andreacavalli/netty5
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[#4722] Ensure the whole certificate chain is used when creating SslContext for client mode and SslProvider.OPENSSL is used

Browse Source 
Motivation:

We incorrectly added the trustCertChain as certificate chain when OpenSslClientContext was created. We need to correctly add the keyCertChain.

Modifications:

Correctly add whole keyCertChain.

Result:

SSL client auth is working when usin OpenSslClientContext and more then one cert is contained in the certificate chain.
This commit is contained in:
Norman Maurer 2016-01-22 21:18:26 +01:00
parent e8850072e2
commit ee2558bdf3
1 changed files with 19 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java
View File

@ -191,17 +191,6 @@ public final class OpenSslClientContext extends OpenSslContext {
"Either both keyCertChainFile and keyFile needs to be null or none of them");
}
synchronized (OpenSslContext.class) {
if (trustCertChainFile != null) {
/* Load the certificate chain. We must NOT skip the first cert when client mode */
if (!SSLContext.setCertificateChainFile(ctx, trustCertChainFile.getPath(), false)) {
long error = SSL.getLastErrorNumber();
if (OpenSsl.isError(error)) {
throw new SSLException(
"failed to set certificate chain: "
+ trustCertChainFile + " (" + SSL.getErrorString(error) + ')');
}
}
}
if (keyCertChainFile != null && keyFile != null) {
/* Load the certificate file and private key. */
try {
@ -214,6 +203,16 @@ public final class OpenSslClientContext extends OpenSslContext {
" (" + SSL.getErrorString(error) + ')');
}
}
// We may have more then one cert in the chain so add all of them now. We must NOT skip the
// first cert when client mode.
if (!SSLContext.setCertificateChainFile(ctx, keyCertChainFile.getPath(), false)) {
long error = SSL.getLastErrorNumber();
if (OpenSsl.isError(error)) {
throw new SSLException(
"failed to set certificate chain: "
+ keyCertChainFile + " (" + SSL.getErrorString(error) + ')');
}
}
} catch (SSLException e) {
throw e;
} catch (Exception e) {
@ -281,28 +280,6 @@ public final class OpenSslClientContext extends OpenSslContext {
"Either both keyCertChain and key needs to be null or none of them");
}
synchronized (OpenSslContext.class) {
if (trustCertChain != null) {
long trustCertChainBio = 0;
try {
trustCertChainBio = toBIO(trustCertChain);
/* Load the certificate chain. We must NOT skip the first cert when client mode */
if (!SSLContext.setCertificateChainBio(ctx, trustCertChainBio, false)) {
long error = SSL.getLastErrorNumber();
if (OpenSsl.isError(error)) {
throw new SSLException(
"failed to set certificate chain: " + SSL.getErrorString(error));
}
}
} catch (Exception e) {
throw new SSLException(
"failed to set certificate chain", e);
} finally {
if (trustCertChainBio != 0) {
SSL.freeBIO(trustCertChainBio);
}
}
}
if (keyCertChain != null && key != null) {
/* Load the certificate file and private key. */
long keyBio = 0;
@ -321,6 +298,15 @@ public final class OpenSslClientContext extends OpenSslContext {
+ SSL.getErrorString(error));
}
}
// We may have more then one cert in the chain so add all of them now. We must NOT skip the
// first cert when client mode.
if (!SSLContext.setCertificateChainBio(ctx, keyCertChainBio, false)) {
long error = SSL.getLastErrorNumber();
if (OpenSsl.isError(error)) {
throw new SSLException(
"failed to set certificate chain: " + SSL.getErrorString(error));
}
}
} catch (SSLException e) {
throw e;
} catch (Exception e) {