undertow-io · eirbjo · Apr 14, 2023 · Apr 14, 2023
diff --git a/core/src/main/java/io/undertow/protocols/ssl/SNISSLEngine.java b/core/src/main/java/io/undertow/protocols/ssl/SNISSLEngine.java
@@ -17,8 +17,6 @@
 
 import java.nio.ByteBuffer;
 import java.nio.channels.ClosedChannelException;
-import java.security.Principal;
-import java.security.cert.Certificate;
 import java.util.List;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.concurrent.atomic.AtomicReference;
@@ -30,10 +28,7 @@
 import javax.net.ssl.SSLEngineResult;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLParameters;
-import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSessionContext;
-import javax.security.cert.X509Certificate;
 
 import io.undertow.UndertowMessages;
 
@@ -205,104 +200,14 @@ class InitialState extends SSLEngine {
         private final SNIContextMatcher selector;
         private final AtomicInteger flags = new AtomicInteger(FL_SESSION_CRE);
         private final Function<SSLContext, SSLEngine> engineFunction;
-        private int packetBufferSize = SNISSLExplorer.RECORD_HEADER_SIZE;
         private String[] enabledSuites;
         private String[] enabledProtocols;
 
-        private final SSLSession handshakeSession = new SSLSession() {
-            public byte[] getId() {
-                throw new UnsupportedOperationException();
-            }
-
-            public SSLSessionContext getSessionContext() {
-                throw new UnsupportedOperationException();
-            }
-
-            public long getCreationTime() {
-                throw new UnsupportedOperationException();
-            }
-
-            public long getLastAccessedTime() {
-                throw new UnsupportedOperationException();
-            }
-
-            public void invalidate() {
-                throw new UnsupportedOperationException();
-            }
-
-            public boolean isValid() {
-                return false;
-            }
-
-            public void putValue(final String s, final Object o) {
-                throw new UnsupportedOperationException();
-            }
-
-            public Object getValue(final String s) {
-                return null;
-            }
-
-            public void removeValue(final String s) {
-            }
-
-            public String[] getValueNames() {
-                throw new UnsupportedOperationException();
-            }
-
-            public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
-                throw new UnsupportedOperationException();
-            }
-
-            public Certificate[] getLocalCertificates() {
-                return null;
-            }
-
-            public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
-                throw new UnsupportedOperationException();
-            }
-
-            public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
-                throw new UnsupportedOperationException();
-            }
-
-            public Principal getLocalPrincipal() {
-                throw new UnsupportedOperationException();
-            }
-
-            public String getCipherSuite() {
-                throw new UnsupportedOperationException();
-            }
-
-            public String getProtocol() {
-                throw new UnsupportedOperationException();
-            }
-
-            public String getPeerHost() {
-                return SNISSLEngine.this.getPeerHost();
-            }
-
-            public int getPeerPort() {
-                return SNISSLEngine.this.getPeerPort();
-            }
-
-            public int getPacketBufferSize() {
-                return packetBufferSize;
-            }
-
-            public int getApplicationBufferSize() {
-                throw new UnsupportedOperationException();
-            }
-        };
-
         InitialState(final SNIContextMatcher selector, final Function<SSLContext, SSLEngine> engineFunction) {
             this.selector = selector;
             this.engineFunction = engineFunction;
         }
 
-        public SSLSession getHandshakeSession() {
-            return handshakeSession;
-        }
-
         public SSLEngineResult wrap(final ByteBuffer[] srcs, final int offset, final int length, final ByteBuffer dst) throws SSLException {
             return OK_UNWRAP;
         }
@@ -312,12 +217,10 @@ public SSLEngineResult unwrap(final ByteBuffer src, final ByteBuffer[] dsts, fin
             final int mark = src.position();
             try {
                 if (src.remaining() < SNISSLExplorer.RECORD_HEADER_SIZE) {
-                    packetBufferSize = SNISSLExplorer.RECORD_HEADER_SIZE;
                     return UNDERFLOW_UNWRAP;
                 }
                 final int requiredSize = SNISSLExplorer.getRequiredSize(src);
                 if (src.remaining() < requiredSize) {
-                    packetBufferSize = requiredSize;
                     return UNDERFLOW_UNWRAP;
                 }
                 List<SNIServerName> names = SNISSLExplorer.explore(src);

diff --git a/core/src/main/java/io/undertow/server/BasicSSLSessionInfo.java b/core/src/main/java/io/undertow/server/BasicSSLSessionInfo.java
@@ -24,8 +24,6 @@
 
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
-import javax.security.cert.CertificateException;
-import javax.security.cert.X509Certificate;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
@@ -41,7 +39,6 @@ public class BasicSSLSessionInfo implements SSLSessionInfo {
     private final byte[] sessionId;
     private final String cypherSuite;
     private final java.security.cert.Certificate[] peerCertificate;
-    private final X509Certificate[] certificate;
     private final Integer keySize;
     private final String secureProtocol;
 
@@ -52,9 +49,8 @@ public class BasicSSLSessionInfo implements SSLSessionInfo {
      * @param certificate A string representation of the client certificate
      * @param keySize The key-size used by the cypher
      * @throws java.security.cert.CertificateException If the client cert could not be decoded
-     * @throws CertificateException If the client cert could not be decoded
      */
-    public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate, Integer keySize) throws java.security.cert.CertificateException, CertificateException {
+    public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate, Integer keySize) throws java.security.cert.CertificateException {
         this(sessionId, cypherSuite, certificate, keySize, null);
     }
 
@@ -66,9 +62,8 @@ public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certific
      * @param keySize The key-size used by the cypher
      * @param secureProtocol the secure protocol, example {@code TLSv1.2}
      * @throws java.security.cert.CertificateException If the client cert could not be decoded
-     * @throws CertificateException If the client cert could not be decoded
      */
-    public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate, Integer keySize, String secureProtocol) throws java.security.cert.CertificateException, CertificateException {
+    public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate, Integer keySize, String secureProtocol) throws java.security.cert.CertificateException {
         this.sessionId = sessionId;
         this.cypherSuite = cypherSuite;
         this.keySize = keySize;
@@ -79,26 +74,13 @@ public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certific
             ByteArrayInputStream stream = new ByteArrayInputStream(certificateBytes);
             Collection<? extends java.security.cert.Certificate> certCol = cf.generateCertificates(stream);
             this.peerCertificate = new java.security.cert.Certificate[certCol.size()];
-            X509Certificate[] legacyCertificate = new X509Certificate[certCol.size()];
             int i=0;
             for(java.security.cert.Certificate cert : certCol) {
                 this.peerCertificate[i] = cert;
-                if (legacyCertificate != null) {
-                    try {
-                        legacyCertificate[i] = X509Certificate.getInstance(cert.getEncoded());
-                    } catch (CertificateException ce) {
-                        // [UNDERTOW-1969] We don't care about deprecated JDK methods failure caused by the fact newer JDKs
-                        // doesn't support them anymore. "this.certificate" is used only by deprecated method
-                        // {@link SSLSessionInfo.getPeerCertificateChain()} which call should be avoided by API users.
-                        legacyCertificate = null;
-                    }
-                }
                 i++;
             }
-            this.certificate = legacyCertificate;
         } else {
             this.peerCertificate = null;
-            this.certificate = null;
         }
     }
 
@@ -108,9 +90,8 @@ public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certific
      * @param cypherSuite The cypher suite name
      * @param certificate A string representation of the client certificate
      * @throws java.security.cert.CertificateException If the client cert could not be decoded
-     * @throws CertificateException If the client cert could not be decoded
      */
-    public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate) throws java.security.cert.CertificateException, CertificateException {
+    public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certificate) throws java.security.cert.CertificateException {
         this(sessionId, cypherSuite, certificate, null);
     }
 
@@ -120,9 +101,8 @@ public BasicSSLSessionInfo(byte[] sessionId, String cypherSuite, String certific
      * @param cypherSuite The cypher suite name
      * @param certificate A string representation of the client certificate
      * @throws java.security.cert.CertificateException If the client cert could not be decoded
-     * @throws CertificateException If the client cert could not be decoded
      */
-    public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate) throws java.security.cert.CertificateException, CertificateException {
+    public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate) throws java.security.cert.CertificateException {
         this(sessionId == null ? null : fromHex(sessionId), cypherSuite, certificate, null);
     }
 
@@ -133,9 +113,8 @@ public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certific
      * @param certificate A string representation of the client certificate
      * @param keySize The key-size used by the cypher
      * @throws java.security.cert.CertificateException If the client cert could not be decoded
-     * @throws CertificateException If the client cert could not be decoded
      */
-    public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate, Integer keySize) throws java.security.cert.CertificateException, CertificateException {
+    public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate, Integer keySize) throws java.security.cert.CertificateException {
         this(sessionId == null ? null : fromHex(sessionId), cypherSuite, certificate, keySize);
     }
 
@@ -147,9 +126,8 @@ public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certific
      * @param keySize The key-size used by the cypher
      * @param secureProtocol the secure protocol, example {@code TLSv1.2}
      * @throws java.security.cert.CertificateException If the client cert could not be decoded
-     * @throws CertificateException If the client cert could not be decoded
      */
-    public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate, Integer keySize, String secureProtocol) throws java.security.cert.CertificateException, CertificateException {
+    public BasicSSLSessionInfo(String sessionId, String cypherSuite, String certificate, Integer keySize, String secureProtocol) throws java.security.cert.CertificateException {
         this(sessionId == null ? null : fromHex(sessionId), cypherSuite, certificate, keySize, secureProtocol);
     }
 
@@ -185,15 +163,6 @@ public java.security.cert.Certificate[] getPeerCertificates() throws SSLPeerUnve
         return peerCertificate;
     }
 
-    @Deprecated
-    @Override
-    public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
-        if (certificate == null) {
-            throw UndertowMessages.MESSAGES.peerUnverified();
-        }
-        return certificate;
-    }
-
     @Override
     public void renegotiate(HttpServerExchange exchange, SslClientAuthMode sslClientAuthMode) throws IOException {
         throw UndertowMessages.MESSAGES.renegotiationNotSupported();

diff --git a/core/src/main/java/io/undertow/server/ConnectionSSLSessionInfo.java b/core/src/main/java/io/undertow/server/ConnectionSSLSessionInfo.java
@@ -25,7 +25,6 @@
 
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
-import javax.security.cert.X509Certificate;
 
 import org.xnio.ChannelListener;
 import org.xnio.IoUtils;
@@ -98,32 +97,6 @@ public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException, Re
         }
     }
 
-    @Override
-    @Deprecated(since="2.2.3", forRemoval=false)
-    public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException, RenegotiationRequiredException {
-        if (unverified != null) {
-            throw unverified;
-        }
-        if (renegotiationRequiredException != null) {
-            throw renegotiationRequiredException;
-        }
-        try {
-            return channel.getSslSession().getPeerCertificateChain();
-        } catch (SSLPeerUnverifiedException e) {
-          try {
-              SslClientAuthMode sslClientAuthMode = channel.getOption(Options.SSL_CLIENT_AUTH_MODE);
-              if (sslClientAuthMode == SslClientAuthMode.NOT_REQUESTED) {
-                  renegotiationRequiredException = RENEGOTIATION_REQUIRED_EXCEPTION;
-                  throw renegotiationRequiredException;
-              }
-          } catch (IOException ioe) {
-              // ignore, will not actually happen
-          }
-            unverified = PEER_UNVERIFIED_EXCEPTION;
-            throw unverified;
-        }
-    }
-
     @Override
     public void renegotiate(HttpServerExchange exchange, SslClientAuthMode sslClientAuthMode) throws IOException {
         if ("TLSv1.3".equals(channel.getSslSession().getProtocol())) {

diff --git a/core/src/main/java/io/undertow/server/SSLSessionInfo.java b/core/src/main/java/io/undertow/server/SSLSessionInfo.java
@@ -100,15 +100,6 @@ default int getKeySize() {
      */
     java.security.cert.Certificate[] getPeerCertificates() throws javax.net.ssl.SSLPeerUnverifiedException, RenegotiationRequiredException;
 
-    /**
-     * This method is no longer supported on java 15 and should be avoided.
-     * @deprecated in favor of {@link #getPeerCertificates()} because {@link SSLSession#getPeerCertificateChain()}
-     *             throws java 15.
-     * @see SSLSession#getPeerCertificateChain()
-     */
-    @Deprecated(since="2.2.3", forRemoval=false)
-    javax.security.cert.X509Certificate[] getPeerCertificateChain() throws javax.net.ssl.SSLPeerUnverifiedException, RenegotiationRequiredException;
-
     /**
      * Renegotiate in a blocking manner. This will set the client aut
      *

diff --git a/core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParseState.java b/core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParseState.java
@@ -128,8 +128,6 @@ BasicSSLSessionInfo createSslSessionInfo() {
             return new BasicSSLSessionInfo(sessionId, cypher, cert, keySize);
         } catch (CertificateException e) {
             return null;
-        } catch (javax.security.cert.CertificateException e) {
-            return null;
         }
     }
 

diff --git a/core/src/main/java/io/undertow/server/protocol/http2/Http2SslSessionInfo.java b/core/src/main/java/io/undertow/server/protocol/http2/Http2SslSessionInfo.java
@@ -22,7 +22,6 @@
 import java.security.cert.Certificate;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
-import javax.security.cert.X509Certificate;
 import org.xnio.Options;
 import org.xnio.SslClientAuthMode;
 
@@ -70,24 +69,6 @@ public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException, Re
         }
     }
 
-    @Override
-    public X509Certificate[] getPeerCertificateChain()
-        throws SSLPeerUnverifiedException, RenegotiationRequiredException {
-        try {
-            return channel.getSslSession().getPeerCertificateChain();
-        } catch (SSLPeerUnverifiedException e) {
-            try {
-                SslClientAuthMode sslClientAuthMode = channel.getOption(Options.SSL_CLIENT_AUTH_MODE);
-                if (sslClientAuthMode == SslClientAuthMode.NOT_REQUESTED) {
-                    throw new RenegotiationRequiredException();
-                }
-            } catch (IOException e1) {
-              // ignore, will not actually happen
-            }
-            throw e;
-        }
-    }
-
     @Override
     public void renegotiate(HttpServerExchange exchange, SslClientAuthMode sslClientAuthMode) throws IOException {
         throw UndertowMessages.MESSAGES.renegotiationNotSupported();

diff --git a/core/src/main/java/io/undertow/util/Certificates.java b/core/src/main/java/io/undertow/util/Certificates.java
@@ -28,12 +28,6 @@ public class Certificates {
 
     public static final String END_CERT = "-----END CERTIFICATE-----";
 
-    @Deprecated (since = "2.3.0", forRemoval=true)
-    public static String toPem(final javax.security.cert.X509Certificate certificate)
-            throws javax.security.cert.CertificateEncodingException {
-        return toPem(certificate.getEncoded());
-    }
-
     /**
      * Converts a certificate to PEM format.
      * @param certificate the Certificate to recode