JNI/JSSE: Fix visibility and access modifiers found by SpotBugs

- Add missing final to WOLFSSL_LEFT_MOST_WILDCARD_ONLY constant
- Update generated JNI header for WOLFSSL_LEFT_MOST_WILDCARD_ONLY
- Make WolfSSLProvider.setDevId() static
- Reduce visibility of WolfSSLCustomUser fields to package-protected
- Make WolfSSLEngine debug flags private
- Rename internal PascalCase methods to camelCase
  (LoadKeyAndCertChain, GetJavaHome, LoadKeyStoreFileByType,
  GetCtxAttributes)

Author: cconlon

native/com_wolfssl_WolfSSL.h

@@ -299,19 +299,6 @@
         <Bug pattern="IS2_INCONSISTENT_SYNC"/>
     </Match>
 
-    <!--
-        IS2_INCONSISTENT_SYNC: WolfSSLParameters objects are copied
-        via copy() before being shared across threads. The copy()
-        method is synchronized to protect the source object during
-        copying. Individual getters/setters are intentionally not
-        synchronized to match JDK SSLParameters behavior.
-    -->
-    <Match>
-        <Class name=
-            "com.wolfssl.provider.jsse.WolfSSLParameters"/>
-        <Bug pattern="IS2_INCONSISTENT_SYNC"/>
-    </Match>
-
     <!--
         NM_METHOD_NAMING_CONVENTION: Public native JNI methods use
         PascalCase to match native wolfSSL C function naming.
@@ -461,50 +448,4 @@
         <Bug pattern="PA_PUBLIC_PRIMITIVE_ATTRIBUTE"/>
     </Match>
 
-    <!--
-        AT_STALE_THREAD_WRITE_OF_PRIMITIVE: WolfSSLParameters
-        objects are copied via copy() before being shared across
-        threads, providing the thread-safety boundary. Matching
-        the JDK SSLParameters pattern which also does not
-        synchronize primitive getters/setters.
-
-        WolfSSLImplementSSLSession.side is set once during setup
-        before the session is used across threads.
-    -->
-    <Match>
-        <Class name=
-            "com.wolfssl.provider.jsse.WolfSSLParameters"/>
-        <Bug pattern="AT_STALE_THREAD_WRITE_OF_PRIMITIVE"/>
-    </Match>
-    <Match>
-        <Class name=
-            "com.wolfssl.provider.jsse.WolfSSLImplementSSLSession"/>
-        <Field name="side"/>
-        <Bug pattern="AT_STALE_THREAD_WRITE_OF_PRIMITIVE"/>
-    </Match>
-
-    <!--
-        RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE: Defensive null
-        check on getSession() return value. The session could be
-        null depending on engine state, keeping as defensive check.
-    -->
-    <Match>
-        <Class name="com.wolfssl.provider.jsse.WolfSSLEngine"/>
-        <Method name="cacheRequestedServerNamesFromNetData"/>
-        <Bug pattern="RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE"/>
-    </Match>
-
-    <!--
-        RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE: Defensive null check
-        on certPem in catch block after constructor threw. Kept as
-        defensive coding to free native resources if constructor
-        behavior changes in the future.
-    -->
-    <Match>
-        <Class name=
-            "com.wolfssl.provider.jsse.WolfSSLTrustManager"/>
-        <Method name="LoadAndroidSystemCertsManually"/>
-        <Bug pattern="RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE"/>
-    </Match>
-
 </FindBugsFilter>

spotbugs-exclude.xml

@@ -586,7 +586,7 @@ public enum TLS_VERSION {
     /* ------------------------- Flag Values ---------------------------- */
     /** WolfSSLCertificate.checkHost() match only wildcards in left-most
      * position, used for LDAPS hostname verification. */
-    public static int WOLFSSL_LEFT_MOST_WILDCARD_ONLY = 0x40;
+    public static final int WOLFSSL_LEFT_MOST_WILDCARD_ONLY = 0x40;
 
     /* ------------------------ Internal state -------------------------- */
 

src/java/com/wolfssl/WolfSSL.java

@@ -86,7 +86,7 @@ private void createCtx() throws WolfSSLException {
         /* Allow ability for user to hard-code and override version, cipher
          * suite, and NO_* disable options. Otherwise just sets defaults
          * into ctxAttr. */
-        WolfSSLCustomUser ctxAttr = WolfSSLCustomUser.GetCtxAttributes
+        WolfSSLCustomUser ctxAttr = WolfSSLCustomUser.getCtxAttributes
                           (this.currentVersion, ciphersIana);
 
         /* Explicitly set SSLContext version if overridden by

src/java/com/wolfssl/provider/jsse/WolfSSLContext.java

@@ -39,11 +39,11 @@
  */
 public class WolfSSLCustomUser {
     /** SSL/TLS version to be used with new SSLContext objects. */
-    public TLS_VERSION version;
+    TLS_VERSION version;
     /** String array of allowed cipher suites for new SSLContext objects */
-    public String[] list;
+    String[] list;
     /** Mask of options to set for the associated native WOLFSSL_CTX */
-    public long noOptions;
+    long noOptions;
 
     /** Default WolfSSLCustomUser constructor */
     public WolfSSLCustomUser() { }
@@ -65,7 +65,7 @@ public WolfSSLCustomUser() { }
      *                      list needs to contain a subset of the default cipher
      *                      list. If it is null, default list is applied.
      */
-    public static WolfSSLCustomUser GetCtxAttributes(TLS_VERSION version,
+    public static WolfSSLCustomUser getCtxAttributes(TLS_VERSION version,
                                                      String[] list) {
 
         WolfSSLCustomUser ctxAttr = new WolfSSLCustomUser();

src/java/com/wolfssl/provider/jsse/WolfSSLCustomUser.java

@@ -167,12 +167,12 @@ public class WolfSSLEngine extends SSLEngine {
     protected BiFunction<SSLEngine, List<String>, String> alpnSelector = null;
 
     /** Turn on extra/verbose SSLEngine debug logging */
-    public boolean extraDebugEnabled = false;
+    private boolean extraDebugEnabled = false;
 
     /** Turn on Send/Recv callback debug to print out bytes sent/received.
      * WARNING: enabling this will slow down sending and receiving data,
      * enough so that app may run into timeouts. Enable with caution. */
-    public boolean ioDebugEnabled = false;
+    private boolean ioDebugEnabled = false;
 
     /**
      * Turns on additional debugging based on system properties set.
@@ -264,7 +264,7 @@ private synchronized void LoadCertAndKey() throws SSLException {
         }
 
         try {
-            this.engineHelper.LoadKeyAndCertChain(null, this);
+            this.engineHelper.loadKeyAndCertChain(null, this);
             certKeyLoaded = true;
         } catch (CertificateEncodingException | IOException |
                  WolfSSLException e) {
@@ -281,7 +281,7 @@ private synchronized void LoadCertAndKey() throws SSLException {
      *
      * This logic is not included directly in WolfSSLEngine constructors
      * to avoid possible 'this' escape before subclass is fully initialized
-     * when using 'this' in LoadKeyAndCertChain().
+     * when using 'this' in loadKeyAndCertChain().
      *
      * @throws SSLException if initialization fails
      */

src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java

@@ -329,7 +329,7 @@ else if (engine != null) {
      * @throws IOException on error concatenating certificate chain into
      *         single byte array
      */
-    protected synchronized void LoadKeyAndCertChain(
+    protected synchronized void loadKeyAndCertChain(
         Socket sock, SSLEngine engine)
         throws WolfSSLException, CertificateEncodingException, IOException {
 

src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java

@@ -106,15 +106,15 @@ private KeyStore LoadKeyStoreFromSystemProperties(String requiredType)
                         "KeyStore type from wolfjsse.keystore.type.required");
                 }
 
-                sysStore = WolfSSLUtil.LoadKeyStoreFileByType(
+                sysStore = WolfSSLUtil.loadKeyStoreFileByType(
                     file, this.pswd, type);
             }
             else {
                 /* Try with wolfJCE WKS type first, in case wolfCrypt
                  * FIPS is being used */
                 if (wksAvailable &&
                     (requiredType == null || requiredType.equals("WKS"))) {
-                    sysStore = WolfSSLUtil.LoadKeyStoreFileByType(
+                    sysStore = WolfSSLUtil.loadKeyStoreFileByType(
                         file, this.pswd, "WKS");
                 }
 
@@ -123,7 +123,7 @@ private KeyStore LoadKeyStoreFromSystemProperties(String requiredType)
                     (requiredType == null || requiredType.equals("BKS"))) {
                     WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
                         () -> "Detected Android VM, trying BKS KeyStore type");
-                    sysStore = WolfSSLUtil.LoadKeyStoreFileByType(
+                    sysStore = WolfSSLUtil.loadKeyStoreFileByType(
                         file, this.pswd, "BKS");
                 }
 
@@ -133,7 +133,7 @@ private KeyStore LoadKeyStoreFromSystemProperties(String requiredType)
                     WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
                         () -> "javax.net.ssl.keyStoreType system property " +
                         "not set, trying type: JKS");
-                    sysStore = WolfSSLUtil.LoadKeyStoreFileByType(
+                    sysStore = WolfSSLUtil.loadKeyStoreFileByType(
                         file, this.pswd, "JKS");
                 }
             }

src/java/com/wolfssl/provider/jsse/WolfSSLKeyManager.java

@@ -168,7 +168,7 @@ public WolfSSLProvider() {
      * @throws WolfSSLException if error registering native crypto callback
      *         function
      */
-    public void setDevId(int devId) throws WolfSSLException {
+    public static void setDevId(int devId) throws WolfSSLException {
 
         /* Store devId into static WolfSSL variable, used by
          * WolfSSLContext (SSLContext) */

src/java/com/wolfssl/provider/jsse/WolfSSLProvider.java

@@ -543,9 +543,9 @@ private void checkAndInitSSLSocket() throws IOException {
                         () -> "loading private key and cert chain");
 
                     if (this.socket != null) {
-                        EngineHelper.LoadKeyAndCertChain(this.socket, null);
+                        EngineHelper.loadKeyAndCertChain(this.socket, null);
                     } else {
-                        EngineHelper.LoadKeyAndCertChain(this, null);
+                        EngineHelper.loadKeyAndCertChain(this, null);
                     }
                 } else {
                     throw new WolfSSLException(