From 0b58e92bce2568070bd0037c2bba6dfaa16fc88d Mon Sep 17 00:00:00 2001
From: Norman Maurer
Date: Wed, 20 May 2015 16:28:26 +0200
Subject: [PATCH] Do not try to init TrustManagerFactory if trustCertChainFile is null.

Motivation:

We called TrustManagerFactory.init(...) even when the trustCertChainFile is null. This could lead to exceptions during the handshake.

Modifications:

Correctly only call TurstManagerFactory.init() if trustCertcChainFail is not null.

Result:

Correct behavior.
---
 .../handler/ssl/OpenSslClientContext.java | 36 +++----------------
 1 file changed, 4 insertions(+), 32 deletions(-)

diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java
index 85f15d103b..a21bfa9106 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java
@@ -15,8 +15,6 @@
  */
 package io.netty.handler.ssl;
 
-import io.netty.buffer.ByteBuf;
-import io.netty.buffer.ByteBufInputStream;
 import org.apache.tomcat.jni.SSL;
 import org.apache.tomcat.jni.SSLContext;
 
@@ -26,13 +24,8 @@ import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509ExtendedTrustManager;
 import javax.net.ssl.X509TrustManager;
-import javax.security.auth.x500.X500Principal;
 import java.io.File;
-import java.io.IOException;
 import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 
 /**
@@ -223,12 +216,13 @@ public final class OpenSslClientContext extends OpenSslContext {
             SSLContext.setVerify(ctx, SSL.SSL_VERIFY_NONE, VERIFY_DEPTH);
 
             try {
-                // Set up trust manager factory to use our key store.
-                if (trustManagerFactory == null) {
+                if (trustCertChainFile != null) {
+                    trustManagerFactory = buildTrustManagerFactory(trustCertChainFile, trustManagerFactory);
+                } else if (trustManagerFactory == null) {
                     trustManagerFactory = TrustManagerFactory.getInstance(
                             TrustManagerFactory.getDefaultAlgorithm());
+                    trustManagerFactory.init((KeyStore) null);
                 }
-                initTrustManagerFactory(trustCertChainFile, trustManagerFactory);
                 final X509TrustManager manager = chooseTrustManager(trustManagerFactory.getTrustManagers());
 
                 // Use this to prevent an error when running on java < 7
@@ -263,28 +257,6 @@ public final class OpenSslClientContext extends OpenSslContext {
         }
     }
 
-    private static void initTrustManagerFactory(File certChainFile, TrustManagerFactory trustManagerFactory)
-            throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
-        KeyStore ks = KeyStore.getInstance("JKS");
-        ks.load(null, null);
-        if (certChainFile != null) {
-            ByteBuf[] certs = PemReader.readCertificates(certChainFile);
-            try {
-                for (ByteBuf buf: certs) {
-                    X509Certificate cert = (X509Certificate) X509_CERT_FACTORY.generateCertificate(
-                            new ByteBufInputStream(buf));
-                    X500Principal principal = cert.getSubjectX500Principal();
-                    ks.setCertificateEntry(principal.getName("RFC2253"), cert);
-                }
-            } finally {
-                for (ByteBuf buf: certs) {
-                    buf.release();
-                }
-            }
-        }
-        trustManagerFactory.init(ks);
-    }
-
     @Override
     public OpenSslSessionContext sessionContext() {
         return sessionContext;
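Review bot: The new `else if` branch widens what a client that supplies neither a trust chain file nor a factory trusts: `trustManagerFactory.init((KeyStore) null)` initializes the default-algorithm factory from the JDK's default trust store, whereas the removed `initTrustManagerFactory` initialized it from an empty JKS store that accepted no peer certificate. That is the fix the commit describes, but the fallback is invisible at the call site; add `// null KeyStore: fall back to the JDK default trust store` above the init call and state the same in the constructor's javadoc for trustCertChainFile. The remaining case — a caller-supplied factory with trustCertChainFile null — is now handed straight to `getTrustManagers()`, which throws IllegalStateException on a factory that was never initialized, so the javadoc should also say the caller's factory must already be initialized. The enclosing constructor starts and ends outside the hunk, and `buildTrustManagerFactory` is not visible here, so its behavior for a caller-supplied factory cannot be checked from this diff.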