From b7d84fab7470cc4ea358bb63d9e131fe3991d0f9 Mon Sep 17 00:00:00 2001
From: Tero Saarni <tero.saarni@est.tech>
Date: Tue, 2 May 2023 16:25:42 +0300
Subject: [PATCH 1/2] Fix for CRL verify when signed with EC key

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
---
 src/main/java/org/jruby/ext/openssl/SecurityHelper.java | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/main/java/org/jruby/ext/openssl/SecurityHelper.java b/src/main/java/org/jruby/ext/openssl/SecurityHelper.java
index 009b2812..82021627 100644
--- a/src/main/java/org/jruby/ext/openssl/SecurityHelper.java
+++ b/src/main/java/org/jruby/ext/openssl/SecurityHelper.java
@@ -57,6 +57,7 @@
 import java.security.cert.X509CRL;
 import java.security.interfaces.DSAParams;
 import java.security.interfaces.DSAPublicKey;
+import java.security.interfaces.ECPublicKey;
 import java.security.interfaces.RSAPublicKey;
 import java.util.Locale;
 import java.util.Map;
@@ -85,11 +86,13 @@
 import org.bouncycastle.crypto.params.DSAPublicKeyParameters;
 import org.bouncycastle.crypto.params.RSAKeyParameters;
 import org.bouncycastle.jce.provider.X509CRLObject;
+import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;
 import org.bouncycastle.operator.ContentVerifierProvider;
 import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.DigestAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.OperatorException;
 import org.bouncycastle.operator.bc.BcDSAContentVerifierProviderBuilder;
+import org.bouncycastle.operator.bc.BcECContentVerifierProviderBuilder;
 import org.bouncycastle.operator.bc.BcRSAContentVerifierProviderBuilder;
 import org.jruby.util.SafePropertyAccessor;
 
@@ -610,6 +613,10 @@ static boolean verify(final X509CRL crl, final PublicKey publicKey, final boolea
                     AsymmetricKeyParameter dsaKey = new DSAPublicKeyParameters(y, parameters);
                     verifierProvider = new BcDSAContentVerifierProviderBuilder(digestAlgFinder).build(dsaKey);
                 }
+                else if ( "EC".equalsIgnoreCase( publicKey.getAlgorithm() )) {
+                    AsymmetricKeyParameter ecKey = ECUtil.generatePublicKeyParameter(publicKey);
+                    verifierProvider = new BcECContentVerifierProviderBuilder(digestAlgFinder).build(ecKey);
+                }
                 else {
                     BigInteger mod = ((RSAPublicKey) publicKey).getModulus();
                     BigInteger exp = ((RSAPublicKey) publicKey).getPublicExponent();

From 53a37c1ff33915ea649800a4dff2ce38fa0c2aba Mon Sep 17 00:00:00 2001
From: Tero Saarni <tero.saarni@est.tech>
Date: Tue, 2 May 2023 17:39:52 +0300
Subject: [PATCH 2/2] Added test case for CRL validation

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
---
 src/test/ruby/x509/ec-ca.crl       |  7 +++++++
 src/test/ruby/x509/ec-ca.crt       | 10 ++++++++++
 src/test/ruby/x509/test_x509crl.rb |  8 +++++++-
 3 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 src/test/ruby/x509/ec-ca.crl
 create mode 100644 src/test/ruby/x509/ec-ca.crt

diff --git a/src/test/ruby/x509/ec-ca.crl b/src/test/ruby/x509/ec-ca.crl
new file mode 100644
index 00000000..c349d383
--- /dev/null
+++ b/src/test/ruby/x509/ec-ca.crl
@@ -0,0 +1,7 @@
+-----BEGIN X509 CRL-----
+MIHcMIGDAgEBMAoGCCqGSM49BAMCMBAxDjAMBgNVBAMTBWVjLWNhFw0yMzA1MDIx
+NDIwNTFaGA8yMDczMDIyODE0MjA1MVowGzAZAggXW1l2cygQyxcNMjMwNTAyMTQy
+MDUxWqAjMCEwHwYDVR0jBBgwFoAUttNRPFixOdwcEEs8Zc/AP+XGM8IwCgYIKoZI
+zj0EAwIDSAAwRQIhAIY/kYfZbkAJUOQkXcJrGfeZLUYpt2mofamD2aHGhaE8AiAh
+rW6t9BQ3xUCKHTODJHJHe+otaiwSCXoVI2jlJBcDWg==
+-----END X509 CRL-----
diff --git a/src/test/ruby/x509/ec-ca.crt b/src/test/ruby/x509/ec-ca.crt
new file mode 100644
index 00000000..1c3ab3ba
--- /dev/null
+++ b/src/test/ruby/x509/ec-ca.crt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBWzCCAQCgAwIBAgIIF1tZdnMbfdcwCgYIKoZIzj0EAwIwEDEOMAwGA1UEAxMF
+ZWMtY2EwIBcNMjMwNTAyMTQyMDUxWhgPMjA3MzA0MTkxNDIwNTFaMBAxDjAMBgNV
+BAMTBWVjLWNhMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3xYZYfagw6booMq2
+L/4x2RKVgwWM4UbAbycJHuubBESVic8AApX1WcjOEKjQt+9GqVFAJxKzjlxGA+Hc
+SVlpIaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+BBYEFLbTUTxYsTncHBBLPGXPwD/lxjPCMAoGCCqGSM49BAMCA0kAMEYCIQD5QgDE
+1AijBncz7ItMv+q2vED1/AqNNY/whm71/wGK+QIhANkGiD6DdrydjEgVuFTvW/Kg
+S122sk5XXx5zlCmZVZQA
+-----END CERTIFICATE-----
diff --git a/src/test/ruby/x509/test_x509crl.rb b/src/test/ruby/x509/test_x509crl.rb
index f794c7bb..0f70c9c5 100644
--- a/src/test/ruby/x509/test_x509crl.rb
+++ b/src/test/ruby/x509/test_x509crl.rb
@@ -170,6 +170,12 @@ def test_to_java
     assert_same crl.to_java, crl.to_java(java.security.cert.X509CRL)
   end
 
+  def test_verify_crl_signature
+    crl = OpenSSL::X509::CRL.new(File.read(File.expand_path('../ec-ca.crl', __FILE__)))
+    ca = OpenSSL::X509::Certificate.new(File.read(File.expand_path('../ec-ca.crt', __FILE__)))
+    assert crl.verify(ca.public_key)
+  end
+
   private
 
   def get_subject_key_id(cert)
@@ -211,4 +217,4 @@ def get_subject_key_id(cert)
 -----END RSA PRIVATE KEY-----
   _end_of_pem_
 
-end
\ No newline at end of file
+end