wolfJSSE fixes for FIPS test coverage

Author: JeremiahM37

src/java/com/wolfssl/WolfSSLCertManager.java

@@ -179,7 +179,8 @@ public synchronized int CertManagerLoadCAKeyStore(KeyStore ks)
                     cert = (X509Certificate) ks.getCertificate(name);
                 }
 
-                if (cert != null && cert.getBasicConstraints() >= 0) {
+                if (cert != null && (cert.getBasicConstraints() >= 0 ||
+                        WolfSSL.trustPeerCertEnabled())) {
                     ret = CertManagerLoadCABuffer(cert.getEncoded(),
                             cert.getEncoded().length,
                             WolfSSL.SSL_FILETYPE_ASN1);

src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java

@@ -762,10 +762,16 @@ protected void updateTimeouts(int in, int side) {
 
                     }
 
-                    if (in > 0 && diff > in) {
+                    if (in > 0 && diff >= in) {
+                        current.invalidate();
+                    }
+                    try {
+                        current.setNativeTimeout(in);
+                    } catch (IllegalStateException e) {
+                        /* Native WolfSSLSession has been freed,
+                         * invalidate this session entry */
                         current.invalidate();
                     }
-                    current.setNativeTimeout(in);
                 }
             }
         }

src/java/com/wolfssl/provider/jsse/WolfSSLContext.java

@@ -488,7 +488,7 @@ protected SSLEngine engineCreateSSLEngine()
         try {
             return new WolfSSLEngine(this.ctx, this.authStore, this.params);
         } catch (WolfSSLException ex) {
-            throw new IllegalStateException("Unable to create engine");
+            throw new IllegalStateException("Unable to create engine", ex);
         }
     }
 
@@ -516,7 +516,7 @@ protected SSLEngine engineCreateSSLEngine(String host, int port)
             return new WolfSSLEngine(this.ctx, this.authStore, this.params,
                 host, port);
         } catch (WolfSSLException ex) {
-            throw new IllegalStateException("Unable to create engine");
+            throw new IllegalStateException("Unable to create engine", ex);
         }
     }
 

src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java

@@ -475,6 +475,19 @@ protected synchronized WolfSSLImplementSSLSession getSession() {
         return this.session;
     }
 
+    /**
+     * Get the last exception from TrustManager certificate verification.
+     * Delegates to the internal verify callback if available.
+     *
+     * @return Exception from last failed verification, or null
+     */
+    protected synchronized Exception getLastVerifyException() {
+        if (this.wicb != null) {
+            return this.wicb.getVerifyException();
+        }
+        return null;
+    }
+
     /**
      * Get all supported cipher suites in native wolfSSL library, which
      * are also allowed by "wolfjsse.enabledCipherSuites" system Security
@@ -870,7 +883,7 @@ private void setLocalAuth(SSLSocket socket, SSLEngine engine) {
             WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
                 () -> "Using checkClientTrusted/ServerTrusted() " +
                 "for verification");
-            this.verifyMask = WolfSSL.SSL_VERIFY_PEER;
+            this.verifyMask = mask;
         }
 
         this.ssl.setVerify(this.verifyMask, wicb);
@@ -916,7 +929,7 @@ private static boolean checkBooleanProperty(String prop,
      * name depending on what createSocket() API the user has called and with
      * what String.
      */
-    private void setLocalServerNames() {
+    private void setLocalServerNames(SSLEngine engine) {
         boolean autoSNI = this.wolfjsseAutoSni;
 
         /* Detect HttpsURLConnection usage by checking:
@@ -931,9 +944,16 @@ private void setLocalServerNames() {
                 this.peerAddr != null &&
                 this.params.getServerNames() == null;
 
-        /* Enable SNI if explicitly requested via property or if
-         * HttpsURLConnection is detected */
-        autoSNI = autoSNI || isHttpsConnection;
+        /* SSLEngine(host, port) should send SNI by default if no explicit
+         * server names were configured and SNI extension is enabled. */
+        boolean isEngineConnectionWithHost = this.clientMode &&
+                engine != null &&
+                this.hostname != null &&
+                this.params.getServerNames() == null;
+
+        /* Enable SNI if explicitly requested via property, if
+         * HttpsURLConnection is detected, or for SSLEngine(host, port). */
+        autoSNI = autoSNI || isHttpsConnection || isEngineConnectionWithHost;
 
         if (!this.jsseEnableSniExtension) {
             WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
@@ -1256,7 +1276,7 @@ private void setLocalParams(SSLSocket socket, SSLEngine engine)
             WolfSSLUtil.sanitizeProtocols(
                 this.params.getProtocols(), WolfSSL.TLS_VERSION.INVALID));
         this.setLocalAuth(socket, engine);
-        this.setLocalServerNames();
+        this.setLocalServerNames(engine);
         this.setLocalSessionTicket();
         this.setLocalAlpnProtocols();
         this.setLocalSecureRenegotiation();
@@ -1708,4 +1728,3 @@ protected synchronized void finalize() throws Throwable {
         super.finalize();
     }
 }
-

src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java

@@ -281,8 +281,12 @@ public WolfSSLImplementSSLSession (WolfSSLImplementSSLSession orig) {
         this.sesPtr = orig.sesPtr;
         this.sesPtrUpdatedAfterTable = false;
 
-        /* Not copying binding, not needed */
-        this.binding = null;
+        /* Copy binding HashMap so session values are preserved */
+        if (orig.binding != null) {
+            this.binding = new HashMap<String, Object>(orig.binding);
+        } else {
+            this.binding = new HashMap<String, Object>();
+        }
 
         WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
             () -> "created new session (WolfSSLImplementSSLSession)");
@@ -669,52 +673,14 @@ public Certificate[] getLocalCertificates() {
     public synchronized Principal getPeerPrincipal()
         throws SSLPeerUnverifiedException {
 
-        long peerX509 = 0;
-        Principal peerPrincipal = null;
-        WolfSSLX509 x509 = null;
-
-        if (ssl == null) {
-            throw new SSLPeerUnverifiedException("handshake not done");
-        }
-
-        /* Throw if server side with no client auth requested */
-        if (this.side == WolfSSL.WOLFSSL_SERVER_END &&
-            !this.clientAuthRequested) {
-            throw new SSLPeerUnverifiedException(
-                "peer not authenticated (no client auth requested)");
-        }
-
-        try {
-            peerX509 = this.ssl.getPeerCertificate();
-            if (peerX509 == 0) {
-                throw new SSLPeerUnverifiedException("No peer certificate");
-            }
-
-            /* wolfSSL starting with 5.3.0 returns a new WOLFSSL_X509
-             * structure from wolfSSL_get_peer_certificate(). In that case,
-             * we need to free the pointer when finished. Prior to 5.3.0,
-             * this memory was freed internally by wolfSSL since the API
-             * only returned a pointer to internal memory */
-            if (WolfSSL.getLibVersionHex() >= 0x05003000) {
-                x509 = new WolfSSLX509(peerX509, true);
-            }
-            else {
-                x509 = new WolfSSLX509(peerX509, false);
-            }
-
-            if (x509 != null) {
-                peerPrincipal = x509.getSubjectDN();
-                x509.free();
-            }
-
-            return peerPrincipal;
-
-        } catch (IllegalStateException | WolfSSLJNIException |
-                WolfSSLException ex) {
-            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-                () -> "Error getting peer principal: " + ex.getMessage());
+        /* Use standard Java X509Certificate.getSubjectDN()
+         * for X500Name equals() compatibility */
+        Certificate[] certs = getPeerCertificates();
+        if (certs != null && certs.length > 0 &&
+            certs[0] instanceof X509Certificate) {
+            return ((X509Certificate) certs[0]).getSubjectDN();
         }
-        return null;
+        throw new SSLPeerUnverifiedException("No peer certificate");
     }
 
     @Override