wolfJSSE fixes for FIPS test coverage

Author: JeremiahM37

src/java/com/wolfssl/WolfSSLCertManager.java

@@ -179,7 +179,8 @@ public synchronized int CertManagerLoadCAKeyStore(KeyStore ks)
                     cert = (X509Certificate) ks.getCertificate(name);
                 }
 
-                if (cert != null && cert.getBasicConstraints() >= 0) {
+                if (cert != null && (cert.getBasicConstraints() >= 0 ||
+                        WolfSSL.trustPeerCertEnabled())) {
                     ret = CertManagerLoadCABuffer(cert.getEncoded(),
                             cert.getEncoded().length,
                             WolfSSL.SSL_FILETYPE_ASN1);

src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java

@@ -331,8 +331,9 @@ protected WolfSSLImplementSSLSession getSession(
             return null;
         }
 
-        /* Return new session if in server mode, or if host is null */
-        if (!clientMode || host == null) {
+        /* Return new session if in server mode, host is null, or port is
+         * unknown (-1). Netty uses SSLEngine(host, -1) as a valid JSSE hint. */
+        if (!clientMode || host == null || port < 0) {
             return this.getSession(ssl, clientMode, host, port);
         }
 
@@ -762,10 +763,16 @@ protected void updateTimeouts(int in, int side) {
 
                     }
 
-                    if (in > 0 && diff > in) {
+                    if (in > 0 && diff >= in) {
+                        current.invalidate();
+                    }
+                    try {
+                        current.setNativeTimeout(in);
+                    } catch (IllegalStateException e) {
+                        /* Native WolfSSLSession has been freed,
+                         * invalidate this session entry */
                         current.invalidate();
                     }
-                    current.setNativeTimeout(in);
                 }
             }
         }
@@ -803,4 +810,3 @@ protected synchronized void finalize() throws Throwable {
         super.finalize();
     }
 }
-

src/java/com/wolfssl/provider/jsse/WolfSSLContext.java

@@ -488,7 +488,7 @@ protected SSLEngine engineCreateSSLEngine()
         try {
             return new WolfSSLEngine(this.ctx, this.authStore, this.params);
         } catch (WolfSSLException ex) {
-            throw new IllegalStateException("Unable to create engine");
+            throw new IllegalStateException("Unable to create engine", ex);
         }
     }
 
@@ -516,7 +516,7 @@ protected SSLEngine engineCreateSSLEngine(String host, int port)
             return new WolfSSLEngine(this.ctx, this.authStore, this.params,
                 host, port);
         } catch (WolfSSLException ex) {
-            throw new IllegalStateException("Unable to create engine");
+            throw new IllegalStateException("Unable to create engine", ex);
         }
     }
 

src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java

@@ -161,7 +161,9 @@ protected WolfSSLEngineHelper(WolfSSLSession ssl, WolfSSLAuthStore store,
             WolfSSLParameters params, int port, String hostname)
             throws WolfSSLException {
 
-        if (params == null || ssl == null || store == null || port < 0) {
+        /* SSLEngine(host, -1) is valid in JSSE/Netty and uses -1 as an
+         * unknown port hint. Only reject ports below -1. */
+        if (params == null || ssl == null || store == null || port < -1) {
             throw new WolfSSLException("Bad argument");
         }
 
@@ -192,7 +194,7 @@ protected WolfSSLEngineHelper(WolfSSLSession ssl, WolfSSLAuthStore store,
             throws WolfSSLException {
 
         if (params == null || ssl == null || store == null ||
-                peerAddr == null || port < 0) {
+                peerAddr == null || port < -1) {
             throw new WolfSSLException("Bad argument");
         }
 
@@ -475,6 +477,19 @@ protected synchronized WolfSSLImplementSSLSession getSession() {
         return this.session;
     }
 
+    /**
+     * Get the last exception from TrustManager certificate verification.
+     * Delegates to the internal verify callback if available.
+     *
+     * @return Exception from last failed verification, or null
+     */
+    protected synchronized Exception getLastVerifyException() {
+        if (this.wicb != null) {
+            return this.wicb.getVerifyException();
+        }
+        return null;
+    }
+
     /**
      * Get all supported cipher suites in native wolfSSL library, which
      * are also allowed by "wolfjsse.enabledCipherSuites" system Security
@@ -870,7 +885,7 @@ private void setLocalAuth(SSLSocket socket, SSLEngine engine) {
             WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
                 () -> "Using checkClientTrusted/ServerTrusted() " +
                 "for verification");
-            this.verifyMask = WolfSSL.SSL_VERIFY_PEER;
+            this.verifyMask = mask;
         }
 
         this.ssl.setVerify(this.verifyMask, wicb);
@@ -916,7 +931,7 @@ private static boolean checkBooleanProperty(String prop,
      * name depending on what createSocket() API the user has called and with
      * what String.
      */
-    private void setLocalServerNames() {
+    private void setLocalServerNames(SSLEngine engine) {
         boolean autoSNI = this.wolfjsseAutoSni;
 
         /* Detect HttpsURLConnection usage by checking:
@@ -931,9 +946,16 @@ private void setLocalServerNames() {
                 this.peerAddr != null &&
                 this.params.getServerNames() == null;
 
-        /* Enable SNI if explicitly requested via property or if
-         * HttpsURLConnection is detected */
-        autoSNI = autoSNI || isHttpsConnection;
+        /* SSLEngine(host, port) should send SNI by default if no explicit
+         * server names were configured and SNI extension is enabled. */
+        boolean isEngineConnectionWithHost = this.clientMode &&
+                engine != null &&
+                this.hostname != null &&
+                this.params.getServerNames() == null;
+
+        /* Enable SNI if explicitly requested via property, if
+         * HttpsURLConnection is detected, or for SSLEngine(host, port). */
+        autoSNI = autoSNI || isHttpsConnection || isEngineConnectionWithHost;
 
         if (!this.jsseEnableSniExtension) {
             WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
@@ -1256,7 +1278,7 @@ private void setLocalParams(SSLSocket socket, SSLEngine engine)
             WolfSSLUtil.sanitizeProtocols(
                 this.params.getProtocols(), WolfSSL.TLS_VERSION.INVALID));
         this.setLocalAuth(socket, engine);
-        this.setLocalServerNames();
+        this.setLocalServerNames(engine);
         this.setLocalSessionTicket();
         this.setLocalAlpnProtocols();
         this.setLocalSecureRenegotiation();
@@ -1450,11 +1472,11 @@ protected synchronized int doHandshake(int isSSLEngine, int timeout)
              * try to use IP address:port instead. If both are null, skip
              * setting serverID. Setting newSession to 1 for setServerID since
              * we are controlling get/set session from Java */
-            if (hostname != null) {
+            if (this.port >= 0 && hostname != null) {
                 serverId = this.hostname.concat(
                     Integer.toString(this.port)).getBytes();
             }
-            else if (peerAddr != null) {
+            else if (this.port >= 0 && peerAddr != null) {
                 hostAddress = this.peerAddr.getHostAddress();
                 if (hostAddress != null) {
                     serverId = hostAddress.concat(
@@ -1708,4 +1730,3 @@ protected synchronized void finalize() throws Throwable {
         super.finalize();
     }
 }
-

src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java

@@ -281,8 +281,12 @@ public WolfSSLImplementSSLSession (WolfSSLImplementSSLSession orig) {
         this.sesPtr = orig.sesPtr;
         this.sesPtrUpdatedAfterTable = false;
 
-        /* Not copying binding, not needed */
-        this.binding = null;
+        /* Copy binding HashMap so session values are preserved */
+        if (orig.binding != null) {
+            this.binding = new HashMap<String, Object>(orig.binding);
+        } else {
+            this.binding = new HashMap<String, Object>();
+        }
 
         WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
             () -> "created new session (WolfSSLImplementSSLSession)");
@@ -669,52 +673,14 @@ public Certificate[] getLocalCertificates() {
     public synchronized Principal getPeerPrincipal()
         throws SSLPeerUnverifiedException {
 
-        long peerX509 = 0;
-        Principal peerPrincipal = null;
-        WolfSSLX509 x509 = null;
-
-        if (ssl == null) {
-            throw new SSLPeerUnverifiedException("handshake not done");
-        }
-
-        /* Throw if server side with no client auth requested */
-        if (this.side == WolfSSL.WOLFSSL_SERVER_END &&
-            !this.clientAuthRequested) {
-            throw new SSLPeerUnverifiedException(
-                "peer not authenticated (no client auth requested)");
-        }
-
-        try {
-            peerX509 = this.ssl.getPeerCertificate();
-            if (peerX509 == 0) {
-                throw new SSLPeerUnverifiedException("No peer certificate");
-            }
-
-            /* wolfSSL starting with 5.3.0 returns a new WOLFSSL_X509
-             * structure from wolfSSL_get_peer_certificate(). In that case,
-             * we need to free the pointer when finished. Prior to 5.3.0,
-             * this memory was freed internally by wolfSSL since the API
-             * only returned a pointer to internal memory */
-            if (WolfSSL.getLibVersionHex() >= 0x05003000) {
-                x509 = new WolfSSLX509(peerX509, true);
-            }
-            else {
-                x509 = new WolfSSLX509(peerX509, false);
-            }
-
-            if (x509 != null) {
-                peerPrincipal = x509.getSubjectDN();
-                x509.free();
-            }
-
-            return peerPrincipal;
-
-        } catch (IllegalStateException | WolfSSLJNIException |
-                WolfSSLException ex) {
-            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-                () -> "Error getting peer principal: " + ex.getMessage());
+        /* Use standard Java X509Certificate.getSubjectDN()
+         * for X500Name equals() compatibility */
+        Certificate[] certs = getPeerCertificates();
+        if (certs != null && certs.length > 0 &&
+            certs[0] instanceof X509Certificate) {
+            return ((X509Certificate) certs[0]).getSubjectDN();
         }
-        return null;
+        throw new SSLPeerUnverifiedException("No peer certificate");
     }
 
     @Override