View Javadoc
1   /*
2    * Copyright 2018 The Netty Project
3    *
4    * The Netty Project licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   https://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  package io.netty.handler.ssl;
17  
18  import io.netty.util.internal.EmptyArrays;
19  import io.netty.util.internal.PlatformDependent;
20  import io.netty.util.internal.SuppressJava6Requirement;
21  import io.netty.util.internal.logging.InternalLogger;
22  import io.netty.util.internal.logging.InternalLoggerFactory;
23  
24  import javax.net.ssl.SSLContext;
25  import javax.net.ssl.TrustManager;
26  import javax.net.ssl.X509ExtendedTrustManager;
27  import javax.net.ssl.X509TrustManager;
28  import java.lang.reflect.Field;
29  import java.security.AccessController;
30  import java.security.KeyManagementException;
31  import java.security.NoSuchAlgorithmException;
32  import java.security.NoSuchProviderException;
33  import java.security.PrivilegedAction;
34  import java.security.cert.CertificateException;
35  import java.security.cert.X509Certificate;
36  
37  /**
38   * Utility which allows to wrap {@link X509TrustManager} implementations with the internal implementation used by
39   * {@code SSLContextImpl} that provides extended verification.
40   *
41   * This is really a "hack" until there is an official API as requested on the in
42   * <a href="https://bugs.openjdk.java.net/projects/JDK/issues/JDK-8210843">JDK-8210843</a>.
43   */
44  @SuppressJava6Requirement(reason = "Usage guarded by java version check")
45  final class OpenSslX509TrustManagerWrapper {
46      private static final InternalLogger LOGGER = InternalLoggerFactory
47              .getInstance(OpenSslX509TrustManagerWrapper.class);
48      private static final TrustManagerWrapper WRAPPER;
49  
50      private static final TrustManagerWrapper DEFAULT = new TrustManagerWrapper() {
51          @Override
52          public X509TrustManager wrapIfNeeded(X509TrustManager manager) {
53              return manager;
54          }
55      };
56  
57      static {
58          // By default we will not do any wrapping but just return the passed in manager.
59          TrustManagerWrapper wrapper = DEFAULT;
60  
61          Throwable cause = null;
62          Throwable unsafeCause = PlatformDependent.getUnsafeUnavailabilityCause();
63          if (unsafeCause == null) {
64              SSLContext context;
65              try {
66                  context = newSSLContext();
67                  // Now init with an array that only holds a X509TrustManager. This should be wrapped into an
68                  // AbstractTrustManagerWrapper which will delegate the TrustManager itself but also do extra
69                  // validations.
70                  //
71                  // See:
72                  // - https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/
73                  //          cadea780bc76/src/share/classes/sun/security/ssl/SSLContextImpl.java#l127
74                  context.init(null, new TrustManager[] {
75                          new X509TrustManager() {
76                              @Override
77                              public void checkClientTrusted(X509Certificate[] x509Certificates, String s)
78                                      throws CertificateException {
79                                  throw new CertificateException();
80                              }
81  
82                              @Override
83                              public void checkServerTrusted(X509Certificate[] x509Certificates, String s)
84                                      throws CertificateException {
85                                  throw new CertificateException();
86                              }
87  
88                              @Override
89                              public X509Certificate[] getAcceptedIssuers() {
90                                  return EmptyArrays.EMPTY_X509_CERTIFICATES;
91                              }
92                          }
93                  }, null);
94              } catch (Throwable error) {
95                  context = null;
96                  cause = error;
97              }
98              if (cause != null) {
99                  LOGGER.debug("Unable to access wrapped TrustManager", cause);
100             } else {
101                 final SSLContext finalContext = context;
102                 Object maybeWrapper = AccessController.doPrivileged(new PrivilegedAction<Object>() {
103                     @Override
104                     public Object run() {
105                         try {
106                             Field contextSpiField = SSLContext.class.getDeclaredField("contextSpi");
107                             final long spiOffset = PlatformDependent.objectFieldOffset(contextSpiField);
108                             Object spi = PlatformDependent.getObject(finalContext, spiOffset);
109                             if (spi != null) {
110                                 Class<?> clazz = spi.getClass();
111 
112                                 // Let's cycle through the whole hierarchy until we find what we are looking for or
113                                 // there is nothing left in which case we will not wrap at all.
114                                 do {
115                                     try {
116                                         Field trustManagerField = clazz.getDeclaredField("trustManager");
117                                         final long tmOffset = PlatformDependent.objectFieldOffset(trustManagerField);
118                                         Object trustManager = PlatformDependent.getObject(spi, tmOffset);
119                                         if (trustManager instanceof X509ExtendedTrustManager) {
120                                             return new UnsafeTrustManagerWrapper(spiOffset, tmOffset);
121                                         }
122                                     } catch (NoSuchFieldException ignore) {
123                                         // try next
124                                     }
125                                     clazz = clazz.getSuperclass();
126                                 } while (clazz != null);
127                             }
128                             throw new NoSuchFieldException();
129                         } catch (NoSuchFieldException e) {
130                             return e;
131                         } catch (SecurityException e) {
132                             return e;
133                         }
134                     }
135                 });
136                 if (maybeWrapper instanceof Throwable) {
137                     LOGGER.debug("Unable to access wrapped TrustManager", (Throwable) maybeWrapper);
138                 } else {
139                     wrapper = (TrustManagerWrapper) maybeWrapper;
140                 }
141             }
142         } else {
143             LOGGER.debug("Unable to access wrapped TrustManager", cause);
144         }
145         WRAPPER = wrapper;
146     }
147 
148     static boolean isWrappingSupported() {
149         return WRAPPER != DEFAULT;
150     }
151 
152     private OpenSslX509TrustManagerWrapper() { }
153 
154     static X509TrustManager wrapIfNeeded(X509TrustManager trustManager) {
155         return WRAPPER.wrapIfNeeded(trustManager);
156     }
157 
158     private interface TrustManagerWrapper {
159         X509TrustManager wrapIfNeeded(X509TrustManager manager);
160     }
161 
162     private static SSLContext newSSLContext() throws NoSuchAlgorithmException, NoSuchProviderException {
163         // As this depends on the implementation detail we should explicit select the correct provider.
164         // See https://github.com/netty/netty/issues/10374
165         return SSLContext.getInstance("TLS", "SunJSSE");
166     }
167 
168     private static final class UnsafeTrustManagerWrapper implements TrustManagerWrapper {
169         private final long spiOffset;
170         private final long tmOffset;
171 
172         UnsafeTrustManagerWrapper(long spiOffset, long tmOffset) {
173             this.spiOffset = spiOffset;
174             this.tmOffset = tmOffset;
175         }
176 
177         @SuppressJava6Requirement(reason = "Usage guarded by java version check")
178         @Override
179         public X509TrustManager wrapIfNeeded(X509TrustManager manager) {
180             if (!(manager instanceof X509ExtendedTrustManager)) {
181                 try {
182                     SSLContext ctx = newSSLContext();
183                     ctx.init(null, new TrustManager[] { manager }, null);
184                     Object spi = PlatformDependent.getObject(ctx, spiOffset);
185                     if (spi != null) {
186                         Object tm = PlatformDependent.getObject(spi, tmOffset);
187                         if (tm instanceof X509ExtendedTrustManager) {
188                             return (X509TrustManager) tm;
189                         }
190                     }
191                 } catch (NoSuchAlgorithmException e) {
192                     // This should never happen as we did the same in the static block
193                     // before.
194                     PlatformDependent.throwException(e);
195                 } catch (KeyManagementException e) {
196                     // This should never happen as we did the same in the static block
197                     // before.
198                     PlatformDependent.throwException(e);
199                 } catch (NoSuchProviderException e) {
200                     // This should never happen as we did the same in the static block
201                     // before.
202                     PlatformDependent.throwException(e);
203                 }
204             }
205             return manager;
206         }
207     }
208 }