Correctly throw SSLPeerUnverifiedException if peers identity has not been verified

Motivation:

As stated in the SSLSession javadocs, the getPeer* methods need to throw an SSLPeerUnverifiedException if the peer's identity has not been verified.

Modifications:

- Correctly throw SSLPeerUnverifiedException
- Add test for it.

Result:

Correctly behave like descripted in javadocs.
Norman Maurer 2015-09-09 10:05:55 +02:00
parent 2dde3a386b
commit 6e3acfeb06
2 changed files with 37 additions and 5 deletions


@ -1528,7 +1528,7 @@ public final class OpenSslEngine extends SSLEngine {
@Override
public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
synchronized (OpenSslEngine.this) {
if (peerCerts == null) {
if (peerCerts == null || peerCerts.length == 0) {
throw new SSLPeerUnverifiedException("peer not verified");
}
return peerCerts;
@ -1544,7 +1544,7 @@ public final class OpenSslEngine extends SSLEngine {
@Override
public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
synchronized (OpenSslEngine.this) {
if (x509PeerCerts == null) {
if (x509PeerCerts == null || x509PeerCerts.length == 0) {
throw new SSLPeerUnverifiedException("peer not verified");
}
return x509PeerCerts;
@ -1554,9 +1554,8 @@ public final class OpenSslEngine extends SSLEngine {
@Override
public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
Certificate[] peer = getPeerCertificates();
if (peer == null || peer.length == 0) {
return null;
}
// No need for null or length > 0 is needed as this is done in getPeerCertificates()
// already.
return ((java.security.cert.X509Certificate) peer[0]).getSubjectX500Principal();
}
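Review bot: `getPeerCertificates()` and `getPeerCertificateChain()` still hand back the engine's internal arrays on the `return peerCerts;` / `return x509PeerCerts;` context lines, so a caller can overwrite an element and every later call on the session, including the `peer[0]` that `getPeerPrincipal()` now casts without any further check, sees the tampered chain; returning `peerCerts.clone()` (and `x509PeerCerts.clone()`) under the same lock closes that hole. The added `length == 0` check distinguishes "no certificate received" from "certificate received", not whether a received chain passed validation; if validation happens elsewhere, a one-line comment such as `// Empty or absent chain: the peer sent no certificate. Validation of a present chain is not decided here.` would keep the next reader from over-trusting the non-throwing path. The new comment in `getPeerPrincipal()` reads awkwardly; suggest `// No null/length check needed: getPeerCertificates() already throws SSLPeerUnverifiedException for an unverified peer.`. The closing braces of all three methods lie outside these hunks.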


@ -29,6 +29,8 @@ import io.netty.handler.logging.LoggingHandler;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import io.netty.util.ReferenceCountUtil;
@ -39,6 +41,8 @@ import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.junit.runners.Parameterized.Parameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import java.io.File;
import java.io.IOException;
import java.security.cert.CertificateException;
@ -209,5 +213,34 @@ public class SocketSslGreetingTest extends AbstractSocketTest {
exception.compareAndSet(null, cause);
ctx.close();
}
@Override
public void userEventTriggered(final ChannelHandlerContext ctx, final Object evt) throws Exception {
if (evt instanceof SslHandshakeCompletionEvent) {
final SslHandshakeCompletionEvent event = (SslHandshakeCompletionEvent) evt;
if (event.isSuccess()) {
SSLSession session = ctx.pipeline().get(SslHandler.class).engine().getSession();
try {
session.getPeerCertificates();
fail();
} catch (SSLPeerUnverifiedException e) {
// expected
}
try {
session.getPeerCertificateChain();
fail();
} catch (SSLPeerUnverifiedException e) {
// expected
}
try {
session.getPeerPrincipal();
fail();
} catch (SSLPeerUnverifiedException e) {
// expected
}
}
}
ctx.fireUserEventTriggered(evt);
}
}
}
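Review bot: The new `userEventTriggered` only asserts that every `getPeer*` call throws, and nothing asserts that the side which does receive a chain (presumably the peer of the `SelfSignedCertificate` holder) still gets it back, so an engine that always threw `SSLPeerUnverifiedException` would pass this test; a matching positive check in the other handler would pin both halves of the fix. Which side of the connection this handler sits on is not visible from the hunk, so the note assumes it is the side without client authentication. The three try/`fail()`/catch blocks differ only in the method called; a small helper such as `assertPeerUnverified(session)` would remove the duplication, and the unused `e` in each `catch` is conventionally named `expected` with a one-word comment. Since `fail()` throws `AssertionError` on the event loop, it appears to reach the test only via `exceptionCaught` storing `cause` — worth a comment on the `fail()` lines so a reader knows the failure path is deliberate.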