Do not try to init TrustManagerFactory if trustCertChainFile is null.

Motivation: We called TrustManagerFactory.init(...) even when the trustCertChainFile is null. This could lead to exceptions during the handshake. Modifications: Correctly only call TurstManagerFactory.init() if trustCertcChainFail is not null. Result: Correct behavior.
2015-05-20 16:28:26 +02:00 · 2015-05-20 16:28:26 +02:00 · 0b58e92bce
commit 0b58e92bce
parent 43ad8df741
1 changed files with 4 additions and 32 deletions
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java
@ -15,8 +15,6 @@
 */
 package io.netty.handler.ssl;
 import io.netty.buffer.ByteBuf;
 import io.netty.buffer.ByteBufInputStream;
 import org.apache.tomcat.jni.SSL;
 import org.apache.tomcat.jni.SSLContext;
@ -26,13 +24,8 @@ import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509ExtendedTrustManager;
 import javax.net.ssl.X509TrustManager;
 import javax.security.auth.x500.X500Principal;
 import java.io.File;
 import java.io.IOException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 /**
@ -223,12 +216,13 @@ public final class OpenSslClientContext extends OpenSslContext {
                SSLContext.setVerify(ctx, SSL.SSL_VERIFY_NONE, VERIFY_DEPTH);
                try {
-                    // Set up trust manager factory to use our key store.
+                    if (trustCertChainFile != null) {
-                    if (trustManagerFactory == null) {
+                        trustManagerFactory = buildTrustManagerFactory(trustCertChainFile, trustManagerFactory);
                    } else if (trustManagerFactory == null) {
                        trustManagerFactory = TrustManagerFactory.getInstance(
                                TrustManagerFactory.getDefaultAlgorithm());
                        trustManagerFactory.init((KeyStore) null);
                    }
                    initTrustManagerFactory(trustCertChainFile, trustManagerFactory);
                    final X509TrustManager manager = chooseTrustManager(trustManagerFactory.getTrustManagers());
                    // Use this to prevent an error when running on java < 7
@ -263,28 +257,6 @@ public final class OpenSslClientContext extends OpenSslContext {
        }
    }
    private static void initTrustManagerFactory(File certChainFile, TrustManagerFactory trustManagerFactory)
            throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        if (certChainFile != null) {
            ByteBuf[] certs = PemReader.readCertificates(certChainFile);
            try {
                for (ByteBuf buf: certs) {
                    X509Certificate cert = (X509Certificate) X509_CERT_FACTORY.generateCertificate(
                            new ByteBufInputStream(buf));
                    X500Principal principal = cert.getSubjectX500Principal();
                    ks.setCertificateEntry(principal.getName("RFC2253"), cert);
                }
            } finally {
                for (ByteBuf buf: certs) {
                    buf.release();
                }
            }
        }
        trustManagerFactory.init(ks);
    }
    @Override
    public OpenSslSessionContext sessionContext() {
        return sessionContext;