; -import java.security.PrivilegedActionException; -import java.security.PrivilegedExceptionAction; -import java.security.cert.CertificateParsingException; -import java.security.cert.X509Certificate; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collection; -import java.util.Collections; -import java.util.Date; -import java.util.HashSet; -import java.util.List; -import java.util.Objects; -import java.util.Set; -import java.util.function.Function; -import java.util.stream.Collectors; - -import javax.crypto.Cipher; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLEngine; -import javax.net.ssl.SSLException; -import javax.net.ssl.SSLParameters; - +import com.google.common.collect.ImmutableList; import io.netty.handler.ssl.ApplicationProtocolConfig; import io.netty.handler.ssl.ClientAuth; import io.netty.handler.ssl.OpenSsl; @@ -60,12 +28,12 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Object; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.ASN1Primitive; import org.bouncycastle.asn1.ASN1Sequence; import org.bouncycastle.asn1.ASN1String; import org.bouncycastle.asn1.ASN1TaggedObject; - import org.opensearch.OpenSearchException; import org.opensearch.OpenSearchSecurityException; import org.opensearch.SpecialPermission; @@ -80,6 +48,36 @@ import org.opensearch.security.ssl.util.SSLConfigConstants; import org.opensearch.transport.NettyAllocator; +import javax.crypto.Cipher; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLParameters; +import java.io.File; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.LinkOption; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.security.AccessController; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.Collections; +import java.util.Date; +import java.util.HashSet; +import java.util.List; +import java.util.Objects; +import java.util.Set; +import java.util.function.Function; +import java.util.stream.Collectors; + public class DefaultSecurityKeyStore implements SecurityKeyStore { private static final String DEFAULT_STORE_TYPE = "JKS"; @@ -1130,34 +1128,27 @@ public String getSubjectAlternativeNames(X509Certificate cert) { } private List getOtherName(List altName) { - ASN1Primitive oct = null; - try { - byte[] altNameBytes = (byte[]) altName.get(1); - oct = (new ASN1InputStream(new ByteArrayInputStream(altNameBytes)).readObject()); - } catch (IOException e) { - throw new RuntimeException("Could not read ASN1InputStream", e); - } - if (oct instanceof ASN1TaggedObject) { - oct = ((ASN1TaggedObject) oct).getObject(); + if (altName.size() < 2) { + log.warn("Couldn't parse subject alternative names"); + return null; } - ASN1Sequence seq = ASN1Sequence.getInstance(oct); - - // Get object identifier from first in sequence - ASN1ObjectIdentifier asnOID = (ASN1ObjectIdentifier) seq.getObjectAt(0); - String oid = asnOID.getId(); - - // Get value of object from second element - final ASN1TaggedObject obj = (ASN1TaggedObject) seq.getObjectAt(1); - // Could be tagged twice due to bug in java cert.getSubjectAltName - ASN1Primitive prim = obj.getObject(); - if (prim instanceof ASN1TaggedObject) { - prim = ASN1TaggedObject.getInstance(((ASN1TaggedObject) prim)).getObject(); - } - - if (prim instanceof ASN1String) { - return Collections.unmodifiableList(Arrays.asList(oid, ((ASN1String) prim).getString())); + try (final ASN1InputStream in = new ASN1InputStream((byte[]) altName.get(1))) { + final ASN1Primitive asn1Primitive = in.readObject(); + final ASN1Sequence sequence = ASN1Sequence.getInstance(asn1Primitive); + final ASN1ObjectIdentifier asn1ObjectIdentifier = ASN1ObjectIdentifier.getInstance(sequence.getObjectAt(0)); + final ASN1TaggedObject asn1TaggedObject = ASN1TaggedObject.getInstance(sequence.getObjectAt(1)); + ASN1Object maybeTaggedAsn1Primitive = asn1TaggedObject.getBaseObject(); + if (maybeTaggedAsn1Primitive instanceof ASN1TaggedObject) { + maybeTaggedAsn1Primitive = ASN1TaggedObject.getInstance(maybeTaggedAsn1Primitive).getBaseObject(); + } + if (maybeTaggedAsn1Primitive instanceof ASN1String) { + return ImmutableList.of(asn1ObjectIdentifier.getId(), maybeTaggedAsn1Primitive.toString()); + } else { + log.warn("Couldn't parse subject alternative names"); + return null; + } + } catch (final Exception ioe) { // catch all exception here since BC throws diff exceptions + throw new RuntimeException("Couldn't parse subject alternative names", ioe); } - - return null; } }