Allow to use custom TrustManagerFactory for JdkSslServerContent and OpenSslServerContext

Motivation: When using client auth it is sometimes needed to use a custom TrustManagerFactory. Modifications: Allow to pass in TrustManagerFactory Result: It's now possible to use custom TrustManagerFactories for JdkSslServerContext and OpenSslServerContext
2014-10-22 11:18:00 +02:00 · 2014-10-22 11:18:00 +02:00 · 0f152cfbc4
commit 0f152cfbc4
parent 8eddeb1ddd
2 changed files with 27 additions and 29 deletions
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java
@ -67,7 +67,8 @@ public final class OpenSslServerContext extends OpenSslContext {
     *                    {@code null} if it's not password-protected.
     */
    public OpenSslServerContext(File certChainFile, File keyFile, String keyPassword) throws SSLException {
-        this(certChainFile, keyFile, keyPassword, null, OpenSslDefaultApplicationProtocolNegotiator.INSTANCE, 0, 0);
+        this(certChainFile, keyFile, keyPassword, null, null,
+            OpenSslDefaultApplicationProtocolNegotiator.INSTANCE, 0, 0);
    }

    /**
@ -89,7 +90,8 @@ public final class OpenSslServerContext extends OpenSslContext {
            File certChainFile, File keyFile, String keyPassword,
            Iterable<String> ciphers, ApplicationProtocolConfig apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
-        this(certChainFile, keyFile, keyPassword, ciphers, toNegotiator(apn, false), sessionCacheSize, sessionTimeout);
+        this(certChainFile, keyFile, keyPassword, null, ciphers,
+            toNegotiator(apn, false), sessionCacheSize, sessionTimeout);
    }

    /**
@ -108,7 +110,7 @@ public final class OpenSslServerContext extends OpenSslContext {
     *                       {@code 0} to use the default value.
     */
    public OpenSslServerContext(
-            File certChainFile, File keyFile, String keyPassword,
+            File certChainFile, File keyFile, String keyPassword, TrustManagerFactory trustManagerFactory,
            Iterable<String> ciphers, OpenSslApplicationProtocolNegotiator apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {

@ -190,11 +192,16 @@ public final class OpenSslServerContext extends OpenSslContext {

                    ks.setKeyEntry("key", key, keyPasswordChars, certChain.toArray(new Certificate[certChain.size()]));

-                    // This mimics the behavior of using SSLContext.init(...);
-                    TrustManagerFactory factory = TrustManagerFactory.getInstance(
+                    if (trustManagerFactory == null) {
+                        // Mimic the way SSLContext.getInstance(KeyManager[], null, null) works
+                        trustManagerFactory = TrustManagerFactory.getInstance(
                                TrustManagerFactory.getDefaultAlgorithm());
-                    factory.init((KeyStore) null);
-                    final X509TrustManager manager = chooseTrustManager(factory.getTrustManagers());
+                        trustManagerFactory.init((KeyStore) null);
+                    } else {
+                        trustManagerFactory.init(ks);
+                    }
+
+                    final X509TrustManager manager = chooseTrustManager(trustManagerFactory.getTrustManagers());
                    SSLContext.setCertVerifyCallback(ctx, new CertificateVerifier() {
                        @Override
                        public boolean verify(long ssl, byte[][] chain, String auth) {
--- a/handler/src/main/java/io/netty/handler/ssl/SslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/SslContext.java
@ -16,9 +16,7 @@

 package io.netty.handler.ssl;

-import io.netty.buffer.ByteBuf;
 import io.netty.buffer.ByteBufAllocator;
-import io.netty.buffer.ByteBufInputStream;
 import io.netty.channel.ChannelInitializer;
 import io.netty.channel.ChannelPipeline;

@ -35,17 +33,13 @@ import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
-import javax.security.auth.x500.X500Principal;
 import java.io.File;
 import java.io.IOException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.List;
@ -261,9 +255,6 @@ public abstract class SslContext {
                    trustCertChainFile, trustManagerFactory, keyCertChainFile, keyFile, keyPassword,
                    keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
        case OPENSSL:
-                if (trustCertChainFile != null) {
-                    throw new UnsupportedOperationException("OpenSSL provider does not support mutual authentication");
-                }
            return new OpenSslServerContext(
                    keyCertChainFile, keyFile, keyPassword,
                    ciphers, apn, sessionCacheSize, sessionTimeout);