17 package io.netty.handler.ssl;
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
32 final class EnhancingX509ExtendedTrustManager extends X509ExtendedTrustManager {
33 private final X509ExtendedTrustManager wrapped;
34
35 EnhancingX509ExtendedTrustManager(X509TrustManager wrapped) {
36 this.wrapped = (X509ExtendedTrustManager) wrapped;
37 }
38
39 @Override
40 public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
41 throws CertificateException {
42 wrapped.checkClientTrusted(chain, authType, socket);
43 }
44
45 @Override
46 public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
47 throws CertificateException {
48 try {
49 wrapped.checkServerTrusted(chain, authType, socket);
50 } catch (CertificateException e) {
51 throwEnhancedCertificateException(chain, e);
52 }
53 }
54
55 @Override
56 public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
57 throws CertificateException {
58 wrapped.checkClientTrusted(chain, authType, engine);
59 }
60
61 @Override
62 public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
63 throws CertificateException {
64 try {
65 wrapped.checkServerTrusted(chain, authType, engine);
66 } catch (CertificateException e) {
67 throwEnhancedCertificateException(chain, e);
68 }
69 }
70
71 @Override
72 public void checkClientTrusted(X509Certificate[] chain, String authType)
73 throws CertificateException {
74 wrapped.checkClientTrusted(chain, authType);
75 }
76
77 @Override
78 public void checkServerTrusted(X509Certificate[] chain, String authType)
79 throws CertificateException {
80 try {
81 wrapped.checkServerTrusted(chain, authType);
82 } catch (CertificateException e) {
83 throwEnhancedCertificateException(chain, e);
84 }
85 }
86
87 @Override
88 public X509Certificate[] getAcceptedIssuers() {
89 return wrapped.getAcceptedIssuers();
90 }
91
92 private static void throwEnhancedCertificateException(X509Certificate[] chain, CertificateException e)
93 throws CertificateException {
94
95 String message = e.getMessage();
96 if (message != null && e.getMessage().startsWith("No subject alternative DNS name matching")) {
97 StringBuilder names = new StringBuilder(64);
98 for (int i = 0; i < chain.length; i++) {
99 X509Certificate cert = chain[i];
100 Collection<List<?>> collection = cert.getSubjectAlternativeNames();
101 if (collection != null) {
102 for (List<?> altNames : collection) {
103
104 if (altNames.size() >= 2 && ((Integer) altNames.get(0)).intValue() == 2) {
105 names.append((String) altNames.get(1)).append(",");
106 }
107 }
108 }
109 }
110 if (names.length() != 0) {
111
112 names.setLength(names.length() - 1);
113 throw new CertificateException(message +
114 " Subject alternative DNS names in the certificate chain of " + chain.length +
115 " certificate(s): " + names, e);
116 }
117 }
118 throw e;
119 }
120 }