[#4722] Ensure the whole certificate chain is used when creating SslContext for client mode and SslProvider.OPENSSL is used
Motivation: We incorrectly added the trustCertChain as certificate chain when OpenSslClientContext was created. We need to correctly add the keyCertChain. Modifications: Correctly add whole keyCertChain. Result: SSL client auth is working when usin OpenSslClientContext and more then one cert is contained in the certificate chain.
This commit is contained in:
parent
fd7df34d47
commit
3c254a7210
@ -191,17 +191,6 @@ public final class OpenSslClientContext extends OpenSslContext {
|
||||
"Either both keyCertChainFile and keyFile needs to be null or none of them");
|
||||
}
|
||||
synchronized (OpenSslContext.class) {
|
||||
if (trustCertChainFile != null) {
|
||||
/* Load the certificate chain. We must NOT skip the first cert when client mode */
|
||||
if (!SSLContext.setCertificateChainFile(ctx, trustCertChainFile.getPath(), false)) {
|
||||
long error = SSL.getLastErrorNumber();
|
||||
if (OpenSsl.isError(error)) {
|
||||
throw new SSLException(
|
||||
"failed to set certificate chain: "
|
||||
+ trustCertChainFile + " (" + SSL.getErrorString(error) + ')');
|
||||
}
|
||||
}
|
||||
}
|
||||
if (keyCertChainFile != null && keyFile != null) {
|
||||
/* Load the certificate file and private key. */
|
||||
try {
|
||||
@ -214,6 +203,16 @@ public final class OpenSslClientContext extends OpenSslContext {
|
||||
" (" + SSL.getErrorString(error) + ')');
|
||||
}
|
||||
}
|
||||
// We may have more then one cert in the chain so add all of them now. We must NOT skip the
|
||||
// first cert when client mode.
|
||||
if (!SSLContext.setCertificateChainFile(ctx, keyCertChainFile.getPath(), false)) {
|
||||
long error = SSL.getLastErrorNumber();
|
||||
if (OpenSsl.isError(error)) {
|
||||
throw new SSLException(
|
||||
"failed to set certificate chain: "
|
||||
+ keyCertChainFile + " (" + SSL.getErrorString(error) + ')');
|
||||
}
|
||||
}
|
||||
} catch (SSLException e) {
|
||||
throw e;
|
||||
} catch (Exception e) {
|
||||
@ -281,28 +280,6 @@ public final class OpenSslClientContext extends OpenSslContext {
|
||||
"Either both keyCertChain and key needs to be null or none of them");
|
||||
}
|
||||
synchronized (OpenSslContext.class) {
|
||||
if (trustCertChain != null) {
|
||||
long trustCertChainBio = 0;
|
||||
|
||||
try {
|
||||
trustCertChainBio = toBIO(trustCertChain);
|
||||
/* Load the certificate chain. We must NOT skip the first cert when client mode */
|
||||
if (!SSLContext.setCertificateChainBio(ctx, trustCertChainBio, false)) {
|
||||
long error = SSL.getLastErrorNumber();
|
||||
if (OpenSsl.isError(error)) {
|
||||
throw new SSLException(
|
||||
"failed to set certificate chain: " + SSL.getErrorString(error));
|
||||
}
|
||||
}
|
||||
} catch (Exception e) {
|
||||
throw new SSLException(
|
||||
"failed to set certificate chain", e);
|
||||
} finally {
|
||||
if (trustCertChainBio != 0) {
|
||||
SSL.freeBIO(trustCertChainBio);
|
||||
}
|
||||
}
|
||||
}
|
||||
if (keyCertChain != null && key != null) {
|
||||
/* Load the certificate file and private key. */
|
||||
long keyBio = 0;
|
||||
@ -321,6 +298,15 @@ public final class OpenSslClientContext extends OpenSslContext {
|
||||
+ SSL.getErrorString(error));
|
||||
}
|
||||
}
|
||||
// We may have more then one cert in the chain so add all of them now. We must NOT skip the
|
||||
// first cert when client mode.
|
||||
if (!SSLContext.setCertificateChainBio(ctx, keyCertChainBio, false)) {
|
||||
long error = SSL.getLastErrorNumber();
|
||||
if (OpenSsl.isError(error)) {
|
||||
throw new SSLException(
|
||||
"failed to set certificate chain: " + SSL.getErrorString(error));
|
||||
}
|
||||
}
|
||||
} catch (SSLException e) {
|
||||
throw e;
|
||||
} catch (Exception e) {
|
||||
|
Loading…
x
Reference in New Issue
Block a user