support PKCS7#decrypt with 1 argument (pkey only - without certificate)

Author: kares

src/main/java/org/jruby/ext/openssl/PKCS7.java

@@ -139,8 +139,15 @@ private static PKCS7 wrap(final Ruby runtime, org.jruby.ext.openssl.impl.PKCS7 p
         return wrapped;
     }
 
-    public static IRubyObject membio2str(Ruby runtime, BIO bio) {
-        return runtime.newString( new ByteList(((MemBIO) bio).getMemCopy(), false) );
+    static RubyString membio2str(Ruby runtime, BIO bio, boolean mem) {
+        final ByteList bytes;
+        if (mem) {
+            bytes = new ByteList(((MemBIO) bio).getBuffer(), 0, ((MemBIO) bio).length(), false);
+        }
+        else {
+            bytes = new ByteList(bio.toBytes(), false);
+        }
+        return runtime.newString(bytes);
     }
 
     private static List<X509AuxCertificate> getAuxCerts(final IRubyObject arg) {
@@ -156,8 +163,8 @@ private static List<X509AuxCertificate> getAuxCerts(final IRubyObject arg) {
     public static IRubyObject read_smime(IRubyObject self, IRubyObject arg) {
         final Ruby runtime = self.getRuntime();
         final BIO in = obj2bio(arg);
-        final BIO[] out = new BIO[]{ null };
-        org.jruby.ext.openssl.impl.PKCS7 pkcs7Impl = null;
+        final BIO[] out = new BIO[] { null };
+        org.jruby.ext.openssl.impl.PKCS7 pkcs7Impl;
         try {
             pkcs7Impl = new SMIME(Mime.DEFAULT).readPKCS7(in, out);
         }
@@ -170,7 +177,7 @@ public static IRubyObject read_smime(IRubyObject self, IRubyObject arg) {
         if ( pkcs7Impl == null ) {
             throw newPKCS7Error(runtime, (String) null);
         }
-        IRubyObject data = out[0] != null ? membio2str(runtime, out[0]) : runtime.getNil();
+        IRubyObject data = out[0] != null ? membio2str(runtime, out[0], false) : runtime.getNil();
         final PKCS7 pkcs7 = wrap(runtime, pkcs7Impl);
         pkcs7.setData(data);
         return pkcs7;
@@ -608,62 +615,59 @@ public IRubyObject verify(IRubyObject[] args) {
         catch (NotVerifiedPKCS7Exception e) {
             // result = false;
         }
-        catch (PKCS7Exception pkcs7e) {
-            if ( isDebug(runtime) ) {
-                // runtime.getOut().println(pkcs7e);
-                pkcs7e.printStackTrace(runtime.getOut());
-            }
-            // result = false;
+        catch (PKCS7Exception ex) {
+            OpenSSL.debugStackTrace(ex);
         }
 
-        IRubyObject data = membio2str(getRuntime(), out);
+        IRubyObject data = membio2str(runtime, out, true);
         setData(data);
 
         return result ? runtime.getTrue() : runtime.getFalse();
     }
 
     @JRubyMethod(rest=true)
-    public IRubyObject decrypt(IRubyObject[] args) {
+    public IRubyObject decrypt(ThreadContext context, IRubyObject... args) {
         IRubyObject dflags;
-        if ( Arity.checkArgumentCount(getRuntime(), args, 2, 3) == 3 ) {
+        if ( Arity.checkArgumentCount(context.runtime, args, 1, 3) == 3 ) {
             dflags = args[2];
         }
         else {
-            dflags = getRuntime().getNil();
+            dflags = context.nil;
         }
         PKey pkey = (PKey) args[0];
-        X509Cert cert = (X509Cert) args[1];
 
         final PrivateKey privKey = pkey.getPrivateKey();
-        final X509AuxCertificate auxCert = cert.getAuxCert();
-        final int flg = dflags.isNil() ? 0 : RubyNumeric.fix2int(dflags);
+        final X509AuxCertificate auxCert = args.length > 1 ? ((X509Cert) args[1]).getAuxCert() : null;
+        final int flg = dflags == context.nil ? 0 : RubyNumeric.fix2int(dflags);
 
         final BIO out = BIO.mem();
         try {
             p7.decrypt(privKey, auxCert, out, flg);
         }
-        catch (PKCS7Exception pkcs7e) {
-            throw newPKCS7Error(getRuntime(), pkcs7e);
+        catch (PKCS7Exception ex) {
+            OpenSSL.debugStackTrace(ex);
+            throw newPKCS7Error(context.runtime, ex);
         }
-        return membio2str(getRuntime(), out);
+        return membio2str(context.runtime, out, true);
     }
 
     @JRubyMethod(name = {"to_pem", "to_s"})
     public IRubyObject to_pem() {
         StringWriter writer = new StringWriter();
         try {
             PEMInputOutput.writePKCS7(writer, p7.toASN1());
-            return getRuntime().newString( writer.toString() );
         }
-        catch (IOException e) {
-            throw getRuntime().newIOErrorFromException(e);
+        catch (IOException ex) {
+            OpenSSL.debugStackTrace(ex);
+            throw getRuntime().newIOErrorFromException(ex);
         }
+        return StringHelper.newUTF8String(getRuntime(), writer.getBuffer());
     }
 
     @JRubyMethod
     public IRubyObject to_der() {
         try {
-            return getRuntime().newString(new ByteList(p7.toASN1(), false));
+            return StringHelper.newString(getRuntime(), p7.toASN1());
         }
         catch (IOException e) {
             throw newPKCS7Error(getRuntime(), e.getMessage());

src/main/java/org/jruby/ext/openssl/impl/EVP.java

@@ -108,7 +108,14 @@ public static byte[] decrypt(byte[] input, int offset, int len, Key key) throws
                                                                                     NoSuchPaddingException,
                                                                                     IllegalBlockSizeException,
                                                                                     BadPaddingException {
-        Cipher cipher = SecurityHelper.getCipher(key.getAlgorithm());
+        String algorithm = key.getAlgorithm();
+        if ("RSA".equals(algorithm)) {
+            // with BC we need to get explicit, since:
+            // RSA is not a regular block cipher, its operation is based on big integer arithmetic.
+            // As this is the case leading zero bytes will be lost since they are not meaningful
+            algorithm = "RSA/NONE/PKCS1Padding";
+        }
+        Cipher cipher = SecurityHelper.getCipher(algorithm);
         cipher.init(Cipher.DECRYPT_MODE, key);
         return cipher.doFinal(input, offset, len);
     }
@@ -126,10 +133,7 @@ public static byte[] decrypt(byte[] input, Key key) throws InvalidKeyException,
 
     private static String getAlgorithmName(ASN1ObjectIdentifier oid) {
         String algorithm = ASN1Registry.o2a(oid);
-        if (algorithm != null) {
-            return algorithm.toUpperCase();
-        } else {
-            return oid.getId();
-        }
+        return (algorithm != null) ? algorithm.toUpperCase() : oid.getId();
     }
+
 }// EVP

src/test/ruby/pkcs7/test_pkcs7.rb

@@ -786,6 +786,96 @@ def assert_raise_pkcs7_exception
       end
     end
 
+    public
+
+    def test_enveloped
+      @rsa1024 = OpenSSL::PKey.read <<-_PEM_
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7Cx
+aKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/
+Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQAB
+AoGBAKSl/MQarye1yOysqX6P8fDFQt68VvtXkNmlSiKOGuzyho0M+UVSFcs6k1L0
+maDE25AMZUiGzuWHyaU55d7RXDgeskDMakD1v6ZejYtxJkSXbETOTLDwUWTn618T
+gnb17tU1jktUtU67xK/08i/XodlgnQhs6VoHTuCh3Hu77O6RAkEA7+gxqBuZR572
+74/akiW/SuXm0SXPEviyO1MuSRwtI87B02D0qgV8D1UHRm4AhMnJ8MCs1809kMQE
+JiQUCrp9mQJBANlt2ngBO14us6NnhuAseFDTBzCHXwUUu1YKHpMMmxpnGqaldGgX
+sOZB3lgJsT9VlGf3YGYdkLTNVbogQKlKpB8CQQDiSwkb4vyQfDe8/NpU5Not0fII
+8jsDUCb+opWUTMmfbxWRR3FBNu8wnym/m19N4fFj8LqYzHX4KY0oVPu6qvJxAkEA
+wa5snNekFcqONLIE4G5cosrIrb74sqL8GbGb+KuTAprzj5z1K8Bm0UW9lTjVDjDi
+qRYgZfZSL+x1P/54+xTFSwJAY1FxA/N3QPCXCjPh5YqFxAMQs2VVYTfg+t0MEcJD
+dPMQD5JX6g5HKnHFg2mZtoXQrWmJSn7p8GJK8yNTopEErA==
+-----END RSA PRIVATE KEY-----
+      _PEM_
+      @rsa2048 = OpenSSL::PKey.read <<-_PEM_
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAuV9ht9J7k4NBs38jOXvvTKY9gW8nLICSno5EETR1cuF7i4pN
+s9I1QJGAFAX0BEO4KbzXmuOvfCpD3CU+Slp1enenfzq/t/e/1IRW0wkJUJUFQign
+4CtrkJL+P07yx18UjyPlBXb81ApEmAB5mrJVSrWmqbjs07JbuS4QQGGXLc+Su96D
+kYKmSNVjBiLxVVSpyZfAY3hD37d60uG+X8xdW5v68JkRFIhdGlb6JL8fllf/A/bl
+NwdJOhVr9mESHhwGjwfSeTDPfd8ZLE027E5lyAVX9KZYcU00mOX+fdxOSnGqS/8J
+DRh0EPHDL15RcJjV2J6vZjPb0rOYGDoMcH+94wIDAQABAoIBAAzsamqfYQAqwXTb
+I0CJtGg6msUgU7HVkOM+9d3hM2L791oGHV6xBAdpXW2H8LgvZHJ8eOeSghR8+dgq
+PIqAffo4x1Oma+FOg3A0fb0evyiACyrOk+EcBdbBeLo/LcvahBtqnDfiUMQTpy6V
+seSoFCwuN91TSCeGIsDpRjbG1vxZgtx+uI+oH5+ytqJOmfCksRDCkMglGkzyfcl0
+Xc5CUhIJ0my53xijEUQl19rtWdMnNnnkdbG8PT3LZlOta5Do86BElzUYka0C6dUc
+VsBDQ0Nup0P6rEQgy7tephHoRlUGTYamsajGJaAo1F3IQVIrRSuagi7+YpSpCqsW
+wORqorkCgYEA7RdX6MDVrbw7LePnhyuaqTiMK+055/R1TqhB1JvvxJ1CXk2rDL6G
+0TLHQ7oGofd5LYiemg4ZVtWdJe43BPZlVgT6lvL/iGo8JnrncB9Da6L7nrq/+Rvj
+XGjf1qODCK+LmreZWEsaLPURIoR/Ewwxb9J2zd0CaMjeTwafJo1CZvcCgYEAyCgb
+aqoWvUecX8VvARfuA593Lsi50t4MEArnOXXcd1RnXoZWhbx5rgO8/ATKfXr0BK/n
+h2GF9PfKzHFm/4V6e82OL7gu/kLy2u9bXN74vOvWFL5NOrOKPM7Kg+9I131kNYOw
+Ivnr/VtHE5s0dY7JChYWE1F3vArrOw3T00a4CXUCgYEA0SqY+dS2LvIzW4cHCe9k
+IQqsT0yYm5TFsUEr4sA3xcPfe4cV8sZb9k/QEGYb1+SWWZ+AHPV3UW5fl8kTbSNb
+v4ng8i8rVVQ0ANbJO9e5CUrepein2MPL0AkOATR8M7t7dGGpvYV0cFk8ZrFx0oId
+U0PgYDotF/iueBWlbsOM430CgYEAqYI95dFyPI5/AiSkY5queeb8+mQH62sdcCCr
+vd/w/CZA/K5sbAo4SoTj8dLk4evU6HtIa0DOP63y071eaxvRpTNqLUOgmLh+D6gS
+Cc7TfLuFrD+WDBatBd5jZ+SoHccVrLR/4L8jeodo5FPW05A+9gnKXEXsTxY4LOUC
+9bS4e1kCgYAqVXZh63JsMwoaxCYmQ66eJojKa47VNrOeIZDZvd2BPVf30glBOT41
+gBoDG3WMPZoQj9pb7uMcrnvs4APj2FIhMU8U15LcPAj59cD6S6rWnAxO8NFK7HQG
+4Jxg3JNNf8ErQoCHb1B3oVdXJkmbJkARoDpBKmTCgKtP8ADYLmVPQw==
+-----END RSA PRIVATE KEY-----
+      _PEM_
+      ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
+      ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
+      ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
+
+      ca_exts = [
+          ["basicConstraints","CA:TRUE",true],
+          ["keyUsage","keyCertSign, cRLSign",true],
+          ["subjectKeyIdentifier","hash",false],
+          ["authorityKeyIdentifier","keyid:always",false],
+      ]
+      @ca_cert = issue_cert(ca, @rsa2048, 1, ca_exts, nil, nil)
+      ee_exts = [
+          ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
+          ["authorityKeyIdentifier","keyid:always",false],
+          ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
+      ]
+      @ee1_cert = issue_cert(ee1, @rsa1024, 2, ee_exts, @ca_cert, @rsa2048)
+      @ee2_cert = issue_cert(ee2, @rsa1024, 3, ee_exts, @ca_cert, @rsa2048)
+
+      #
+
+      certs = [@ee1_cert, @ee2_cert]
+      cipher = OpenSSL::Cipher::AES.new("128-CBC")
+      data = "aaaaa\nbbbbb\nccccc\n"
+
+      tmp = OpenSSL::PKCS7.encrypt(certs, data, cipher, OpenSSL::PKCS7::BINARY)
+      p7 = OpenSSL::PKCS7.new(tmp.to_der)
+      recip = p7.recipients
+      assert_equal(:enveloped, p7.type)
+      assert_equal(2, recip.size)
+
+      assert_equal(@ca_cert.subject.to_s, recip[0].issuer.to_s)
+      assert_equal(2, recip[0].serial)
+      assert_equal(data, p7.decrypt(@rsa1024, @ee1_cert))
+
+      assert_equal(@ca_cert.subject.to_s, recip[1].issuer.to_s)
+      assert_equal(3, recip[1].serial)
+      assert_equal(data, p7.decrypt(@rsa1024, @ee2_cert))
+      assert_equal(data, p7.decrypt(@rsa1024))
+    end
+
   end
 end
 

src/test/ruby/test_helper.rb

@@ -139,17 +139,28 @@ def jruby?; self.class.jruby? end
 
   def debug(msg); puts msg if $VERBOSE end
 
-  def issue_cert(dn, key, serial, not_before, not_after, extensions, issuer, issuer_key, digest)
+  def issue_cert(*args)
+  # def issue_cert(dn, key, serial, not_before, not_after, extensions, issuer, issuer_key, digest)
+  # def issue_cert(dn, key, serial, extensions, issuer, issuer_key,
+  #                not_before: nil, not_after: nil, digest: "sha256")
+    if args.length == 9
+      dn, key, serial, not_before, not_after, extensions, issuer, issuer_key, digest = *args
+    else
+      dn, key, serial, extensions, issuer, issuer_key, opts = *args
+      opts ||= {}
+      not_before, not_after, digest = opts[:not_before], opts[:not_after], opts[:digest] || "sha256"
+    end
     cert = OpenSSL::X509::Certificate.new
     issuer = cert unless issuer
     issuer_key = key unless issuer_key
     cert.version = 2
     cert.serial = serial
     cert.subject = dn
     cert.issuer = issuer.subject
-    cert.public_key = key.public_key
-    cert.not_before = not_before
-    cert.not_after = not_after
+    cert.public_key = key
+    now = Time.now
+    cert.not_before = not_before || now - 3600
+    cert.not_after = not_after || now + 3600
     ef = OpenSSL::X509::ExtensionFactory.new
     ef.subject_certificate = cert
     ef.issuer_certificate = issuer