Creation of BouncyCastle security provider results in security errors when run
in an unprivileged context
---------------------------------------------------------------------------------------------------------
Key: JRUBY-3919
URL: http://jira.codehaus.org/browse/JRUBY-3919
Project: JRuby
Issue Type: Bug
Components: Extensions
Affects Versions: JRuby 1.3
Reporter: Trejkaz
We have some code running under a secure context which is simply doing this:
require 'digest/md5'
This gives us an error:
[exec]
file:/D:/Program/lib/jruby-complete.jar!/META-INF/jruby.home/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in
`require': library `digest' could not be loaded: java.lang.InternalError:
cannot create instance of org.bouncycastle.jce.provider.symmetric.AESMappings :
java.security.AccessControlException: access denied
(java.security.SecurityPermission putProviderProperty.BC) (LoadError)
[exec] from
file:/D:/Program/lib/jruby-complete.jar!/META-INF/jruby.home/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in
`require'
[exec] from C:\Testing/file-test-helper.rb:4
[exec] from C:\Testing/file-test-helper.rb:31:in `require'
[exec] from
file:/D:/Program/lib/jruby-complete.jar!/META-INF/jruby.home/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in
`require'
[exec] from C:\Testing/test-sanity.rb:3
[exec] from C:\Testing/test-sanity.rb:31:in `require'
[exec] from
file:/D:/Program/lib/jruby-complete.jar!/META-INF/jruby.home/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in
`require'
[exec] from C:\Testing\run-tests.rb:15
[exec] ...internal jruby stack elided...
[exec] from
Kernel.require(file:/D:/Program/lib/jruby-complete.jar!/META-INF/jruby.home/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31)
[exec] from Kernel.require(C:\Testing/file-test-helper.rb:4)
[exec] from (unknown).(unknown)(C:\Testing/file-test-helper.rb:31)
[exec] from
Kernel.require(file:/D:/Program/lib/jruby-complete.jar!/META-INF/jruby.home/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31)
[exec] from Kernel.require(C:\Testing/test-sanity.rb:3)
[exec] from (unknown).(unknown)(C:\Testing/test-sanity.rb:31)
[exec] from
Kernel.require(file:/D:/Program/lib/jruby-complete.jar!/META-INF/jruby.home/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31)
[exec] from Kernel.require(C:\Testing\run-tests.rb:15)
[exec] from (unknown).(unknown)(:1)
This is before we even get a chance to run our own code which adds the BC
provider, so I had to search for other possible culprits, and JRuby itself is
using it directly which I thought was suspicious (surely it should let the JVM
tell it which provider to use instead of assuming BC's is the one we want,
which is the whole point of service providers...)
Unfortunately the Java stack trace is missing (something forgot to set the
cause when rethrowing it as LoadError?) so I couldn't immediately see *where*
it came from.
The only slightly suspicious place was RubyDigest.createDigest, which does
instantiate a BouncyCastleProvider without using
AccessController.doPrivileged... but if the exception occurred there it would
have been caught in the catch block in the same place.
I'm about to update to JRuby 1.3.1 in case it has fixed it, but I noticed
nothing along these lines in the changelog so I'm pessimistically assuming it
isn't fixed.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe from this list, please visit:
http://xircles.codehaus.org/manage_email
