Posted to commits@activemq.apache.org by cl...@apache.org on 2021/08/04 13:19:47 UTC

[activemq-artemis] branch main updated: ARTEMIS-3302 fix regression with OpenSSL

This is an automated email from the ASF dual-hosted git repository.

clebertsuconic pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git


The following commit(s) were added to refs/heads/main by this push:
     new 8799fe8  ARTEMIS-3302 fix regression with OpenSSL
     new 9b49e63  This closes #3682
8799fe8 is described below

commit 8799fe807e12b546465015940013f4a5acdaaecb
Author: Justin Bertram <jb...@apache.org>
AuthorDate: Tue Aug 3 22:29:37 2021 -0500

    ARTEMIS-3302 fix regression with OpenSSL
    
    When using the OpenSSL provider on the broker the getPeerCertificates()
    method does *not* return an X509Certificate[], so we need to convert the
    Certificate[] that is returned. This code is inspired by Tomcat's
    org.apache.tomcat.util.net.jsse.JSSESupport class.
---
 .../activemq/artemis/utils/CertificateUtil.java    | 33 ++++++++++++++++++++--
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/CertificateUtil.java b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/CertificateUtil.java
index 56a7ae9..bd23a74 100644
--- a/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/CertificateUtil.java
+++ b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/CertificateUtil.java
@@ -18,26 +18,53 @@
 package org.apache.activemq.artemis.utils;
 
 import javax.net.ssl.SSLPeerUnverifiedException;
+import java.io.ByteArrayInputStream;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
 import io.netty.handler.ssl.SslHandler;
+import org.jboss.logging.Logger;
 
 public class CertificateUtil {
+   private static final Logger logger = Logger.getLogger(CertificateUtil.class);
 
    public static X509Certificate[] getCertsFromChannel(Channel channel) {
-      X509Certificate[] certificates = null;
+      Certificate[] plainCerts = null;
       ChannelHandler channelHandler = channel.pipeline().get("ssl");
       if (channelHandler != null && channelHandler instanceof SslHandler) {
          SslHandler sslHandler = (SslHandler) channelHandler;
          try {
-            certificates = (X509Certificate[]) sslHandler.engine().getSession().getPeerCertificates();
+            plainCerts = sslHandler.engine().getSession().getPeerCertificates();
          } catch (SSLPeerUnverifiedException e) {
             // ignore
          }
       }
 
-      return certificates;
+      X509Certificate[] x509Certs = null;
+      if (plainCerts != null && plainCerts.length > 0) {
+         x509Certs = new X509Certificate[plainCerts.length];
+         for (int i = 0; i < plainCerts.length; i++) {
+            if (plainCerts[i] instanceof X509Certificate) {
+               x509Certs[i] = (X509Certificate) plainCerts[i];
+            } else {
+               try {
+                  x509Certs[i] = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(plainCerts[i].getEncoded()));
+               } catch (Exception ex) {
+                  if (logger.isTraceEnabled()) {
+                     logger.trace("Failed to convert SSL cert", ex);
+                  }
+                  return null;
+               }
+            }
+            if (logger.isTraceEnabled()) {
+               logger.trace("Cert #" + i + " = " + x509Certs[i]);
+            }
+         }
+      }
+
+      return x509Certs;
    }
 }
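Review bot: The `catch (Exception ex)` around the conversion is broader than the API requires: `CertificateFactory.getInstance` and `generateCertificate` throw `CertificateException`, and `getEncoded()` throws `CertificateEncodingException` (a subclass), so `catch (CertificateException ex)` (with `import java.security.cert.CertificateException;`) states exactly what is tolerated and stops an unrelated runtime failure in the loop from being silently turned into a `null` return. The factory is also looked up once per element; `CertificateFactory.getInstance("X.509")` does not depend on `plainCerts[i]` and can be obtained once before the loop, e.g. `CertificateFactory factory = CertificateFactory.getInstance("X.509");` with the loop body using `factory.generateCertificate(...)`. Note that after this change a conversion failure returns `null`, the same value returned when no SslHandler is present or the peer is unverified, so a caller that treats `null` as "no client certificate" cannot tell that a certificate was presented but could not be converted; if callers make authentication decisions on that value, a `logger.debug` or `warn` at the `return null;` rather than trace-only logging would make the failure visible in the default log.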