Correctly throw SSLPeerUnverifiedException if peers identity has not been verified
Motivation: As stated in the SSLSession javadocs, the getPeer* methods need to throw an SSLPeerUnverifiedException if the peer's identity has not been verified. Modifications: - Correctly throw SSLPeerUnverifiedException - Add a test for it. Result: Correctly behave as described in the javadocs.
This commit is contained in:
parent
422a219e5d
commit
1a41e0154f
@ -1528,7 +1528,7 @@ public final class OpenSslEngine extends SSLEngine {
|
||||
@Override
|
||||
public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
|
||||
synchronized (OpenSslEngine.this) {
|
||||
if (peerCerts == null) {
|
||||
if (peerCerts == null || peerCerts.length == 0) {
|
||||
throw new SSLPeerUnverifiedException("peer not verified");
|
||||
}
|
||||
return peerCerts;
|
||||
@ -1544,7 +1544,7 @@ public final class OpenSslEngine extends SSLEngine {
|
||||
@Override
|
||||
public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
|
||||
synchronized (OpenSslEngine.this) {
|
||||
if (x509PeerCerts == null) {
|
||||
if (x509PeerCerts == null || x509PeerCerts.length == 0) {
|
||||
throw new SSLPeerUnverifiedException("peer not verified");
|
||||
}
|
||||
return x509PeerCerts;
|
||||
@ -1554,9 +1554,8 @@ public final class OpenSslEngine extends SSLEngine {
|
||||
@Override
|
||||
public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
|
||||
Certificate[] peer = getPeerCertificates();
|
||||
if (peer == null || peer.length == 0) {
|
||||
return null;
|
||||
}
|
||||
// No need for null or length > 0 is needed as this is done in getPeerCertificates()
|
||||
// already.
|
||||
return ((java.security.cert.X509Certificate) peer[0]).getSubjectX500Principal();
|
||||
}
|
||||
|
||||
|
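Review bot: getPeerCertificates() and getPeerCertificateChain() still hand out the engine's internal arrays (`return peerCerts;`, `return x509PeerCerts;`), so a caller can replace an entry of the chain that every later call on this session observes; returning `peerCerts.clone()` and `x509PeerCerts.clone()` after the new null/empty check would keep the verified chain read-only from the caller's side. The new comment in getPeerPrincipal reads awkwardly; suggest `// getPeerCertificates() already throws SSLPeerUnverifiedException for a null or empty chain, so peer[0] is safe here.` The cast of peer[0] to X509Certificate would surface as a ClassCastException rather than SSLPeerUnverifiedException if anything other than an X.509 certificate were ever stored in the array — presumably impossible here, but a short note in that comment would make the assumption explicit. The bodies of all three methods close outside the hunks.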
@ -29,6 +29,8 @@ import io.netty.handler.logging.LoggingHandler;
|
||||
import io.netty.handler.ssl.OpenSsl;
|
||||
import io.netty.handler.ssl.SslContext;
|
||||
import io.netty.handler.ssl.SslContextBuilder;
|
||||
import io.netty.handler.ssl.SslHandler;
|
||||
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
|
||||
import io.netty.handler.ssl.SslProvider;
|
||||
import io.netty.handler.ssl.util.SelfSignedCertificate;
|
||||
import io.netty.util.ReferenceCountUtil;
|
||||
@ -39,6 +41,8 @@ import org.junit.runner.RunWith;
|
||||
import org.junit.runners.Parameterized;
|
||||
import org.junit.runners.Parameterized.Parameters;
|
||||
|
||||
import javax.net.ssl.SSLPeerUnverifiedException;
|
||||
import javax.net.ssl.SSLSession;
|
||||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
import java.security.cert.CertificateException;
|
||||
@ -209,5 +213,34 @@ public class SocketSslGreetingTest extends AbstractSocketTest {
|
||||
exception.compareAndSet(null, cause);
|
||||
ctx.close();
|
||||
}
|
||||
|
||||
@Override
|
||||
public void userEventTriggered(final ChannelHandlerContext ctx, final Object evt) throws Exception {
|
||||
if (evt instanceof SslHandshakeCompletionEvent) {
|
||||
final SslHandshakeCompletionEvent event = (SslHandshakeCompletionEvent) evt;
|
||||
if (event.isSuccess()) {
|
||||
SSLSession session = ctx.pipeline().get(SslHandler.class).engine().getSession();
|
||||
try {
|
||||
session.getPeerCertificates();
|
||||
fail();
|
||||
} catch (SSLPeerUnverifiedException e) {
|
||||
// expected
|
||||
}
|
||||
try {
|
||||
session.getPeerCertificateChain();
|
||||
fail();
|
||||
} catch (SSLPeerUnverifiedException e) {
|
||||
// expected
|
||||
}
|
||||
try {
|
||||
session.getPeerPrincipal();
|
||||
fail();
|
||||
} catch (SSLPeerUnverifiedException e) {
|
||||
// expected
|
||||
}
|
||||
}
|
||||
}
|
||||
ctx.fireUserEventTriggered(evt);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
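Review bot: The handshake-completion handler only asserts inside the `event.isSuccess()` branch, so a failed handshake runs none of the three expectations and the test then relies on some other path to notice the failure. Recording it in the handler itself, `} else { exception.compareAndSet(null, event.cause()); }`, would make the check self-contained. The `fail()` calls depend on the AssertionError escaping userEventTriggered and being delivered to exceptionCaught above, which presumably is what stores it into `exception`; that is worth a one-line comment so a later reader does not think the try/catch swallows it. The three try/catch blocks differ only in the session call and could share a small helper, which would also keep the assertion message distinct per method instead of a bare `fail()`.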