search

jruby / jruby-openssl

JRuby's OpenSSL gem
http://www.jruby.org
Other
45 stars 80 forks source link

PKey::EC.new failing with java.lang.StringIndexOutOfBoundsException: String index out of range: 0 #318

Open kares opened 18 hours ago

kares commented 18 hours ago

OpenSSL::PKey::EC.new(...) decoding some (public key) DER could fail curve name detection, sample script:

    def do_test_from_sequence_with_packed_point(curve, jwk_x, jwk_y)
      group = OpenSSL::PKey::EC::Group.new(curve)

      x_octets = ::Base64.urlsafe_decode64(jwk_x)
      y_octets = ::Base64.urlsafe_decode64(jwk_y)

      point = OpenSSL::PKey::EC::Point.new(group, OpenSSL::BN.new([0x04, x_octets, y_octets].pack('Ca*a*'), 2))
      sequence = OpenSSL::ASN1::Sequence([
                                OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('id-ecPublicKey'), OpenSSL::ASN1::ObjectId(curve)]),
                                OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed))
       ])

       OpenSSL::PKey::EC.new(sequence.to_der)
     end

    jwk_x = "mAObq2aOmjkZwS5ruLmZITbXKTepItbnyrMm1VWGeeg"
    jwk_y = "EtQDulK7N-v_0mdbFQe-bNCyc-ey1sPRa1l--_7vAiA"
    do_test_from_sequence_with_packed_point('prime256v1', jwk_x, jwk_y)

leads to:

 Java::JavaLang::StringIndexOutOfBoundsException: String index out of range: 0
java.base/java.lang.StringLatin1.charAt(StringLatin1.java:48)
java.base/java.lang.String.charAt(String.java:1517)
org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil.getOID(Unknown Source)
org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil.getNamedCurveOid(Unknown Source)
org.jruby.ext.openssl.PKeyEC.getCurveOID(PKeyEC.java:191)
org.jruby.ext.openssl.PKeyEC.isCurveName(PKeyEC.java:195)
org.jruby.ext.openssl.PKeyEC.initialize(PKeyEC.java:276)
org.jruby.ext.openssl.PKeyEC$INVOKER$i$0$0$initialize.call(PKeyEC$INVOKER$i$0$0$initialize.gen)
org.jruby.dist/org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:224)
org.jruby.dist/org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:257)
org.jruby.dist/org.jruby.RubyClass.newInstance(RubyClass.java:922)
org.jruby.dist/org.jruby.RubyClass$INVOKER$i$newInstance.call(RubyClass$INVOKER$i$newInstance.gen)

when the DER encoding has a space char at the end of the string, due: https://github.com/bcgit/bc-java/blob/1.78.1/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/util/ECUtil.java#L325

kares commented 18 hours ago

upstream issue: https://github.com/bcgit/bc-java/issues/1869