diff --git a/core/src/main/java/io/undertow/protocols/ssl/SNISSLEngine.java b/core/src/main/java/io/undertow/protocols/ssl/SNISSLEngine.java
index 092e7e1803..13c5de6485 100644
--- a/core/src/main/java/io/undertow/protocols/ssl/SNISSLEngine.java
+++ b/core/src/main/java/io/undertow/protocols/ssl/SNISSLEngine.java
@@ -17,8 +17,6 @@
 import java.nio.ByteBuffer;
 import java.nio.channels.ClosedChannelException;
-import java.security.Principal;
-import java.security.cert.Certificate;
 import java.util.List;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.concurrent.atomic.AtomicReference;
@@ -30,10 +28,7 @@
 import javax.net.ssl.SSLEngineResult;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLParameters;
-import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSessionContext;
-import javax.security.cert.X509Certificate;
 import io.undertow.UndertowMessages;
@@ -205,104 +200,14 @@ class InitialState extends SSLEngine {
 private final SNIContextMatcher selector;
 private final AtomicInteger flags = new AtomicInteger(FL_SESSION_CRE);
 private final Function engineFunction;
- private int packetBufferSize = SNISSLExplorer.RECORD_HEADER_SIZE;
 private String[] enabledSuites;
 private String[] enabledProtocols;
- private final SSLSession handshakeSession = new SSLSession() {
- public byte[] getId() {
- throw new UnsupportedOperationException();
- }
-
- public SSLSessionContext getSessionContext() {
- throw new UnsupportedOperationException();
- }
-
- public long getCreationTime() {
- throw new UnsupportedOperationException();
- }
-
- public long getLastAccessedTime() {
- throw new UnsupportedOperationException();
- }
-
- public void invalidate() {
- throw new UnsupportedOperationException();
- }
-
- public boolean isValid() {
- return false;
- }
-
- public void putValue(final String s, final Object o) {
- throw new UnsupportedOperationException();
- }
-
- public Object getValue(final String s) {
- return null;
- }
-
- public void removeValue(final String s) {
- }
-
- public String[] getValueNames() {
- throw new UnsupportedOperationException();
- }
-
- public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
- throw new UnsupportedOperationException();
- }
-
- public Certificate[] getLocalCertificates() {
- return null;
- }
-
- public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
- throw new UnsupportedOperationException();
- }
-
- public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
- throw new UnsupportedOperationException();
- }
-
- public Principal getLocalPrincipal() {
- throw new UnsupportedOperationException();
- }
-
- public String getCipherSuite() {
- throw new UnsupportedOperationException();
- }
-
- public String getProtocol() {
- throw new UnsupportedOperationException();
- }
-
- public String getPeerHost() {
- return SNISSLEngine.this.getPeerHost();
- }
-
- public int getPeerPort() {
- return SNISSLEngine.this.getPeerPort();
- }
-
- public int getPacketBufferSize() {
- return packetBufferSize;
- }
-
- public int getApplicationBufferSize() {
- throw new UnsupportedOperationException();
- }
- };
-
 InitialState(final SNIContextMatcher selector, final Function engineFunction) {
 this.selector = selector;
 this.engineFunction = engineFunction;
 }
- public SSLSession getHandshakeSession() {
- return handshakeSession;
- }
-
 public SSLEngineResult wrap(final ByteBuffer[] srcs, final int offset, final int length, final ByteBuffer dst) throws SSLException {
 return OK_UNWRAP;
 }
@@ -312,12 +217,10 @@ public SSLEngineResult unwrap(final ByteBuffer src, final ByteBuffer[] dsts, fin
 final int mark = src.position();
 try {
 if (src.remaining() < SNISSLExplorer.RECORD_HEADER_SIZE) {
- packetBufferSize = SNISSLExplorer.RECORD_HEADER_SIZE;
 return UNDERFLOW_UNWRAP;
 }
 final int requiredSize = SNISSLExplorer.getRequiredSize(src);
 if (src.remaining() < requiredSize) {
- packetBufferSize = requiredSize;
 return UNDERFLOW_UNWRAP;
 }
 List names = SNISSLExplorer.explore(src);
diff --git a/core/src/main/java/io/undertow/server/BasicSSLSessionInfo.java b/core/src/main/java/io/undertow/server/BasicSSLSessionInfo.java
index ab4bac39d5..0d74729c17 100644
--- a/core/src/main/java/io/undertow/server/BasicSSLSessionInfo.java
+++ b/core/src/main/java/io/undertow/server/BasicSSLSessionInfo.java
@@ -24,8 +24,6 @@
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
-import javax.security.cert.CertificateException;
-import javax.security.cert.X509Certificate;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
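Review bot: Dropping the `getHandshakeSession()` override leaves `InitialState` with the implementation inherited from `SSLEngine`, which throws `UnsupportedOperationException`, so a caller that asks the SNI engine for a handshake session before the ClientHello has been explored now fails where it previously received a stub whose `getPacketBufferSize()` reported `packetBufferSize`; the companion unwrap hunk also stops recording the size learned from `SNISSLExplorer.getRequiredSize(src)` on underflow, so that value is no longer reachable through the engine at all. If nothing consults the handshake session during the pre-read this is harmless, but it is a behaviour change the diff does not document; at minimum add a comment to the class such as `// No handshake session exists until the ClientHello has been explored; getHandshakeSession() keeps SSLEngine's UnsupportedOperationException.` If the stub was removed only because it had to implement the deprecated `getPeerCertificateChain()`, a `java.lang.reflect.Proxy` over `SSLSession` could preserve the old behaviour without naming any `javax.security.cert` type at compile time. `InitialState` begins and ends outside the hunk.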
@@ -41,7 +39,6 @@ public class BasicSSLSessionInfo implements SSLSessionInfo {
 private final byte[] sessionId;
 private final String cypherSuite;
 private final java.security.cert.Certificate[] peerCertificate;
- private final X509Certificate[] certificate;
 private final Integer keySize;
 private final String secureProtocol;
@@ -52,9 +49,8 @@ public class BasicSSLSessionInfo implements SSLSessionInfo {
 * @param certificate A string representation of the client certificate
 * @param keySize The key-size used by the cypher
 * @throws java.security.cert.CertificateException If the client cert could not be decoded
- * @throws CertificateException If the client cert could not be decoded
 */
- public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate, Integer keySize) throws java.security.cert.CertificateException, CertificateException {
+ public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate, Integer keySize) throws java.security.cert.CertificateException {
 this(sessionId, cypherSuite, certificate, keySize, null);
 }
@@ -66,9 +62,8 @@ public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certific
 * @param keySize The key-size used by the cypher
 * @param secureProtocol the secure protocol, example {@code TLSv1.2}
 * @throws java.security.cert.CertificateException If the client cert could not be decoded
- * @throws CertificateException If the client cert could not be decoded
 */
- public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate, Integer keySize, String secureProtocol) throws java.security.cert.CertificateException, CertificateException {
+ public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate, Integer keySize, String secureProtocol) throws java.security.cert.CertificateException {
 this.sessionId = sessionId;
 this.cypherSuite = cypherSuite;
 this.keySize = keySize;
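Review bot: Dropping `javax.security.cert.CertificateException` from the `throws` clause of these public constructors is source-incompatible for external callers: a `catch (javax.security.cert.CertificateException e)` wrapped around `new BasicSSLSessionInfo(...)` now fails to compile because the checked exception is never thrown — the same adjustment this commit has to make for `AjpRequestParseState` in-tree. Binary compatibility is unaffected, since a throws clause is not part of the method descriptor, but the Javadoc only lists the surviving `@throws` and says nothing about the change. A line such as `* Note: {@code javax.security.cert.CertificateException} is no longer thrown; callers need only catch {@code java.security.cert.CertificateException}.` on each constructor, together with a release-note entry, would spare downstream users a surprise compile failure. The same consideration applies to the `SSLSessionInfo` method removed elsewhere in this commit despite its `forRemoval=false` annotation.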
@@ -79,26 +74,13 @@ public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certific
 ByteArrayInputStream stream = new ByteArrayInputStream(certificateBytes);
 Collection certCol = cf.generateCertificates(stream);
 this.peerCertificate = new java.security.cert.Certificate[certCol.size()];
- X509Certificate[] legacyCertificate = new X509Certificate[certCol.size()];
 int i=0;
 for(java.security.cert.Certificate cert : certCol) {
 this.peerCertificate[i] = cert;
- if (legacyCertificate != null) {
- try {
- legacyCertificate[i] = X509Certificate.getInstance(cert.getEncoded());
- } catch (CertificateException ce) {
- // [UNDERTOW-1969] We don't care about deprecated JDK methods failure caused by the fact newer JDKs
- // doesn't support them anymore. "this.certificate" is used only by deprecated method
- // {@link SSLSessionInfo.getPeerCertificateChain()} which call should be avoided by API users.
- legacyCertificate = null;
- }
- }
 i++;
 }
- this.certificate = legacyCertificate;
 } else {
 this.peerCertificate = null;
- this.certificate = null;
 }
 }
@@ -108,9 +90,8 @@ public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certific
 * @param cypherSuite The cypher suite name
 * @param certificate A string representation of the client certificate
 * @throws java.security.cert.CertificateException If the client cert could not be decoded
- * @throws CertificateException If the client cert could not be decoded
 */
- public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate) throws java.security.cert.CertificateException, CertificateException {
+ public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate) throws java.security.cert.CertificateException {
 this(sessionId, cypherSuite, certificate, null);
 }
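Review bot: With the legacy chain gone, the index loop left in this branch does nothing but copy `certCol` into `peerCertificate`, so the pre-sized array, `int i=0;`, the `for` body and `i++` collapse to the single line `this.peerCertificate = certCol.toArray(new java.security.cert.Certificate[0]);`, which also removes the hand-maintained counter. Behaviour is identical, including a zero-length array when the parsed PEM holds no certificates; whether `getPeerCertificates()` should report that as unverified cannot be judged from this hunk. The constructor's opening lines, where `certificateBytes` and `cf` are set up, sit above the hunk.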
@@ -120,9 +101,8 @@ public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certific
 * @param cypherSuite The cypher suite name
 * @param certificate A string representation of the client certificate
 * @throws java.security.cert.CertificateException If the client cert could not be decoded
- * @throws CertificateException If the client cert could not be decoded
 */
- public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate) throws java.security.cert.CertificateException, CertificateException {
+ public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate) throws java.security.cert.CertificateException {
 this(sessionId == null ? null : fromHex(sessionId), cypherSuite, certificate, null);
 }
@@ -133,9 +113,8 @@ public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certific
 * @param certificate A string representation of the client certificate
 * @param keySize The key-size used by the cypher
 * @throws java.security.cert.CertificateException If the client cert could not be decoded
- * @throws CertificateException If the client cert could not be decoded
 */
- public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate, Integer keySize) throws java.security.cert.CertificateException, CertificateException {
+ public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate, Integer keySize) throws java.security.cert.CertificateException {
 this(sessionId == null ? null : fromHex(sessionId), cypherSuite, certificate, keySize);
 }
@@ -147,9 +126,8 @@ public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certific
 * @param keySize The key-size used by the cypher
 * @param secureProtocol the secure protocol, example {@code TLSv1.2}
 * @throws java.security.cert.CertificateException If the client cert could not be decoded
- * @throws CertificateException If the client cert could not be decoded
 */
- public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate, Integer keySize, String secureProtocol) throws java.security.cert.CertificateException, CertificateException {
+ public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate, Integer keySize, String secureProtocol) throws java.security.cert.CertificateException {
 this(sessionId == null ? null : fromHex(sessionId), cypherSuite, certificate, keySize, secureProtocol);
 }
@@ -185,15 +163,6 @@ public java.security.cert.Certificate[] getPeerCertificates() throws SSLPeerUnve
 return peerCertificate;
 }
- @Deprecated
- @Override
- public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
- if (certificate == null) {
- throw UndertowMessages.MESSAGES.peerUnverified();
- }
- return certificate;
- }
-
 @Override
 public void renegotiate(HttpServerExchange exchange, SslClientAuthMode sslClientAuthMode) throws IOException {
 throw UndertowMessages.MESSAGES.renegotiationNotSupported();
diff --git a/core/src/main/java/io/undertow/server/ConnectionSSLSessionInfo.java b/core/src/main/java/io/undertow/server/ConnectionSSLSessionInfo.java
index 91a59aaf7b..e3a6ed229b 100644
--- a/core/src/main/java/io/undertow/server/ConnectionSSLSessionInfo.java
+++ b/core/src/main/java/io/undertow/server/ConnectionSSLSessionInfo.java
@@ -25,7 +25,6 @@
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
-import javax.security.cert.X509Certificate;
 import org.xnio.ChannelListener;
 import org.xnio.IoUtils;
@@ -98,32 +97,6 @@ public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException, Re
 }
 }
- @Override
- @Deprecated(since="2.2.3", forRemoval=false)
- public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException, RenegotiationRequiredException {
- if (unverified != null) {
- throw unverified;
- }
- if (renegotiationRequiredException != null) {
- throw renegotiationRequiredException;
- }
- try {
- return channel.getSslSession().getPeerCertificateChain();
- } catch (SSLPeerUnverifiedException e) {
- try {
- SslClientAuthMode sslClientAuthMode = channel.getOption(Options.SSL_CLIENT_AUTH_MODE);
- if (sslClientAuthMode == SslClientAuthMode.NOT_REQUESTED) {
- renegotiationRequiredException = RENEGOTIATION_REQUIRED_EXCEPTION;
- throw renegotiationRequiredException;
- }
- } catch (IOException ioe) {
- // ignore, will not actually happen
- }
- unverified = PEER_UNVERIFIED_EXCEPTION;
- throw unverified;
- }
- }
-
 @Override
 public void renegotiate(HttpServerExchange exchange, SslClientAuthMode sslClientAuthMode) throws IOException {
 if ("TLSv1.3".equals(channel.getSslSession().getProtocol())) {
diff --git a/core/src/main/java/io/undertow/server/SSLSessionInfo.java b/core/src/main/java/io/undertow/server/SSLSessionInfo.java
index 95d228f3cc..56932dbd80 100644
--- a/core/src/main/java/io/undertow/server/SSLSessionInfo.java
+++ b/core/src/main/java/io/undertow/server/SSLSessionInfo.java
@@ -100,15 +100,6 @@ default int getKeySize() {
 */
 java.security.cert.Certificate[] getPeerCertificates() throws javax.net.ssl.SSLPeerUnverifiedException, RenegotiationRequiredException;
- /**
- * This method is no longer supported on java 15 and should be avoided.
- * @deprecated in favor of {@link #getPeerCertificates()} because {@link SSLSession#getPeerCertificateChain()}
- * throws java 15.
- * @see SSLSession#getPeerCertificateChain()
- */
- @Deprecated(since="2.2.3", forRemoval=false)
- javax.security.cert.X509Certificate[] getPeerCertificateChain() throws javax.net.ssl.SSLPeerUnverifiedException, RenegotiationRequiredException;
-
 /**
 * Renegotiate in a blocking manner. This will set the client aut
 *
diff --git a/core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParseState.java b/core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParseState.java
index 0cdbcd53c3..5366be10b2 100644
--- a/core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParseState.java
+++ b/core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParseState.java
@@ -128,8 +128,6 @@ BasicSSLSessionInfo createSslSessionInfo() {
 return new BasicSSLSessionInfo(sessionId, cypher, cert, keySize);
 } catch (CertificateException e) {
 return null;
- } catch (javax.security.cert.CertificateException e) {
- return null;
 }
 }
diff --git a/core/src/main/java/io/undertow/server/protocol/http2/Http2SslSessionInfo.java b/core/src/main/java/io/undertow/server/protocol/http2/Http2SslSessionInfo.java
index 251540c0dc..c0dc7bb51a 100644
--- a/core/src/main/java/io/undertow/server/protocol/http2/Http2SslSessionInfo.java
+++ b/core/src/main/java/io/undertow/server/protocol/http2/Http2SslSessionInfo.java
@@ -22,7 +22,6 @@
 import java.security.cert.Certificate;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
-import javax.security.cert.X509Certificate;
 import org.xnio.Options;
 import org.xnio.SslClientAuthMode;
@@ -70,24 +69,6 @@ public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException, Re
 }
 }
- @Override
- public X509Certificate[] getPeerCertificateChain()
- throws SSLPeerUnverifiedException, RenegotiationRequiredException {
- try {
- return channel.getSslSession().getPeerCertificateChain();
- } catch (SSLPeerUnverifiedException e) {
- try {
- SslClientAuthMode sslClientAuthMode = channel.getOption(Options.SSL_CLIENT_AUTH_MODE);
- if (sslClientAuthMode == SslClientAuthMode.NOT_REQUESTED) {
- throw new RenegotiationRequiredException();
- }
- } catch (IOException e1) {
- // ignore, will not actually happen
- }
- throw e;
- }
- }
-
 @Override
 public void renegotiate(HttpServerExchange exchange, SslClientAuthMode sslClientAuthMode) throws IOException {
 throw UndertowMessages.MESSAGES.renegotiationNotSupported();
diff --git a/core/src/main/java/io/undertow/util/Certificates.java b/core/src/main/java/io/undertow/util/Certificates.java
index 183ca18f95..ed807130db 100644
--- a/core/src/main/java/io/undertow/util/Certificates.java
+++ b/core/src/main/java/io/undertow/util/Certificates.java
@@ -28,12 +28,6 @@ public class Certificates {
 public static final String END_CERT = "-----END CERTIFICATE-----";
- @Deprecated (since = "2.3.0", forRemoval=true)
- public static String toPem(final javax.security.cert.X509Certificate certificate)
- throws javax.security.cert.CertificateEncodingException {
- return toPem(certificate.getEncoded());
- }
-
 /**
 * Converts a certificate to PEM format.
 * @param certificate the Certificate to recode