[Backport 1.x] Bump BouncyCastle from jdk15on to jdk15to18 (#2901) (#…

…2919) (#2931) jdk15to18 contains fix for - CVE-2023-33201 - Medium Severity Vulnerability (cherry picked from commit 9a72355) Signed-off-by: Andrey Pleskach <ples@aiven.io> (cherry picked from commit 8e6eef7) Co-authored-by: Andrey Pleskach <ples@aiven.io>
opensearch-project · Jul 5, 2023 · a62edf3 · a62edf3
1 parent c72e00d
commit a62edf3
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 31 deletions.
diff --git a/build.gradle b/build.gradle
@@ -92,13 +92,20 @@ configurations.all {
 }
 
 dependencies {
+
+    modules {
+        module("org.bouncycastle:bcprov-jdk15on") {
+            replacedBy("org.bouncycastle:bcprov-jdk15to18", "the jdk15on artifacts are not supported anymore")
+        }
+    }
+
     implementation 'jakarta.annotation:jakarta.annotation-api:1.3.5'
     implementation "org.opensearch.plugin:transport-netty4-client:${opensearch_version}"
     implementation "org.opensearch.client:opensearch-rest-high-level-client:${opensearch_version}"
     implementation 'com.google.guava:guava:30.0-jre'
     implementation 'org.greenrobot:eventbus:3.2.0'
     implementation 'commons-cli:commons-cli:1.3.1'
-    implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
+    implementation 'org.bouncycastle:bcprov-jdk15to18:1.75'
     implementation 'com.fasterxml.jackson.core:jackson-databind:2.14.1'
     implementation 'org.ldaptive:ldaptive:1.2.3'
     implementation 'org.apache.httpcomponents:httpclient-cache:4.5.13'

diff --git a/plugin-security.policy b/plugin-security.policy
@@ -59,10 +59,13 @@ grant {
   permission java.net.NetPermission "getNetworkInformation";
   permission java.net.NetPermission "getProxySelector";
   permission java.net.SocketPermission "*", "connect,accept,resolve";
-
+
+  // BouncyCastle permissions
   permission java.security.SecurityPermission "putProviderProperty.BC";
   permission java.security.SecurityPermission "insertProvider.BC";
-
+  permission java.security.SecurityPermission "removeProviderProperty.BC";
+  permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";
+
   permission java.lang.RuntimePermission "accessUserInformation";
 
   permission java.security.SecurityPermission "org.apache.xml.security.register";

diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
@@ -17,6 +17,7 @@
 
 package org.opensearch.security.ssl;
 
+import com.google.common.collect.ImmutableList;
 import io.netty.buffer.PooledByteBufAllocator;
 import io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.netty.handler.ssl.ClientAuth;
@@ -58,6 +59,7 @@
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLParameters;
 
+import org.bouncycastle.asn1.ASN1Object;
 import org.opensearch.security.ssl.util.CertFileProps;
 import org.opensearch.security.ssl.util.CertFromFile;
 import org.opensearch.security.ssl.util.CertFromKeystore;
@@ -985,34 +987,27 @@ public String getSubjectAlternativeNames(X509Certificate cert) {
     }
 
     private List<String> getOtherName(List<?> altName) {
-        ASN1Primitive oct =  null;
-        try {
-            byte[] altNameBytes = (byte[]) altName.get(1);
-            oct = (new ASN1InputStream(new ByteArrayInputStream(altNameBytes)).readObject());
-        } catch (IOException e) {
-            throw new RuntimeException("Could not read ASN1InputStream", e);
-        }
-        if (oct instanceof ASN1TaggedObject) {
-            oct = ((ASN1TaggedObject) oct).getObject();
-        }
-        ASN1Sequence seq = ASN1Sequence.getInstance(oct);
-
-        // Get object identifier from first in sequence
-        ASN1ObjectIdentifier asnOID = (ASN1ObjectIdentifier) seq.getObjectAt(0);
-        String oid = asnOID.getId();
-
-        // Get value of object from second element
-        final ASN1TaggedObject obj = (ASN1TaggedObject) seq.getObjectAt(1);
-        // Could be tagged twice due to bug in java cert.getSubjectAltName
-        ASN1Primitive prim = obj.getObject();
-        if (prim instanceof ASN1TaggedObject) {
-            prim = ASN1TaggedObject.getInstance(((ASN1TaggedObject) prim)).getObject();
-        }
-
-        if (prim instanceof ASN1String) {
-            return Collections.unmodifiableList(Arrays.asList(oid, ((ASN1String) prim).getString()));
+        if (altName.size() < 2) {
+            log.warn("Couldn't parse subject alternative names");
+            return null;
+        }
+        try (final ASN1InputStream in = new ASN1InputStream((byte[]) altName.get(1))) {
+            final ASN1Primitive asn1Primitive = in.readObject();
+            final ASN1Sequence sequence = ASN1Sequence.getInstance(asn1Primitive);
+            final ASN1ObjectIdentifier asn1ObjectIdentifier = ASN1ObjectIdentifier.getInstance(sequence.getObjectAt(0));
+            final ASN1TaggedObject asn1TaggedObject = ASN1TaggedObject.getInstance(sequence.getObjectAt(1));
+            ASN1Object maybeTaggedAsn1Primitive = asn1TaggedObject.getBaseObject();
+            if (maybeTaggedAsn1Primitive instanceof ASN1TaggedObject) {
+                maybeTaggedAsn1Primitive = ASN1TaggedObject.getInstance(maybeTaggedAsn1Primitive).getBaseObject();
+            }
+            if (maybeTaggedAsn1Primitive instanceof ASN1String) {
+                return ImmutableList.of(asn1ObjectIdentifier.getId(), maybeTaggedAsn1Primitive.toString());
+            } else {
+                log.warn("Couldn't parse subject alternative names");
+                return null;
+            }
+        } catch (final Exception ioe) { // catch all exception here since BC throws diff exceptions
+            throw new RuntimeException("Couldn't parse subject alternative names", ioe);
         }
-
-        return null;
     }
 }