[#4722] Ensure the whole certificate chain is used when creating SslContext for client mode and SslProvider.OPENSSL is used

Motivation:

We incorrectly added the trustCertChain as certificate chain when OpenSslClientContext was created. We need to correctly add the keyCertChain.

Modifications:

Correctly add whole keyCertChain.

Result:

SSL client auth is working when using OpenSslClientContext and more than one cert is contained in the certificate chain.
Norman Maurer 2016-01-22 21:18:26 +01:00
parent fd7df34d47
commit 3c254a7210


@ -191,17 +191,6 @@ public final class OpenSslClientContext extends OpenSslContext {
"Either both keyCertChainFile and keyFile needs to be null or none of them"); "Either both keyCertChainFile and keyFile needs to be null or none of them");
} }
synchronized (OpenSslContext.class) { synchronized (OpenSslContext.class) {
if (trustCertChainFile != null) {
/* Load the certificate chain. We must NOT skip the first cert when client mode */
if (!SSLContext.setCertificateChainFile(ctx, trustCertChainFile.getPath(), false)) {
long error = SSL.getLastErrorNumber();
if (OpenSsl.isError(error)) {
throw new SSLException(
"failed to set certificate chain: "
+ trustCertChainFile + " (" + SSL.getErrorString(error) + ')');
}
}
}
if (keyCertChainFile != null && keyFile != null) { if (keyCertChainFile != null && keyFile != null) {
/* Load the certificate file and private key. */ /* Load the certificate file and private key. */
try { try {
@ -214,6 +203,16 @@ public final class OpenSslClientContext extends OpenSslContext {
" (" + SSL.getErrorString(error) + ')'); " (" + SSL.getErrorString(error) + ')');
} }
} }
// We may have more then one cert in the chain so add all of them now. We must NOT skip the
// first cert when client mode.
if (!SSLContext.setCertificateChainFile(ctx, keyCertChainFile.getPath(), false)) {
long error = SSL.getLastErrorNumber();
if (OpenSsl.isError(error)) {
throw new SSLException(
"failed to set certificate chain: "
+ keyCertChainFile + " (" + SSL.getErrorString(error) + ')');
}
}
} catch (SSLException e) { } catch (SSLException e) {
throw e; throw e;
} catch (Exception e) { } catch (Exception e) {
@ -281,28 +280,6 @@ public final class OpenSslClientContext extends OpenSslContext {
"Either both keyCertChain and key needs to be null or none of them"); "Either both keyCertChain and key needs to be null or none of them");
} }
synchronized (OpenSslContext.class) { synchronized (OpenSslContext.class) {
if (trustCertChain != null) {
long trustCertChainBio = 0;
try {
trustCertChainBio = toBIO(trustCertChain);
/* Load the certificate chain. We must NOT skip the first cert when client mode */
if (!SSLContext.setCertificateChainBio(ctx, trustCertChainBio, false)) {
long error = SSL.getLastErrorNumber();
if (OpenSsl.isError(error)) {
throw new SSLException(
"failed to set certificate chain: " + SSL.getErrorString(error));
}
}
} catch (Exception e) {
throw new SSLException(
"failed to set certificate chain", e);
} finally {
if (trustCertChainBio != 0) {
SSL.freeBIO(trustCertChainBio);
}
}
}
if (keyCertChain != null && key != null) { if (keyCertChain != null && key != null) {
/* Load the certificate file and private key. */ /* Load the certificate file and private key. */
long keyBio = 0; long keyBio = 0;
@ -321,6 +298,15 @@ public final class OpenSslClientContext extends OpenSslContext {
+ SSL.getErrorString(error)); + SSL.getErrorString(error));
} }
} }
// We may have more then one cert in the chain so add all of them now. We must NOT skip the
// first cert when client mode.
if (!SSLContext.setCertificateChainBio(ctx, keyCertChainBio, false)) {
long error = SSL.getLastErrorNumber();
if (OpenSsl.isError(error)) {
throw new SSLException(
"failed to set certificate chain: " + SSL.getErrorString(error));
}
}
} catch (SSLException e) { } catch (SSLException e) {
throw e; throw e;
} catch (Exception e) { } catch (Exception e) {
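Review bot: The new `SSLContext.setCertificateChainBio(ctx, keyCertChainBio, false)` call in the last hunk passes the same `keyCertChainBio` that the lines just above the hunk (outside this view) presumably already handed to the certificate/key loading call; a memory BIO is consumed as it is read, so if that is the case the chain call may start after the leaf certificate or read nothing at all, and the chain the commit intends to install would be incomplete without any error being raised. A fresh BIO created from `keyCertChain` for the chain call, e.g. `long chainBio = toBIO(keyCertChain);` passed as `SSLContext.setCertificateChainBio(ctx, chainBio, false)` and released in the method's `finally` alongside `keyCertChainBio`, would avoid depending on the first call's read position. In both new blocks (the file variant as well), a `false` return is only turned into an `SSLException` when `OpenSsl.isError(error)` holds, so a failed chain load with no queued OpenSSL error passes silently; a comment such as `// A false return without a queued OpenSSL error is not reported here` would at least make that explicit, or the check could throw unconditionally on `false`. The enclosing constructor starts and ends outside the hunk.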