Re: [jruby-dev] Problem and solution in OpenSSL (Attn: Bill)

Fri, 30 Nov 2007 23:36:19 -0800 

Bill Dortch wrote:
The jruby-openssl code already directly imports some of the BC code, and in other places explicitly passes the provider arg "BC" to the JCE interface.. So we wouldn't be creating a new dependency, it's already there. It would be *nice* if the provider were pluggable, but that isn't what we have now. 


So I'd say the approach is fine (I was already looking at doing this for 
the DH impl, which I haven't quite finished), but will take some work.  
It might be easiest for now to stick (mostly) with the JCE interface, 
but just replace the various SomeJCEThingy.getInstance(xxx, "BC") calls 
with direct instantiation and/or retrieval of the corresponding BC class.



If we all agree to this, I'll do this in the code I'm working on, but I 
can't commit now to doing this in the rest of the package.


Well I'd say give it a try. But this is going to be a challenge.


I've started some conversions, unfortunately having to learn about 
crypto as I go. It's been slow, but Digest passes all tests and Cipher 
passes all but one. For those APIs I think it's just a matter of putting 
the time in.


Where it starts to get tricky is when we cross over into javax.net.ssl.


As part of the openssl extension, we have to provide an SSLSocket 
implementation. This will essentially does all the handshaking between 
client and server and makes sure everything is encrypted/decrypted on 
the wire. This is where Ola's work mostly came to an end; he implemented 
all the various bits and pieces for encryption, certificates, and so on, 
but the SSL bit is largely handed off to the javax.net.ssl library's 
SSLEngine. So this is where it gets complicated, because I'm pretty sure 
SSLEngine depends on JCE, which means it would depend on BC being 
registered as a provider if BC's features are needed.



The C Ruby extension does something rather similar, handing off SSL to 
OpenSSL for the most part, allowing it to do its encryption, and then 
writing the results to the underlying socket. The difference is that 
Ruby is still in control of the socket object, and Ruby handles doing 
the actual IO.


SSLEngine and friends are going to be a problem.

- Charlie

---------------------------------------------------------------------
To unsubscribe from this list please visit:

   http://xircles.codehaus.org/manage_email























					Reply via email to