diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkSslClientContext.java b/handler/src/main/java/io/netty/handler/ssl/JdkSslClientContext.java
index e4a0f17238..2a018e3ddf 100644
--- a/handler/src/main/java/io/netty/handler/ssl/JdkSslClientContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslClientContext.java
@@ -286,7 +286,8 @@ public final class JdkSslClientContext extends JdkSslContext {
 trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory, keyStore);
 }
 if (keyCertChain != null) {
- keyManagerFactory = buildKeyManagerFactory(keyCertChain, key, keyPassword, keyManagerFactory, keyStore);
+ keyManagerFactory = buildKeyManagerFactory(keyCertChain, null,
+ key, keyPassword, keyManagerFactory, keyStore);
 }
 SSLContext ctx = sslContextProvider == null ? SSLContext.getInstance(PROTOCOL) : SSLContext.getInstance(PROTOCOL, sslContextProvider);
diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkSslServerContext.java b/handler/src/main/java/io/netty/handler/ssl/JdkSslServerContext.java
index d6c6e3b260..4ae885a106 100644
--- a/handler/src/main/java/io/netty/handler/ssl/JdkSslServerContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslServerContext.java
@@ -263,7 +263,8 @@ public final class JdkSslServerContext extends JdkSslContext {
 trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory, keyStore);
 }
 if (key != null) {
- keyManagerFactory = buildKeyManagerFactory(keyCertChain, key, keyPassword, keyManagerFactory, null);
+ keyManagerFactory = buildKeyManagerFactory(keyCertChain, null,
+ key, keyPassword, keyManagerFactory, null);
 }
 // Initialize the SSLContext to work with our key managers.
diff --git a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java
index 9f62e934ae..3a050cfd06 100644
--- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java
@@ -49,8 +49,7 @@ import javax.security.auth.x500.X500Principal;
 * {@link ReferenceCountedOpenSslEngine} is called which uses this class's JNI resources the JVM may crash.
 */
 public final class ReferenceCountedOpenSslClientContext extends ReferenceCountedOpenSslContext {
- private static final InternalLogger logger =
- InternalLoggerFactory.getInstance(ReferenceCountedOpenSslClientContext.class);
+
 private static final Set SUPPORTED_KEY_TYPES = Collections.unmodifiableSet(new LinkedHashSet(
 Arrays.asList(OpenSslKeyMaterialManager.KEY_TYPE_RSA,
 OpenSslKeyMaterialManager.KEY_TYPE_DH_RSA,
diff --git a/handler/src/main/java/io/netty/handler/ssl/SslContext.java b/handler/src/main/java/io/netty/handler/ssl/SslContext.java
index 599afeed90..445f4424fd 100644
--- a/handler/src/main/java/io/netty/handler/ssl/SslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/SslContext.java
@@ -1061,6 +1061,7 @@ public abstract class SslContext {
 * {@code key}
 * @throws InvalidAlgorithmParameterException if decryption algorithm parameters are somehow faulty
 */
+ @Deprecated
 protected static PKCS8EncodedKeySpec generateKeySpec(char[] password, byte[] key) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeySpecException, InvalidKeyException, InvalidAlgorithmParameterException {
@@ -1090,7 +1091,7 @@ public abstract class SslContext {
 * @param keyStoreType The KeyStore Type you want to use
 * @return generated {@link KeyStore}.
 */
- static KeyStore buildKeyStore(X509Certificate[] certChain, PrivateKey key,
+ protected static KeyStore buildKeyStore(X509Certificate[] certChain, PrivateKey key,
 char[] keyPasswordChars, String keyStoreType)
 throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
@@ -1103,7 +1104,7 @@ public abstract class SslContext {
 return ks;
 }
- static PrivateKey toPrivateKey(File keyFile, String keyPassword) throws NoSuchAlgorithmException,
+ protected static PrivateKey toPrivateKey(File keyFile, String keyPassword) throws NoSuchAlgorithmException,
 NoSuchPaddingException, InvalidKeySpecException, InvalidAlgorithmParameterException, KeyException, IOException {
@@ -1113,7 +1114,8 @@ public abstract class SslContext {
 return getPrivateKeyFromByteBuffer(PemReader.readPrivateKey(keyFile), keyPassword);
 }
- static PrivateKey toPrivateKey(InputStream keyInputStream, String keyPassword) throws NoSuchAlgorithmException,
+ protected static PrivateKey toPrivateKey(InputStream keyInputStream, String keyPassword)
+ throws NoSuchAlgorithmException,
 NoSuchPaddingException, InvalidKeySpecException, InvalidAlgorithmParameterException, KeyException, IOException {
@@ -1157,7 +1159,7 @@ public abstract class SslContext {
 protected static TrustManagerFactory buildTrustManagerFactory(
 File certChainFile, TrustManagerFactory trustManagerFactory)
 throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException {
- return buildTrustManagerFactory(certChainFile, trustManagerFactory, KeyStore.getDefaultType());
+ return buildTrustManagerFactory(certChainFile, trustManagerFactory, null);
 }
 /**
@@ -1167,7 +1169,7 @@ public abstract class SslContext {
 * @param keyType The KeyStore Type you want to use
 * @return A {@link TrustManagerFactory} which contains the certificates in {@code certChainFile}
 */
- static TrustManagerFactory buildTrustManagerFactory(
+ protected static TrustManagerFactory buildTrustManagerFactory(
 File certChainFile, TrustManagerFactory trustManagerFactory, String keyType)
 throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException {
 X509Certificate[] x509Certs = toX509Certificates(certChainFile);
@@ -1175,14 +1177,14 @@ public abstract class SslContext {
 return buildTrustManagerFactory(x509Certs, trustManagerFactory, keyType);
 }
- static X509Certificate[] toX509Certificates(File file) throws CertificateException {
+ protected static X509Certificate[] toX509Certificates(File file) throws CertificateException {
 if (file == null) {
 return null;
 }
 return getCertificatesFromBuffers(PemReader.readCertificates(file));
 }
- static X509Certificate[] toX509Certificates(InputStream in) throws CertificateException {
+ protected static X509Certificate[] toX509Certificates(InputStream in) throws CertificateException {
 if (in == null) {
 return null;
 }
@@ -1215,7 +1217,7 @@ public abstract class SslContext {
 return x509Certs;
 }
- static TrustManagerFactory buildTrustManagerFactory(
+ protected static TrustManagerFactory buildTrustManagerFactory(
 X509Certificate[] certCollection, TrustManagerFactory trustManagerFactory, String keyStoreType)
 throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException {
 if (keyStoreType == null) {
@@ -1256,41 +1258,29 @@ public abstract class SslContext {
 }
 }
- static KeyManagerFactory buildKeyManagerFactory(X509Certificate[] certChain, PrivateKey key, String keyPassword,
- KeyManagerFactory kmf, String keyStoreType)
- throws UnrecoverableKeyException, KeyStoreException, NoSuchAlgorithmException,
- CertificateException, IOException {
- return buildKeyManagerFactory(certChain, KeyManagerFactory.getDefaultAlgorithm(), key,
- keyPassword, kmf, keyStoreType);
- }
-
- static KeyManagerFactory buildKeyManagerFactory(X509Certificate[] certChainFile,
+ protected static KeyManagerFactory buildKeyManagerFactory(X509Certificate[] certChainFile,
 String keyAlgorithm, PrivateKey key, String keyPassword, KeyManagerFactory kmf, String keyStore) throws KeyStoreException, NoSuchAlgorithmException, IOException, CertificateException, UnrecoverableKeyException {
+ if (keyAlgorithm == null) {
+ keyAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
+ }
 char[] keyPasswordChars = keyStorePassword(keyPassword);
 KeyStore ks = buildKeyStore(certChainFile, key, keyPasswordChars, keyStore);
 return buildKeyManagerFactory(ks, keyAlgorithm, keyPasswordChars, kmf);
 }
- static KeyManagerFactory buildKeyManagerFactory(X509Certificate[] certChainFile,
- String keyAlgorithm, PrivateKey key,
- String keyPassword, KeyManagerFactory kmf)
- throws KeyStoreException, NoSuchAlgorithmException, IOException,
- CertificateException, UnrecoverableKeyException {
- char[] keyPasswordChars = keyStorePassword(keyPassword);
- KeyStore ks = buildKeyStore(certChainFile, key, keyPasswordChars, KeyStore.getDefaultType());
- return buildKeyManagerFactory(ks, keyAlgorithm, keyPasswordChars, kmf);
- }
-
 static KeyManagerFactory buildKeyManagerFactory(KeyStore ks, String keyAlgorithm, char[] keyPasswordChars, KeyManagerFactory kmf) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
 // Set up key manager factory to use our key store
 if (kmf == null) {
+ if (keyAlgorithm == null) {
+ keyAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
+ }
 kmf = KeyManagerFactory.getInstance(keyAlgorithm);
 }
 kmf.init(ks, keyPasswordChars);
diff --git a/handler/src/main/java/io/netty/handler/ssl/SslContextBuilder.java b/handler/src/main/java/io/netty/handler/ssl/SslContextBuilder.java
index 4a6695000b..42265943ce 100644
--- a/handler/src/main/java/io/netty/handler/ssl/SslContextBuilder.java
+++ b/handler/src/main/java/io/netty/handler/ssl/SslContextBuilder.java
@@ -16,6 +16,8 @@
 package io.netty.handler.ssl;
+import io.netty.handler.ssl.util.KeyManagerFactoryWrapper;
+import io.netty.handler.ssl.util.TrustManagerFactoryWrapper;
 import io.netty.util.internal.UnstableApi;
 import javax.net.ssl.KeyManager;
diff --git a/handler/src/main/java/io/netty/handler/ssl/KeyManagerFactoryWrapper.java b/handler/src/main/java/io/netty/handler/ssl/util/KeyManagerFactoryWrapper.java
similarity index 85%
rename from handler/src/main/java/io/netty/handler/ssl/KeyManagerFactoryWrapper.java
rename to handler/src/main/java/io/netty/handler/ssl/util/KeyManagerFactoryWrapper.java
index bd66192aa6..3ec20560e9 100644
--- a/handler/src/main/java/io/netty/handler/ssl/KeyManagerFactoryWrapper.java
+++ b/handler/src/main/java/io/netty/handler/ssl/util/KeyManagerFactoryWrapper.java
@@ -14,19 +14,18 @@
 * under the License.
 */
-package io.netty.handler.ssl;
+package io.netty.handler.ssl.util;
-import io.netty.handler.ssl.util.SimpleKeyManagerFactory;
 import io.netty.util.internal.ObjectUtil;
 import java.security.KeyStore;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.ManagerFactoryParameters;
-final class KeyManagerFactoryWrapper extends SimpleKeyManagerFactory {
+public final class KeyManagerFactoryWrapper extends SimpleKeyManagerFactory {
 private final KeyManager km;
- KeyManagerFactoryWrapper(KeyManager km) {
+ public KeyManagerFactoryWrapper(KeyManager km) {
 this.km = ObjectUtil.checkNotNull(km, "km");
 }
diff --git a/handler/src/main/java/io/netty/handler/ssl/TrustManagerFactoryWrapper.java b/handler/src/main/java/io/netty/handler/ssl/util/TrustManagerFactoryWrapper.java
similarity index 85%
rename from handler/src/main/java/io/netty/handler/ssl/TrustManagerFactoryWrapper.java
rename to handler/src/main/java/io/netty/handler/ssl/util/TrustManagerFactoryWrapper.java
index ca85836f7c..e28df7fb79 100644
--- a/handler/src/main/java/io/netty/handler/ssl/TrustManagerFactoryWrapper.java
+++ b/handler/src/main/java/io/netty/handler/ssl/util/TrustManagerFactoryWrapper.java
@@ -14,19 +14,18 @@
 * under the License.
 */
-package io.netty.handler.ssl;
+package io.netty.handler.ssl.util;
-import io.netty.handler.ssl.util.SimpleTrustManagerFactory;
 import io.netty.util.internal.ObjectUtil;
 import java.security.KeyStore;
 import javax.net.ssl.ManagerFactoryParameters;
 import javax.net.ssl.TrustManager;
-final class TrustManagerFactoryWrapper extends SimpleTrustManagerFactory {
+public final class TrustManagerFactoryWrapper extends SimpleTrustManagerFactory {
 private final TrustManager tm;
- TrustManagerFactoryWrapper(TrustManager tm) {
+ public TrustManagerFactoryWrapper(TrustManager tm) {
 this.tm = ObjectUtil.checkNotNull(tm, "tm");
 }
diff --git a/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java b/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java
index 7c6e66babf..005f07bbeb 100644
--- a/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java
+++ b/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java
@@ -2947,7 +2947,8 @@ public abstract class SSLEngineTest {
 SelfSignedCertificate ssc = new SelfSignedCertificate();
 KeyManagerFactory kmf = useKeyManagerFactory ? SslContext.buildKeyManagerFactory(
- new java.security.cert.X509Certificate[] { ssc.cert()}, ssc.key(), null, null, null) : null;
+ new java.security.cert.X509Certificate[] { ssc.cert()}, null,
+ ssc.key(), null, null, null) : null;
 SslContextBuilder clientContextBuilder = SslContextBuilder.forClient();
 if (mutualAuth) {
@@ -3509,7 +3510,7 @@ public abstract class SSLEngineTest {
 throws UnrecoverableKeyException, KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
 return SslContext.buildKeyManagerFactory(
- new java.security.cert.X509Certificate[] { ssc.cert() }, ssc.key(), null, null, null);
+ new java.security.cert.X509Certificate[] { ssc.cert() }, null, ssc.key(), null, null, null);
 }
 private final class TestTrustManagerFactory extends X509ExtendedTrustManager {
diff --git a/handler/src/test/java/io/netty/handler/ssl/SniClientJava8TestUtil.java b/handler/src/test/java/io/netty/handler/ssl/SniClientJava8TestUtil.java
index 824f2d4316..f809b116be 100644
--- a/handler/src/test/java/io/netty/handler/ssl/SniClientJava8TestUtil.java
+++ b/handler/src/test/java/io/netty/handler/ssl/SniClientJava8TestUtil.java
@@ -260,7 +260,7 @@ final class SniClientJava8TestUtil {
 IOException, CertificateException {
 return new SniX509KeyManagerFactory(
 new SNIHostName(hostname), SslContext.buildKeyManagerFactory(
- new X509Certificate[] { cert.cert() }, cert.key(), null, null, null));
+ new X509Certificate[] { cert.cert() }, null, cert.key(), null, null, null));
 }
 private static final class SniX509KeyManagerFactory extends KeyManagerFactory {
diff --git a/handler/src/test/java/io/netty/handler/ssl/SniClientTest.java b/handler/src/test/java/io/netty/handler/ssl/SniClientTest.java
index 604eeb22c0..e00a699340 100644
--- a/handler/src/test/java/io/netty/handler/ssl/SniClientTest.java
+++ b/handler/src/test/java/io/netty/handler/ssl/SniClientTest.java
@@ -113,7 +113,8 @@ public class SniClientTest {
 KeyManagerFactory kmf = PlatformDependent.javaVersion() >= 8 ? SniClientJava8TestUtil.newSniX509KeyManagerFactory(cert, sniHostName) : SslContext.buildKeyManagerFactory(
- new X509Certificate[] { cert.cert() }, cert.key(), null, null, null);
+ new X509Certificate[] { cert.cert() }, null,
+ cert.key(), null, null, null);
 sslServerContext = SslContextBuilder.forServer(kmf)
 .sslProvider(sslServerProvider)
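Review bot: The bare positional `null` inserted as the second argument of `buildKeyManagerFactory` in JdkSslClientContext, and again in the JdkSslServerContext hunk on the same line, gives a reader no hint that it selects the key-manager algorithm; the same six-argument shape with a mid-list `null` is repeated in the three test files on this page. A short comment above each production call, `// null keyAlgorithm: SslContext falls back to KeyManagerFactory.getDefaultAlgorithm()`, would make the intent explicit without changing behaviour. Note also that the client guards on `keyCertChain != null` while the server guards on `key != null`; that asymmetry predates this commit, but since both calls are being touched it is worth confirming it is intentional. The enclosing constructors start and end outside these hunks.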
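Review bot: Removing the unused `logger` field leaves an added empty line directly under the `ReferenceCountedOpenSslClientContext` class declaration, so the class body now opens with a blank line before `SUPPORTED_KEY_TYPES`; the `+` line should simply be dropped. If the logger was genuinely unused, the `InternalLogger`/`InternalLoggerFactory` imports presumably go with it — they are not visible in this hunk, so please confirm they were removed too.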
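Review bot: `@Deprecated` is added to the protected `generateKeySpec` without a matching `@deprecated` Javadoc tag, so subclasses of the public abstract `SslContext` get a deprecation warning with no migration path. Add a line such as `* @deprecated use [REPLACEMENT — name the method that now does PKCS#8 decryption] instead` to the existing Javadoc immediately above it (the block ending in `@throws InvalidAlgorithmParameterException ...`), stating why the old entry point should no longer be used.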
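Review bot: `buildKeyStore` becomes protected, i.e. subclass API, but its Javadoc `@param keyStoreType The KeyStore Type you want to use` does not say whether `null` is accepted, and on this page JdkSslServerContext passes `null` as the `keyStore` argument of `buildKeyManagerFactory`, which forwards it straight into `buildKeyStore`. Whatever the body does with a null type (it is outside this hunk), the contract should be written down: `@param keyStoreType The KeyStore Type you want to use, or {@code null} to [DESCRIBE FALLBACK — confirm against the body]`.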
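Review bot: The two-argument `buildTrustManagerFactory(File, TrustManagerFactory)` now passes `null` instead of `KeyStore.getDefaultType()` and so relies on the three-argument overload's null handling; the `if (keyStoreType == null)` branch visible in the hunk at 1217 looks like the fallback, but its body is outside this page, so please confirm the default type is still what ends up being used. The three-argument overload at 1169 is now protected and its Javadoc `@param keyType The KeyStore Type you want to use` should state the new contract, e.g. `@param keyType The KeyStore Type you want to use, or {@code null} for the default KeyStore type`. The two `toPrivateKey` overloads at 1104 and 1114 likewise become protected with no Javadoc at all; each needs a one-line summary plus `@param keyPassword` saying whether it may be null and `@return` describing the decoded key.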
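Review bot: Both `toX509Certificates` overloads become protected while keeping the behaviour of returning `null` for a null argument, and there is no Javadoc telling subclass authors that an array-returning method can hand back `null`. Add `@return the parsed certificates, or {@code null} if {@code file} is {@code null}` (and the same for `in`) so callers add the check rather than dereferencing the result. For the `InputStream` overload the code past the null check is outside the hunk, so whether the method closes `in` cannot be seen here; the Javadoc should state who owns the stream, since a leaked or double-closed stream is a typical caller mistake.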
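Review bot: The `keyAlgorithm == null` fallback is now written twice: once at the top of the new protected `buildKeyManagerFactory(X509Certificate[], String, ...)` and again inside `buildKeyManagerFactory(KeyStore, ...)`, which is the only place that consumes `keyAlgorithm` (`KeyManagerFactory.getInstance(keyAlgorithm)`) and does so only when `kmf == null`. The first block is therefore redundant with the second and can be removed, leaving one place that defines the default. Because the outer overload is now subclass API it also needs Javadoc, and two contract points should be spelled out: `@param keyAlgorithm the KeyManagerFactory algorithm, or {@code null} for {@code KeyManagerFactory.getDefaultAlgorithm()}`, and that a non-null `keyAlgorithm` is ignored when a caller supplies its own `kmf`, which is what the visible `if (kmf == null)` guard implies. The `keyStore` parameter's null semantics (JdkSslServerContext passes `null`) should be documented in the same block.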
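Review bot: Making `KeyManagerFactoryWrapper` and its constructor public in `io.netty.handler.ssl.util` turns a package-private helper into supported API, yet neither the class nor the constructor gains Javadoc; the same applies to `TrustManagerFactoryWrapper` in the next file. A class comment should say the factory hands out exactly the supplied manager (the `init` overrides are outside this hunk, so confirm they ignore the KeyStore and parameters before stating it), and the constructor should carry `@throws NullPointerException if {@code km} is {@code null}`, which `ObjectUtil.checkNotNull(km, "km")` already guarantees. For the trust wrapper the comment should also make clear that the supplied `TrustManager` fully replaces the default trust decision, since that is the property a reader building a context from it needs to understand. SslContextBuilder on this page imports `io.netty.util.internal.UnstableApi`; if these wrappers are not meant as stable API yet, that annotation is the project's way to say so.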