jruby / jruby-ossl

DEFUNCT, new repository at:
https://github.com/jruby/jruby-openssl

Missing OpenSSL::PKCS12 #8

Open dlee opened 13 years ago

dlee commented 13 years ago

The MRI stdlib version of OpenSSL has PKCS12 support, but I don't see it in jruby-openssl.

owenthereal commented 12 years ago

Any update for this issue? It's missing from jruby-openssl....

owenthereal commented 12 years ago

I found this test for pkcs12 though (https://github.com/jruby/jruby-ossl/blob/master/test/1.9/test_pkcs12.rb). How come OpenSSL::PKCS12 is not exposed as a constant?

owenthereal commented 12 years ago

cc / @headius @nicksieger

owenthereal commented 12 years ago

I have put up a patch for my project on OpenSSL::PKCS12:

require 'openssl'

unless OpenSSL.const_defined?(:PKCS12)
  require 'java'

  module Patch
    module JRuby
      module OpenSSL
        class PKCS12
          java_import java.io.StringReader
          java_import java.io.StringBufferInputStream
          java_import java.security.cert.CertificateFactory
          java_import java.security.KeyStore
          java_import java.io.ByteArrayOutputStream
          java_import org.bouncycastle.openssl.PEMReader

          java.security.Security.add_provider(org.bouncycastle.jce.provider.BouncyCastleProvider.new)

          def self.create(pass, name, key, cert)
            pkcs12 = self.new(pass, name, key, cert)
            pkcs12.generate
            pkcs12
          end

          attr_reader :key, :certificate

          def initialize(pass, name, key, cert)
            @pass = pass
            @name = name
            @key = key
            @certificate = cert
          end

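          def generate
            # Parse the PEM-encoded private key into a Java KeyPair via BouncyCastle.
            key_reader = StringReader.new(key.to_pem)
            key_pair = PEMReader.new(key_reader).read_object

            # Parse the PEM-encoded certificate(s) into Java certificate objects.
            cert_input_stream = StringBufferInputStream.new(certificate.to_pem)
            certs = CertificateFactory.get_instance("X.509").generate_certificates(cert_input_stream)

            # Build an empty in-memory PKCS12 keystore from the BC provider and
            # store the private key with its certificate chain under the alias @name.
            store = KeyStore.get_instance("PKCS12", "BC")
            store.load(nil, nil)
            store.set_key_entry(@name, key_pair.get_private, nil, certs.to_array(Java::java.security.cert.Certificate[certs.size].new))

            # Serialize the keystore, passing @pass as the store password.
            pkcs12_output_stream = ByteArrayOutputStream.new
            store.store(pkcs12_output_stream, @pass.to_java.to_char_array)

            @der = String.from_java_bytes(pkcs12_output_stream.to_byte_array)
          end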

          def to_der
            @der
          end
        end
      end
    end
  end

  OpenSSL.const_set(:PKCS12, Patch::JRuby::OpenSSL::PKCS12)
end

owenthereal commented 12 years ago

note: this is a simplified version of MRI's OpenSSL::PKCS12

headius commented 12 years ago

I'm totally in favor of incorporating this into jruby-ossl until we have a full Java impl (or forever, if this is sufficient for all users).

nahi commented 12 years ago

Agreed. @jingweno, did you run tests in CRuby 1.9.3 against your patch? I didn't expect full green. Just 1 green is enough.

owenthereal commented 12 years ago

How did you know there is 1 green? :)

before

360 tests, 1902 assertions, 19 failures, 36 errors, 0 skips

after

360 tests, 1904 assertions, 18 failures, 36 errors, 0 skips

note: This patch only implements the minimal logic that works for my project. It needs more work to support the whole PKCS12 set.

headius commented 12 years ago

It's a great start :) And I like the code a lot better than most of the Java code that makes up the rest of jruby-ossl!

kyledrake commented 12 years ago

Just FYI, this interface appears to be different than the MRI version for new: http://www.ensta-paristech.fr/~diam/ruby/online/ruby-1.9.1/classes/OpenSSL/PKCS12.html#M006607

kyledrake commented 12 years ago

To add more information: #create is used to make the PKCS12, but PKCS12.new is how you convert a PKCS12 to a PEM. I will be attempting to work around this by using the shell command and a couple tempfiles: openssl pkcs12 -in #{tf_p12.path} -out #{tf_pem.path} -nodes -clcerts

kyledrake commented 12 years ago

Related: https://github.com/highgroove/grocer/issues/17

owenthereal commented 12 years ago

@nahi @headius I saw there is a project on reimplementing jruby-openssl with krypt in this year's Google Summer of Code (https://github.com/jruby/jruby/wiki/GoogleSummerOfCode2012). Wondering whether it will be made into jruby-openssl sooner?

@kyledrake Please see my comment. The implementation is only partially done. I will look at the Ruby specs to see how it should behave and come up with a patch.

kyledrake commented 12 years ago

Apologies if I wasn't clear. My intent wasn't to point out that it is incomplete, but to make a note of the fact that it is implemented differently. I discovered this when I ran a test, so I wanted to point it out in case anybody else ran into it.

vanstee commented 11 years ago

Any recent progress here? We were hoping to fix an issue in grocer once this was resolved.

kyledrake commented 11 years ago

I haven't heard anything back on this in months. PKCS12 is not implemented correctly on JRuby; it does something completely different than what is in MRI, unfortunately. The shell-out is the only solution I've found so far.
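
The interface difference discussed in this thread (in MRI, `create(pass, name, key, cert)` builds a PKCS12 and `new(der, pass)` parses one), written as a runtime check. This is an added example, not code from the thread or from jruby-ossl; the helper names `throwaway_identity` and `pkcs12_contract_report`, the passwords and the certificate subject are assumptions made for illustration.

```ruby
require 'openssl'

# Constructed test material: a throwaway RSA key and self-signed certificate.
def throwaway_identity(cn = 'pkcs12-contract-check')
  key = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Reports whether `klass` follows the MRI contract:
#   create(pass, name, key, cert) -> object responding to #to_der
#   new(der, pass)                -> object exposing #key and #certificate
def pkcs12_contract_report(klass = OpenSSL::PKCS12)
  key, cert = throwaway_identity
  report = { create: false, parse: false, rejects_wrong_password: false }

  der = klass.create('correct horse', 'example', key, cert).to_der
  report[:create] = der.is_a?(String) && !der.empty?

  begin
    parsed = klass.new(der, 'correct horse')
    report[:parse] = parsed.key.to_der == key.to_der &&
                     parsed.certificate.to_der == cert.to_der
  rescue ArgumentError, NoMethodError
    # Constructor has a different signature: the divergence noted in this thread.
    return report
  end

  begin
    klass.new(der, 'wrong password')
  rescue OpenSSL::PKCS12::PKCS12Error
    # A wrong password must fail the integrity check instead of yielding a key.
    report[:rejects_wrong_password] = true
  end
  report
end
```

Calling `pkcs12_contract_report` on the runtime under test shows which half of the interface is missing before any code depends on it.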