

[netty#4722] Ensure the whole certificate chain is used when creating…
… SslContext for client mode and SslProvider.OPENSSL is used

Motivation:

We incorrectly added the trustCertChain as certificate chain when OpenSslClientContext was created. We need to correctly add the keyCertChain.

Modifications:

Correctly add whole keyCertChain.

Result:

SSL client auth is working when using OpenSslClientContext and more than one cert is contained in the certificate chain.
normanmaurer committed Jan 28, 2016
1 parent e885007 commit ee2558b
Showing 1 changed file with 19 additions and 33 deletions.
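--- a/OpenSslClientContext.java
+++ b/OpenSslClientContext.java
@@ -191,17 +191,6 @@ public OpenSslClientContext(File trustCertChainFile, TrustManagerFactory trustMa
 "Either both keyCertChainFile and keyFile needs to be null or none of them");
 }
 synchronized (OpenSslContext.class) {
-if (trustCertChainFile != null) {
-/* Load the certificate chain. We must NOT skip the first cert when client mode */
-if (!SSLContext.setCertificateChainFile(ctx, trustCertChainFile.getPath(), false)) {
-long error = SSL.getLastErrorNumber();
-if (OpenSsl.isError(error)) {
-throw new SSLException(
-"failed to set certificate chain: "
-+ trustCertChainFile + " (" + SSL.getErrorString(error) + ')');
-}
-}
-}
 if (keyCertChainFile != null && keyFile != null) {
 /* Load the certificate file and private key. */
 try {
@@ -214,6 +203,16 @@ public OpenSslClientContext(File trustCertChainFile, TrustManagerFactory trustMa
 " (" + SSL.getErrorString(error) + ')');
 }
 }
+// We may have more then one cert in the chain so add all of them now. We must NOT skip the
+// first cert when client mode.
+if (!SSLContext.setCertificateChainFile(ctx, keyCertChainFile.getPath(), false)) {
+long error = SSL.getLastErrorNumber();
+if (OpenSsl.isError(error)) {
+throw new SSLException(
+"failed to set certificate chain: "
++ keyCertChainFile + " (" + SSL.getErrorString(error) + ')');
+}
+}
 } catch (SSLException e) {
 throw e;
 } catch (Exception e) {
@@ -281,28 +280,6 @@ void verify(OpenSslEngine engine, X509Certificate[] peerCerts, String auth)
 "Either both keyCertChain and key needs to be null or none of them");
 }
 synchronized (OpenSslContext.class) {
-if (trustCertChain != null) {
-long trustCertChainBio = 0;
-
-try {
-trustCertChainBio = toBIO(trustCertChain);
-/* Load the certificate chain. We must NOT skip the first cert when client mode */
-if (!SSLContext.setCertificateChainBio(ctx, trustCertChainBio, false)) {
-long error = SSL.getLastErrorNumber();
-if (OpenSsl.isError(error)) {
-throw new SSLException(
-"failed to set certificate chain: " + SSL.getErrorString(error));
-}
-}
-} catch (Exception e) {
-throw new SSLException(
-"failed to set certificate chain", e);
-} finally {
-if (trustCertChainBio != 0) {
-SSL.freeBIO(trustCertChainBio);
-}
-}
-}
 if (keyCertChain != null && key != null) {
 /* Load the certificate file and private key. */
 long keyBio = 0;
@@ -321,6 +298,15 @@ void verify(OpenSslEngine engine, X509Certificate[] peerCerts, String auth)
 + SSL.getErrorString(error));
 }
 }
+// We may have more then one cert in the chain so add all of them now. We must NOT skip the
+// first cert when client mode.
+if (!SSLContext.setCertificateChainBio(ctx, keyCertChainBio, false)) {
+long error = SSL.getLastErrorNumber();
+if (OpenSsl.isError(error)) {
+throw new SSLException(
+"failed to set certificate chain: " + SSL.getErrorString(error));
+}
+}
 } catch (SSLException e) {
 throw e;
 } catch (Exception e) {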
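Review bot: In the added `setCertificateChainFile` block of the `@@ -214,6 +203,16 @@` hunk (and identically the `setCertificateChainBio` block of `@@ -321,6 +298,15 @@`), a `false` return whose `SSL.getLastErrorNumber()` is not classified by `OpenSsl.isError` falls through silently, so the context is built with an incomplete client chain and the problem only shows up later as a peer-side handshake rejection rather than at construction; consider failing on every `false`, e.g. `throw new SSLException("failed to set certificate chain: " + keyCertChainFile + (OpenSsl.isError(error) ? " (" + SSL.getErrorString(error) + ')' : ""));`. The third argument `false` is only explained by the comment; since the call that precedes it (partly outside the hunk, after "Load the certificate file and private key") presumably already installs the leaf certificate, a comment stating why the leaf must also be part of the chain passed here would help the next reader, e.g. `// skipFirstCert=false: in client mode the leaf installed above must also be part of the chain we present`. The two added blocks are near-identical copies differing only in the file-vs-BIO call, so a small private helper taking the boolean result and a description would keep the error handling in one place. Also `more then` should read `more than` in both added comments. The enclosing `try` blocks start and end outside these hunks.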

