Merge pull request #4404 from eclipse/jetty-9.4.x-4385-restore-unsupported-exception-base-sni

Issue #4385 - Reverting WARN log in favor of IllegalStateException
2019-12-07 12:44:05 +01:00 · 2019-12-07 12:44:05 +01:00 · 2052b6e390
parent 364ded9f73 53073ca257
commit 2052b6e390
2 changed files with 68 additions and 61 deletions
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@ -1249,18 +1249,13 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
                // Is SNI needed to select a certificate?
                if (!_certWilds.isEmpty() || _certHosts.size() > 1 || (_certHosts.size() == 1 && _aliasX509.size() > 1))
                {
-                    if (this instanceof SslContextFactory.Server)
+                    for (int idx = 0; idx < managers.length; idx++)
                    {
-                        for (int idx = 0; idx < managers.length; idx++)
+                        if (managers[idx] instanceof X509ExtendedKeyManager)
                        {
-                            if (managers[idx] instanceof X509ExtendedKeyManager)
-                                managers[idx] = newSniX509ExtendedKeyManager((X509ExtendedKeyManager)managers[idx]);
+                            managers[idx] = newSniX509ExtendedKeyManager((X509ExtendedKeyManager)managers[idx]);
                        }
                    }
-                    else
-                    {
-                        LOG.warn("Unable to support SNI on {} (expecting {})", this.getClass().getName(), SslContextFactory.Server.class.getName());
-                    }
                }
            }
        }
@ -1277,7 +1272,11 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
    @Deprecated
    protected X509ExtendedKeyManager newSniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager)
    {
-        throw new UnsupportedOperationException("X509ExtendedKeyManager only supported on " + SslContextFactory.Server.class.getName());
+        throw new IllegalStateException(String.format(
+            "KeyStores with multiple certificates are not supported on the base class %s. (Use %s or %s instead)",
+            SslContextFactory.class.getName(),
+            Server.class.getName(),
+            Client.class.getName()));
    }

    protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
@ -2185,6 +2184,13 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
            checkEndPointIdentificationAlgorithm();
            super.checkConfiguration();
        }
+
+        @Override
+        protected X509ExtendedKeyManager newSniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager)
+        {
+            // Client has no SNI functionality.
+            return keyManager;
+        }
    }

    @ManagedObject
--- a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/X509Test.java
+++ b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/X509Test.java
@ -20,8 +20,6 @@ package org.eclipse.jetty.util.ssl;

 import java.nio.file.Path;
 import java.security.cert.X509Certificate;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.X509ExtendedKeyManager;

 import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
 import org.eclipse.jetty.util.resource.PathResource;
@ -31,7 +29,6 @@ import org.junit.jupiter.api.Test;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.notNullValue;
 import static org.junit.jupiter.api.Assertions.assertThrows;

 public class X509Test
@ -133,66 +130,70 @@ public class X509Test
        assertThat("Normal X509", X509.isCertSign(bogusX509), is(false));
    }

-    private X509ExtendedKeyManager getX509ExtendedKeyManager(SslContextFactory sslContextFactory) throws Exception
-    {
-        Resource keystoreResource = Resource.newSystemResource("keystore");
-        Resource truststoreResource = Resource.newSystemResource("keystore");
-        sslContextFactory.setKeyStoreResource(keystoreResource);
-        sslContextFactory.setTrustStoreResource(truststoreResource);
-        sslContextFactory.setKeyStorePassword("storepwd");
-        sslContextFactory.setKeyManagerPassword("keypwd");
-        sslContextFactory.setTrustStorePassword("storepwd");
-        sslContextFactory.start();
-
-        KeyManager[] keyManagers = sslContextFactory.getKeyManagers(sslContextFactory.getKeyStore());
-        X509ExtendedKeyManager x509ExtendedKeyManager = null;
-
-        for (KeyManager keyManager : keyManagers)
-        {
-            if (keyManager instanceof X509ExtendedKeyManager)
-            {
-                x509ExtendedKeyManager = (X509ExtendedKeyManager)keyManager;
-                break;
-            }
-        }
-        assertThat("Found X509ExtendedKeyManager", x509ExtendedKeyManager, is(notNullValue()));
-        return x509ExtendedKeyManager;
-    }
-
    @Test
-    public void testSniX509ExtendedKeyManager_BaseClass() throws Exception
-    {
-        SslContextFactory baseSsl = new SslContextFactory();
-        X509ExtendedKeyManager x509ExtendedKeyManager = getX509ExtendedKeyManager(baseSsl);
-        UnsupportedOperationException ex = assertThrows(UnsupportedOperationException.class, () -> baseSsl.newSniX509ExtendedKeyManager(x509ExtendedKeyManager));
-        assertThat("UnsupportedOperationException.message", ex.getMessage(), containsString("X509ExtendedKeyManager only supported on " + SslContextFactory.Server.class.getName()));
-    }
-
-    @Test
-    public void testSniX509ExtendedKeyManager_BaseClass_Start() throws Exception
+    public void testBaseClass_WithSni()
    {
        SslContextFactory baseSsl = new SslContextFactory();
        Path keystorePath = MavenTestingUtils.getTestResourcePathFile("keystore_sni.p12");
        baseSsl.setKeyStoreResource(new PathResource(keystorePath));
        baseSsl.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
        baseSsl.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
-        baseSsl.start(); // should not throw an exception
+        IllegalStateException ex = assertThrows(IllegalStateException.class, baseSsl::start);
+        assertThat("IllegalStateException.message", ex.getMessage(), containsString("KeyStores with multiple certificates are not supported on the base class"));
    }

    @Test
-    public void testSniX509ExtendedKeyManager_ClientClass() throws Exception
-    {
-        SslContextFactory clientSsl = new SslContextFactory.Client();
-        X509ExtendedKeyManager x509ExtendedKeyManager = getX509ExtendedKeyManager(clientSsl);
-        UnsupportedOperationException ex = assertThrows(UnsupportedOperationException.class, () -> clientSsl.newSniX509ExtendedKeyManager(x509ExtendedKeyManager));
-        assertThat("SNI X509 ExtendedKeyManager is unsupported in Client mode", ex.getMessage(), containsString("X509ExtendedKeyManager only supported on " + SslContextFactory.Server.class.getName()));
-    }
-
-    @Test
-    public void testSniX509ExtendedKeyManager_ServerClass() throws Exception
+    public void testServerClass_WithSni() throws Exception
    {
        SslContextFactory serverSsl = new SslContextFactory.Server();
-        X509ExtendedKeyManager x509ExtendedKeyManager = getX509ExtendedKeyManager(serverSsl);
-        serverSsl.newSniX509ExtendedKeyManager(x509ExtendedKeyManager);
+        Path keystorePath = MavenTestingUtils.getTestResourcePathFile("keystore_sni.p12");
+        serverSsl.setKeyStoreResource(new PathResource(keystorePath));
+        serverSsl.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
+        serverSsl.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
+        serverSsl.start();
+    }
+
+    @Test
+    public void testClientClass_WithSni() throws Exception
+    {
+        SslContextFactory clientSsl = new SslContextFactory.Client();
+        Path keystorePath = MavenTestingUtils.getTestResourcePathFile("keystore_sni.p12");
+        clientSsl.setKeyStoreResource(new PathResource(keystorePath));
+        clientSsl.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
+        clientSsl.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
+        clientSsl.start();
+    }
+
+    @Test
+    public void testBaseClass_WithoutSni() throws Exception
+    {
+        SslContextFactory baseSsl = new SslContextFactory();
+        Resource keystoreResource = Resource.newSystemResource("keystore");
+        baseSsl.setKeyStoreResource(keystoreResource);
+        baseSsl.setKeyStorePassword("storepwd");
+        baseSsl.setKeyManagerPassword("keypwd");
+        baseSsl.start();
+    }
+
+    @Test
+    public void testServerClass_WithoutSni() throws Exception
+    {
+        SslContextFactory serverSsl = new SslContextFactory.Server();
+        Resource keystoreResource = Resource.newSystemResource("keystore");
+        serverSsl.setKeyStoreResource(keystoreResource);
+        serverSsl.setKeyStorePassword("storepwd");
+        serverSsl.setKeyManagerPassword("keypwd");
+        serverSsl.start();
+    }
+
+    @Test
+    public void testClientClass_WithoutSni() throws Exception
+    {
+        SslContextFactory clientSsl = new SslContextFactory.Client();
+        Resource keystoreResource = Resource.newSystemResource("keystore");
+        clientSsl.setKeyStoreResource(keystoreResource);
+        clientSsl.setKeyStorePassword("storepwd");
+        clientSsl.setKeyManagerPassword("keypwd");
+        clientSsl.start();
    }
 }