diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkSslClientContext.java b/handler/src/main/java/io/netty/handler/ssl/JdkSslClientContext.java
index bd4647cb62..05296723b1 100644
--- a/handler/src/main/java/io/netty/handler/ssl/JdkSslClientContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslClientContext.java
@@ -123,10 +123,17 @@ public final class JdkSslClientContext extends JdkSslContext {
 ks.load(null, null);
 CertificateFactory cf = CertificateFactory.getInstance("X.509");
- for (ByteBuf buf: PemReader.readCertificates(certChainFile)) {
- X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteBufInputStream(buf));
- X500Principal principal = cert.getSubjectX500Principal();
- ks.setCertificateEntry(principal.getName("RFC2253"), cert);
+ ByteBuf[] certs = PemReader.readCertificates(certChainFile);
+ try {
+ for (ByteBuf buf: certs) {
+ X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteBufInputStream(buf));
+ X500Principal principal = cert.getSubjectX500Principal();
+ ks.setCertificateEntry(principal.getName("RFC2253"), cert);
+ }
+ } finally {
+ for (ByteBuf buf: certs) {
+ buf.release();
+ }
 }
 // Set up trust manager factory to use our key store.
diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkSslServerContext.java b/handler/src/main/java/io/netty/handler/ssl/JdkSslServerContext.java
index 236d334374..30f836385f 100644
--- a/handler/src/main/java/io/netty/handler/ssl/JdkSslServerContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslServerContext.java
@@ -117,7 +117,7 @@ public final class JdkSslServerContext extends JdkSslContext {
 ByteBuf encodedKeyBuf = PemReader.readPrivateKey(keyFile);
 byte[] encodedKey = new byte[encodedKeyBuf.readableBytes()];
- encodedKeyBuf.readBytes(encodedKey);
+ encodedKeyBuf.readBytes(encodedKey).release();
 PKCS8EncodedKeySpec encodedKeySpec = new PKCS8EncodedKeySpec(encodedKey);
 PrivateKey key;
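Review bot: The alias passed to `ks.setCertificateEntry` inside the new try block is still the subject DN, so two certificates in `certChainFile` that share a subject (for example a CA certificate re-issued with a new key) overwrite each other and only the last one remains as a trust anchor. A unique alias per entry avoids the silent drop, e.g. keep a counter and call `ks.setCertificateEntry(Integer.toString(i++), cert);`. The enclosing constructor starts and ends outside the hunk, so it should be confirmed that nothing reads the alias back by DN.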
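Review bot: The buffer holding the decoded PKCS#8 private key is released on the changed line without being wiped, so the key bytes stay in the released memory, and in `encodedKey`, until that memory happens to be reused. Zeroing before release shortens the exposure: `encodedKeyBuf.readBytes(encodedKey);` followed by `encodedKeyBuf.setZero(0, encodedKeyBuf.capacity()).release();`, and `Arrays.fill(encodedKey, (byte) 0);` once the `PrivateKey` has been generated further down, outside this hunk. Splitting the statement also makes it explicit that `release()` targets `encodedKeyBuf`; the chained form depends on `readBytes(byte[])` returning the same buffer.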
@@ -128,8 +128,15 @@ public final class JdkSslServerContext extends JdkSslContext {
 }
 List certChain = new ArrayList();
- for (ByteBuf buf: PemReader.readCertificates(certChainFile)) {
- certChain.add(cf.generateCertificate(new ByteBufInputStream(buf)));
+ ByteBuf[] certs = PemReader.readCertificates(certChainFile);
+ try {
+ for (ByteBuf buf: certs) {
+ certChain.add(cf.generateCertificate(new ByteBufInputStream(buf)));
+ }
+ } finally {
+ for (ByteBuf buf: certs) {
+ buf.release();
+ }
 }
 ks.setKeyEntry("key", key, keyPassword.toCharArray(), certChain.toArray(new Certificate[certChain.size()]));
diff --git a/handler/src/main/java/io/netty/handler/ssl/PemReader.java b/handler/src/main/java/io/netty/handler/ssl/PemReader.java
index 491359fe22..ee606000bf 100644
--- a/handler/src/main/java/io/netty/handler/ssl/PemReader.java
+++ b/handler/src/main/java/io/netty/handler/ssl/PemReader.java
@@ -71,7 +71,11 @@ final class PemReader {
 break;
 }
- certs.add(Base64.decode(Unpooled.copiedBuffer(m.group(1), CharsetUtil.US_ASCII)));
+ ByteBuf base64 = Unpooled.copiedBuffer(m.group(1), CharsetUtil.US_ASCII);
+ ByteBuf der = Base64.decode(base64);
+ base64.release();
+ certs.add(der);
+
 start = m.end();
 }
@@ -95,7 +99,10 @@ final class PemReader {
 throw new KeyException("found no private key: " + file);
 }
- return Base64.decode(Unpooled.copiedBuffer(m.group(1), CharsetUtil.US_ASCII));
+ ByteBuf base64 = Unpooled.copiedBuffer(m.group(1), CharsetUtil.US_ASCII);
+ ByteBuf der = Base64.decode(base64);
+ base64.release();
+ return der;
 }
 private static String readContent(File file) throws IOException {
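Review bot: The release loop in this `finally` block duplicates the one added to JdkSslClientContext in the same commit, and both stop at the first `release()` that throws, which would skip the remaining buffers and replace any exception raised by `generateCertificate`. A small shared helper that releases every element of the array, continuing past a failure, would keep the two call sites identical and make the cleanup best-effort. The enclosing constructor begins and ends outside the hunk.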
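Review bot: `base64.release()` in the certificate loop runs only when `Base64.decode` returns normally, so if decoding throws (for example on malformed Base64 in a PEM block) the temporary buffer is never released, and the `der` buffers already collected in `certs` are not released on that path either. Releasing in a `finally` closes the first gap: `try { certs.add(Base64.decode(base64)); } finally { base64.release(); }`. The private-key hunk below has the same shape and wants the same `try`/`finally` around its `Base64.decode` call. Because callers now own the returned buffers, the Javadoc of both methods should state that the caller must release them; both method bodies extend beyond the hunks.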