Update to netty-tcnative 2.0.31.Final and make SslErrorTest more robust (#10392)

Motivation:

There was a new netty-tcnative release which we should use. Beside this the SSLErrorTest was quite fragile and so should be adjusted.

Modifications:

Update netty-tcnative and adjust test

Result:

Use latest netty-tcnative release
This commit is contained in:
Norman Maurer 2020-07-07 10:50:03 +02:00
parent f7fa9fce72
commit 0c79863db5
2 changed files with 27 additions and 27 deletions

View File

@ -54,6 +54,7 @@ import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
@ -255,28 +256,20 @@ public class SslErrorTest {
CertPathValidatorException.Reason reason =
((CertPathValidatorException) exception.getCause()).getReason();
if (reason == CertPathValidatorException.BasicReason.EXPIRED) {
verifyException(unwrappedCause, "expired", promise);
verifyException(unwrappedCause, promise, "expired");
} else if (reason == CertPathValidatorException.BasicReason.NOT_YET_VALID) {
// BoringSSL uses "expired" in this case while others use "bad"
if (OpenSsl.isBoringSSL()) {
verifyException(unwrappedCause, "expired", promise);
} else {
verifyException(unwrappedCause, "bad", promise);
}
// BoringSSL may use "expired" in this case while others use "bad"
verifyException(unwrappedCause, promise, "expired", "bad");
} else if (reason == CertPathValidatorException.BasicReason.REVOKED) {
verifyException(unwrappedCause, "revoked", promise);
verifyException(unwrappedCause, promise, "revoked");
}
} else if (exception instanceof CertificateExpiredException) {
verifyException(unwrappedCause, "expired", promise);
verifyException(unwrappedCause, promise, "expired");
} else if (exception instanceof CertificateNotYetValidException) {
// BoringSSL uses "expired" in this case while others use "bad"
if (OpenSsl.isBoringSSL()) {
verifyException(unwrappedCause, "expired", promise);
} else {
verifyException(unwrappedCause, "bad", promise);
}
// BoringSSL may use "expired" in this case while others use "bad"
verifyException(unwrappedCause, promise, "expired", "bad");
} else if (exception instanceof CertificateRevokedException) {
verifyException(unwrappedCause, "revoked", promise);
verifyException(unwrappedCause, promise, "revoked");
}
}
}
@ -284,19 +277,26 @@ public class SslErrorTest {
// Its a bit hacky to verify against the message that is part of the exception but there is no other way
// at the moment as there are no different exceptions for the different alerts.
private void verifyException(Throwable cause, String messagePart, Promise<Void> promise) {
private void verifyException(Throwable cause, Promise<Void> promise, String... messageParts) {
String message = cause.getMessage();
if (message.toLowerCase(Locale.UK).contains(messagePart.toLowerCase(Locale.UK)) ||
// When the error is produced on the client side and the client side uses JDK as provider it will always
// use "certificate unknown".
!serverProduceError && clientProvider == SslProvider.JDK &&
message.toLowerCase(Locale.UK).contains("unknown")) {
// When the error is produced on the client side and the client side uses JDK as provider it will always
// use "certificate unknown".
if (!serverProduceError && clientProvider == SslProvider.JDK &&
message.toLowerCase(Locale.UK).contains("unknown")) {
promise.setSuccess(null);
} else {
Throwable error = new AssertionError("message not contains '" + messagePart + "': " + message);
error.initCause(cause);
promise.setFailure(error);
return;
}
for (String m: messageParts) {
if (message.toLowerCase(Locale.UK).contains(m.toLowerCase(Locale.UK))) {
promise.setSuccess(null);
return;
}
}
Throwable error = new AssertionError("message not contains any of '"
+ Arrays.toString(messageParts) + "': " + message);
error.initCause(cause);
promise.setFailure(error);
}
private static final class TestCertificateException extends CertificateException {

View File

@ -346,7 +346,7 @@
<!-- keep in sync with PlatformDependent#ALLOWED_LINUX_OS_CLASSIFIERS -->
<os.detection.classifierWithLikes>fedora,suse,arch</os.detection.classifierWithLikes>
<tcnative.artifactId>netty-tcnative</tcnative.artifactId>
<tcnative.version>2.0.29.Final</tcnative.version>
<tcnative.version>2.0.31.Final</tcnative.version>
<tcnative.classifier>${os.detected.classifier}</tcnative.classifier>
<conscrypt.groupId>org.conscrypt</conscrypt.groupId>
<conscrypt.artifactId>conscrypt-openjdk-uber</conscrypt.artifactId>