Revert "Refactor minissl to work in FIPS mode"

This reverts commit ca85508. Change-Id: I54ae3a8ed6e673457e331f785cc71f2e8764b34d
looker · Sep 11, 2024 · 42d4ab8 · 42d4ab8
1 parent fde2a97
commit 42d4ab8
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 12 deletions.
diff --git a/ext/puma_http11/org/jruby/puma/MiniSSL.java b/ext/puma_http11/org/jruby/puma/MiniSSL.java
@@ -141,26 +141,26 @@ public static synchronized IRubyObject server(ThreadContext context, IRubyObject
     String keystoreFile = miniSSLContext.callMethod(context, "keystore").convertToString().asJavaString();
     char[] password = miniSSLContext.callMethod(context, "keystore_pass").convertToString().asJavaString().toCharArray();
 
-    // In Looker's fips project, we configure Looker with Conscrypt and few other securityProviders.
-    // KeyStore functionalities from them cannot be specified as PKCS12 while reading a JKS format keystore file.
-    // So we need to explicitly define KeyStore as a JKS keystore. This works for both FIPS and non-FIPS.
-    KeyStore ks = KeyStore.getInstance("JKS");
-
+    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
     InputStream is = new FileInputStream(keystoreFile);
     try {
       ks.load(is, password);
     } finally {
       is.close();
     }
-
-    // In Conscrypt, SunX509 KeyManagerFactory is not supported. We need to use PKIX explicitly here.
-    // https://b.corp.google.com/issues/312217607#comment3.
-    KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX");
+    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
     kmf.init(ks, password);
     keyManagerFactoryMap.put(keystoreFile, kmf);
 
-    TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
-    tmf.init(ks);
+    KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
+    is = new FileInputStream(keystoreFile);
+    try {
+      ts.load(is, password);
+    } finally {
+      is.close();
+    }
+    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+    tmf.init(ts);
     trustManagerFactoryMap.put(keystoreFile, tmf);
 
     RubyClass klass = (RubyClass) recv;
@@ -172,6 +172,8 @@ public static synchronized IRubyObject server(ThreadContext context, IRubyObject
   @JRubyMethod
   public IRubyObject initialize(ThreadContext threadContext, IRubyObject miniSSLContext)
       throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
+    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+    KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
 
     String keystoreFile = miniSSLContext.callMethod(threadContext, "keystore").convertToString().asJavaString();
     KeyManagerFactory kmf = keyManagerFactoryMap.get(keystoreFile);
@@ -181,6 +183,7 @@ public IRubyObject initialize(ThreadContext threadContext, IRubyObject miniSSLCo
     }
 
     SSLContext sslCtx = SSLContext.getInstance("TLS");
+
     sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
     engine = sslCtx.createSSLEngine();
 

diff --git a/lib/puma/const.rb b/lib/puma/const.rb
@@ -100,7 +100,7 @@ class UnsupportedOption < RuntimeError
   # too taxing on performance.
   module Const
 
-    PUMA_VERSION = VERSION = "4.3.12.4.looker.custom".freeze
+    PUMA_VERSION = VERSION = "4.3.12.4.looker-pre-fips.custom".freeze
     CODE_NAME = "Mysterious Traveller".freeze
     PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze