ARTEMIS-3302 fix regression with OpenSSL

When using the OpenSSL provider on the broker, the getPeerCertificates()
method does *not* return an X509Certificate[], so we need to convert the
Certificate[] that is returned. This code is inspired by Tomcat's
org.apache.tomcat.util.net.jsse.JSSESupport class.
Justin Bertram 2021-08-03 22:29:37 -05:00 committed by Clebert Suconic
parent 9726476c36
commit 8799fe807e
1 changed files with 30 additions and 3 deletions


@ -18,26 +18,53 @@
package org.apache.activemq.artemis.utils;
import javax.net.ssl.SSLPeerUnverifiedException;
import java.io.ByteArrayInputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.handler.ssl.SslHandler;
import org.jboss.logging.Logger;
public class CertificateUtil {
private static final Logger logger = Logger.getLogger(CertificateUtil.class);
public static X509Certificate[] getCertsFromChannel(Channel channel) {
X509Certificate[] certificates = null;
Certificate[] plainCerts = null;
ChannelHandler channelHandler = channel.pipeline().get("ssl");
if (channelHandler != null && channelHandler instanceof SslHandler) {
SslHandler sslHandler = (SslHandler) channelHandler;
try {
certificates = (X509Certificate[]) sslHandler.engine().getSession().getPeerCertificates();
plainCerts = sslHandler.engine().getSession().getPeerCertificates();
} catch (SSLPeerUnverifiedException e) {
// ignore
}
}
return certificates;
X509Certificate[] x509Certs = null;
if (plainCerts != null && plainCerts.length > 0) {
x509Certs = new X509Certificate[plainCerts.length];
for (int i = 0; i < plainCerts.length; i++) {
if (plainCerts[i] instanceof X509Certificate) {
x509Certs[i] = (X509Certificate) plainCerts[i];
} else {
try {
x509Certs[i] = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(plainCerts[i].getEncoded()));
} catch (Exception ex) {
if (logger.isTraceEnabled()) {
logger.trace("Failed to convert SSL cert", ex);
}
return null;
}
}
if (logger.isTraceEnabled()) {
logger.trace("Cert #" + i + " = " + x509Certs[i]);
}
}
}
return x509Certs;
}
}
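Review bot: A conversion failure in the loop (`catch (Exception ex)` after the `generateCertificate` call) discards the whole chain by returning null, which is the right fail-closed outcome, but it is only visible at trace level, so an operator whose clients suddenly fail certificate-based authentication under the OpenSSL provider gets no signal in a default log configuration; since the certificate is public data, logging the failure at debug or warn with the index would be appropriate, e.g. `logger.debug("Failed to convert peer certificate #" + i + " to X509Certificate; dropping chain", ex);`. The catch can also be narrowed: both `getEncoded()` and `CertificateFactory.getInstance(...)`/`generateCertificate(...)` throw `CertificateException` (and its subclass `CertificateEncodingException`), so `catch (CertificateException ex)` would stop an unrelated runtime error from being swallowed silently. `CertificateFactory.getInstance("X.509")` is re-created on every non-X509 element; hoisting it above the loop avoids repeated provider lookups when a chain has several entries. Finally, the method now returns null in four distinct situations (no `ssl` handler, unverified peer, empty chain, conversion failure), which a Javadoc `@return the peer chain as X.509 certificates, or {@code null} if there is no SSL handler, the peer is unverified, the chain is empty, or any element cannot be converted` would make explicit for callers that use a null result as "unauthenticated".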