
TLS client cert specification via URI options does not work on JRuby

    • Fully Compatible

      It appears that JRuby cannot parse a certificate+private key bundle, per https://github.com/jruby/jruby-openssl/issues/176. When a client certificate is passed via URI options, since there is only one option which expects to be given such a bundle, JRuby fails to parse the client certificate. This means, as far as I can tell, that on JRuby the driver is currently unable to connect to a server configured to verify client certificates when certificates/TLS configuration is specified via URI options.

      Our key handling logic is currently as follows:

            # Load the client private key into the SSL context from whichever of
            # the three key options was supplied. Every branch goes through the
            # generic OpenSSL::PKey.read, which JRuby cannot apply to a
            # certificate+key bundle (see the linked jruby-openssl issue).
            def set_key(context, options)
              passphrase = options[:ssl_key_pass_phrase]
              if options[:ssl_key]
                # Path to a PEM file (the form used by the URI options)
                context.key = passphrase ? OpenSSL::PKey.read(File.read(options[:ssl_key]), passphrase) :
                  OpenSSL::PKey.read(File.open(options[:ssl_key]))
              elsif options[:ssl_key_string]
                # PEM contents passed directly as a string
                context.key = passphrase ? OpenSSL::PKey.read(options[:ssl_key_string], passphrase) :
                  OpenSSL::PKey.read(options[:ssl_key_string])
              elsif options[:ssl_key_object]
                # Already-parsed OpenSSL::PKey instance
                context.key = options[:ssl_key_object]
              end
            end
      

      We could possibly make it work by explicitly using OpenSSL::PKey::RSA and OpenSSL::PKey::DSA on JRuby.

      Exception for wrong key type looks like this:

      OpenSSL::PKey::DSAError: Neither PUB key nor PRIV key: (invalid key type org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey)
        initialize at org/jruby/ext/openssl/PKeyDSA.java:271
            <main> at rsa.rb:3
      

      DSAError is a subclass of PKeyError which is what we can probably rescue.
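      As an added illustration (not the driver's code and not from the issue), the fallback described above, written against MRI's OpenSSL API: try the generic OpenSSL::PKey.read first, then the explicit RSA and DSA parsers, rescuing OpenSSL::PKey::PKeyError (the common parent of RSAError and DSAError) between attempts. The key, the self-signed certificate and the cert+key bundle fed to it are constructed inside the block; load_private_key and self_signed_bundle are hypothetical names.

```ruby
require 'openssl'

# Parsers tried in order. OpenSSL::PKey.read is the generic entry point the
# driver uses today; the explicit RSA and DSA parsers are the fallbacks
# suggested in the issue. Each raises a PKeyError subclass on a mismatch.
KEY_PARSERS = {
  generic: ->(*args) { OpenSSL::PKey.read(*args) },
  rsa:     ->(*args) { OpenSSL::PKey::RSA.new(*args) },
  dsa:     ->(*args) { OpenSSL::PKey::DSA.new(*args) },
}.freeze

# Returns the first private key any parser accepts; raises PKeyError carrying
# every parser's failure reason if none does (a public key is rejected too).
def load_private_key(pem, passphrase = nil)
  args = [pem]
  args << passphrase if passphrase
  failures = []
  KEY_PARSERS.each do |name, parser|
    key = parser.call(*args)
    return key if key.private?
    failures << "#{name}: parsed a public key, not a private key"
  rescue OpenSSL::PKey::PKeyError => e # covers RSAError and DSAError
    failures << "#{name}: #{e.class}: #{e.message}"
  end
  raise OpenSSL::PKey::PKeyError, "no parser accepted the key (#{failures.join('; ')})"
end

# Constructed client certificate + private key bundle, the input shape the
# single URI option hands to the driver.
def self_signed_bundle(key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-client')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem + key.to_pem
end

SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048) # constructed test key
SAMPLE_BUNDLE = self_signed_bundle(SAMPLE_KEY)

if $PROGRAM_NAME == __FILE__
  key = load_private_key(SAMPLE_BUNDLE)
  puts "loaded #{key.class} from bundle; matches sample key: #{key.to_der == SAMPLE_KEY.to_der}"
end
```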

            Assignee:
            oleg.pudeyev@mongodb.com Oleg Pudeyev (Inactive)
            Reporter:
            oleg.pudeyev@mongodb.com Oleg Pudeyev (Inactive)