Fix RUBY-1830 TLS client cert specification via URI options does not work on JRuby (#1383)

Author: p-mongo

.evergreen/.evg.yml

@@ -854,8 +854,7 @@ buildvariants:
 -
   matrix_name: "local-tls"
   matrix_spec:
-    # No JRuby due to https://jira.mongodb.org/browse/RUBY-1830
-    ruby: ["ruby-2.6", "ruby-1.9"]
+    ruby: "*"
     mongodb-version: '4.0'
     topology: standalone
   display_name: "Local TLS ${ruby}"

.evergreen/run-local-tls-tests.sh

@@ -39,15 +39,23 @@ mlaunch --dir "$dbdir" --binarypath "$BINDIR" --single \
   --sslCAFile spec/support/certificates/ca.crt \
   --sslClientCertificate spec/support/certificates/client.pem
 
+if echo $RVM_RUBY |grep -q jruby; then
+  # JRuby does not grok chained certificate bundles -
+  # https://github.com/jruby/jruby-openssl/issues/181
+  client_pem=client.pem
+else
+  client_pem=client-second-level-bundle.pem
+fi
+
 echo "Running specs"
 export MONGODB_URI="mongodb://localhost:27017/?tls=true&serverSelectionTimeoutMS=30000&"\
 "tlsCAFile=spec/support/certificates/ca.crt&"\
-"tlsCertificateKeyFile=spec/support/certificates/client-second-level-bundle.pem"
+"tlsCertificateKeyFile=spec/support/certificates/$client_pem"
 bundle exec rake spec:prepare
 
 export MONGODB_URI="mongodb://localhost:27017/?tls=true&"\
 "tlsCAFile=spec/support/certificates/ca.crt&"\
-"tlsCertificateKeyFile=spec/support/certificates/client-second-level-bundle.pem"
+"tlsCertificateKeyFile=spec/support/certificates/$client_pem"
 bundle exec rspec spec/mongo/socket*
 test_status=$?
 echo "TEST STATUS"

lib/mongo/socket/ssl.rb

@@ -199,16 +199,35 @@ def set_cert(context, options)
       def set_key(context, options)
         passphrase = options[:ssl_key_pass_phrase]
         if options[:ssl_key]
-          context.key = passphrase ? OpenSSL::PKey.read(File.read(options[:ssl_key]), passphrase) :
-            OpenSSL::PKey.read(File.open(options[:ssl_key]))
+          context.key = load_private_key(File.read(options[:ssl_key]), passphrase)
         elsif options[:ssl_key_string]
-          context.key = passphrase ? OpenSSL::PKey.read(options[:ssl_key_string], passphrase) :
-            OpenSSL::PKey.read(options[:ssl_key_string])
+          context.key = load_private_key(options[:ssl_key_string], passphrase)
         elsif options[:ssl_key_object]
           context.key = options[:ssl_key_object]
         end
       end
 
+      def load_private_key(text, passphrase)
+        args = if passphrase
+          [text, passphrase]
+        else
+          [text]
+        end
+        # On JRuby, PKey.read does not grok cert+key bundles.
+        # https://github.com/jruby/jruby-openssl/issues/176
+        if BSON::Environment.jruby?
+          [OpenSSL::PKey::RSA, OpenSSL::PKey::DSA].each do |cls|
+            begin
+              return cls.send(:new, *args)
+            rescue OpenSSL::PKey::PKeyError
+              # ignore
+            end
+          end
+          # Neither RSA nor DSA worked, fall through to trying PKey
+        end
+        OpenSSL::PKey.send(:read, *args)
+      end
+
       def set_cert_verification(context, options)
         context.verify_mode = OpenSSL::SSL::VERIFY_PEER
         cert_store = OpenSSL::X509::Store.new

spec/mongo/socket/ssl_spec.rb

@@ -559,9 +559,6 @@
     context 'when the client certificate uses an intermediate certificate' do
       require_local_tls
 
-      # https://github.com/jruby/jruby-openssl/issues/181
-      fails_on_jruby
-
       let(:server) do
         ClientRegistry.instance.global_client('authorized').cluster.next_primary
       end
@@ -590,6 +587,10 @@
         end
 
         context 'bundled with intermediate cert' do
+
+          # https://github.com/jruby/jruby-openssl/issues/181
+          fails_on_jruby
+
           let(:options) do
             SpecConfig.instance.test_options.merge(
               ssl: true,
@@ -631,6 +632,10 @@
         end
 
         context 'bundled with intermediate cert' do
+
+          # https://github.com/jruby/jruby-openssl/issues/181
+          fails_on_jruby
+
           let(:options) do
             SpecConfig.instance.test_options.merge(
               ssl: true,
@@ -653,6 +658,35 @@
       end
     end
 
+    context 'when client certificate and private key are bunded in a pem file' do
+      require_local_tls
+
+      let(:server) do
+        ClientRegistry.instance.global_client('authorized').cluster.next_primary
+      end
+
+      let(:connection) do
+        Mongo::Server::Connection.new(server, options)
+      end
+
+      let(:options) do
+        SpecConfig.instance.test_options.merge(
+          ssl: true,
+          ssl_cert: SpecConfig.instance.client_pem_path,
+          ssl_key: SpecConfig.instance.client_pem_path,
+          ssl_ca_cert: SpecConfig.instance.local_ca_cert_path,
+          ssl_verify: true,
+        )
+      end
+
+      it 'succeeds' do
+        connection
+        expect do
+          connection.connect!
+        end.not_to raise_error
+      end
+    end
+
     context 'when ssl_verify is not specified' do
       require_local_tls