From 987c443888ce2c47144ce0130c25b356416e2925 Mon Sep 17 00:00:00 2001
From: Norman Maurer
Date: Fri, 18 May 2018 19:36:57 +0200
Subject: [PATCH] Use ByteBufAllocator used by the ReferenceCountedOpenSslEngine when build key-material. (#7952)
Motivation: When we build the key-material we should use the ByteBufAllocator used by the ReferenceCountedOpenSslEngine when possible.
Modifications: Whenever we have access to the ReferenceCountedOpenSslEngine we use its allocator.
Result: Use correct allocator
---
 .../main/java/io/netty/handler/ssl/OpenSsl.java | 4 ++--
 .../handler/ssl/OpenSslKeyMaterialManager.java | 16 ++++++++--------
 .../ssl/ReferenceCountedOpenSslContext.java | 8 +++-----
 .../ssl/ReferenceCountedOpenSslEngine.java | 2 +-
 .../ReferenceCountedOpenSslServerContext.java | 3 ++-
 5 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java b/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java
index 6ad934fbc6..27753d2284 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java
@@ -17,6 +17,7 @@ package io.netty.handler.ssl;
 import io.netty.buffer.ByteBuf;
+import io.netty.buffer.ByteBufAllocator;
 import io.netty.handler.ssl.util.SelfSignedCertificate;
 import io.netty.internal.tcnative.Buffer;
 import io.netty.internal.tcnative.Library;
@@ -33,7 +34,6 @@ import io.netty.util.internal.logging.InternalLoggerFactory;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.LinkedHashSet;
 import java.util.List;
@@ -157,7 +157,7 @@ public final class OpenSsl {
 }
 try {
 cert = new SelfSignedCertificate();
- certBio = ReferenceCountedOpenSslContext.toBIO(cert.cert());
+ certBio = ReferenceCountedOpenSslContext.toBIO(ByteBufAllocator.DEFAULT, cert.cert());
 SSL.setCertificateChainBio(ssl, certBio, false);
 supportsKeyManagerFactory = true;
 try {
diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslKeyMaterialManager.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslKeyMaterialManager.java
index 2e48e8b04b..fd2a7ee8b8 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslKeyMaterialManager.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslKeyMaterialManager.java
@@ -79,7 +79,7 @@ class OpenSslKeyMaterialManager {
 if (type != null) {
 String alias = chooseServerAlias(engine, type);
 if (alias != null && aliases.add(alias)) {
- setKeyMaterial(ssl, alias);
+ setKeyMaterial(ssl, alias, engine.alloc);
 }
 }
 }
@@ -101,10 +101,10 @@ class OpenSslKeyMaterialManager {
 }
 PrivateKey key = keyManager.getPrivateKey(alias);
- keyCertChainBio = toBIO(certificates);
+ keyCertChainBio = toBIO(engine.alloc, certificates);
 certChain = SSL.parseX509Chain(keyCertChainBio);
 if (key != null) {
- keyBio = toBIO(key);
+ keyBio = toBIO(engine.alloc, key);
 pkey = SSL.parsePrivateKey(keyBio, password);
 }
 CertificateRequestedCallback.KeyMaterial material = new CertificateRequestedCallback.KeyMaterial(
@@ -127,7 +127,7 @@ class OpenSslKeyMaterialManager {
 }
 }
- private void setKeyMaterial(long ssl, String alias) throws SSLException {
+ private void setKeyMaterial(long ssl, String alias, ByteBufAllocator allocator) throws SSLException {
 long keyBio = 0;
 long keyCertChainBio = 0;
 long keyCertChainBio2 = 0;
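Review bot: In the `keyBio = toBIO(engine.alloc, key)` line the PEM encoding of the private key is now written through whatever allocator the engine carries, and if that allocator is pooled the key bytes can remain in pool memory after the BIO is built unless every intermediate copy is wiped before release. Whether `PemPrivateKey.toPEM` and `toBIO(ByteBufAllocator, PemEncoded)` zero those buffers is outside this hunk, so please confirm it rather than assume it; a comment such as `// key PEM may go through a pooled allocator: relies on toBIO/PemPrivateKey zeroing sensitive buffers before release` would record the dependency. `engine.alloc` is also dereferenced twice here with no null guard, so if the engine constructor does not already reject a null allocator both calls would fail with a NullPointerException inside the certificate callback. The enclosing method starts before the hunk and its BIO cleanup is not visible here.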
@@ -142,13 +142,13 @@ class OpenSslKeyMaterialManager {
 PrivateKey key = keyManager.getPrivateKey(alias);
 // Only encode one time
- PemEncoded encoded = PemX509Certificate.toPEM(ByteBufAllocator.DEFAULT, true, certificates);
+ PemEncoded encoded = PemX509Certificate.toPEM(allocator, true, certificates);
 try {
- keyCertChainBio = toBIO(ByteBufAllocator.DEFAULT, encoded.retain());
- keyCertChainBio2 = toBIO(ByteBufAllocator.DEFAULT, encoded.retain());
+ keyCertChainBio = toBIO(allocator, encoded.retain());
+ keyCertChainBio2 = toBIO(allocator, encoded.retain());
 if (key != null) {
- keyBio = toBIO(key);
+ keyBio = toBIO(allocator, key);
 }
 SSL.setCertificateBio(ssl, keyCertChainBio, keyBio, password);
diff --git a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
index a695d2d689..84cf6da0a7 100644
--- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
@@ -710,7 +710,7 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
 keyCertChainBio2 = toBIO(ByteBufAllocator.DEFAULT, encoded.retain());
 if (key != null) {
- keyBio = toBIO(key);
+ keyBio = toBIO(ByteBufAllocator.DEFAULT, key);
 }
 SSLContext.setCertificateBio(
@@ -742,12 +742,11 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
 * Return the pointer to a in-memory BIO
 * or {@code 0} if the {@code key} is {@code null}. The BIO contains the content of the {@code key}.
 */
- static long toBIO(PrivateKey key) throws Exception {
+ static long toBIO(ByteBufAllocator allocator, PrivateKey key) throws Exception {
 if (key == null) {
 return 0;
 }
- ByteBufAllocator allocator = ByteBufAllocator.DEFAULT;
 PemEncoded pem = PemPrivateKey.toPEM(allocator, true, key);
 try {
 return toBIO(allocator, pem.retain());
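Review bot: The Javadoc above `static long toBIO(ByteBufAllocator allocator, PrivateKey key)` still describes only `key`, so the new parameter and the fact that the caller now chooses where private-key bytes are buffered go undocumented. Add `@param allocator allocator backing the PEM encoding and the copy handed to OpenSSL; if it is pooled, confirm those buffers are zeroed before release`, `@param key private key to encode, may be {@code null}` and `@return pointer to the BIO, or {@code 0} when {@code key} is {@code null}`. The method also hands `allocator` straight to `PemPrivateKey.toPEM` without a null check, so a null argument surfaces as a NullPointerException from inside the PEM encoder rather than at the boundary; a fail-fast guard before the `key == null` return would give a clearer error. The method body continues past the end of the hunk.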
@@ -760,7 +759,7 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
 * Return the pointer to a in-memory BIO
 * or {@code 0} if the {@code certChain} is {@code null}. The BIO contains the content of the {@code certChain}.
 */
- static long toBIO(X509Certificate... certChain) throws Exception {
+ static long toBIO(ByteBufAllocator allocator, X509Certificate... certChain) throws Exception {
 if (certChain == null) {
 return 0;
 }
@@ -769,7 +768,6 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
 throw new IllegalArgumentException("certChain can't be empty");
 }
- ByteBufAllocator allocator = ByteBufAllocator.DEFAULT;
 PemEncoded pem = PemX509Certificate.toPEM(allocator, true, certChain);
 try {
 return toBIO(allocator, pem.retain());
diff --git a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
index 21770f128c..788a620f91 100644
--- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
+++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
@@ -209,7 +209,7 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
 final boolean jdkCompatibilityMode;
 private final boolean clientMode;
- private final ByteBufAllocator alloc;
+ final ByteBufAllocator alloc;
 private final OpenSslEngineMap engineMap;
 private final OpenSslApplicationProtocolNegotiator apn;
 private final OpenSslSession session;
diff --git a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslServerContext.java b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslServerContext.java
index 4c9df3148c..8eb4940c40 100644
--- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslServerContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslServerContext.java
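Review bot: The Javadoc above `static long toBIO(ByteBufAllocator allocator, X509Certificate... certChain)` does not mention the new `allocator` parameter, so callers cannot tell from the contract what the allocator is used for. Add `@param allocator allocator used for the PEM encoding and the buffer handed to OpenSSL`, `@param certChain chain to encode, may be {@code null}` and `@return pointer to the BIO, or {@code 0} when {@code certChain} is {@code null}`; it may also be worth stating that certificates are public material and so, unlike the private-key overload, carry no wiping obligation, if that matches what `PemX509Certificate` does. As with the key overload, `allocator` is not null-checked before use. The method body continues past the hunk into the empty-chain check and the PEM encoding.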
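Review bot: Widening `alloc` from `private final` to package-private `final ByteBufAllocator alloc;` exposes engine state to every class in `io.netty.handler.ssl` without any note of who is meant to read it. A one-line comment above the field, `// package-private so OpenSslKeyMaterialManager can build key material with the engine's allocator`, would stop a later cleanup from making it private again and discourage other package classes from treating it as a general accessor. The field stays `final`, so the widening cannot introduce mutation, but a package-private getter would give the same access while leaving the field encapsulated. The enclosing class starts before and ends after this hunk.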
@@ -15,6 +15,7 @@
 */
 package io.netty.handler.ssl;
+import io.netty.buffer.ByteBufAllocator;
 import io.netty.internal.tcnative.SSL;
 import io.netty.internal.tcnative.SSLContext;
 import io.netty.internal.tcnative.SniHostNameMatcher;
@@ -162,7 +163,7 @@ public final class ReferenceCountedOpenSslServerContext extends ReferenceCounted
 if (issuers != null && issuers.length > 0) {
 long bio = 0;
 try {
- bio = toBIO(issuers);
+ bio = toBIO(ByteBufAllocator.DEFAULT, issuers);
 if (!SSLContext.setCACertificateBio(ctx, bio)) {
 throw new SSLException("unable to setup accepted issuers for trustmanager " + manager);
 }
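Review bot: `bio = toBIO(ByteBufAllocator.DEFAULT, issuers)` keeps the default allocator while the rest of the commit moves call sites onto the engine's allocator, and the hunk gives no hint why, so a later reader may try to "fix" it. A comment such as `// no engine exists while the context is being built, so the default allocator is the only option here` would record the reason, assuming that is indeed the reason. The `try` opened in this hunk is closed outside it, so the release of `bio` is not visible in this view.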