View Javadoc
1   /*
2    * Copyright 2023 The Netty Project
3    *
4    * The Netty Project licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   https://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  
17  package io.netty.handler.ssl;
18  
19  import io.netty.util.internal.SuppressJava6Requirement;
20  
21  import javax.net.ssl.SSLEngine;
22  import javax.net.ssl.X509ExtendedTrustManager;
23  import javax.net.ssl.X509TrustManager;
24  import java.net.Socket;
25  import java.security.cert.CertificateException;
26  import java.security.cert.X509Certificate;
27  import java.util.Collection;
28  import java.util.List;
29  
30  
31  /**
32   * Wraps an existing {@link X509ExtendedTrustManager} and enhances the {@link CertificateException} that is thrown
33   * because of hostname validation.
34   */
35  @SuppressJava6Requirement(reason = "Usage guarded by java version check")
36  final class EnhancingX509ExtendedTrustManager extends X509ExtendedTrustManager {
37      private final X509ExtendedTrustManager wrapped;
38  
39      EnhancingX509ExtendedTrustManager(X509TrustManager wrapped) {
40          this.wrapped = (X509ExtendedTrustManager) wrapped;
41      }
42  
43      @Override
44      public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
45              throws CertificateException {
46          wrapped.checkClientTrusted(chain, authType, socket);
47      }
48  
49      @Override
50      public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
51              throws CertificateException {
52          try {
53              wrapped.checkServerTrusted(chain, authType, socket);
54          } catch (CertificateException e) {
55              throwEnhancedCertificateException(chain, e);
56          }
57      }
58  
59      @Override
60      public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
61              throws CertificateException {
62          wrapped.checkClientTrusted(chain, authType, engine);
63      }
64  
65      @Override
66      public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
67              throws CertificateException {
68          try {
69              wrapped.checkServerTrusted(chain, authType, engine);
70          } catch (CertificateException e) {
71              throwEnhancedCertificateException(chain, e);
72          }
73      }
74  
75      @Override
76      public void checkClientTrusted(X509Certificate[] chain, String authType)
77              throws CertificateException {
78          wrapped.checkClientTrusted(chain, authType);
79      }
80  
81      @Override
82      public void checkServerTrusted(X509Certificate[] chain, String authType)
83              throws CertificateException {
84          try {
85              wrapped.checkServerTrusted(chain, authType);
86          } catch (CertificateException e) {
87              throwEnhancedCertificateException(chain, e);
88          }
89      }
90  
91      @Override
92      public X509Certificate[] getAcceptedIssuers() {
93          return wrapped.getAcceptedIssuers();
94      }
95  
96      private static void throwEnhancedCertificateException(X509Certificate[] chain, CertificateException e)
97              throws CertificateException {
98          // Matching the message is the best we can do sadly.
99          String message = e.getMessage();
100         if (message != null && e.getMessage().startsWith("No subject alternative DNS name matching")) {
101             StringBuilder names = new StringBuilder(64);
102             for (int i = 0; i < chain.length; i++) {
103                 X509Certificate cert = chain[i];
104                 Collection<List<?>> collection = cert.getSubjectAlternativeNames();
105                 if (collection != null) {
106                     for (List<?> altNames : collection) {
107                         // 2 is dNSName. See X509Certificate javadocs.
108                         if (altNames.size() >= 2 && ((Integer) altNames.get(0)).intValue() == 2) {
109                             names.append((String) altNames.get(1)).append(",");
110                         }
111                     }
112                 }
113             }
114             if (names.length() != 0) {
115                 // Strip of ,
116                 names.setLength(names.length() - 1);
117                 throw new CertificateException(message +
118                         " Subject alternative DNS names in the certificate chain of " + chain.length +
119                         " certificate(s): " + names, e);
120             }
121         }
122         throw e;
123     }
124 }