From e2a874811be67245fe6d306bf106a3f851e6996b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Mat=C4=9Bj=C4=8Dek?= Date: Wed, 8 Dec 2021 19:59:50 +0100 Subject: [PATCH 1/2] Issue #2145 Removed deprecated calls, added new methods to SSLSupport MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - to maintain the backward compatibility I added two new methods consistent with SSLSession API and old were marked as deprecated. - note that if someone extendeds the interface, he still has to add those new methods OR better: rename and update his implementation. No changes should be required to just call grizzly's implementation. Signed-off-by: David Matějček --- .../org/glassfish/grizzly/ssl/SSLSupport.java | 30 ++++++++++-- .../glassfish/grizzly/ssl/SSLSupportImpl.java | 46 +++++++++---------- .../grizzly/http/server/Request.java | 2 +- 3 files changed, 48 insertions(+), 30 deletions(-) diff --git a/modules/grizzly/src/main/java/org/glassfish/grizzly/ssl/SSLSupport.java b/modules/grizzly/src/main/java/org/glassfish/grizzly/ssl/SSLSupport.java index 84a3baa314..bb96138207 100644 --- a/modules/grizzly/src/main/java/org/glassfish/grizzly/ssl/SSLSupport.java +++ b/modules/grizzly/src/main/java/org/glassfish/grizzly/ssl/SSLSupport.java @@ -18,6 +18,7 @@ package org.glassfish.grizzly.ssl; import java.io.IOException; +import java.security.cert.Certificate; /** * SSLSupport 
@@ -51,16 +52,35 @@ public interface SSLSupport { String getCipherSuite() throws IOException; /** - * The client certificate chain (if any). + * @return The client certificate chain (if any). + * @deprecated use {@link #getPeerCertificates()} instead. */ - Object[] getPeerCertificateChain() throws IOException; + @Deprecated(forRemoval = true) + default Object[] getPeerCertificateChain() throws IOException { + return getPeerCertificates(); + } + + /** + * @return The client certificate chain (if any). + * @throws IOException + */ + Certificate[] getPeerCertificates() throws IOException; + + /** + * @param force If true, then re-negotiate the connection if necessary. + * @return The client certificate chain (if any). + * @deprecated use {@link #getPeerCertificates(boolean)} instead. + */ + @Deprecated(forRemoval = true) + default Object[] getPeerCertificateChain(boolean force) throws IOException { + return getPeerCertificates(force); + } /** - * The client certificate chain (if any). - * * @param force If true, then re-negotiate the connection if necessary. + * @return The client certificate chain (if any). */ - Object[] getPeerCertificateChain(boolean force) throws IOException; + Certificate[] getPeerCertificates(boolean force) throws IOException; /** * Get the keysize. diff --git a/modules/grizzly/src/main/java/org/glassfish/grizzly/ssl/SSLSupportImpl.java b/modules/grizzly/src/main/java/org/glassfish/grizzly/ssl/SSLSupportImpl.java index 3ecbc0cf05..5d4d9f076f 100644 --- a/modules/grizzly/src/main/java/org/glassfish/grizzly/ssl/SSLSupportImpl.java +++ b/modules/grizzly/src/main/java/org/glassfish/grizzly/ssl/SSLSupportImpl.java @@ -1,4 +1,5 @@ /* + * Copyright (c) 2021 Contributors to the Eclipse Foundation * Copyright (c) 2009, 2020 Oracle and/or its affiliates. All rights reserved. * Copyright 2004 The Apache Software Foundation * 
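Review bot: The Javadoc on the two new `getPeerCertificates` methods in `SSLSupport` leaves the no-certificate result unspecified: "(if any)" does not say whether a caller receives `null` or an empty array, and the `@throws IOException` tag on the no-arg variant has no description. Code that makes a client-authentication decision from this return value needs that contract spelled out, so I would write it as `@return the peer's certificate chain, or <null / an empty array - state which> if the peer presented none` and give `@throws IOException` a sentence saying when it is thrown. The deprecated defaults could also say that implementors must still provide both new abstract methods, because adding them is source-incompatible for existing `SSLSupport` implementations, as the commit message itself notes.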
@@ -19,14 +20,14 @@ import java.io.ByteArrayInputStream; import java.io.IOException; +import java.security.cert.Certificate; import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; import java.util.logging.Level; import java.util.logging.Logger; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLSession; -import javax.security.cert.X509Certificate; - import org.glassfish.grizzly.Connection; import org.glassfish.grizzly.Grizzly; @@ -72,29 +73,29 @@ public String getCipherSuite() throws IOException { } @Override - public Object[] getPeerCertificateChain() throws IOException { - return getPeerCertificateChain(false); + public Certificate[] getPeerCertificates() throws IOException { + return getPeerCertificates(false); } - protected java.security.cert.X509Certificate[] getX509Certificates(SSLSession session) throws IOException { - X509Certificate jsseCerts[] = null; + protected Certificate[] getCertificates(SSLSession session) throws IOException { + Certificate jsseCerts[] = null; try { - jsseCerts = session.getPeerCertificateChain(); + jsseCerts = session.getPeerCertificates(); } catch (Throwable ex) { // Get rid of the warning in the logs when no Client-Cert is // available } if (jsseCerts == null) { - jsseCerts = new X509Certificate[0]; + jsseCerts = new Certificate[0]; } - java.security.cert.X509Certificate[] x509Certs = new java.security.cert.X509Certificate[jsseCerts.length]; + X509Certificate[] x509Certs = new X509Certificate[jsseCerts.length]; for (int i = 0; i < x509Certs.length; i++) { try { byte buffer[] = jsseCerts[i].getEncoded(); CertificateFactory cf = CertificateFactory.getInstance("X.509"); ByteArrayInputStream stream = new ByteArrayInputStream(buffer); - x509Certs[i] = (java.security.cert.X509Certificate) cf.generateCertificate(stream); + x509Certs[i] = (X509Certificate) cf.generateCertificate(stream); if (logger.isLoggable(Level.FINE)) { logger.log(Level.FINE, "Cert #" + i + " = " + x509Certs[i]); } 
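Review bot: In `getCertificates`, the call `session.getPeerCertificates()` is still wrapped in `catch (Throwable ex)` with an empty body, so every failure, not only an absent client certificate, is silently turned into an empty chain. `SSLSession.getPeerCertificates()` reports an unauthenticated peer with `SSLPeerUnverifiedException`; catching exactly that, `} catch (SSLPeerUnverifiedException ex) {` (plus the `javax.net.ssl.SSLPeerUnverifiedException` import), keeps the quiet no-certificate path while letting unexpected errors surface. The same applies to the `catch (Exception bex)` around the identical call in `getPeerCertificates(boolean force)` in the `@@ -121,14 +122,14 @@` hunk. Separately, the protected `getX509Certificates` is renamed without a deprecated bridge like the one the interface gets, which breaks subclasses that call or override it. The method body continues past the end of this hunk.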
@@ -111,7 +112,7 @@ protected java.security.cert.X509Certificate[] getX509Certificates(SSLSession se } @Override - public Object[] getPeerCertificateChain(boolean force) throws IOException { + public Certificate[] getPeerCertificates(boolean force) throws IOException { // Look up the current SSLSession /* * SJSAS 6439313 SSLSession session = ssl.getSession(); @@ -121,14 +122,14 @@ public Object[] getPeerCertificateChain(boolean force) throws IOException { } // Convert JSSE's certificate format to the ones we need - X509Certificate[] jsseCerts = null; + Certificate[] jsseCerts = null; try { - jsseCerts = session.getPeerCertificateChain(); + jsseCerts = session.getPeerCertificates(); } catch (Exception bex) { // ignore. } if (jsseCerts == null) { - jsseCerts = new X509Certificate[0]; + jsseCerts = new Certificate[0]; } if (jsseCerts.length <= 0 && force) { session.invalidate(); @@ -140,7 +141,7 @@ public Object[] getPeerCertificateChain(boolean force) throws IOException { session = engine.getSession(); // END SJSAS 6439313 } - return getX509Certificates(session); + return getCertificates(session); } /** @@ -149,10 +150,7 @@ public Object[] getPeerCertificateChain(boolean force) throws IOException { @Override public Integer getKeySize() throws IOException { // Look up the current SSLSession - /* - * SJSAS 6439313 SSLSession session = ssl.getSession(); - */ - SSLSupport.CipherData c_aux[] = ciphers; + // SJSAS 6439313 SSLSession session = ssl.getSession(); if (session == null) { return null; } @@ -161,9 +159,9 @@ public Integer getKeySize() throws IOException { int size = 0; String cipherSuite = session.getCipherSuite(); - for (int i = 0; i < c_aux.length; i++) { - if (cipherSuite.contains(c_aux[i].phrase)) { - size = c_aux[i].keySize; + for (CipherData element : ciphers) { + if (cipherSuite.contains(element.phrase)) { + size = element.keySize; break; } } 
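Review bot: In `getKeySize`, the rewritten comment `// SJSAS 6439313 SSLSession session = ssl.getSession();` is commented-out code that now sits directly under "Look up the current SSLSession" and reads as if it were still the lookup. I would delete it rather than reformat it; the `@@ -111,7 +112,7 @@` hunk keeps the same remnant in block form, so the two are now inconsistent as well. In the new for-each of the `@@ -161,9 +159,9 @@` hunk, the name `element` says nothing about what is iterated, and `for (CipherData cipher : ciphers)` reads better. Both are style points only, and the method continues outside these hunks.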
@@ -188,8 +186,8 @@ public String getSessionId() throws IOException { return null; } StringBuilder buf = new StringBuilder(""); - for (int x = 0; x < ssl_session.length; x++) { - String digit = Integer.toHexString(ssl_session[x]); + for (byte element : ssl_session) { + String digit = Integer.toHexString(element); if (digit.length() < 2) { buf.append('0'); } diff --git a/modules/http-server/src/main/java/org/glassfish/grizzly/http/server/Request.java b/modules/http-server/src/main/java/org/glassfish/grizzly/http/server/Request.java index cd80e26a65..dcf2e98eb3 100755 --- a/modules/http-server/src/main/java/org/glassfish/grizzly/http/server/Request.java +++ b/modules/http-server/src/main/java/org/glassfish/grizzly/http/server/Request.java @@ -1779,7 +1779,7 @@ public static StringBuffer appendRequestURL(final Request request, final StringB public Principal getUserPrincipal() { if (userPrincipal == null) { if (getRequest().isSecure()) { - X509Certificate certs[] = (X509Certificate[]) getAttribute(Globals.CERTIFICATES_ATTR); + X509Certificate[] certs = (X509Certificate[]) getAttribute(Globals.CERTIFICATES_ATTR); if (FORCE_CLIENT_AUTH_ON_GET_USER_PRINCIPAL && (certs == null || certs.length < 1)) { // Force SSL re-handshake and request client auth certs = (X509Certificate[]) getAttribute(Globals.SSL_CERTIFICATE_ATTR); From 4219b55193addcdbe44b700185dbfd98c3036e07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Mat=C4=9Bj=C4=8Dek?= Date: Fri, 10 Dec 2021 20:44:03 +0100 Subject: [PATCH 2/2] Issue #2145 Minimal JDK required for grizzly 3 should be 11 --- boms/bom/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boms/bom/pom.xml b/boms/bom/pom.xml index 0c3b641f33..e708468214 100644 --- a/boms/bom/pom.xml +++ b/boms/bom/pom.xml @@ -212,7 +212,7 @@ - [1.8,) + [11,) 3.5.4
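Review bot: `Integer.toHexString(element)` in `getSessionId` receives a sign-extended `byte`, so any session-id byte of 0x80 or above is rendered as eight hex digits (for example `ffffff80`) rather than two. The visible lines only pad strings shorter than two characters; whether the result is trimmed afterwards lies outside the hunk. Masking at the call, `String digit = Integer.toHexString(element & 0xff);`, makes the conversion correct on its own. While the loop is being touched, `element` could also be given a name that says it is a session-id byte.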
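Review bot: The cast `(X509Certificate[]) getAttribute(Globals.CERTIFICATES_ATTR)` in `getUserPrincipal` now sits downstream of an API whose declared type is `Certificate[]`, so it relies on the runtime array type and not on anything the compiler checks. How the attribute is populated is not visible here, but if it can come from an `SSLSupport` implementation that returns a plain `Certificate[]`, this line throws `ClassCastException` on the authentication path. A comment such as `// attribute is always stored as X509Certificate[]` or an `instanceof X509Certificate[]` check before the cast would make the assumption explicit. The method continues outside the hunk.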