Merge pull request wolfSSL#310 from JeremiahM37/netty-fixes

springboot and netty wolfjsse fixes

Author: cconlon

src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java

@@ -580,7 +580,10 @@ private synchronized int DoHandshake(boolean fromWrap) throws SSLException {
             }
 
         } catch (SocketTimeoutException | SocketException e) {
-            throw new SSLException(e);
+            SSLHandshakeException hsException = new SSLHandshakeException(
+                "Socket error during SSL/TLS handshake: " + e.getMessage());
+            hsException.initCause(e);
+            throw hsException;
         }
 
         return ret;
@@ -1058,6 +1061,12 @@ private synchronized int RecvAppData(ByteBuffer[] out, int ofst, int length)
                     }
                     break;
                 default:
+                    /* Throw SSLHandshakeException if handshake not finished */
+                    if (!this.handshakeFinished) {
+                        throw new SSLHandshakeException(
+                            "SSL/TLS handshake error in read: " + ret +
+                            " , err = " + err);
+                    }
                     throw new SSLException(
                         "wolfSSL_read() error: " + ret + " , err = " + err);
             }
@@ -1393,6 +1402,14 @@ else if (ret < 0 &&
                                  * any more data */
                                 this.outBoundOpen = false;
                             }
+                            /* Throw SSLHandshakeException if handshake not
+                             * finished, otherwise throw SSLException for
+                             * post-handshake errors */
+                            if (!this.handshakeFinished) {
+                                throw new SSLHandshakeException(
+                                    "SSL/TLS handshake error, ret:err = " +
+                                    ret + " : " + err);
+                            }
                             throw new SSLException(
                                 "wolfSSL error, ret:err = " + ret + " : " +
                                 err);

src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java

@@ -1349,6 +1349,11 @@ private void initHandshakeInternal(SSLSocket socket, SSLEngine engine)
             else {
                 this.session.setSessionContext(authStore.getServerContext());
                 this.session.setSide(WolfSSL.WOLFSSL_SERVER_END);
+                /* Track client auth state for getPeerCertificates() */
+                boolean clientAuthRequested =
+                    this.params.getNeedClientAuth() ||
+                    this.params.getWantClientAuth();
+                this.session.setClientAuthRequested(clientAuthRequested);
             }
 
             if (this.sessionCreation == false && !this.session.isFromTable) {

src/java/com/wolfssl/provider/jsse/WolfSSLImplementSSLSession.java

@@ -73,6 +73,9 @@ public class WolfSSLImplementSSLSession extends ExtendedSSLSession {
     byte[] pseudoSessionID = null; /* used with TLS 1.3*/
     private int side = 0;
 
+    /* Track if client auth was requested, for getPeerCertificates() behavior */
+    private volatile boolean clientAuthRequested = false;
+
     /* Cache peer certificates after received. Applications assume that
      * SSLSocket.getSession().getPeerCertificates() will return the peer
      * certificate even on a resumed connection where the cert has not been
@@ -260,6 +263,7 @@ public WolfSSLImplementSSLSession (WolfSSLImplementSSLSession orig) {
             this.pseudoSessionID = orig.pseudoSessionID.clone();
         }
         this.side = orig.side;
+        this.clientAuthRequested = orig.clientAuthRequested;
         if (orig.peerCerts != null) {
             this.peerCerts = orig.peerCerts.clone();
         }
@@ -519,6 +523,15 @@ public synchronized Certificate[] getPeerCertificates()
                 "SSLSocket/Engine closed");
         }
 
+        /* Throw if server side with no client auth requested */
+        if (this.side == WolfSSL.WOLFSSL_SERVER_END &&
+            !this.clientAuthRequested) {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                () -> "Server side, no client auth, throwing exception");
+            throw new SSLPeerUnverifiedException(
+                "peer not authenticated (no client auth requested)");
+        }
+
         try {
             x509 = this.ssl.getPeerCertificate();
         } catch (IllegalStateException | WolfSSLJNIException ex) {
@@ -605,8 +618,8 @@ public Certificate[] getLocalCertificates() {
     }
 
     @Override
-    public synchronized javax.security.cert.X509Certificate[] getPeerCertificateChain()
-        throws SSLPeerUnverifiedException {
+    public synchronized javax.security.cert.X509Certificate[]
+        getPeerCertificateChain() throws SSLPeerUnverifiedException {
 
         long peerX509 = 0;
         WolfSSLX509X x509;
@@ -615,10 +628,17 @@ public synchronized javax.security.cert.X509Certificate[] getPeerCertificateChai
             throw new SSLPeerUnverifiedException("handshake not done");
         }
 
+        /* Throw if server side with no client auth requested */
+        if (this.side == WolfSSL.WOLFSSL_SERVER_END &&
+            !this.clientAuthRequested) {
+            throw new SSLPeerUnverifiedException(
+                "peer not authenticated (no client auth requested)");
+        }
+
         try {
             peerX509 = this.ssl.getPeerCertificate();
             if (peerX509 == 0) {
-                return null;
+                throw new SSLPeerUnverifiedException("No peer certificate");
             }
 
             /* wolfSSL starting with 5.3.0 returns a new WOLFSSL_X509
@@ -657,10 +677,17 @@ public synchronized Principal getPeerPrincipal()
             throw new SSLPeerUnverifiedException("handshake not done");
         }
 
+        /* Throw if server side with no client auth requested */
+        if (this.side == WolfSSL.WOLFSSL_SERVER_END &&
+            !this.clientAuthRequested) {
+            throw new SSLPeerUnverifiedException(
+                "peer not authenticated (no client auth requested)");
+        }
+
         try {
             peerX509 = this.ssl.getPeerCertificate();
             if (peerX509 == 0) {
-                return null;
+                throw new SSLPeerUnverifiedException("No peer certificate");
             }
 
             /* wolfSSL starting with 5.3.0 returns a new WOLFSSL_X509
@@ -1039,6 +1066,16 @@ protected int getSide() {
         return this.side;
     }
 
+    /**
+     * Set whether client auth was requested.
+     * Used for getPeerCertificates() behavior.
+     *
+     * @param requested true if client auth was requested, false otherwise
+     */
+    protected void setClientAuthRequested(boolean requested) {
+        this.clientAuthRequested = requested;
+    }
+
     /**
      * Return the side session is on (server/client) as a String
      * @return "client" or "server" representing the side of this session

src/java/com/wolfssl/provider/jsse/WolfSSLKeyX509.java

@@ -375,7 +375,18 @@ public String chooseClientAlias(String[] type, Principal[] issuers,
         for (i = 0; i < type.length; i++) {
             String[] all = getAliases(type[i], issuers);
             if (all != null) {
-                return all[0];
+                /* Find first alias that has a private key, skip cert-only
+                 * entries (trustedCertEntry) which have no private key */
+                for (String alias : all) {
+                    PrivateKey key = getPrivateKey(alias);
+                    if (key != null) {
+                        final String selectedAlias = alias;
+                        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                            () -> "chooseClientAlias() returning alias " +
+                            "with private key: " + selectedAlias);
+                        return alias;
+                    }
+                }
             }
         }
         return null;
@@ -398,7 +409,18 @@ public String chooseEngineClientAlias(String[] type, Principal[] issuers,
         for (i = 0; i < type.length; i++) {
             String[] all = getAliases(type[i], issuers);
             if (all != null) {
-                return all[0];
+                /* Find first alias that has a private key, skip cert-only
+                 * entries (trustedCertEntry) which have no private key */
+                for (String alias : all) {
+                    PrivateKey key = getPrivateKey(alias);
+                    if (key != null) {
+                        final String selectedAlias = alias;
+                        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                            () -> "chooseEngineClientAlias() returning " +
+                            "alias with private key: " + selectedAlias);
+                        return alias;
+                    }
+                }
             }
         }
         return null;

src/java/com/wolfssl/provider/jsse/WolfSSLTrustManager.java

@@ -34,9 +34,17 @@
 import java.security.cert.CertificateException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
+import javax.net.ssl.CertPathTrustManagerParameters;
+import javax.net.ssl.KeyStoreBuilderParameters;
 import javax.net.ssl.ManagerFactoryParameters;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactorySpi;
+import java.security.cert.CertPathParameters;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Set;
 import com.wolfssl.WolfSSL;
 import com.wolfssl.WolfSSLDebug;
 import com.wolfssl.WolfSSLCertificate;
@@ -761,9 +769,72 @@ protected void engineInit(ManagerFactoryParameters arg0)
         WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
             () -> "entered engineInit(ManagerFactoryParameters arg0)");
 
-        throw new UnsupportedOperationException(
-            "TrustManagerFactory.init(ManagerFactoryParameters) " +
-            "not supported yet");
+        /* Handle CertPathTrustManagerParameters */
+        if (arg0 instanceof CertPathTrustManagerParameters) {
+            CertPathTrustManagerParameters certPathParams =
+                (CertPathTrustManagerParameters) arg0;
+            CertPathParameters certPathParameters =
+                certPathParams.getParameters();
+
+            if (certPathParameters instanceof PKIXParameters) {
+                PKIXParameters pkixParams =
+                    (PKIXParameters) certPathParameters;
+                Set<TrustAnchor> anchors = pkixParams.getTrustAnchors();
+
+                try {
+                    KeyStore ks =
+                        KeyStore.getInstance(KeyStore.getDefaultType());
+                    ks.load(null, null);
+                    int count = 0;
+                    for (TrustAnchor anchor : anchors) {
+                        X509Certificate cert = anchor.getTrustedCert();
+                        if (cert != null) {
+                            ks.setCertificateEntry(
+                                "trustanchor-" + count, cert);
+                            count++;
+                        }
+                    }
+                    final int finalCount = count;
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                        () -> "Initialized TrustManager from " +
+                            "CertPathTrustManagerParameters with " +
+                            finalCount + " anchors");
+                    engineInit(ks);
+                    return;
+                } catch (Exception e) {
+                    throw new InvalidAlgorithmParameterException(
+                        "Failed to create KeyStore from TrustAnchors: " +
+                        e.getMessage(), e);
+                }
+            }
+        }
+
+        /* Handle KeyStoreBuilderParameters */
+        if (arg0 instanceof KeyStoreBuilderParameters) {
+            KeyStoreBuilderParameters ksParams =
+                (KeyStoreBuilderParameters) arg0;
+            List<KeyStore.Builder> builders = ksParams.getParameters();
+
+            if (builders != null && !builders.isEmpty()) {
+                try {
+                    /* Use the first KeyStore builder */
+                    KeyStore ks = builders.get(0).getKeyStore();
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                        () -> "Initialized TrustManager from " +
+                            "KeyStoreBuilderParameters");
+                    engineInit(ks);
+                    return;
+                } catch (Exception e) {
+                    throw new InvalidAlgorithmParameterException(
+                        "Failed to get KeyStore from Builder: " +
+                        e.getMessage(), e);
+                }
+            }
+        }
+
+        throw new InvalidAlgorithmParameterException(
+            "Unsupported ManagerFactoryParameters type: " +
+            (arg0 != null ? arg0.getClass().getName() : "null"));
     }
 
     @Override

src/java/com/wolfssl/provider/jsse/WolfSSLUtil.java

@@ -75,6 +75,11 @@ public WolfSSLUtil() {
     protected static String[] sanitizeProtocols(String[] protocols,
         WolfSSL.TLS_VERSION currentVersion) {
 
+        /* Return null if protocols is null, let caller handle */
+        if (protocols == null) {
+            return null;
+        }
+
         ArrayList<String> filtered = new ArrayList<String>();
 
         String disabledAlgos =

src/test/com/wolfssl/provider/jsse/test/WolfSSLContextTest.java

@@ -56,6 +56,8 @@
 import com.wolfssl.WolfSSL;
 import com.wolfssl.provider.jsse.WolfSSLProvider;
 
+import java.lang.reflect.Method;
+
 public class WolfSSLContextTest {
 
     private static WolfSSLTestFactory tf;
@@ -965,5 +967,36 @@ public void testWolfJSSEEnabledCipherSuites()
 
         System.out.println("\t... passed");
     }
+
+    @Test
+    public void testSanitizeProtocolsNullInput() {
+
+        System.out.print("\tTesting sanitizeProtocols(null)");
+
+        try {
+            Class<?> utilClass = Class.forName(
+                "com.wolfssl.provider.jsse.WolfSSLUtil");
+            Method sanitizeMethod = utilClass.getDeclaredMethod(
+                "sanitizeProtocols",
+                String[].class,
+                WolfSSL.TLS_VERSION.class);
+            sanitizeMethod.setAccessible(true);
+
+            String[] result = (String[]) sanitizeMethod.invoke(
+                null, (String[]) null, WolfSSL.TLS_VERSION.TLSv1_2);
+
+            if (result != null) {
+                System.out.println("\t... failed");
+                fail("sanitizeProtocols(null) should return null");
+                return;
+            }
+
+            System.out.println("\t\t... passed");
+
+        } catch (Exception e) {
+            System.out.println("\t... failed");
+            fail("Exception during sanitizeProtocols test: " + e.getMessage());
+        }
+    }
 }