Return X500Principal from getPeerPrincipal() and getLocalPrincipal()

Author: JeremiahM37

src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java

@@ -765,7 +765,7 @@ protected void updateTimeouts(int in, int side) {
                     diff = (now - current.creation.getTime()) / 1000;
 
                     if (diff < 0) {
-                    /* session is from the future ... */ /* TODO */
+                    /* session is from the future ... TODO */
 
                     }
 

src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java

@@ -321,8 +321,7 @@ protected synchronized void cacheRequestedServerNamesFromNetData() {
         List<SNIServerName> names;
         WolfSSLImplementSSLSession session;
 
-        if (this.engineHelper == null ||
-            this.engineHelper.getUseClientMode()) {
+        if (this.engineHelper == null || this.engineHelper.getUseClientMode()) {
             return;
         }
 
@@ -354,7 +353,8 @@ private List<SNIServerName> parseRequestedServerNamesFromNetData() {
         List<SNIServerName> names;
 
         synchronized (netDataLock) {
-            if (this.netData == null || this.netData.remaining() < 5) {
+            if (this.netData == null ||
+                this.netData.remaining() < TLS_RECORD_HEADER_LEN) {
                 return null;
             }
             in = this.netData.asReadOnlyBuffer();
@@ -1199,8 +1199,7 @@ private synchronized int RecvAppData(ByteBuffer[] out, int ofst, int length)
                 default:
                     /* Throw SSLHandshakeException if handshake not finished */
                     if (!this.handshakeFinished) {
-                        SSLHandshakeException hse =
-                            new SSLHandshakeException(
+                        SSLHandshakeException hse = new SSLHandshakeException(
                             "SSL/TLS handshake error in read: " + ret +
                             " , err = " + err);
                         if (this.engineHelper != null) {
@@ -1235,11 +1234,13 @@ private synchronized int RecvAppData(ByteBuffer[] out, int ofst, int length)
                 /* Copy from intermediate buffer to output bufs */
                 for (i = 0; i < ret;) {
                     if (idx + ofst >= length) {
+                        /* no more output buffers left */
                         break;
                     }
 
                     bufSpace = out[idx + ofst].remaining();
                     if (bufSpace == 0) {
+                        /* no more space in current out buffer, advance */
                         idx++;
                         continue;
                     }
@@ -1450,13 +1451,15 @@ else if (hs == SSLEngineResult.HandshakeStatus.NEED_WRAP &&
                          * report bytesConsumed() == 0. DTLS still
                          * relies on the native WANT_READ path. */
                         boolean bufferUnderflow = false;
-                        if (inRemaining > 0 &&
-                            (this.ssl.dtls() == 0)) {
+                        if (inRemaining > 0 && (this.ssl.dtls() == 0)) {
                             synchronized (netDataLock) {
                                 int pos = in.position();
                                 if (inRemaining < TLS_RECORD_HEADER_LEN) {
+                                    /* Not enough for TLS record header */
                                     bufferUnderflow = true;
                                 } else {
+                                    /* Peek at record length from header
+                                     * bytes 3-4 (big-endian) */
                                     int recLen =
                                         ((in.get(pos + TLS_RECORD_LEN_HI_OFF)
                                             & 0xFF) << 8) |
@@ -1482,8 +1485,7 @@ else if (hs == SSLEngineResult.HandshakeStatus.NEED_WRAP &&
                                 for (int pos = 0;
                                         pos < this.pendingAppDataLen;) {
                                     if (idx2 + ofst >= length) break;
-                                    int space =
-                                        out[idx2 + ofst].remaining();
+                                    int space = out[idx2 + ofst].remaining();
                                     if (space == 0) { idx2++; continue; }
                                     int sz2 = Math.min(space,
                                         this.pendingAppDataLen - pos);
@@ -1537,8 +1539,7 @@ else if (inRemaining > 0 &&
                                     in.position(inPosition);
                                 }
                                 produced = 0;
-                                status =
-                                    SSLEngineResult.Status.BUFFER_OVERFLOW;
+                                status = SSLEngineResult.Status.BUFFER_OVERFLOW;
                             }
                             else {
                                 /* Check for BUFFER_OVERFLOW status. This can
@@ -1657,9 +1658,8 @@ else if (ret < 0 &&
                                     "SSL/TLS handshake error, ret:err = " +
                                     ret + " : " + err);
                                 if (this.engineHelper != null) {
-                                    Exception verifyEx2 =
-                                        this.engineHelper
-                                            .getLastVerifyException();
+                                    Exception verifyEx2 = this.engineHelper
+                                        .getLastVerifyException();
                                     if (verifyEx2 != null) {
                                         hse2.initCause(verifyEx2);
                                     }

src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java

@@ -866,8 +866,7 @@ private boolean isTls13CipherSuite(String suite) {
         }
 
         return suite.startsWith("TLS_AES_") ||
-            suite.startsWith("TLS_CHACHA20_") ||
-            suite.startsWith("TLS_SM4_");
+            suite.startsWith("TLS_CHACHA20_") || suite.startsWith("TLS_SM4_");
     }
 
     private String[] getEffectiveProtocolsForCiphers(String[] protocols,
@@ -948,8 +947,7 @@ else if ("TLSv1.2".equals(proto) || "DTLSv1.2".equals(proto) ||
         return protocols;
     }
 
-    private void applyConfiguredCipherProtocolSettings()
-        throws SSLException {
+    private void applyConfiguredCipherProtocolSettings() throws SSLException {
 
         String[] suites;
         String[] protocols;
@@ -1081,8 +1079,7 @@ private void setLocalServerNames(SSLEngine engine) {
         /* SSLEngine(host, port) should send SNI by default if no explicit
          * server names were configured and SNI extension is enabled. */
         boolean isEngineConnectionWithHost = this.clientMode &&
-                engine != null &&
-                this.hostname != null &&
+                engine != null && this.hostname != null &&
                 this.params.getServerNames() == null;
 
         /* Enable SNI if explicitly requested via property, if

src/java/com/wolfssl/provider/jsse/WolfSSLImplementSSLSession.java

@@ -673,12 +673,11 @@ public Certificate[] getLocalCertificates() {
     public synchronized Principal getPeerPrincipal()
         throws SSLPeerUnverifiedException {
 
-        /* Use standard Java X509Certificate.getSubjectDN()
-         * for X500Name equals() compatibility */
+        /* Return X500Principal for proper equals() symmetry */
         Certificate[] certs = getPeerCertificates();
         if (certs != null && certs.length > 0 &&
             certs[0] instanceof X509Certificate) {
-            return ((X509Certificate) certs[0]).getSubjectDN();
+            return ((X509Certificate) certs[0]).getSubjectX500Principal();
         }
         throw new SSLPeerUnverifiedException("No peer certificate");
     }
@@ -699,7 +698,7 @@ public Principal getLocalPrincipal() {
         if (certs.length > 0){
             /* When chain of certificates exceeds one,
              * the user certifcate is the first */
-            localPrincipal = certs[0].getSubjectDN();
+            localPrincipal = certs[0].getSubjectX500Principal();
         }
 
         /* free native resources earlier than garbage collection if
@@ -1137,8 +1136,7 @@ public synchronized List<SNIServerName> getRequestedServerNames()
         byte[] sniRequestArr = null;
 
         if (this.ssl == null) {
-            if (this.sniServerNames != null &&
-                !this.sniServerNames.isEmpty()) {
+            if (this.sniServerNames != null && !this.sniServerNames.isEmpty()) {
                 return Collections.unmodifiableList(
                     new ArrayList<SNIServerName>(this.sniServerNames));
             }

src/java/com/wolfssl/provider/jsse/WolfSSLInternalVerifyCb.java

@@ -310,8 +310,7 @@ else if (sock != null) {
             }
         } catch (Exception e) {
             WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-                () -> "Hostname verification error: " +
-                e.getMessage());
+                () -> "Hostname verification error: " + e.getMessage());
             this.verifyException = e;
             return 0;
         } finally {

src/java/com/wolfssl/provider/jsse/WolfSSLSessionContext.java

@@ -91,8 +91,7 @@ public SSLSession getSession(byte[] sessionId) {
                 /* Native session may have been freed already */
             }
         }
-        WolfSSLImplementSSLSession session =
-            store.getSession(sessionId, side);
+        WolfSSLImplementSSLSession session = store.getSession(sessionId, side);
         if (session == null) {
             return null;
         }

src/java/com/wolfssl/provider/jsse/WolfSSLX509.java

@@ -802,14 +802,19 @@ public String toString() {
         public boolean equals(Object obj) {
             if (this == obj) return true;
             if (obj instanceof Principal) {
-                return getName().equals(((Principal) obj).getName());
+                String thisName = getName();
+                if (thisName == null) {
+                    return ((Principal) obj).getName() == null;
+                }
+                return thisName.equals(((Principal) obj).getName());
             }
             return false;
         }
 
         @Override
         public int hashCode() {
-            return getName().hashCode();
+            String n = getName();
+            return (n != null) ? n.hashCode() : 0;
         }
 
     }

src/test/com/wolfssl/provider/jsse/test/WolfSSLEngineTest.java

@@ -2565,8 +2565,7 @@ public void testGetPeerCertificateChainNoClientAuth() throws Exception {
     public void testSSLHandshakeExceptionCauseChain()
         throws NoSuchProviderException, NoSuchAlgorithmException,
                KeyManagementException, KeyStoreException,
-               CertificateException, IOException,
-               UnrecoverableKeyException {
+               CertificateException, IOException, UnrecoverableKeyException {
 
         System.out.print("\tSSLEngine SSLHandshakeException cause chain");
 
@@ -2629,10 +2628,9 @@ public X509Certificate[] getAcceptedIssuers() {
 
             cliToSer.flip();
             if (cliToSer.hasRemaining() &&
-                (server.getHandshakeStatus() ==
-                    HandshakeStatus.NEED_UNWRAP ||
+                (server.getHandshakeStatus() == HandshakeStatus.NEED_UNWRAP ||
                  server.getHandshakeStatus() ==
-                    HandshakeStatus.NOT_HANDSHAKING)) {
+                     HandshakeStatus.NOT_HANDSHAKING)) {
                 try {
                     server.unwrap(cliToSer, sink);
                 } catch (SSLException e) {
@@ -2651,10 +2649,9 @@ public X509Certificate[] getAcceptedIssuers() {
 
             serToCli.flip();
             if (serToCli.hasRemaining() &&
-                (client.getHandshakeStatus() ==
-                    HandshakeStatus.NEED_UNWRAP ||
+                (client.getHandshakeStatus() == HandshakeStatus.NEED_UNWRAP ||
                  client.getHandshakeStatus() ==
-                    HandshakeStatus.NOT_HANDSHAKING)) {
+                     HandshakeStatus.NOT_HANDSHAKING)) {
                 try {
                     client.unwrap(serToCli, sink);
                 } catch (SSLHandshakeException e) {
@@ -2701,8 +2698,7 @@ public void testCloseNotifyTLS13HandshakeStatus()
         }
 
         SSLEngine server = this.ctx.createSSLEngine();
-        SSLEngine client =
-            this.ctx.createSSLEngine("wolfSSL test", 11111);
+        SSLEngine client = this.ctx.createSSLEngine("wolfSSL test", 11111);
 
         server.setUseClientMode(false);
         server.setNeedClientAuth(false);
@@ -2733,8 +2729,7 @@ public void testCloseNotifyTLS13HandshakeStatus()
             client.getSession().getApplicationBufferSize());
 
         /* Wrap the close_notify */
-        SSLEngineResult result = client.wrap(
-            ByteBuffer.allocate(0), netBuf);
+        SSLEngineResult result = client.wrap(ByteBuffer.allocate(0), netBuf);
         if (result.getStatus() != SSLEngineResult.Status.CLOSED) {
             error("\t... failed");
             fail("wrap after closeOutbound should return CLOSED");
@@ -2785,17 +2780,15 @@ public void testCloseNotifyTLS13HandshakeStatus()
     public void testBufferUnderflowPartialRecord()
         throws NoSuchProviderException, NoSuchAlgorithmException,
                KeyManagementException, KeyStoreException,
-               CertificateException, IOException,
-               UnrecoverableKeyException {
+               CertificateException, IOException, UnrecoverableKeyException {
 
         /* Test that unwrap() returns BUFFER_UNDERFLOW with 0 bytes
          * consumed when given a partial TLS record. */
         System.out.print("\tTesting BUFFER_UNDERFLOW partial record");
 
         this.ctx = tf.createSSLContext("TLS", engineProvider);
         SSLEngine server = this.ctx.createSSLEngine();
-        SSLEngine client =
-            this.ctx.createSSLEngine("wolfSSL test", 11111);
+        SSLEngine client = this.ctx.createSSLEngine("wolfSSL test", 11111);
 
         server.setUseClientMode(false);
         server.setNeedClientAuth(false);
@@ -2812,16 +2805,13 @@ public void testBufferUnderflowPartialRecord()
         }
 
         /* Client wraps some application data */
-        String testData =
-            "Hello from client for underflow test";
-        ByteBuffer appBuf =
-            ByteBuffer.wrap(testData.getBytes());
+        String testData = "Hello from client for underflow test";
+        ByteBuffer appBuf = ByteBuffer.wrap(testData.getBytes());
         ByteBuffer netBuf = ByteBuffer.allocateDirect(
             client.getSession().getPacketBufferSize());
 
         SSLEngineResult result = client.wrap(appBuf, netBuf);
-        if (result.getStatus() !=
-            SSLEngineResult.Status.OK) {
+        if (result.getStatus() != SSLEngineResult.Status.OK) {
             error("\t... failed");
             fail("wrap failed: " + result.getStatus());
         }
@@ -2835,22 +2825,19 @@ public void testBufferUnderflowPartialRecord()
 
         /* Create a partial record (only first 3 bytes of the
          * TLS record header, less than the 5-byte header) */
-        ByteBuffer partialBuf =
-            ByteBuffer.allocateDirect(3);
+        ByteBuffer partialBuf = ByteBuffer.allocateDirect(3);
         byte[] partial = new byte[3];
         netBuf.get(partial);
         partialBuf.put(partial);
         partialBuf.flip();
 
         ByteBuffer outBuf = ByteBuffer.allocate(
-            server.getSession()
-                .getApplicationBufferSize());
+            server.getSession().getApplicationBufferSize());
 
         /* Unwrap partial record: BUFFER_UNDERFLOW expected */
         result = server.unwrap(partialBuf, outBuf);
 
-        if (result.getStatus() !=
-            SSLEngineResult.Status.BUFFER_UNDERFLOW) {
+        if (result.getStatus() != SSLEngineResult.Status.BUFFER_UNDERFLOW) {
             error("\t... failed");
             fail("expected BUFFER_UNDERFLOW for partial " +
                  "TLS record, got " + result.getStatus());
@@ -2878,8 +2865,7 @@ public void testBufferOverflowSmallOutput()
 
         this.ctx = tf.createSSLContext("TLS", engineProvider);
         SSLEngine server = this.ctx.createSSLEngine();
-        SSLEngine client =
-            this.ctx.createSSLEngine("wolfSSL test", 11111);
+        SSLEngine client = this.ctx.createSSLEngine("wolfSSL test", 11111);
 
         server.setUseClientMode(false);
         server.setNeedClientAuth(false);
@@ -2917,8 +2903,7 @@ public void testBufferOverflowSmallOutput()
 
         result = server.unwrap(netCopy, tinyOut);
 
-        if (result.getStatus() !=
-            SSLEngineResult.Status.BUFFER_OVERFLOW) {
+        if (result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW) {
             error("\t... failed");
             fail("expected BUFFER_OVERFLOW for small output buffer, " +
                  "got " + result.getStatus());

src/test/com/wolfssl/provider/jsse/test/WolfSSLSessionContextTest.java

@@ -551,14 +551,12 @@ public void testSessionTimeoutBoundaryExpiry()
 
         String originalProp = Security.getProperty(
             "wolfjsse.clientSessionCache.disabled");
-        Security.setProperty("wolfjsse.clientSessionCache.disabled",
-            "false");
+        Security.setProperty("wolfjsse.clientSessionCache.disabled", "false");
 
         try {
             this.ctx = tf.createSSLContext("TLS", engineProvider);
             server = this.ctx.createSSLEngine();
-            client = this.ctx.createSSLEngine(
-                "wolfSSL timeout test", 11111);
+            client = this.ctx.createSSLEngine("wolfSSL timeout test", 11111);
 
             server.setUseClientMode(false);
             server.setNeedClientAuth(false);
@@ -658,8 +656,7 @@ public void testSessionInvalidationFilteredFromGetIds()
 
         String originalProp = Security.getProperty(
             "wolfjsse.clientSessionCache.disabled");
-        Security.setProperty("wolfjsse.clientSessionCache.disabled",
-            "false");
+        Security.setProperty("wolfjsse.clientSessionCache.disabled", "false");
 
         try {
             this.ctx = tf.createSSLContext("TLS", engineProvider);

src/test/com/wolfssl/provider/jsse/test/WolfSSLTestFactory.java

@@ -870,8 +870,7 @@ public int CloseConnection(SSLEngine server, SSLEngine client,
         if (!s.toString().equals("NEED_WRAP") ||
                 !result.getStatus().name().equals("CLOSED") ) {
             throw new SSLException(
-                "Bad status: HS=" + s +
-                " status=" + result.getStatus());
+                "Bad status: HS=" + s + " status=" + result.getStatus());
         }
 
         /* server wraps its own close_notify */