Bump BouncyCastle to jdk18on

willyborankin · willyborankin · commit 8f781dd50588 · 2023-06-24T13:57:36.000+02:00
Signed-off-by: Andrey Pleskach &lt;ples@aiven.io&gt;
diff --git a/plugin-security.policy b/plugin-security.policy
@@ -55,10 +55,13 @@ grant {
   permission java.net.NetPermission "getNetworkInformation";
   permission java.net.NetPermission "getProxySelector";
   permission java.net.SocketPermission "*", "connect,accept,resolve";
-  
+
+  // BouncyCastle permissions
   permission java.security.SecurityPermission "putProviderProperty.BC";
   permission java.security.SecurityPermission "insertProvider.BC";
-  
+  permission java.security.SecurityPermission "removeProviderProperty.BC";
+  permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";
+
   permission java.lang.RuntimePermission "accessUserInformation";
   
   permission java.security.SecurityPermission "org.apache.xml.security.register";
diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
@@ -17,41 +17,7 @@
 
 package org.opensearch.security.ssl;
 
-import java.io.ByteArrayInputStream;
-import java.io.File;
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-import java.nio.file.Files;
-import java.nio.file.LinkOption;
-import java.nio.file.Path;
-import java.nio.file.Paths;
-import java.security.AccessController;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.security.cert.CertificateParsingException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Date;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Objects;
-import java.util.Set;
-import java.util.function.Function;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-import java.util.stream.StreamSupport;
-
-import javax.crypto.Cipher;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLParameters;
-
+import com.google.common.collect.ImmutableList;
 import io.netty.handler.codec.http2.Http2SecurityUtil;
 import io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.netty.handler.ssl.ApplicationProtocolConfig.Protocol;
@@ -68,12 +34,12 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.ASN1Object;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.ASN1String;
 import org.bouncycastle.asn1.ASN1TaggedObject;
-
 import org.opensearch.OpenSearchException;
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.SpecialPermission;
@@ -88,6 +54,38 @@
 import org.opensearch.security.ssl.util.SSLConfigConstants;
 import org.opensearch.transport.NettyAllocator;
 
+import javax.crypto.Cipher;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
+import java.io.File;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.LinkOption;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.AccessController;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Objects;
+import java.util.Set;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import java.util.stream.StreamSupport;
+
 import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD;
 import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD;
 import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_HTTP_PEMKEY_PASSWORD;
@@ -1171,34 +1169,27 @@ public String getSubjectAlternativeNames(X509Certificate cert) {
     }
 
     private List<String> getOtherName(List<?> altName) {
-        ASN1Primitive oct = null;
-        try {
-            byte[] altNameBytes = (byte[]) altName.get(1);
-            oct = (new ASN1InputStream(new ByteArrayInputStream(altNameBytes)).readObject());
-        } catch (IOException e) {
-            throw new RuntimeException("Could not read ASN1InputStream", e);
-        }
-        if (oct instanceof ASN1TaggedObject) {
-            oct = ((ASN1TaggedObject) oct).getObject();
+        if (altName.size() < 2) {
+            log.warn("Couldn't parse subject alternative names");
+            return null;
         }
-        ASN1Sequence seq = ASN1Sequence.getInstance(oct);
-
-        // Get object identifier from first in sequence
-        ASN1ObjectIdentifier asnOID = (ASN1ObjectIdentifier) seq.getObjectAt(0);
-        String oid = asnOID.getId();
-
-        // Get value of object from second element
-        final ASN1TaggedObject obj = (ASN1TaggedObject) seq.getObjectAt(1);
-        // Could be tagged twice due to bug in java cert.getSubjectAltName
-        ASN1Primitive prim = obj.getObject();
-        if (prim instanceof ASN1TaggedObject) {
-            prim = ASN1TaggedObject.getInstance(((ASN1TaggedObject) prim)).getObject();
-        }
-
-        if (prim instanceof ASN1String) {
-            return Collections.unmodifiableList(Arrays.asList(oid, ((ASN1String) prim).getString()));
+        try (final ASN1InputStream in = new ASN1InputStream((byte[]) altName.get(1))) {
+            final ASN1Primitive asn1Primitive = in.readObject();
+            final ASN1Sequence sequence = ASN1Sequence.getInstance(asn1Primitive);
+            final ASN1ObjectIdentifier asn1ObjectIdentifier = ASN1ObjectIdentifier.getInstance(sequence.getObjectAt(0));
+            final ASN1TaggedObject asn1TaggedObject = ASN1TaggedObject.getInstance(sequence.getObjectAt(1));
+            ASN1Object maybeTaggedAsn1Primitive = asn1TaggedObject.getBaseObject();
+            if (maybeTaggedAsn1Primitive instanceof ASN1TaggedObject) {
+                maybeTaggedAsn1Primitive = ASN1TaggedObject.getInstance(maybeTaggedAsn1Primitive).getBaseObject();
+            }
+            if (maybeTaggedAsn1Primitive instanceof ASN1String) {
+                return ImmutableList.of(asn1ObjectIdentifier.getId(), maybeTaggedAsn1Primitive.toString());
+            } else {
+                log.warn("Couldn't parse subject alternative names");
+                return null;
+            }
+        } catch (final Exception ioe) { // catch all exception here since BC throws diff exceptions
+            throw new RuntimeException("Couldn't parse subject alternative names", ioe);
         }
-
-        return null;
     }
 }
