Support TLSv 1.3

Signed-off-by: Jorge Bescos Gascon <[email protected]>
eclipse-ee4j · Jul 13, 2020 · f0cf77a · f0cf77a
1 parent a05f5fb
commit f0cf77a
Show file tree

Hide file tree

Showing 9 changed files with 83 additions and 53 deletions.
diff --git a/...rs/jdk-connector/src/main/java/org/glassfish/jersey/jdk/connector/internal/SslFilter.java b/...rs/jdk-connector/src/main/java/org/glassfish/jersey/jdk/connector/internal/SslFilter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2019 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Public License v. 2.0, which is available at
@@ -50,6 +50,7 @@ class SslFilter extends Filter<ByteBuffer, ByteBuffer, ByteBuffer, ByteBuffer> {
     /* Some operations on SSL engine require a buffer as a parameter even if they don't need any data.
     This buffer is for that purpose. */
     private static final ByteBuffer emptyBuffer = ByteBuffer.allocate(0);
+    private static final String TLSV13 = "TLSv1.3";
 
     // buffer for passing data to the upper filter
     private final ByteBuffer applicationInputBuffer;
@@ -61,6 +62,7 @@ class SslFilter extends Filter<ByteBuffer, ByteBuffer, ByteBuffer, ByteBuffer> {
     private final WriteQueue writeQueue = new WriteQueue();
 
     private volatile State state = State.NOT_STARTED;
+    private volatile boolean tlsv13 = false;
     /*
      * Pending write operation stored when writing data was not possible. It will be resumed when write operation is
      * available again. Only one write operation can be in progress at a time. Trying to store more than one pending
@@ -169,14 +171,14 @@ BUFFER_UNDERFLOW can occur only after unwrap(), but to be 100% sure we handle al
                 }
 
                 case CLOSED: {
-                    state = State.CLOSED;
+                    setState(State.CLOSED);
                     break;
                 }
 
                 case OK: {
                     // check if we started re-handshaking
-                    if (result.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) {
-                        state = State.REHANDSHAKING;
+                    if (isHandshaking(result.getHandshakeStatus())) {
+                        setState(State.REHANDSHAKING);
                     }
 
                     ((Buffer) networkOutputBuffer).flip();
@@ -367,10 +369,10 @@ private boolean handleRead(ByteBuffer networkData) {
                     }
 
                     // we started re-handshaking
-                    if (result.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING
+                    if (!tlsv13 && isHandshaking(result.getHandshakeStatus())
                             // make sure we don't confuse re-handshake with closing handshake
                             && !sslEngine.isOutboundDone()) {
-                        state = State.REHANDSHAKING;
+                        setState(State.REHANDSHAKING);
                         return doHandshakeStep(networkData);
                     }
 
@@ -392,7 +394,8 @@ private boolean doHandshakeStep(ByteBuffer networkData) {
         boolean handshakeFinished = false;
 
         synchronized (this) {
-            if (SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING.equals(sslEngine.getHandshakeStatus())) {
+            SSLEngineResult.HandshakeStatus hs = sslEngine.getHandshakeStatus();
+            if (!isHandshaking(hs)) {
                 // we stopped handshaking while waiting for the lock
                 return true;
             }
@@ -403,7 +406,7 @@ private boolean doHandshakeStep(ByteBuffer networkData) {
                 LazyBuffer outputBuffer = new LazyBuffer();
                 boolean stepFinished = false;
                 while (!stepFinished) {
-                    SSLEngineResult.HandshakeStatus hs = sslEngine.getHandshakeStatus();
+                    hs = sslEngine.getHandshakeStatus();
 
                     switch (hs) {
                         case NOT_HANDSHAKING: {
@@ -416,12 +419,8 @@ private boolean doHandshakeStep(ByteBuffer networkData) {
                         }
 
                         case FINISHED: {
-                            /* According to SSLEngine javadoc FINISHED status can be returned only in SSLEngineResult,
-                            but just to make sure we don't end up in an infinite loop when presented with an SSLEngine
-                            implementation that does not respect this:*/
-                            stepFinished = true;
-                            handshakeFinished = true;
-                            break;
+                            throw new IllegalStateException("Trying to handshake, but SSL engine not in HANDSHAKING state."
+                                    + "SSL filter state: \n" + getDebugState());
                         }
                         // needs to write data to the network
                         case NEED_WRAP: {
@@ -449,7 +448,7 @@ that BUFFER_UNDERFLOW can occur only after unwrap(), but to be 100% sure we hand
 
                                 case CLOSED: {
                                     stepFinished = true;
-                                    state = State.CLOSED;
+                                    setState(State.CLOSED);
                                     break;
                                 }
                             }
@@ -490,7 +489,7 @@ that BUFFER_UNDERFLOW can occur only after unwrap(), but to be 100% sure we hand
 
                                 case CLOSED: {
                                     stepFinished = true;
-                                    state = State.CLOSED;
+                                    setState(State.CLOSED);
                                     break;
                                 }
                             }
@@ -532,6 +531,7 @@ that BUFFER_UNDERFLOW can occur only after unwrap(), but to be 100% sure we hand
 
         if (handshakeFinished) {
             handleHandshakeFinished();
+            tlsv13 = TLSV13.equals(sslEngine.getSession().getProtocol());
             // indicate that there still might be usable data in the input buffer
             return true;
         }
@@ -550,10 +550,10 @@ private void handleHandshakeFinished() {
         }
 
         if (state == State.HANDSHAKING) {
-            state = State.DATA;
+            setState(State.DATA);
             upstreamFilter.onSslHandshakeCompleted();
         } else if (state == State.REHANDSHAKING) {
-            state = State.DATA;
+            setState(State.DATA);
             if (pendingApplicationWrite != null) {
                 Runnable write = pendingApplicationWrite;
                 // set pending write to null to cover the extremely improbable case that we start re-handshaking again
@@ -571,7 +571,7 @@ private void handleSslError(Throwable t) {
     @Override
     void startSsl() {
         try {
-            state = State.HANDSHAKING;
+            setState(State.HANDSHAKING);
             sslEngine.beginHandshake();
             doHandshakeStep(emptyBuffer);
         } catch (SSLException e) {
@@ -707,4 +707,14 @@ public String toString() {
             }
         }
     }
+
+    private void setState(State state) {
+        this.state = state;
+    }
+
+    private boolean isHandshaking(SSLEngineResult.HandshakeStatus hs) {
+        return SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING != hs
+                // TLSv1.3 introduces this, and it is considered as not handshaking
+                && SSLEngineResult.HandshakeStatus.FINISHED != hs;
+    }
 }
diff --git a/connectors/jdk-connector/src/test/resources/client.cert b/connectors/jdk-connector/src/test/resources/client.cert
diff --git a/connectors/jdk-connector/src/test/resources/clientkey.cert b/connectors/jdk-connector/src/test/resources/clientkey.cert
@@ -0,0 +1,27 @@
+Alias name: clientkey
+Creation date: Jun 22, 2020
+Entry type: PrivateKeyEntry
+Certificate chain length: 1
+Certificate[1]:
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIEdX5IhDANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJD
+WjEXMBUGA1UECBMOQ3plY2ggUmVwdWJsaWMxDzANBgNVBAcTBlByYWd1ZTEbMBkG
+A1UEChMST3JhY2xlIENvcnBvcmF0aW9uMQ8wDQYDVQQLEwZKZXJzZXkxDzANBgNV
+BAMTBkNsaWVudDAgFw0yMDA2MjIwNzI5MzZaGA8yMTIwMDUyOTA3MjkzNlowdjEL
+MAkGA1UEBhMCQ1oxFzAVBgNVBAgTDkN6ZWNoIFJlcHVibGljMQ8wDQYDVQQHEwZQ
+cmFndWUxGzAZBgNVBAoTEk9yYWNsZSBDb3Jwb3JhdGlvbjEPMA0GA1UECxMGSmVy
+c2V5MQ8wDQYDVQQDEwZDbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQClVUtMXL/+WK5Ma6mV+BeGZlSlGqT9teUUDwPkipZMA9wdXTC3iSIp098s
+NCiPJBPXs+0KSrrPVgcHlMONcAzg3FHQrbP1aIH0oFOHR1bF/KNG1/XzV8HLMHqM
+ynnDJ69sYOUy6BO6lYQM1GaPf0fdqkdii2/clKiKzzT/Ohr6549q3vdzHw4hKmoE
+SKrdmv4OkOFGKzAH2dzNciHGnpiQj03DhjAN/8KobdUbsxoklnYOdDkg2UErI0zC
+qPRg2DVVOxhViMOmPBheXVvdDiIAdLlXRiPTraetr1KxDHV6KXsQhKmADZhIj8jY
+NjIyMo52bRTToaJQL5DKF6Boyx/tAgMBAAGjITAfMB0GA1UdDgQWBBSjbPqA6Tkv
+6oS99eZLNQk11M+DODANBgkqhkiG9w0BAQsFAAOCAQEACNAqN0lz1cUlIocfhSk8
+JlAHsRbWoCxxJZNJE0WWZ6lfH5xdlW0/87yfSvtLwDOY/8OYAhbzjG5O8mQv/I32
+b2Acs42Sh+otVyLjbYicv+1yMuvmBnhEImeMHSGFjczYf9zQ+2PlerxdNwVKdpUL
+V3Dt68wTlWNRYm9X6uVpNRG7fy7/goeJhAXuVER9Gtl/LQ6GJyZjVxYemckoXWDY
+DCqVlzsZpnyoI2lrYXlcT3liPlRLJjqnWvmmF9GyqiIVeng9VTfStsEQ6LUfwKQO
+dtvwYhbVtL++fuX/99WYCDRL8mSFu8REruQln3TJf79wOQ14O0H5jWjr4QoeOIf9
+aw==
+-----END CERTIFICATE-----
diff --git a/connectors/jdk-connector/src/test/resources/keystore_client b/connectors/jdk-connector/src/test/resources/keystore_client
diff --git a/connectors/jdk-connector/src/test/resources/keystore_server b/connectors/jdk-connector/src/test/resources/keystore_server
diff --git a/connectors/jdk-connector/src/test/resources/server.cert b/connectors/jdk-connector/src/test/resources/server.cert
diff --git a/connectors/jdk-connector/src/test/resources/serverkey.cert b/connectors/jdk-connector/src/test/resources/serverkey.cert
@@ -0,0 +1,27 @@
+Alias name: serverkey
+Creation date: Jun 22, 2020
+Entry type: PrivateKeyEntry
+Certificate chain length: 1
+Certificate[1]:
+-----BEGIN CERTIFICATE-----
+MIIDkzCCAnugAwIBAgIEPcyqRDANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJD
+WjEXMBUGA1UECBMOQ3plY2ggUmVwdWJsaWMxDzANBgNVBAcTBlByYWd1ZTEbMBkG
+A1UEChMST3JhY2xlIENvcnBvcmF0aW9uMQ8wDQYDVQQLEwZKZXJzZXkxEjAQBgNV
+BAMTCWxvY2FsaG9zdDAgFw0yMDA2MjIwNzI5MzVaGA8yMTIwMDUyOTA3MjkzNVow
+eTELMAkGA1UEBhMCQ1oxFzAVBgNVBAgTDkN6ZWNoIFJlcHVibGljMQ8wDQYDVQQH
+EwZQcmFndWUxGzAZBgNVBAoTEk9yYWNsZSBDb3Jwb3JhdGlvbjEPMA0GA1UECxMG
+SmVyc2V5MRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQCSeyzbVQcWrPEWRamOT7qD1unq3RXVNIWW4Ty80aWkVZfGknaM
+eLN4u5E1KaOpzZiz0bRMJHmODleqClK3x5agVc7fZHS5+7UpIK2YFjR40gVwtSm8
+QEqgM2Oupx64xre7ueuStc+r3w+8ogI15/NY2RmlEKbsDvb5U336vIqwkSnMQ2sc
+yVe0eqhVfjKh157GA6ORh3YeYCh2rpprBDUwuAXaRQUFENmSB7Scfa9WsVBsngwY
+OUkaksosSVs9HU7WDkGLa2tVcNakaroT9MRFIttVuT3o5LjCImdBF0jqqyinipIk
+EZaQJWmR8RgS/nB3SqDIrcASMTfKnQOWh9XXAgMBAAGjITAfMB0GA1UdDgQWBBRi
+o3s6iusqJmz27RQuZ4X/PJWC5jANBgkqhkiG9w0BAQsFAAOCAQEAetRLpMZwt/Fp
+6JLiywxEm0cpWZY3CtZpRXUYK6oiBxSoY4ZI/802cWFJnakYYRuRnTAj9yCEYbww
+fbDMYVgS2x/q+CJsvPqg7aqPfR/2tqqm24pgpTE8QrH8FCGIsMHymc3sYV+pfkyI
+mXMeztbDj3h+i654qgBI+stcnhTXhi7Hf2nHLGg2280XMC2+NVNhn3hGcbALr1mr
+ka/s+LJw8jch9UkQT4fvL6jMn3v9LJL7vpIDiOtCYtralrLG7qLBYn0uXTA6IT8G
+j22jxaJPtTZz+mXnCLqe+xQCOjp14uO0vbVf2yIOUwY5psaB2JkEJp8VlXjI0J+Z
+c3pd96UiJw==
+-----END CERTIFICATE-----
diff --git a/connectors/jdk-connector/src/test/resources/truststore_client b/connectors/jdk-connector/src/test/resources/truststore_client
diff --git a/connectors/jdk-connector/src/test/resources/truststore_server b/connectors/jdk-connector/src/test/resources/truststore_server