test: will now pass regardless or actual JCE setup

Author: kares

src/test/ruby/ssl/test_context.rb

@@ -102,13 +102,16 @@ def test_context_set_ssl_version
 
   def test_context_ciphers
     return skip('on Java 6') if defined?(ENV_JAVA) && ENV_JAVA['java.version'] < '1.7'
-    
+
+    self.class.disable_security_restrictions
+
     context = OpenSSL::SSL::SSLContext.new
     context.ciphers = "ALL"
 
-    all_ciphers = context.ciphers.map{ |cipher_array| cipher_array[0] }
+    all_ciphers = context.ciphers.map { |cipher_array| cipher_array[0] }
 
-    # Java 8 (1.8.0_112-b15) :
+    # NOTE: assuming JCE installed ()CryptoSecurity.setAllPermissionPolicy)
+    #  ...  otherwise on Java 8 (1.8.0_112-b15) :
     # Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
     # Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
     # Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
@@ -177,15 +180,14 @@ def test_context_ciphers
     # Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
     # Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 
-    java_8 = (ENV_JAVA['java.version'] == '1.8') || nil
-
-    expected_ciphers = [java_8 && "ECDHE-ECDSA-AES256-SHA",
-                        java_8 && "ECDHE-RSA-AES256-SHA",
-                        java_8 && "AES256-SHA",
-                        java_8 && "ECDH-ECDSA-AES256-SHA",
-                        java_8 && "ECDH-RSA-AES256-SHA",
-                        java_8 && "DHE-RSA-AES256-SHA",
-                        java_8 && "DHE-DSS-AES256-SHA",
+    jce_installed = true # || nil
+    expected_ciphers = [jce_installed && "ECDHE-ECDSA-AES256-SHA",
+                        jce_installed && "ECDHE-RSA-AES256-SHA",
+                        jce_installed && "AES256-SHA",
+                        jce_installed && "ECDH-ECDSA-AES256-SHA",
+                        jce_installed && "ECDH-RSA-AES256-SHA",
+                        jce_installed && "DHE-RSA-AES256-SHA",
+                        jce_installed && "DHE-DSS-AES256-SHA",
                         "ECDHE-ECDSA-AES128-SHA256",
                         "ECDHE-RSA-AES128-SHA256",
                         "ECDH-ECDSA-AES128-SHA256",
@@ -204,8 +206,8 @@ def test_context_ciphers
                         "ECDH-RSA-DES-CBC3-SHA",
                         "EDH-RSA-DES-CBC3-SHA",
                         "EDH-DSS-DES-CBC3-SHA",
-                        java_8 && "AECDH-AES256-SHA",
-                        java_8 && "ADH-AES256-SHA",
+                        jce_installed && "AECDH-AES256-SHA",
+                        jce_installed && "ADH-AES256-SHA",
                         "AECDH-AES128-SHA",
                         "ADH-AES128-SHA",
                         "AECDH-DES-CBC3-SHA",

src/test/ruby/test_helper.rb

@@ -99,46 +99,28 @@ def assert_not_same(expected, actual)
     end
   end
 
-  def self.disable_security_restrictions!; end # do nothing on MRI
+  def self.disable_security_restrictions!; @@security_restrictions = nil end # do nothing on MRI
 
-  @@security_restrictions = nil
+  @@security_restrictions = ''
 
   def self.disable_security_restrictions!
-    jce_security_class = java.lang.Class.for_name('javax.crypto.JceSecurity')
-    restricted_field = jce_security_class.getDeclaredField('isRestricted')
-    restricted_field.accessible = true
-    @@security_restrictions = restricted_field.getBoolean(nil)
-    return false unless @@security_restrictions
-
-    if java.lang.reflect.Modifier.isFinal restricted_field.modifiers
-      field_class = java.lang.Class.for_name('java.lang.reflect.Field')
-      # NOTE: this no longer works since 8u111 as it's using unsafe :
-      # Can not set static final boolean field javax.crypto.JceSecurity.isRestricted to (boolean)false
-      #   sun.reflect.UnsafeFieldAccessorImpl.throwFinalFieldIllegalAccessException(sun/reflect/UnsafeFieldAccessorImpl.java:76)
-      #   sun.reflect.UnsafeFieldAccessorImpl.throwFinalFieldIllegalAccessException(sun/reflect/UnsafeFieldAccessorImpl.java:84)
-      #   sun.reflect.UnsafeQualifiedStaticBooleanFieldAccessorImpl.setBoolean(sun/reflect/UnsafeQualifiedStaticBooleanFieldAccessorImpl.java:93)
-      #   java.lang.reflect.Field.setBoolean(java/lang/reflect/Field.java:801)
-      mods_field = field_class.getDeclaredField('modifiers')
-      mods_field.accessible = true
-
-      # restricted_field = jce_security_class.getDeclaredField('isRestricted')
-      # restricted_field.accessible = true
-      mods_field.setInt restricted_field, (~java.lang.reflect.Modifier::FINAL & restricted_field.modifiers)
+    debug = OpenSSL.debug
+    begin
+      OpenSSL.debug = true
+      #org.jruby.ext.openssl.util.CryptoSecurity.unrestrictSecurity
+      #org.jruby.ext.openssl.util.CryptoSecurity.setAllPermissionPolicy
+      @@security_restrictions = OpenSSL.send :_disable_security_restrictions!
+    ensure
+      OpenSSL.debug = debug
     end
-    restricted_field.setBoolean nil, false; return true
-  rescue Java::JavaLang::ClassNotFoundException => e
-    warn "failed to disable JCE security restrictions: #{e.inspect}"; nil
-  rescue Java::JavaLang::NoSuchFieldException => e # Java 6
-    warn "failed to disable JCE security restrictions: #{e.inspect}"; nil
-  rescue Java::JavaLang::IllegalAccessException => e
-    warn "failed to disable JCE security restrictions: #{e.inspect}"; nil
-  rescue NameError => e
-    warn "failed to disable JCE security restrictions: #{e.inspect}"; nil
   end if defined? JRUBY_VERSION
 
+  def self.disable_security_restrictions
+    disable_security_restrictions! if @@security_restrictions.eql?('')
+  end
+
   def self.security_restrictions?
-    disable_security_restrictions! if @@security_restrictions.nil?
-    @@security_restrictions
+    disable_security_restrictions; return @@security_restrictions
   end
 
   def self.java6?; java_version.last.to_i == 6 end
@@ -155,8 +137,7 @@ def jruby?; self.class.jruby? end
 
   private
 
-  def issue_cert(dn, key, serial, not_before, not_after, extensions,
-                 issuer, issuer_key, digest)
+  def issue_cert(dn, key, serial, not_before, not_after, extensions, issuer, issuer_key, digest)
     cert = OpenSSL::X509::Certificate.new
     issuer = cert unless issuer
     issuer_key = key unless issuer_key