Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issue #4385 - Limit new UnsupportedOperationException to direct SslContextFactory usage #4386

Merged
merged 6 commits into from
Dec 3, 2019
Merged

Issue #4385 - Limit new UnsupportedOperationException to direct SslContextFactory usage #4386

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
666ee4e
Issue #4385 - Remove UnsupportedOperationException in SslContextFactory
joakime Dec 2, 2019
e1d64af
Issue #4385 - Minimize impact of deprecated SNI mode on base class
joakime Dec 2, 2019
816e34b
Issue #4385 - Base Class usage now is a WARN logging event in SNI usage
joakime Dec 2, 2019
5b1f9d5
Issue #4385 - Client no longer needs override.
joakime Dec 2, 2019
65738e7
Issue #4385 - Fixing client testcase assertion
joakime Dec 2, 2019
d1376c7
Issue #4385 - Correcting exception variable name.
joakime Dec 2, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 11 additions & 4 deletions jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1249,10 +1249,17 @@ protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
// Is SNI needed to select a certificate?
if (!_certWilds.isEmpty() || _certHosts.size() > 1 || (_certHosts.size() == 1 && _aliasX509.size() > 1))
{
for (int idx = 0; idx < managers.length; idx++)
if (this instanceof SslContextFactory.Server)
{
if (managers[idx] instanceof X509ExtendedKeyManager)
managers[idx] = newSniX509ExtendedKeyManager((X509ExtendedKeyManager)managers[idx]);
for (int idx = 0; idx < managers.length; idx++)
{
if (managers[idx] instanceof X509ExtendedKeyManager)
managers[idx] = newSniX509ExtendedKeyManager((X509ExtendedKeyManager)managers[idx]);
}
}
else
{
LOG.warn("Unable to support SNI on {} (expecting {})", this.getClass().getName(), SslContextFactory.Server.class.getName());
}
}
}
Expand All @@ -1270,7 +1277,7 @@ protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
@Deprecated
protected X509ExtendedKeyManager newSniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager)
{
throw new UnsupportedOperationException("X509ExtendedKeyManager only supported on Server");
throw new UnsupportedOperationException("X509ExtendedKeyManager only supported on " + SslContextFactory.Server.class.getName());
}

protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
Expand Down
20 changes: 17 additions & 3 deletions jetty-util/src/test/java/org/eclipse/jetty/util/ssl/X509Test.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,13 @@

package org.eclipse.jetty.util.ssl;

import java.nio.file.Path;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.X509ExtendedKeyManager;

import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.eclipse.jetty.util.resource.PathResource;
import org.eclipse.jetty.util.resource.Resource;
import org.junit.jupiter.api.Test;

Expand Down Expand Up @@ -162,16 +165,27 @@ public void testSniX509ExtendedKeyManager_BaseClass() throws Exception
SslContextFactory baseSsl = new SslContextFactory();
X509ExtendedKeyManager x509ExtendedKeyManager = getX509ExtendedKeyManager(baseSsl);
UnsupportedOperationException npe = assertThrows(UnsupportedOperationException.class, () -> baseSsl.newSniX509ExtendedKeyManager(x509ExtendedKeyManager));
assertThat("UnsupportedOperationException.message", npe.getMessage(), containsString("X509ExtendedKeyManager only supported on Server"));
assertThat("UnsupportedOperationException.message", npe.getMessage(), containsString("X509ExtendedKeyManager only supported on " + SslContextFactory.Server.class.getName()));
}

@Test
public void testSniX509ExtendedKeyManager_BaseClass_Start() throws Exception
{
SslContextFactory baseSsl = new SslContextFactory();
Path keystorePath = MavenTestingUtils.getTestResourcePathFile("keystore_sni.p12");
baseSsl.setKeyStoreResource(new PathResource(keystorePath));
baseSsl.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
baseSsl.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
baseSsl.start(); // should not throw an exception
}

@Test
public void testSniX509ExtendedKeyManager_ClientClass() throws Exception
{
SslContextFactory clientSsl = new SslContextFactory.Client();
X509ExtendedKeyManager x509ExtendedKeyManager = getX509ExtendedKeyManager(clientSsl);
UnsupportedOperationException re = assertThrows(UnsupportedOperationException.class, () -> clientSsl.newSniX509ExtendedKeyManager(x509ExtendedKeyManager));
assertThat("UnsupportedOperationException.message", re.getMessage(), containsString("X509ExtendedKeyManager only supported on Server"));
X509ExtendedKeyManager sniX509ExtendedKeyManager = clientSsl.newSniX509ExtendedKeyManager(x509ExtendedKeyManager);
assertThat("SNI X509 ExtendedKeyManager is undefined in Client mode", sniX509ExtendedKeyManager, is(x509ExtendedKeyManager));
}

@Test
Expand Down
Binary file added jetty-util/src/test/resources/keystore_sni.p12
View file
Open in desktop
Binary file not shown.