Merge branch 'main' into #2553_refresh
DarshitChanpura committed Sep 6, 2023
2 parents 7d00991 + 1034cef commit ffcf0b5
Showing 4 changed files with 50 additions and 25 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/auto-release.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- name: GitHub App token
id: github_app_token
uses: tibdex/[email protected].0
uses: tibdex/[email protected].2
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
2 changes: 1 addition & 1 deletion .github/workflows/backport.yml
@@ -16,7 +16,7 @@ jobs:
steps:
- name: GitHub App token
id: github_app_token
uses: tibdex/[email protected].0
uses: tibdex/[email protected].2
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
4 changes: 2 additions & 2 deletions plugin-security.policy
@@ -37,7 +37,6 @@ grant {
permission java.util.PropertyPermission "*","read,write";

//Enable when we switch to UnboundID LDAP SDK
//permission java.util.PropertyPermission "*", "read,write";
//permission java.lang.RuntimePermission "setFactory";
//permission javax.net.ssl.SSLPermission "setHostnameVerifier";

@@ -60,11 +59,12 @@ grant {
permission java.security.SecurityPermission "putProviderProperty.BC";
permission java.security.SecurityPermission "insertProvider.BC";
permission java.security.SecurityPermission "removeProviderProperty.BC";
permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_size";
permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_mr_tests";

permission java.lang.RuntimePermission "accessUserInformation";

permission java.security.SecurityPermission "org.apache.xml.security.register";
permission java.util.PropertyPermission "org.apache.xml.security.ignoreLineBreaks", "write";

permission java.lang.RuntimePermission "createClassLoader";
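Review bot: The `getProperty.org.bouncycastle.rsa.max_size` and `getProperty.org.bouncycastle.rsa.max_mr_tests` grants in the second hunk have no comment saying why they are needed, unlike the LDAP block in the first hunk, which makes them hard to audit when the policy is trimmed later. A line such as `// BouncyCastle reads these through Security.getProperty; confirm both are still required after a BC upgrade` above them would do. The `+`/`-` markers are lost on this page, so which lines are new is inferred from the 2-additions count. While the wildcard `PropertyPermission "*","read,write"` at the top of the first hunk remains, the narrower `org.apache.xml.security.ignoreLineBreaks` write grant adds nothing; narrowing the wildcard is what would make the specific grants meaningful. The `grant` block opens and closes outside both hunks.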

@@ -968,18 +968,26 @@ private SslContext buildSSLServerContext(
final ClientAuth authMode
) throws SSLException {

final SslContextBuilder _sslContextBuilder = configureSSLServerContextBuilder(
SslContextBuilder.forServer(_key, _cert),
sslProvider,
ciphers,
authMode
);
try {
final SslContextBuilder _sslContextBuilder = AccessController.doPrivileged(new PrivilegedExceptionAction<SslContextBuilder>() {
@Override
public SslContextBuilder run() throws Exception {
return configureSSLServerContextBuilder(SslContextBuilder.forServer(_key, _cert), sslProvider, ciphers, authMode);
}
});

if (_trustedCerts != null && _trustedCerts.length > 0) {
_sslContextBuilder.trustManager(_trustedCerts);
}
if (_trustedCerts != null && _trustedCerts.length > 0) {
_sslContextBuilder.trustManager(_trustedCerts);
}

return buildSSLContext0(_sslContextBuilder);
return buildSSLContext0(_sslContextBuilder);
} catch (final PrivilegedActionException e) {
if (e.getCause() instanceof SSLException) {
throw (SSLException) e.getCause();
} else {
throw new RuntimeException(e);
}
}
}

private SslContext buildSSLServerContext(
@@ -991,19 +999,32 @@ private SslContext buildSSLServerContext(
final SslProvider sslProvider,
final ClientAuth authMode
) throws SSLException {
final SecurityManager sm = System.getSecurityManager();

final SslContextBuilder _sslContextBuilder = configureSSLServerContextBuilder(
SslContextBuilder.forServer(_cert, _key, pwd),
sslProvider,
ciphers,
authMode
);

if (_trustedCerts != null) {
_sslContextBuilder.trustManager(_trustedCerts);
if (sm != null) {
sm.checkPermission(new SpecialPermission());
}

return buildSSLContext0(_sslContextBuilder);
try {
final SslContextBuilder _sslContextBuilder = AccessController.doPrivileged(new PrivilegedExceptionAction<SslContextBuilder>() {
@Override
public SslContextBuilder run() throws Exception {
return configureSSLServerContextBuilder(SslContextBuilder.forServer(_cert, _key, pwd), sslProvider, ciphers, authMode);
}
});

if (_trustedCerts != null) {
_sslContextBuilder.trustManager(_trustedCerts);
}

return buildSSLContext0(_sslContextBuilder);
} catch (final PrivilegedActionException e) {
if (e.getCause() instanceof SSLException) {
throw (SSLException) e.getCause();
} else {
throw new RuntimeException(e);
}
}
}

private SslContextBuilder configureSSLServerContextBuilder(
@@ -1095,7 +1116,11 @@ public SslContext run() throws Exception {
}
});
} catch (final PrivilegedActionException e) {
throw (SSLException) e.getCause();
if (e.getCause() instanceof SSLException) {
throw (SSLException) e.getCause();
} else {
throw new RuntimeException(e);
}
}

return sslContext;
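Review bot: The first `buildSSLServerContext` overload (hunk at -968) enters `AccessController.doPrivileged` without the `SpecialPermission` check that the second overload (hunk at -991) performs before its privileged block, so two paths to the same privileged call are guarded differently. Adding `final SecurityManager sm = System.getSecurityManager();` and `if (sm != null) { sm.checkPermission(new SpecialPermission()); }` ahead of the `try` would make them consistent. In all three catch blocks the fallback `throw new RuntimeException(e);` wraps the `PrivilegedActionException` rather than its cause; `throw new RuntimeException(e.getCause());` keeps the real failure at the top of the trace, and the repeated unwrap could live in one private helper. The page has lost its `+`/`-` markers, so the `doPrivileged` form is read here as the new side. Both overloads' parameter lists begin above their hunks, and the method containing the last hunk starts and ends outside it.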