Use ByteBufAllocator used by the ReferenceCountedOpenSslEngine when build key-material. (#7952)
Motivation: When we build the key material we should use the ByteBufAllocator used by the ReferenceCountedOpenSslEngine when possible. Modifications: Whenever we have access to the ReferenceCountedOpenSslEngine we use its allocator. Result: The correct allocator is used.
This commit is contained in:
parent
7727649b2c
commit
987c443888
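--- a/io/netty/handler/ssl/OpenSsl.java
+++ b/io/netty/handler/ssl/OpenSsl.java
@@ -17,6 +17,7 @@
 package io.netty.handler.ssl;
 
 import io.netty.buffer.ByteBuf;
+import io.netty.buffer.ByteBufAllocator;
 import io.netty.handler.ssl.util.SelfSignedCertificate;
 import io.netty.internal.tcnative.Buffer;
 import io.netty.internal.tcnative.Library;
@@ -33,7 +34,6 @@ import io.netty.util.internal.logging.InternalLoggerFactory;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.LinkedHashSet;
 import java.util.List;
@@ -157,7 +157,7 @@ public final class OpenSsl {
 }
 try {
 cert = new SelfSignedCertificate();
-certBio = ReferenceCountedOpenSslContext.toBIO(cert.cert());
+certBio = ReferenceCountedOpenSslContext.toBIO(ByteBufAllocator.DEFAULT, cert.cert());
 SSL.setCertificateChainBio(ssl, certBio, false);
 supportsKeyManagerFactory = true;
 try {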
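Review bot: The capability probe in OpenSsl now calls `toBIO(ByteBufAllocator.DEFAULT, cert.cert())` without saying why the default allocator is the right choice when the commit's stated goal is to use the engine's allocator, so a later reader may try to "fix" it. A one-line comment would settle it: `// No engine exists while probing OpenSSL capabilities, so the default allocator is the only one available.` The same remark applies to `keyBio = toBIO(ByteBufAllocator.DEFAULT, key)` in ReferenceCountedOpenSslContext and `bio = toBIO(ByteBufAllocator.DEFAULT, issuers)` in ReferenceCountedOpenSslServerContext, which as far as these hunks show run while a context is being built rather than per engine. The enclosing try block starts and ends outside this hunk.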
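--- a/io/netty/handler/ssl/OpenSslKeyMaterialManager.java
+++ b/io/netty/handler/ssl/OpenSslKeyMaterialManager.java
@@ -79,7 +79,7 @@ class OpenSslKeyMaterialManager {
 if (type != null) {
 String alias = chooseServerAlias(engine, type);
 if (alias != null && aliases.add(alias)) {
-setKeyMaterial(ssl, alias);
+setKeyMaterial(ssl, alias, engine.alloc);
 }
 }
 }
@@ -101,10 +101,10 @@ class OpenSslKeyMaterialManager {
 }
 
 PrivateKey key = keyManager.getPrivateKey(alias);
-keyCertChainBio = toBIO(certificates);
+keyCertChainBio = toBIO(engine.alloc, certificates);
 certChain = SSL.parseX509Chain(keyCertChainBio);
 if (key != null) {
-keyBio = toBIO(key);
+keyBio = toBIO(engine.alloc, key);
 pkey = SSL.parsePrivateKey(keyBio, password);
 }
 CertificateRequestedCallback.KeyMaterial material = new CertificateRequestedCallback.KeyMaterial(
@@ -127,7 +127,7 @@ class OpenSslKeyMaterialManager {
 }
 }
 
-private void setKeyMaterial(long ssl, String alias) throws SSLException {
+private void setKeyMaterial(long ssl, String alias, ByteBufAllocator allocator) throws SSLException {
 long keyBio = 0;
 long keyCertChainBio = 0;
 long keyCertChainBio2 = 0;
@@ -142,13 +142,13 @@ class OpenSslKeyMaterialManager {
 PrivateKey key = keyManager.getPrivateKey(alias);
 
 // Only encode one time
-PemEncoded encoded = PemX509Certificate.toPEM(ByteBufAllocator.DEFAULT, true, certificates);
+PemEncoded encoded = PemX509Certificate.toPEM(allocator, true, certificates);
 try {
-keyCertChainBio = toBIO(ByteBufAllocator.DEFAULT, encoded.retain());
-keyCertChainBio2 = toBIO(ByteBufAllocator.DEFAULT, encoded.retain());
+keyCertChainBio = toBIO(allocator, encoded.retain());
+keyCertChainBio2 = toBIO(allocator, encoded.retain());
 
 if (key != null) {
-keyBio = toBIO(key);
+keyBio = toBIO(allocator, key);
 }
 SSL.setCertificateBio(ssl, keyCertChainBio, keyBio, password);
 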
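Review bot: `setKeyMaterial(long ssl, String alias, ByteBufAllocator allocator)` gains a parameter that is neither documented nor validated, and the other two call sites read `engine.alloc` straight from the engine's field. I would add a Javadoc line such as `@param allocator allocator for the transient PEM encodings of the chain and key; callers pass the engine's allocator so these buffers come from the same pool as the engine's own`, and, unless the engine's constructor already rejects a null allocator (not visible here), a `ObjectUtil.checkNotNull(allocator, "allocator");` at the top so a null fails before any native BIO is created. Reading a package-private field from another class works but ties OpenSslKeyMaterialManager to the engine's field layout; a package-private accessor on the engine would keep that one indirection. The methods containing these hunks start and end outside them.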
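--- a/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
+++ b/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
@@ -710,7 +710,7 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
 keyCertChainBio2 = toBIO(ByteBufAllocator.DEFAULT, encoded.retain());
 
 if (key != null) {
-keyBio = toBIO(key);
+keyBio = toBIO(ByteBufAllocator.DEFAULT, key);
 }
 
 SSLContext.setCertificateBio(
@@ -742,12 +742,11 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
 * Return the pointer to a <a href="https://www.openssl.org/docs/crypto/BIO_get_mem_ptr.html">in-memory BIO</a>
 * or {@code 0} if the {@code key} is {@code null}. The BIO contains the content of the {@code key}.
 */
-static long toBIO(PrivateKey key) throws Exception {
+static long toBIO(ByteBufAllocator allocator, PrivateKey key) throws Exception {
 if (key == null) {
 return 0;
 }
 
-ByteBufAllocator allocator = ByteBufAllocator.DEFAULT;
 PemEncoded pem = PemPrivateKey.toPEM(allocator, true, key);
 try {
 return toBIO(allocator, pem.retain());
@@ -760,7 +759,7 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
 * Return the pointer to a <a href="https://www.openssl.org/docs/crypto/BIO_get_mem_ptr.html">in-memory BIO</a>
 * or {@code 0} if the {@code certChain} is {@code null}. The BIO contains the content of the {@code certChain}.
 */
-static long toBIO(X509Certificate... certChain) throws Exception {
+static long toBIO(ByteBufAllocator allocator, X509Certificate... certChain) throws Exception {
 if (certChain == null) {
 return 0;
 }
@@ -769,7 +768,6 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
 throw new IllegalArgumentException("certChain can't be empty");
 }
 
-ByteBufAllocator allocator = ByteBufAllocator.DEFAULT;
 PemEncoded pem = PemX509Certificate.toPEM(allocator, true, certChain);
 try {
 return toBIO(allocator, pem.retain());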
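Review bot: Both `toBIO` overloads gain a leading `allocator` parameter, but the Javadoc above each signature still describes only the return value and the null case, so the new contract is undocumented for the three classes that call these helpers in this commit. Add `@param allocator the allocator used for the temporary PEM encoding of the {@code key}` to the first overload and the equivalent line naming {@code certChain} to the second. Neither overload checks `allocator` for null, so a null would surface inside `PemPrivateKey.toPEM`/`PemX509Certificate.toPEM` rather than at the call boundary; a `ObjectUtil.checkNotNull(allocator, "allocator");` directly after the existing null/empty checks would make the failure point explicit. Each method body continues past its hunk.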
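--- a/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
+++ b/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
@@ -209,7 +209,7 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
 
 final boolean jdkCompatibilityMode;
 private final boolean clientMode;
-private final ByteBufAllocator alloc;
+final ByteBufAllocator alloc;
 private final OpenSslEngineMap engineMap;
 private final OpenSslApplicationProtocolNegotiator apn;
 private final OpenSslSession session;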
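Review bot: `alloc` is widened from `private` to package-private with no comment saying who reads it, so a later visibility cleanup could quietly make it private again and break OpenSslKeyMaterialManager at compile time. I would annotate the field: `// package-private: read by OpenSslKeyMaterialManager so key-material buffers come from this engine's allocator`, or alternatively keep it private and expose a package-private `ByteBufAllocator alloc()` accessor, which is how the neighbouring fields are kept encapsulated. The field is presumably assigned in the constructor, outside the hunk.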
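--- a/io/netty/handler/ssl/ReferenceCountedOpenSslServerContext.java
+++ b/io/netty/handler/ssl/ReferenceCountedOpenSslServerContext.java
@@ -15,6 +15,7 @@
 */
 package io.netty.handler.ssl;
 
+import io.netty.buffer.ByteBufAllocator;
 import io.netty.internal.tcnative.SSL;
 import io.netty.internal.tcnative.SSLContext;
 import io.netty.internal.tcnative.SniHostNameMatcher;
@@ -162,7 +163,7 @@ public final class ReferenceCountedOpenSslServerContext extends ReferenceCounted
 if (issuers != null && issuers.length > 0) {
 long bio = 0;
 try {
-bio = toBIO(issuers);
+bio = toBIO(ByteBufAllocator.DEFAULT, issuers);
 if (!SSLContext.setCACertificateBio(ctx, bio)) {
 throw new SSLException("unable to setup accepted issuers for trustmanager " + manager);
 }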