From 6e9d2bf13c33757b5d1d44e1fbe20f4257239885 Mon Sep 17 00:00:00 2001
From: Norman Maurer <norman_maurer@apple.com>
Date: Wed, 17 Feb 2016 19:50:53 -0800
Subject: [PATCH] Correctly set the alert type depending of the
 CertificateException

Motivation:

Depending on the actual CertificateException we should set the correct alert type so it will be sent back to the remote peer and so make it easier for them to fix it.

Modification:

Correctly set the alert and not always just use a general alert.

Result:

It's easier for the remote peer to fix the problems.
---
 .../ssl/OpenSslCertificateException.java      | 80 +++++++++++++++++++
 .../io/netty/handler/ssl/OpenSslContext.java  | 22 ++++-
 pom.xml                                       |  3 +-
 3 files changed, 101 insertions(+), 4 deletions(-)
 create mode 100644 handler/src/main/java/io/netty/handler/ssl/OpenSslCertificateException.java

diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslCertificateException.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslCertificateException.java
new file mode 100644
index 0000000000..5d9bce0f0d
--- /dev/null
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslCertificateException.java
@@ -0,0 +1,80 @@
+/*
+ * Copyright 2016 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.ssl;
+
+import org.apache.tomcat.jni.CertificateVerifier;
+
+import java.security.cert.CertificateException;
+
+/**
+ * A special {@link CertificateException} which allows to specify which error code is included in the
+ * SSL Record. This only work when {@link SslProvider#OPENSSL} is used.
+ */
+public final class OpenSslCertificateException extends CertificateException {
+    private static final long serialVersionUID = 5542675253797129798L;
+
+    private final int errorCode;
+
+    /**
+     * Construct a new exception with the
+     * <a href="https://www.openssl.org/docs/manmaster/apps/verify.html">error code</a>.
+     */
+    public OpenSslCertificateException(int errorCode) {
+        this((String) null, errorCode);
+    }
+
+    /**
+     * Construct a new exception with the msg and
+     * <a href="https://www.openssl.org/docs/manmaster/apps/verify.html">error code</a> .
+     */
+    public OpenSslCertificateException(String msg, int errorCode) {
+        super(msg);
+        this.errorCode = checkErrorCode(errorCode);
+    }
+
+    /**
+     * Construct a new exception with the msg, cause and
+     * <a href="https://www.openssl.org/docs/manmaster/apps/verify.html">error code</a> .
+     */
+    public OpenSslCertificateException(String message, Throwable cause, int errorCode) {
+        super(message, cause);
+        this.errorCode = checkErrorCode(errorCode);
+    }
+
+    /**
+     * Construct a new exception with the cause and
+     * <a href="https://www.openssl.org/docs/manmaster/apps/verify.html">error code</a> .
+     */
+    public OpenSslCertificateException(Throwable cause, int errorCode) {
+        this(null, cause, errorCode);
+    }
+
+    /**
+     * Return the <a href="https://www.openssl.org/docs/manmaster/apps/verify.html">error code</a> to use.
+     */
+    public int errorCode() {
+        return errorCode;
+    }
+
+    private static int checkErrorCode(int errorCode) {
+        if (errorCode < CertificateVerifier.X509_V_OK || errorCode > CertificateVerifier.X509_V_ERR_DANE_NO_MATCH) {
+            throw new IllegalArgumentException("errorCode must be " + CertificateVerifier.X509_V_OK + " => "
+                    + CertificateVerifier.X509_V_ERR_DANE_NO_MATCH +
+                    ". See https://www.openssl.org/docs/manmaster/apps/verify.html .");
+        }
+        return errorCode;
+    }
+}
diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java
index 8b3c7ea656..1dceb7885e 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java
@@ -37,6 +37,9 @@ import javax.net.ssl.X509ExtendedTrustManager;
 import javax.net.ssl.X509TrustManager;
 import java.security.PrivateKey;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.CertificateRevokedException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -449,19 +452,32 @@ public abstract class OpenSslContext extends SslContext {
 
     abstract class AbstractCertificateVerifier implements CertificateVerifier {
         @Override
-        public final boolean verify(long ssl, byte[][] chain, String auth) {
+        public final int verify(long ssl, byte[][] chain, String auth) {
             X509Certificate[] peerCerts = certificates(chain);
             final OpenSslEngine engine = engineMap.remove(ssl);
             try {
                 verify(engine, peerCerts, auth);
-                return true;
+                return CertificateVerifier.X509_V_OK;
             } catch (Throwable cause) {
                 logger.debug("verification of certificate failed", cause);
                 SSLHandshakeException e = new SSLHandshakeException("General OpenSslEngine problem");
                 e.initCause(cause);
                 engine.handshakeException = e;
+
+                if (cause instanceof OpenSslCertificateException) {
+                    return ((OpenSslCertificateException) cause).errorCode();
+                }
+                if (cause instanceof CertificateExpiredException) {
+                    return CertificateVerifier.X509_V_ERR_CERT_HAS_EXPIRED;
+                }
+                if (cause instanceof CertificateNotYetValidException) {
+                    return CertificateVerifier.X509_V_ERR_CERT_NOT_YET_VALID;
+                }
+                if (PlatformDependent.javaVersion() >= 7 && cause instanceof CertificateRevokedException) {
+                    return CertificateVerifier.X509_V_ERR_CERT_REVOKED;
+                }
+                return CertificateVerifier.X509_V_ERR_UNSPECIFIED;
             }
-            return false;
         }
 
         abstract void verify(OpenSslEngine engine, X509Certificate[] peerCerts, String auth) throws Exception;
diff --git a/pom.xml b/pom.xml
index db10f66126..de9bdc0321 100644
--- a/pom.xml
+++ b/pom.xml
@@ -223,7 +223,7 @@
     <!-- Fedora-"like" systems. This is currently only used for the netty-tcnative dependency -->
     <os.detection.classifierWithLikes>fedora</os.detection.classifierWithLikes>
     <tcnative.artifactId>netty-tcnative</tcnative.artifactId>
-    <tcnative.version>1.1.33.Fork13</tcnative.version>
+    <tcnative.version>1.1.33.Fork14</tcnative.version>
     <tcnative.classifier>${os.detected.classifier}</tcnative.classifier>
     <epoll.classifier>${os.detected.name}-${os.detected.arch}</epoll.classifier>
   </properties>
@@ -676,6 +676,7 @@
             <ignore>javax.net.ssl.X509ExtendedTrustManager</ignore>
             <ignore>javax.net.ssl.SSLParameters</ignore>
             <ignore>java.security.AlgorithmConstraints</ignore>
+            <ignore>java.security.cert.CertificateRevokedException</ignore>
 
             <ignore>java.util.concurrent.ConcurrentLinkedDeque</ignore>
           </ignores>