tmp4

Use X509ExtendedTrustManager to avoid JDK AlgorithmChecker constraints
Netty 4.2.15 fixed CVE-2026-50010 by removing the silent wrapping of plain X509TrustManager in X509ExtendedTrustManager. When a plain X509TrustManager is used, the JDK wraps it in AbstractTrustManagerWrapper and runs TrustManagerImpl.checkTrusted() with AlgorithmChecker before calling the custom trust manager. This caused client certificates signed with SHA3-512withECDSA to be rejected even though they are not explicitly blacklisted in java.security, because the JDK's internal PKIX validator applies stricter constraints. By making our custom trust managers implement X509ExtendedTrustManager directly, the JDK calls the 3-arg methods directly and bypasses its internal TrustManagerImpl, restoring the pre-4.2.15 behavior where only our custom PKIX validation runs. Files changed: - rbcs-common/RBCS.kt: getTrustManager() returns X509ExtendedTrustManager - rbcs-client/RemoteBuildCacheClient.kt: trust-all manager uses X509ExtendedTrustManager
2026-06-12 08:46:27 +08:00 · 2026-06-12 08:38:26 +08:00 · 2026-06-12 07:46:06 +08:00 · 2026-06-12 07:14:39 +08:00 · 2026-06-09 22:32:40 +08:00
13 changed files with 1101 additions and 30 deletions
@@ -4,8 +4,6 @@
 # Ignore Gradle build output directory
 build

-rbcs-cli/native-image/*.json
-
 # Ignore JDTLS files
 .classpath
 .project
@@ -50,6 +50,7 @@ COPY --from=base-native /etc/rbcs /etc/rbcs
 COPY --from=base-native /var/lib/rbcs /var/lib/rbcs
 COPY --from=base-native /var/tmp/rbcs /var/tmp/rbcs
 ADD rbcs-cli.upx /usr/bin/rbcs-cli
+ADD logback.xml /etc/rbcs/logback.xml
 USER rbcs
 WORKDIR /var/lib/rbcs
 ENV RBCS_CONFIGURATION_DIR="/etc/rbcs"
@@ -2,9 +2,9 @@ org.gradle.configuration-cache=false
 org.gradle.parallel=true
 org.gradle.caching=true

-rbcs.version = 0.5.0
+rbcs.version = 0.5.1

-lys.version = 2026.05.27
+lys.version = 2026.06.08

 gitea.maven.url = https://gitea.woggioni.net/api/packages/woggioni/maven
 docker.registry.url=gitea.woggioni.net
@@ -90,7 +90,7 @@ Provider<EnvelopeJarTask> envelopeJarTaskProvider = tasks.named(EnvelopePlugin.E
 tasks.named(NativeImagePlugin.CONFIGURE_NATIVE_IMAGE_TASK_NAME, NativeImageConfigurationTask) {
    toolchain {
        languageVersion = JavaLanguageVersion.of(25)
-        vendor = JvmVendorSpec.GRAAL_VM
+        vendor = JvmVendorSpec.ORACLE
    }
    mainClass = "net.woggioni.rbcs.cli.graal.GraalNativeImageConfiguration"
    classpath = project.files(
@@ -108,10 +108,10 @@ tasks.named(NativeImagePlugin.CONFIGURE_NATIVE_IMAGE_TASK_NAME, NativeImageConfi
 nativeImage {
    toolchain {
        languageVersion = JavaLanguageVersion.of(25)
-        vendor = JvmVendorSpec.GRAAL_VM
+        vendor = JvmVendorSpec.ORACLE
    }
    mainClass = mainClassName
-//    mainModule = mainModuleName
+    //mainModule = mainModuleName
    useMusl = true
    buildStaticImage = true
    linkAtBuildTime = false
@@ -119,6 +119,7 @@ nativeImage {
    compressExecutable = true
    compressionLevel = 6
    useLZMA = false
+    //verbose = true
 }

 Provider<UpxTask> upxTaskProvider = tasks.named(NativeImagePlugin.UPX_TASK_NAME, UpxTask) {
@@ -127,7 +128,7 @@ Provider<UpxTask> upxTaskProvider = tasks.named(NativeImagePlugin.UPX_TASK_NAME,
 Provider<JlinkTask> jlinkTaskProvider = tasks.named(JlinkPlugin.JLINK_TASK_NAME, JlinkTask) {
    toolchain {
        languageVersion = JavaLanguageVersion.of(25)
-        vendor = JvmVendorSpec.GRAAL_VM
+        vendor = JvmVendorSpec.ORACLE
    }

    mainClass = mainClassName
@@ -152,7 +153,6 @@ Provider<JlinkTask> jlinkTaskProvider = tasks.named(JlinkPlugin.JLINK_TASK_NAME,
 }

 Provider<Tar> jlinkDistTarTaskProvider = tasks.named(JlinkPlugin.JLINK_DIST_TAR_TASK_NAME, Tar) {
-    exclude 'lib/libjvmcicompiler.so'
 }

 tasks.named(JavaPlugin.PROCESS_RESOURCES_TASK_NAME, ProcessResources) {
@@ -1,2 +1,11 @@
-Args=-O3 -march=x86-64-v2 --gc=serial --initialize-at-run-time=io.netty --enable-url-protocols=jpms -H:+UnlockExperimentalVMOptions -H:+SharedArenaSupport --initialize-at-build-time=net.woggioni.rbcs.common.RbcsUrlStreamHandlerFactory,net.woggioni.rbcs.common.RbcsUrlStreamHandlerFactory$JpmsHandler
+Args=-O3 \
+   -march=x86-64-v3 \
+   --gc=serial \
+   --enable-url-protocols=jpms \
+   --pgo=conf/default.iprof \
+   --initialize-at-run-time=io.netty \
+   --initialize-at-build-time=net.woggioni.rbcs.common.RbcsUrlStreamHandlerFactory,net.woggioni.rbcs.common.RbcsUrlStreamHandlerFactory$JpmsHandler \
+   --trace-object-instantiation=ch.qos.logback.classic.Logger \
+   -H:+UnlockExperimentalVMOptions \
+   -H:+SharedArenaSupport
 #-H:TraceClassInitialization=io.netty.handler.ssl.BouncyCastleAlpnSslUtils
@@ -10,6 +10,7 @@ import java.util.concurrent.TimeUnit
 import java.util.concurrent.TimeoutException
 import java.util.concurrent.atomic.AtomicInteger
 import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.X509ExtendedTrustManager
 import javax.net.ssl.X509TrustManager
 import kotlin.random.Random
 import io.netty.util.concurrent.Future as NettyFuture
@@ -74,13 +75,25 @@ class RemoteBuildCacheClient(private val profile: Configuration.Profile) : AutoC
                    )
                    profile.tlsTruststore?.let { trustStore ->
                        if (!trustStore.verifyServerCertificate) {
-                            trustManager(object : X509TrustManager {
+                            trustManager(object : X509ExtendedTrustManager() {
                                override fun checkClientTrusted(certChain: Array<out X509Certificate>, p1: String?) {
                                }

+                                override fun checkClientTrusted(certChain: Array<out X509Certificate>, p1: String?, socket: java.net.Socket) {
+                                }
+
+                                override fun checkClientTrusted(certChain: Array<out X509Certificate>, p1: String?, engine: javax.net.ssl.SSLEngine) {
+                                }
+
                                override fun checkServerTrusted(certChain: Array<out X509Certificate>, p1: String?) {
                                }

+                                override fun checkServerTrusted(certChain: Array<out X509Certificate>, p1: String?, socket: java.net.Socket) {
+                                }
+
+                                override fun checkServerTrusted(certChain: Array<out X509Certificate>, p1: String?, engine: javax.net.ssl.SSLEngine) {
+                                }
+
                                override fun getAcceptedIssuers() = null
                            })
                        } else {
@@ -19,6 +19,7 @@ import java.security.cert.X509Certificate
 import java.util.EnumSet
 import java.util.ServiceLoader
 import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.X509ExtendedTrustManager
 import javax.net.ssl.X509TrustManager
 import net.woggioni.jwo.JWO
 import net.woggioni.jwo.Tuple2
@@ -124,7 +125,7 @@ object RBCS {
        return keystore
    }

-    fun getTrustManager(trustStore: KeyStore?, certificateRevocationEnabled: Boolean): X509TrustManager {
+    fun getTrustManager(trustStore: KeyStore?, certificateRevocationEnabled: Boolean): X509ExtendedTrustManager {
        return if (trustStore != null) {
            val certificateFactory = CertificateFactory.getInstance("X.509")
            val validator = CertPathValidator.getInstance("PKIX").apply {
@@ -136,7 +137,7 @@ object RBCS {
            val params = PKIXParameters(trustStore).apply {
                isRevocationEnabled = certificateRevocationEnabled
            }
-            object : X509TrustManager {
+            object : X509ExtendedTrustManager() {
                override fun checkClientTrusted(chain: Array<out X509Certificate>, authType: String) {
                    val clientCertificateChain = certificateFactory.generateCertPath(chain.toList())
                    try {
@@ -146,10 +147,26 @@ object RBCS {
                    }
                }

+                override fun checkClientTrusted(chain: Array<out X509Certificate>, authType: String, socket: java.net.Socket) {
+                    checkClientTrusted(chain, authType)
+                }
+
+                override fun checkClientTrusted(chain: Array<out X509Certificate>, authType: String, engine: javax.net.ssl.SSLEngine) {
+                    checkClientTrusted(chain, authType)
+                }
+
                override fun checkServerTrusted(chain: Array<out X509Certificate>, authType: String) {
                    throw NotImplementedError()
                }

+                override fun checkServerTrusted(chain: Array<out X509Certificate>, authType: String, socket: java.net.Socket) {
+                    checkServerTrusted(chain, authType)
+                }
+
+                override fun checkServerTrusted(chain: Array<out X509Certificate>, authType: String, engine: javax.net.ssl.SSLEngine) {
+                    checkServerTrusted(chain, authType)
+                }
+
                private val acceptedIssuers = trustStore.aliases().asSequence()
                    .filter(trustStore::isCertificateEntry)
                    .map(trustStore::getCertificate)
@@ -161,8 +178,8 @@ object RBCS {
            }
        } else {
            val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
-            trustManagerFactory.trustManagers.asSequence().filter { it is X509TrustManager }
-                .single() as X509TrustManager
+            trustManagerFactory.trustManagers.asSequence().filter { it is X509ExtendedTrustManager }
+                .single() as X509ExtendedTrustManager
        }
    }

@@ -188,7 +188,7 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
                ?: return anonymousUserGroups?.let { AuthenticationResult(null, it) }
            val ldapName = try {
                LdapName(subjectDn)
-            } catch (e: Exception) {
+            } catch (_: Exception) {
                log.debug(ctx) {
                    "Invalid subject DN in header $headerName: $subjectDn"
                }
@@ -354,7 +354,7 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
                    }?.let {
                        pattern.matcher(it.value.toString())
                    }?.takeIf(Matcher::matches)?.group(1)
-                    cfg.users[userName] ?: throw java.lang.RuntimeException("Failed to extract user")
+                    cfg.users[userName] ?: throw RuntimeException("Failed to extract user")
                }
            }

@@ -368,7 +368,7 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
                    }?.let {
                        pattern.matcher(it.value.toString())
                    }?.takeIf(Matcher::matches)?.group(1)
-                    cfg.groups[groupName] ?: throw java.lang.RuntimeException("Failed to extract group")
+                    cfg.groups[groupName] ?: throw RuntimeException("Failed to extract group")
                }
            }

@@ -344,14 +344,14 @@ object Parser {
                        roles = parseRoles(child)
                    }
                    "group-quota" -> {
-                        userQuota = parseQuota(child)
+                        groupQuota = parseQuota(child)
                    }
                    "user-quota" -> {
-                        groupQuota = parseQuota(child)
+                        userQuota = parseQuota(child)
                    }
                }
            }
-            groupName to Group(groupName, roles, userQuota, groupQuota)
+            groupName to Group(groupName, roles, groupQuota, userQuota)
        }.toMap()
        val users = knownUsersMap.map { (name, user) ->
            name to User(name, user.password, userGroups[name]?.mapNotNull { groups[it] }?.toSet() ?: emptySet(), user.quota)
@@ -23,23 +23,21 @@ class ProxyProtocolHandler(private val trustedProxyIPs : List<Cidr>) : SimpleCha
    ) {
        val sourceAddress = ctx.channel().remoteAddress()
        if (sourceAddress is InetSocketAddress &&
-            trustedProxyIPs.isEmpty() ||
-            trustedProxyIPs.any { it.contains((sourceAddress as InetSocketAddress).address) }.also {
-                if(!it && log.isTraceEnabled) {
+            (trustedProxyIPs.isEmpty() ||
+            trustedProxyIPs.any { it.contains(sourceAddress.address) }.also {
+                if(!it) {
                    log.trace {
                        "Received a proxied connection request from $sourceAddress which is not a trusted proxy address, " +
                                "the proxy server address will be used instead"
                    }
                }
-            }) {
+            })) {
            val proxiedClientAddress = InetSocketAddress(
                InetAddress.ofLiteral(msg.sourceAddress()),
                msg.sourcePort()
            )
-            if(log.isTraceEnabled) {
-                log.trace {
-                    "Received proxied connection request from $sourceAddress forwarded for $proxiedClientAddress"
-                }
+            log.trace {
+                "Received proxied connection request from $sourceAddress forwarded for $proxiedClientAddress"
            }
            ctx.channel().attr(RemoteBuildCacheServer.clientIp).set(proxiedClientAddress)
        }
@@ -171,7 +171,6 @@ class ServerHandler(private val serverPrefix: Path, private val cacheHandlerSupp
                ctx.pipeline().addBefore(ExceptionHandler.NAME, null, cacheHandler)
                key.let(::CacheGetRequest)
                    .let(ctx::fireChannelRead)
-                    ?: ctx.channel().write(CacheValueNotFoundResponse(key))
            } else {
                cacheRequestInProgress = false
                log.warn(ctx) {
Author	SHA1	Message	Date
woggioni	976ee1ac88	tmp4 CI / build (push) Successful in 3m31s Details	2026-06-12 08:46:27 +08:00
opencode	7dc12a37e4	Use X509ExtendedTrustManager to avoid JDK AlgorithmChecker constraints Netty 4.2.15 fixed CVE-2026-50010 by removing the silent wrapping of plain X509TrustManager in X509ExtendedTrustManager. When a plain X509TrustManager is used, the JDK wraps it in AbstractTrustManagerWrapper and runs TrustManagerImpl.checkTrusted() with AlgorithmChecker before calling the custom trust manager. This caused client certificates signed with SHA3-512withECDSA to be rejected even though they are not explicitly blacklisted in java.security, because the JDK's internal PKIX validator applies stricter constraints. By making our custom trust managers implement X509ExtendedTrustManager directly, the JDK calls the 3-arg methods directly and bypasses its internal TrustManagerImpl, restoring the pre-4.2.15 behavior where only our custom PKIX validation runs. Files changed: - rbcs-common/RBCS.kt: getTrustManager() returns X509ExtendedTrustManager - rbcs-client/RemoteBuildCacheClient.kt: trust-all manager uses X509ExtendedTrustManager	2026-06-12 08:38:26 +08:00
woggioni	6b798f3046	tmp3 CI / build (push) Successful in 5m50s Details	2026-06-12 07:46:06 +08:00
woggioni	4037ac9ddc	tmp CI / build (push) Successful in 3m15s Details	2026-06-12 07:14:39 +08:00
woggioni	b4a97845ca	tmp CI / build (push) Failing after 1m26s Details	2026-06-09 22:32:40 +08:00