Skip to content

keep in line with MRI if possible #61

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Aug 11, 2015
Merged

keep in line with MRI if possible #61

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 41 additions & 5 deletions src/main/java/org/jruby/ext/openssl/x509store/X509Utils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
package org.jruby.ext.openssl.x509store;


import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
import java.util.Arrays;
Expand Down Expand Up @@ -292,13 +293,48 @@ else if ( keyUsage != null && ! keyUsage[5] ) { // KU_KEY_CERT_SIGN
public static final String X509_PRIVATE_DIR;

static {
OPENSSLDIR = "/usr/local/openssl"; // NOTE: blindly follow?!
// roughly following the ideas from https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
// and falling back to trust store from java to be on the save side

// TODO usability in limited environments should be tested/reviewed
final String JAVA_HOME = SafePropertyAccessor.getProperty("java.home", "");
X509_CERT_AREA = JAVA_HOME + "/lib/security";
X509_CERT_DIR = X509_CERT_AREA;
X509_CERT_FILE = X509_CERT_DIR + "/cacerts";
X509_PRIVATE_DIR = "/usr/lib/ssl/private"; // NOTE: blindly follow?!

// if the default files/dirs exist we use them. with this a switch
// from MRI to JRuby produces the same results. otherwise we use the
// certs from JAVA_HOME.
final String MAYBE_CERT_FILE;
final String LINUX_CERT_AREA = "/etc/ssl";
final String MACOS_CERT_AREA = "/System/Library/OpenSSL";
final String MAYBE_PKI_CERT_FILE = "/etc/pki/tls/certs/ca-bundle.crt";
if (new File(LINUX_CERT_AREA).exists()) {
X509_CERT_AREA = LINUX_CERT_AREA;
X509_CERT_DIR = X509_CERT_AREA + "/certs";
X509_PRIVATE_DIR = X509_CERT_AREA + "/private";
MAYBE_CERT_FILE = X509_CERT_DIR + "/cert.pem";
}
else if (new File(MACOS_CERT_AREA).exists()) {
X509_CERT_AREA = MACOS_CERT_AREA;
X509_CERT_DIR = X509_CERT_AREA + "/certs";
X509_PRIVATE_DIR = X509_CERT_AREA + "/private";
MAYBE_CERT_FILE = X509_CERT_AREA + "/cert.pem";
}
else {
X509_CERT_AREA = JAVA_HOME + "/lib/security";
X509_CERT_DIR = X509_CERT_AREA;
X509_PRIVATE_DIR = X509_CERT_AREA;
MAYBE_CERT_FILE = MAYBE_PKI_CERT_FILE;
}
if (new File(MAYBE_PKI_CERT_FILE).exists()) {
X509_CERT_FILE = MAYBE_PKI_CERT_FILE;
}
else if (new File(MAYBE_CERT_FILE).exists()) {
X509_CERT_FILE = MAYBE_CERT_FILE;
}
else {
X509_CERT_FILE = JAVA_HOME + "/lib/security/cacerts";
}
// keep it with some meaninful content as it is a public constant
OPENSSLDIR = X509_CERT_AREA;
}

public static final String X509_CERT_DIR_EVP = "SSL_CERT_DIR";
Expand Down