Ensure X509KeyManager methods are called on the correct time when using server-side and support more methods of ExtendedSSLSession.#8283
Conversation
normanmaurer
commented
Sep 12, 2018
|
This depends on netty/netty-tcnative#388 and #8281 |
d867eff to
23fcb7e
Compare
handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
Show resolved
Hide resolved
|
|
||
| private SignatureAlgorithmConverter() { } | ||
|
|
||
| // OpenSSL has 3 different formats it uses at the moment we will match against all of these. |
There was a problem hiding this comment.
Why not just enumerate them in the regex then?
There was a problem hiding this comment.
@carl-mastrangelo not sure I understand... Can you show me some code ?
There was a problem hiding this comment.
Make the regex "^(SHA256withECDSA|SHA512withRSA|SHA256withDSA)$"
There was a problem hiding this comment.
Ah ok... maybe the comment is misleading. It supports more then 3 algorithms. It has just 3 different way to format the supported algorithms
There was a problem hiding this comment.
I guess the comment is correct - it says 'formats' which is not 'algorithms', but it's probably better giving some examples in the comment.
| if (matcher.matches()) { | ||
| String group2 = matcher.group(2); | ||
| if (group2 != null) { | ||
| return group2.toUpperCase(Locale.US) + "with" + matcher.group(3).toUpperCase(Locale.US); |
There was a problem hiding this comment.
You probably want Locale.ROOT I think
There was a problem hiding this comment.
addressed and rebased.
23fcb7e to
f24e5cf
Compare
|
@carl-mastrangelo PTAL again |
handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
Show resolved
Hide resolved
f24e5cf to
239dc86
Compare
| } | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
nit: Better leaving this as is?
| try { | ||
| ServerContext context = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory, | ||
| sessionContext = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory, | ||
| keyCertChain, key, keyPassword, keyManagerFactory); |
| @Override | ||
| public String[] getPeerSupportedSignatureAlgorithms() { | ||
| synchronized (ReferenceCountedOpenSslEngine.this) { | ||
| if (peerSupportedSignatureAlgorithms == null) { |
There was a problem hiding this comment.
More readable by returning early when peerSupportedSignatureAlgorithms != null?
| synchronized (ReferenceCountedOpenSslEngine.this) { | ||
| if (peerSupportedSignatureAlgorithms == null) { | ||
| if (isDestroyed()) { | ||
| peerSupportedSignatureAlgorithms = EmptyArrays.EMPTY_STRINGS; |
There was a problem hiding this comment.
| } else { | ||
| String[] algs = SSL.getSigAlgs(ssl); | ||
| if (algs == null) { | ||
| peerSupportedSignatureAlgorithms = EmptyArrays.EMPTY_STRINGS; |
There was a problem hiding this comment.
No need to clone since the array is empty
There was a problem hiding this comment.
cloning an empty array is super cheap and it simplifies the flow of the method so let me leave the method like it is.
| // OpenJDK SSLEngineImpl does. | ||
| keyManagerHolder.setKeyMaterialServerSide(engine); | ||
| } catch (Throwable cause) { | ||
| logger.debug("request of key failed", cause); |
There was a problem hiding this comment.
How about: `"Failed to set the server-side key material:", cause
|
|
||
| private SignatureAlgorithmConverter() { } | ||
|
|
||
| // OpenSSL has 3 different formats it uses at the moment we will match against all of these. |
There was a problem hiding this comment.
I guess the comment is correct - it says 'formats' which is not 'algorithms', but it's probably better giving some examples in the comment.
| if (matcher.matches()) { | ||
| String group2 = matcher.group(2); | ||
| if (group2 != null) { | ||
| return group2.toUpperCase(Locale.ROOT) + "with" + matcher.group(3).toUpperCase(Locale.ROOT); |
There was a problem hiding this comment.
Learned Locale.ROOT just today. 👍
| } | ||
|
|
||
| static boolean isBoringSSL() { | ||
| return "BoringSSL".equals(OpenSsl.versionString()); |
There was a problem hiding this comment.
Curious if we should be case-insensitive here.
There was a problem hiding this comment.
I think its fine ...
|
|
||
| @Test | ||
| public void testInvalid() { | ||
| assertNull(SignatureAlgorithmConverter.toJavaName("ThisIsSomeThingInvalid")); |
…ng server-side and support more methods of ExtendedSSLSession. Motivation: Before when on server-side we just called the X509KeyManager methods when handshake() was called the first time which is not quite correct as we may not have received the full SSL hello / handshake and so could not extra for example the SNI hostname that was requested. OpenSSL exposes the SSL_CTX_set_cert_cb function which allows to set a callback which is executed at the correct moment, so we should use it. This also allows us to support more methods of ExtendedSSLSession easily. Modifications: - Make use of new methods exposed by netty-tcnative since netty/netty-tcnative#388 to ensure we select the key material at the correct time. - Implement more methods of ExtendedOpenSslSession - Add unit tests to ensure we are able to retrieve various things on server-side in the X509KeyManager and so verify it is called at the correct time. - Simplify code by using new netty-tcnative methods. Result: More correct implementation for server-side usage and more complete implemented of ExtendedSSLSession.
239dc86 to
00ca995
Compare
|
I will merge this once the CI is done |