[fix] for CRL verify when signed with EC key (#276)

* Fix for CRL verify when signed with EC key

Signed-off-by: Tero Saarni <tero.saarni@est.tech>

* Added test case for CRL validation

Signed-off-by: Tero Saarni <tero.saarni@est.tech>

Author: tsaarni

src/main/java/org/jruby/ext/openssl/SecurityHelper.java

@@ -57,6 +57,7 @@
 import java.security.cert.X509CRL;
 import java.security.interfaces.DSAParams;
 import java.security.interfaces.DSAPublicKey;
+import java.security.interfaces.ECPublicKey;
 import java.security.interfaces.RSAPublicKey;
 import java.util.Locale;
 import java.util.Map;
@@ -85,11 +86,13 @@
 import org.bouncycastle.crypto.params.DSAPublicKeyParameters;
 import org.bouncycastle.crypto.params.RSAKeyParameters;
 import org.bouncycastle.jce.provider.X509CRLObject;
+import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;
 import org.bouncycastle.operator.ContentVerifierProvider;
 import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.DigestAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.OperatorException;
 import org.bouncycastle.operator.bc.BcDSAContentVerifierProviderBuilder;
+import org.bouncycastle.operator.bc.BcECContentVerifierProviderBuilder;
 import org.bouncycastle.operator.bc.BcRSAContentVerifierProviderBuilder;
 import org.jruby.util.SafePropertyAccessor;
 
@@ -610,6 +613,10 @@ static boolean verify(final X509CRL crl, final PublicKey publicKey, final boolea
                     AsymmetricKeyParameter dsaKey = new DSAPublicKeyParameters(y, parameters);
                     verifierProvider = new BcDSAContentVerifierProviderBuilder(digestAlgFinder).build(dsaKey);
                 }
+                else if ( "EC".equalsIgnoreCase( publicKey.getAlgorithm() )) {
+                    AsymmetricKeyParameter ecKey = ECUtil.generatePublicKeyParameter(publicKey);
+                    verifierProvider = new BcECContentVerifierProviderBuilder(digestAlgFinder).build(ecKey);
+                }
                 else {
                     BigInteger mod = ((RSAPublicKey) publicKey).getModulus();
                     BigInteger exp = ((RSAPublicKey) publicKey).getPublicExponent();

src/test/ruby/x509/ec-ca.crl

@@ -0,0 +1,7 @@
+-----BEGIN X509 CRL-----
+MIHcMIGDAgEBMAoGCCqGSM49BAMCMBAxDjAMBgNVBAMTBWVjLWNhFw0yMzA1MDIx
+NDIwNTFaGA8yMDczMDIyODE0MjA1MVowGzAZAggXW1l2cygQyxcNMjMwNTAyMTQy
+MDUxWqAjMCEwHwYDVR0jBBgwFoAUttNRPFixOdwcEEs8Zc/AP+XGM8IwCgYIKoZI
+zj0EAwIDSAAwRQIhAIY/kYfZbkAJUOQkXcJrGfeZLUYpt2mofamD2aHGhaE8AiAh
+rW6t9BQ3xUCKHTODJHJHe+otaiwSCXoVI2jlJBcDWg==
+-----END X509 CRL-----

src/test/ruby/x509/ec-ca.crt

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBWzCCAQCgAwIBAgIIF1tZdnMbfdcwCgYIKoZIzj0EAwIwEDEOMAwGA1UEAxMF
+ZWMtY2EwIBcNMjMwNTAyMTQyMDUxWhgPMjA3MzA0MTkxNDIwNTFaMBAxDjAMBgNV
+BAMTBWVjLWNhMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3xYZYfagw6booMq2
+L/4x2RKVgwWM4UbAbycJHuubBESVic8AApX1WcjOEKjQt+9GqVFAJxKzjlxGA+Hc
+SVlpIaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+BBYEFLbTUTxYsTncHBBLPGXPwD/lxjPCMAoGCCqGSM49BAMCA0kAMEYCIQD5QgDE
+1AijBncz7ItMv+q2vED1/AqNNY/whm71/wGK+QIhANkGiD6DdrydjEgVuFTvW/Kg
+S122sk5XXx5zlCmZVZQA
+-----END CERTIFICATE-----

src/test/ruby/x509/test_x509crl.rb

@@ -170,6 +170,12 @@ def test_to_java
     assert_same crl.to_java, crl.to_java(java.security.cert.X509CRL)
   end
 
+  def test_verify_crl_signature
+    crl = OpenSSL::X509::CRL.new(File.read(File.expand_path('../ec-ca.crl', __FILE__)))
+    ca = OpenSSL::X509::Certificate.new(File.read(File.expand_path('../ec-ca.crt', __FILE__)))
+    assert crl.verify(ca.public_key)
+  end
+
   private
 
   def get_subject_key_id(cert)
@@ -211,4 +217,4 @@ def get_subject_key_id(cert)
 -----END RSA PRIVATE KEY-----
   _end_of_pem_
 
-end
+end