io.netty.handler.ssl.OpenSslX509TrustManagerWrapper Maven / Gradle / Ivy
Go to download
This artifact provides a single jar that contains all classes required to use remote EJB and JMS, including
all dependencies. It is intended for use by those not using maven, maven users should just import the EJB and
JMS BOM's instead (shaded JAR's cause lots of problems with maven, as it is very easy to inadvertently end up
with different versions on classes on the class path).
/*
* Copyright 2018 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.ssl;
import io.netty.util.internal.EmptyArrays;
import io.netty.util.internal.PlatformDependent;
import io.netty.util.internal.SuppressJava6Requirement;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivilegedAction;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
/**
* Utility which allows to wrap {@link X509TrustManager} implementations with the internal implementation used by
* {@code SSLContextImpl} that provides extended verification.
*
* This is really a "hack" until there is an official API as requested on the in
* JDK-8210843.
*/
@SuppressJava6Requirement(reason = "Usage guarded by java version check")
final class OpenSslX509TrustManagerWrapper {
private static final InternalLogger LOGGER = InternalLoggerFactory
.getInstance(OpenSslX509TrustManagerWrapper.class);
private static final TrustManagerWrapper WRAPPER;
static {
// By default we will not do any wrapping but just return the passed in manager.
TrustManagerWrapper wrapper = new TrustManagerWrapper() {
@Override
public X509TrustManager wrapIfNeeded(X509TrustManager manager) {
return manager;
}
};
Throwable cause = null;
Throwable unsafeCause = PlatformDependent.getUnsafeUnavailabilityCause();
if (unsafeCause == null) {
SSLContext context;
try {
context = newSSLContext();
// Now init with an array that only holds a X509TrustManager. This should be wrapped into an
// AbstractTrustManagerWrapper which will delegate the TrustManager itself but also do extra
// validations.
//
// See:
// - https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/
// cadea780bc76/src/share/classes/sun/security/ssl/SSLContextImpl.java#l127
context.init(null, new TrustManager[] {
new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s)
throws CertificateException {
throw new CertificateException();
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s)
throws CertificateException {
throw new CertificateException();
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return EmptyArrays.EMPTY_X509_CERTIFICATES;
}
}
}, null);
} catch (Throwable error) {
context = null;
cause = error;
}
if (cause != null) {
LOGGER.debug("Unable to access wrapped TrustManager", cause);
} else {
final SSLContext finalContext = context;
Object maybeWrapper = AccessController.doPrivileged(new PrivilegedAction