
Commit 57db514

committed
Address cconlon PR #334 review feedback
1 parent 655ea82 commit 57db514

8 files changed

Lines changed: 249 additions & 422 deletions


src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java

Lines changed: 82 additions & 231 deletions
Large diffs are not rendered by default.

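--- a/src/java/com/wolfssl/provider/jsse/WolfSSLImplementSSLSession.java
+++ b/src/java/com/wolfssl/provider/jsse/WolfSSLImplementSSLSession.java
@@ -673,12 +673,11 @@ public Certificate[] getLocalCertificates() {
 public synchronized Principal getPeerPrincipal()
 throws SSLPeerUnverifiedException {
 
-/* Use standard Java X509Certificate.getSubjectDN()
-* for X500Name equals() compatibility */
 Certificate[] certs = getPeerCertificates();
 if (certs != null && certs.length > 0 &&
 certs[0] instanceof X509Certificate) {
-return ((X509Certificate) certs[0]).getSubjectDN();
+return ((X509Certificate) certs[0])
+.getSubjectX500Principal();
 }
 throw new SSLPeerUnverifiedException("No peer certificate");
 }
@@ -1074,21 +1073,53 @@ protected int getPort() {
 
 @Override
 public String[] getLocalSupportedSignatureAlgorithms() {
-ArrayList<String> algs = new ArrayList<String>(2);
+ArrayList<String> algs = new ArrayList<String>();
 
 if (WolfSSL.RsaEnabled()) {
-algs.add("SHA256withRSA");
+if (WolfSSL.Sha512Enabled()) {
+algs.add("SHA512withRSA");
+}
+if (WolfSSL.Sha384Enabled()) {
+algs.add("SHA384withRSA");
+}
+if (WolfSSL.Sha256Enabled()) {
+algs.add("SHA256withRSA");
+}
+if (WolfSSL.Sha224Enabled()) {
+algs.add("SHA224withRSA");
+}
+if (WolfSSL.ShaEnabled()) {
+algs.add("SHA1withRSA");
+}
 }
 if (WolfSSL.EccEnabled()) {
-algs.add("SHA256withECDSA");
+if (WolfSSL.Sha512Enabled()) {
+algs.add("SHA512withECDSA");
+}
+if (WolfSSL.Sha384Enabled()) {
+algs.add("SHA384withECDSA");
+}
+if (WolfSSL.Sha256Enabled()) {
+algs.add("SHA256withECDSA");
+}
+if (WolfSSL.Sha224Enabled()) {
+algs.add("SHA224withECDSA");
+}
+if (WolfSSL.ShaEnabled()) {
+algs.add("SHA1withECDSA");
+}
+}
+if (WolfSSL.RsaPssEnabled()) {
+algs.add("RSASSA-PSS");
 }
 
 return algs.toArray(new String[algs.size()]);
 }
 
 @Override
 public String[] getPeerSupportedSignatureAlgorithms() {
-return new String[0];
+/* TODO */
+return null;
 }
 
 /**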
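Review bot: `getPeerSupportedSignatureAlgorithms()` (new lines 1121-1122) now returns `null` where it previously returned `new String[0]`; the `ExtendedSSLSession` contract specifies an empty array when the peer's list is not available, so callers that iterate the result can hit a NullPointerException. Until the peer list is implemented, keep the TODO but leave the return as `return new String[0];`. Separately, `getLocalSupportedSignatureAlgorithms()` now reports `SHA1withRSA` and `SHA1withECDSA` whenever the native build has SHA-1 compiled in; whether that matches what the handshake will actually accept cannot be seen from this hunk, so a comment such as `/* Reflects native build capability, not negotiated policy */` above the list would help readers who treat it as an allow-list.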

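--- a/src/java/com/wolfssl/provider/jsse/WolfSSLInternalVerifyCb.java
+++ b/src/java/com/wolfssl/provider/jsse/WolfSSLInternalVerifyCb.java
@@ -38,6 +38,8 @@
 import javax.net.ssl.X509ExtendedTrustManager;
 import java.io.IOException;
 import java.lang.ref.WeakReference;
+import java.nio.charset.StandardCharsets;
+import java.util.List;
 
 /**
 * Internal verify callback.
@@ -132,33 +134,31 @@ private int verifyHostnameOnly(X509Certificate peer) {
 WolfSSLTrustX509 wolfTM = (WolfSSLTrustX509)tm;
 
 try {
-if (this.callingSocket != null &&
-this.callingSocket.get() != null) {
+SSLSocket sock = (this.callingSocket != null) ?
+this.callingSocket.get() : null;
+SSLEngine eng = (this.callingEngine != null) ?
+this.callingEngine.get() : null;
 
+if (sock != null) {
 WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
 () -> "checking hostname verification using SSLSocket");
 
 /* Throws CertificateException when verify fails */
-wolfTM.verifyHostname(peer, this.callingSocket.get(),
-null, clientMode);
+wolfTM.verifyHostname(peer, sock, null, clientMode);
 }
-else if (this.callingEngine != null &&
-this.callingEngine.get() != null) {
-
+else if (eng != null) {
 WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
 () -> "checking hostname verification using SSLEngine");
 
 /* Throws CertificateException when verify fails */
-wolfTM.verifyHostname(peer, null,
-this.callingEngine.get(), clientMode);
+wolfTM.verifyHostname(peer, null, eng, clientMode);
 }
 else {
 /* SSLSocket/SSLEngine null. Fail if endpoint ID
 * is set, otherwise skip hostname verification. */
 String eia = null;
 if (this.params != null) {
-eia = this.params
-.getEndpointIdentificationAlgorithm();
+eia = this.params.getEndpointIdentificationAlgorithm();
 }
 if (eia != null && !eia.isEmpty()) {
 throw new CertificateException(
@@ -199,8 +199,7 @@ private int verifyHostnameForExternalTM(X509Certificate peer) {
 
 /* Get endpoint identification algorithm from params */
 if (this.params != null) {
-endpointIdAlgo =
-this.params.getEndpointIdentificationAlgorithm();
+endpointIdAlgo = this.params.getEndpointIdentificationAlgorithm();
 }
 
 /* If no endpoint identification algorithm set, skip hostname
@@ -209,10 +208,18 @@ private int verifyHostnameForExternalTM(X509Certificate peer) {
 return 1;
 }
 
-/* Only HTTPS and LDAPS are supported */
+/* Only HTTPS and LDAPS are supported. Fail if endpoint ID was
+* explicitly set to something else (typo or unsupported algo). */
 if (!endpointIdAlgo.equals("HTTPS") &&
 !endpointIdAlgo.equals("LDAPS")) {
-return 1;
+final String tmpAlgoUnsup = endpointIdAlgo;
+this.verifyException = new CertificateException(
+"Unsupported endpoint identification algorithm: " +
+endpointIdAlgo);
+WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+() -> "Unsupported endpoint identification algorithm: "
++ tmpAlgoUnsup);
+return 0;
 }
 
 final String tmpAlgo = endpointIdAlgo;
@@ -222,21 +229,20 @@ private int verifyHostnameForExternalTM(X509Certificate peer) {
 
 /* Get peer host from SSLEngine or SSLSocket handshake session */
 try {
-if (this.callingEngine != null &&
-this.callingEngine.get() != null) {
-session =
-this.callingEngine.get().getHandshakeSession();
+SSLEngine eng = (this.callingEngine != null) ?
+this.callingEngine.get() : null;
+SSLSocket sock = (this.callingSocket != null) ?
+this.callingSocket.get() : null;
+
+if (eng != null) {
+session = eng.getHandshakeSession();
 }
-else if (this.callingSocket != null &&
-this.callingSocket.get() != null) {
-javax.net.ssl.SSLSocket sock =
-this.callingSocket.get();
+else if (sock != null) {
 session = sock.getHandshakeSession();
 }
 } catch (UnsupportedOperationException e) {
 WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-() -> "getHandshakeSession() not supported: " +
-e.getMessage());
+() -> "getHandshakeSession() not supported: " + e.getMessage());
 CertificateException ce = new CertificateException(
 "getHandshakeSession() not supported: " + e.getMessage());
 ce.initCause(e);
@@ -249,16 +255,15 @@ else if (this.callingSocket != null &&
 * but for SNI verification we need the logical hostname the client
 * requested (e.g. "something.netty.io"). */
 if (this.params != null) {
-java.util.List<WolfSSLSNIServerName> sniNames =
-this.params.getServerNames();
+List<WolfSSLSNIServerName> sniNames = this.params.getServerNames();
 if (sniNames != null && !sniNames.isEmpty()) {
 for (WolfSSLSNIServerName sni : sniNames) {
 /* Type 0 = host_name (RFC 6066) */
 if (sni.getType() == 0) {
 byte[] encoded = sni.getEncoded();
 if (encoded != null && encoded.length > 0) {
 peerHost = new String(encoded,
-java.nio.charset.StandardCharsets.US_ASCII);
+StandardCharsets.US_ASCII);
 }
 break;
 }
@@ -292,17 +297,15 @@ else if (this.callingSocket != null &&
 int ret = wCert.checkHost(peerHost);
 if (ret == WolfSSL.SSL_SUCCESS) {
 WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-() -> "Provider-level hostname " +
-"verification passed for: " + tmpHost);
+() -> "Provider-level hostname verification " +
+"passed for: " + tmpHost);
 return 1;
 } else {
 WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-() -> "Provider-level hostname " +
-"verification FAILED for: " + tmpHost);
-this.verifyException =
-new CertificateException(
-"Hostname verification failed for: "
-+ tmpHost);
+() -> "Provider-level hostname verification " +
+"FAILED for: " + tmpHost);
+this.verifyException = new CertificateException(
+"Hostname verification failed for: " + tmpHost);
 return 0;
 }
 } catch (Exception e) {
@@ -344,30 +347,29 @@ private boolean VerifyCertChainWithTrustManager(X509Certificate[] certs,
 try {
 /* Call TrustManager to do cert verification, should throw
 * CertificateException if verification fails */
+SSLSocket sock = (this.callingSocket != null) ?
+this.callingSocket.get() : null;
+SSLEngine eng = (this.callingEngine != null) ?
+this.callingEngine.get() : null;
+
 if (this.clientMode) {
 if (this.tm instanceof X509ExtendedTrustManager) {
 X509ExtendedTrustManager xtm =
 (X509ExtendedTrustManager)this.tm;
 
-if (this.callingSocket != null &&
-this.callingSocket.get() != null) {
-
+if (sock != null) {
 WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
 () -> "Calling TrustManager.checkServerTrusted(" +
 "SSLSocket)");
 
-xtm.checkServerTrusted(certs, authType,
-this.callingSocket.get());
+xtm.checkServerTrusted(certs, authType, sock);
 }
-else if (this.callingEngine != null &&
-this.callingEngine.get() != null) {
-
+else if (eng != null) {
 WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
 () -> "Calling TrustManager.checkServerTrusted(" +
 "SSLEngine)");
 
-xtm.checkServerTrusted(certs, authType,
-this.callingEngine.get());
+xtm.checkServerTrusted(certs, authType, eng);
 }
 else {
 /* If we do have access to X509ExtendedTrustManager,
@@ -391,25 +393,19 @@ else if (this.callingEngine != null &&
 X509ExtendedTrustManager xtm =
 (X509ExtendedTrustManager)this.tm;
 
-if (this.callingSocket != null &&
-this.callingSocket.get() != null) {
-
+if (sock != null) {
 WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
 () -> "Calling TrustManager.checkClientTrusted(" +
 "SSLSocket)");
 
-xtm.checkClientTrusted(certs, authType,
-this.callingSocket.get());
+xtm.checkClientTrusted(certs, authType, sock);
 }
-else if (this.callingEngine != null &&
-this.callingEngine.get() != null) {
-
+else if (eng != null) {
 WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
 () -> "Calling TrustManager.checkClientTrusted(" +
 "SSLEngine)");
 
-xtm.checkClientTrusted(certs, authType,
-this.callingEngine.get());
+xtm.checkClientTrusted(certs, authType, eng);
 }
 else {
 /* If we do have access to X509ExtendedTrustManager,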
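Review bot: The algorithm check at new lines 213-214 of `verifyHostnameForExternalTM` is case-sensitive, so with the new fail-closed branch a value such as `"https"` now aborts the handshake with "Unsupported endpoint identification algorithm" instead of being verified. Failing closed on unknown values is the right direction, but the JDK's own trust manager matches these names case-insensitively, so applications that work against SunJSSE could start failing here. Consider `if (!endpointIdAlgo.equalsIgnoreCase("HTTPS") &&` and `!endpointIdAlgo.equalsIgnoreCase("LDAPS")) {`. The function body starts and ends outside the hunk, so whether `tmpAlgo` is compared case-sensitively again further down cannot be seen here and should be checked together with this change.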

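--- a/src/java/com/wolfssl/provider/jsse/WolfSSLTrustX509.java
+++ b/src/java/com/wolfssl/provider/jsse/WolfSSLTrustX509.java
@@ -1076,13 +1076,34 @@ public List<X509Certificate> checkServerTrusted(X509Certificate[] chain,
 "ret = " + ret);
 }
 
-/* Get DER-encoded leaf certificate from chain */
-leafCertDer = chain[0].getEncoded();
+/* Load intermediate CA certificates from verified chain.
+* OCSP responses can be signed by an intermediate CA,
+* which is in the chain but would not be in the trust
+* store. certList order: [leaf, intermediate(s), root].
+* Load indices 1 through size-1 (intermediates and root).
+* Note: certList is guaranteed non-null/non-empty here since
+* checkServerTrusted() above throws on invalid chains. */
+for (int i = 1; i < certList.size(); i++) {
+X509Certificate caCert = certList.get(i);
+byte[] caCertDer = caCert.getEncoded();
+ret = cm.CertManagerLoadCABuffer(caCertDer,
+caCertDer.length, WolfSSL.SSL_FILETYPE_ASN1);
+if (ret != WolfSSL.SSL_SUCCESS) {
+final String subj =
+caCert.getSubjectX500Principal().getName();
+WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+() -> "Failed to load chain CA for OCSP " +
+"(subject: " + subj + "), continuing");
+}
+}
+
+/* Get DER-encoded leaf certificate from verified chain */
+leafCertDer = certList.get(0).getEncoded();
 
-/* Get issuer certificate if available in chain. Issuer
+/* Get issuer certificate from verified chain. Issuer
 * needed to compute issuer key hash for OCSP matching. */
-if (chain.length > 1) {
-issuerCertDer = chain[1].getEncoded();
+if (certList.size() > 1) {
+issuerCertDer = certList.get(1).getEncoded();
 }
 
 /* Check OCSP response against the specific certificate */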
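Review bot: The loop at new lines 1086-1098 loads every certificate after the leaf into `cm` as a CA, which is only safe if `cm` is a cert manager created for this one OCSP check and released afterwards; its creation and cleanup are outside the hunk, so that cannot be confirmed here. If `cm` were shared or reused, intermediates taken from one peer's chain would remain as trust anchors for later verifications. I would state the scope in the comment above the loop, for example `* cm is local to this OCSP check and freed below; chain CAs loaded here never reach the long-lived trust store.`, once that has been checked. A load failure is only logged at INFO and the code continues, so a following OCSP failure will not say that a missing chain CA caused it; including `ret` in that log line would make the cause easier to trace.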
