springboot fixes

JeremiahM37 · JeremiahM37 · commit 6434f177c778 · 2026-01-26T09:16:46.000-07:00
diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java b/src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java
@@ -580,7 +580,8 @@ private synchronized int DoHandshake(boolean fromWrap) throws SSLException {
             }
 
         } catch (SocketTimeoutException | SocketException e) {
-            throw new SSLException(e);
+            throw new SSLHandshakeException(
+                "Socket error during SSL/TLS handshake: " + e.getMessage());
         }
 
         return ret;
@@ -1058,6 +1059,12 @@ private synchronized int RecvAppData(ByteBuffer[] out, int ofst, int length)
                     }
                     break;
                 default:
+                    /* Throw SSLHandshakeException if handshake not finished */
+                    if (!this.handshakeFinished) {
+                        throw new SSLHandshakeException(
+                            "SSL/TLS handshake error in read: " + ret +
+                            " , err = " + err);
+                    }
                     throw new SSLException(
                         "wolfSSL_read() error: " + ret + " , err = " + err);
             }
@@ -1393,6 +1400,14 @@ else if (ret < 0 &&
                                  * any more data */
                                 this.outBoundOpen = false;
                             }
+                            /* Throw SSLHandshakeException if handshake not
+                             * finished, otherwise throw SSLException for
+                             * post-handshake errors */
+                            if (!this.handshakeFinished) {
+                                throw new SSLHandshakeException(
+                                    "SSL/TLS handshake error, ret:err = " +
+                                    ret + " : " + err);
+                            }
                             throw new SSLException(
                                 "wolfSSL error, ret:err = " + ret + " : " +
                                 err);
diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLKeyX509.java b/src/java/com/wolfssl/provider/jsse/WolfSSLKeyX509.java
@@ -375,7 +375,18 @@ public String chooseClientAlias(String[] type, Principal[] issuers,
         for (i = 0; i < type.length; i++) {
             String[] all = getAliases(type[i], issuers);
             if (all != null) {
-                return all[0];
+                /* Find first alias that has a private key, skip cert-only
+                 * entries (trustedCertEntry) which have no private key */
+                for (String alias : all) {
+                    PrivateKey key = getPrivateKey(alias);
+                    if (key != null) {
+                        final String selectedAlias = alias;
+                        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                            () -> "chooseClientAlias() returning alias " +
+                            "with private key: " + selectedAlias);
+                        return alias;
+                    }
+                }
             }
         }
         return null;
@@ -398,7 +409,18 @@ public String chooseEngineClientAlias(String[] type, Principal[] issuers,
         for (i = 0; i < type.length; i++) {
             String[] all = getAliases(type[i], issuers);
             if (all != null) {
-                return all[0];
+                /* Find first alias that has a private key, skip cert-only
+                 * entries (trustedCertEntry) which have no private key */
+                for (String alias : all) {
+                    PrivateKey key = getPrivateKey(alias);
+                    if (key != null) {
+                        final String selectedAlias = alias;
+                        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                            () -> "chooseEngineClientAlias() returning " +
+                            "alias with private key: " + selectedAlias);
+                        return alias;
+                    }
+                }
             }
         }
         return null;
diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLTrustManager.java b/src/java/com/wolfssl/provider/jsse/WolfSSLTrustManager.java
@@ -761,9 +761,78 @@ protected void engineInit(ManagerFactoryParameters arg0)
         WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
             () -> "entered engineInit(ManagerFactoryParameters arg0)");
 
-        throw new UnsupportedOperationException(
-            "TrustManagerFactory.init(ManagerFactoryParameters) " +
-            "not supported yet");
+        /* Handle CertPathTrustManagerParameters (used by Tomcat, etc) */
+        if (arg0 instanceof javax.net.ssl.CertPathTrustManagerParameters) {
+            javax.net.ssl.CertPathTrustManagerParameters certPathParams =
+                (javax.net.ssl.CertPathTrustManagerParameters) arg0;
+            java.security.cert.CertPathParameters certPathParameters =
+                certPathParams.getParameters();
+
+            if (certPathParameters instanceof
+                    java.security.cert.PKIXParameters) {
+                java.security.cert.PKIXParameters pkixParams =
+                    (java.security.cert.PKIXParameters) certPathParameters;
+                java.util.Set<java.security.cert.TrustAnchor> anchors =
+                    pkixParams.getTrustAnchors();
+
+                try {
+                    java.security.KeyStore ks =
+                        java.security.KeyStore.getInstance(
+                            java.security.KeyStore.getDefaultType());
+                    ks.load(null, null);
+                    int count = 0;
+                    for (java.security.cert.TrustAnchor anchor : anchors) {
+                        java.security.cert.X509Certificate cert =
+                            anchor.getTrustedCert();
+                        if (cert != null) {
+                            ks.setCertificateEntry(
+                                "trustanchor-" + count, cert);
+                            count++;
+                        }
+                    }
+                    final int finalCount = count;
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                        () -> "Initialized TrustManager from " +
+                            "CertPathTrustManagerParameters with " +
+                            finalCount + " anchors");
+                    engineInit(ks);
+                    return;
+                } catch (Exception e) {
+                    throw new InvalidAlgorithmParameterException(
+                        "Failed to create KeyStore from TrustAnchors: " +
+                        e.getMessage(), e);
+                }
+            }
+        }
+
+        /* Handle KeyStoreBuilderParameters */
+        if (arg0 instanceof javax.net.ssl.KeyStoreBuilderParameters) {
+            javax.net.ssl.KeyStoreBuilderParameters ksParams =
+                (javax.net.ssl.KeyStoreBuilderParameters) arg0;
+            java.util.List<java.security.KeyStore.Builder> builders =
+                ksParams.getParameters();
+
+            if (builders != null && !builders.isEmpty()) {
+                try {
+                    /* Use the first KeyStore builder */
+                    java.security.KeyStore ks =
+                        builders.get(0).getKeyStore();
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                        () -> "Initialized TrustManager from " +
+                            "KeyStoreBuilderParameters");
+                    engineInit(ks);
+                    return;
+                } catch (Exception e) {
+                    throw new InvalidAlgorithmParameterException(
+                        "Failed to get KeyStore from Builder: " +
+                        e.getMessage(), e);
+                }
+            }
+        }
+
+        throw new InvalidAlgorithmParameterException(
+            "Unsupported ManagerFactoryParameters type: " +
+            (arg0 != null ? arg0.getClass().getName() : "null"));
     }
 
     @Override
diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLUtil.java b/src/java/com/wolfssl/provider/jsse/WolfSSLUtil.java
@@ -75,6 +75,11 @@ public WolfSSLUtil() {
     protected static String[] sanitizeProtocols(String[] protocols,
         WolfSSL.TLS_VERSION currentVersion) {
 
+        /* Return null if protocols is null, let caller handle */
+        if (protocols == null) {
+            return null;
+        }
+
         ArrayList<String> filtered = new ArrayList<String>();
 
         String disabledAlgos =
