Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix #6076 Protect from null local certificates (#6078) 

Fix #6076 Protect from null local certificates
cache resulting X509 in session

Signed-off-by: Greg Wilkins <gregw@webtide.com>
This commit is contained in:
Greg Wilkins 2021-03-24 05:17:40 +08:00 committed by GitHub
parent 96f707f74b
commit 0d91f33b79
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java
View File

@ -13,6 +13,7 @@
package org.eclipse.jetty.server;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
@ -52,6 +53,7 @@ public class SecureRequestCustomizer implements HttpConfiguration.Customizer
public static final String JAVAX_SERVLET_REQUEST_CIPHER_SUITE = "javax.servlet.request.cipher_suite";
public static final String JAVAX_SERVLET_REQUEST_KEY_SIZE = "javax.servlet.request.key_size";
public static final String JAVAX_SERVLET_REQUEST_SSL_SESSION_ID = "javax.servlet.request.ssl_session_id";
public static final String X509_CERT = "org.eclipse.jetty.server.x509_cert";
private String sslSessionAttribute = "org.eclipse.jetty.servlet.request.ssl_session";
@ -244,24 +246,24 @@ public class SecureRequestCustomizer implements HttpConfiguration.Customizer
if (isSniRequired() || isSniHostCheck())
{
String sniHost = (String)sslSession.getValue(SslContextFactory.Server.SNI_HOST);
X509 cert = new X509(null, (X509Certificate)sslSession.getLocalCertificates()[0]);
X509 x509 = (X509)sslSession.getValue(X509_CERT);
if (x509 == null)
{
Certificate[] certificates = sslSession.getLocalCertificates();
if (certificates == null || certificates.length == 0 || !(certificates[0] instanceof X509Certificate))
throw new BadMessageException(400, "Invalid SNI");
x509 = new X509(null, (X509Certificate)certificates[0]);
sslSession.putValue(X509_CERT, x509);
}
String serverName = request.getServerName();
if (LOG.isDebugEnabled())
LOG.debug("Host={}, SNI={}, SNI Certificate={}", serverName, sniHost, cert);
LOG.debug("Host={}, SNI={}, SNI Certificate={}", serverName, sniHost, x509);
if (isSniRequired())
{
if (sniHost == null)
throw new BadMessageException(400, "Invalid SNI");
if (!cert.matches(sniHost))
throw new BadMessageException(400, "Invalid SNI");
}
if (isSniRequired() && (sniHost == null || !x509.matches(sniHost)))
throw new BadMessageException(400, "Invalid SNI");
if (isSniHostCheck())
{
if (!cert.matches(serverName))
throw new BadMessageException(400, "Invalid SNI");
}
if (isSniHostCheck() && !x509.matches(serverName))
throw new BadMessageException(400, "Invalid SNI");
}
request.setAttributes(new SslAttributes(request, sslSession));