Allow to change the limit for the maximum size of the certificate cha…

…in. (#13355)


Motivation:

Sometimes large certificate chains are used which might be larger then the default maximum size.

Modifications:

- Allow to configure the limit
- Add unit test

Result:

Be able to adjust limit

bom/pom.xml

@@ -65,7 +65,7 @@
 
   <properties>
     <!-- Keep in sync with ../pom.xml -->
-    <tcnative.version>2.0.59.Final</tcnative.version>
+    <tcnative.version>2.0.60.Final</tcnative.version>
   </properties>
 
   <build>

handler/src/main/java/io/netty/handler/ssl/OpenSslContextOption.java

@@ -68,4 +68,10 @@ private OpenSslContextOption(String name) {
      */
     public static final OpenSslContextOption<OpenSslCertificateCompressionConfig> CERTIFICATE_COMPRESSION_ALGORITHMS =
             new OpenSslContextOption<OpenSslCertificateCompressionConfig>("CERTIFICATE_COMPRESSION_ALGORITHMS");
+
+    /**
+     * Set the maximum number of bytes that is allowed during the handshake for certificate chain.
+     */
+    public static final OpenSslContextOption<Integer> MAX_CERTIFICATE_LIST_BYTES =
+            new OpenSslContextOption<Integer>("MAX_CERTIFICATE_LIST_BYTES");
 }

handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java

@@ -227,6 +227,7 @@ public ApplicationProtocolConfig.SelectedListenerFailureBehavior selectedListene
         OpenSslPrivateKeyMethod privateKeyMethod = null;
         OpenSslAsyncPrivateKeyMethod asyncPrivateKeyMethod = null;
         OpenSslCertificateCompressionConfig certCompressionConfig = null;
+        Integer maxCertificateList = null;
 
         if (ctxOptions != null) {
             for (Map.Entry<SslContextOption<?>, Object> ctxOpt : ctxOptions) {
@@ -242,6 +243,8 @@ public ApplicationProtocolConfig.SelectedListenerFailureBehavior selectedListene
                     asyncPrivateKeyMethod = (OpenSslAsyncPrivateKeyMethod) ctxOpt.getValue();
                 } else if (option == OpenSslContextOption.CERTIFICATE_COMPRESSION_ALGORITHMS) {
                     certCompressionConfig = (OpenSslCertificateCompressionConfig) ctxOpt.getValue();
+                } else if (option == OpenSslContextOption.MAX_CERTIFICATE_LIST_BYTES) {
+                    maxCertificateList = (Integer) ctxOpt.getValue();
                 } else {
                     logger.debug("Skipping unsupported " + SslContextOption.class.getSimpleName()
                             + ": " + ctxOpt.getKey());
@@ -416,6 +419,9 @@ public ApplicationProtocolConfig.SelectedListenerFailureBehavior selectedListene
                     }
                 }
             }
+            if (maxCertificateList != null) {
+                SSLContext.setMaxCertList(ctx, maxCertificateList);
+            }
             // Set the curves.
             SSLContext.setCurvesList(ctx, OpenSsl.NAMED_GROUPS);
             success = true;

handler/src/test/java/io/netty/handler/ssl/OpenSslEngineTest.java

@@ -1601,4 +1601,43 @@ public void testExtraDataInLastSrcBufferForClientUnwrapNonjdkCompatabilityMode()
                 wrapEngine(clientSslCtx.newHandler(UnpooledByteBufAllocator.DEFAULT).engine()),
                 wrapEngine(serverSslCtx.newHandler(UnpooledByteBufAllocator.DEFAULT).engine()));
     }
+
+    @MethodSource("newTestParams")
+    @ParameterizedTest
+    public void testMaxCertificateList(final SSLEngineTestParam param) throws Exception {
+        SelfSignedCertificate ssc = new SelfSignedCertificate();
+        clientSslCtx = wrapContext(param, SslContextBuilder.forClient()
+                .trustManager(InsecureTrustManagerFactory.INSTANCE)
+                .keyManager(ssc.certificate(), ssc.privateKey())
+                .sslProvider(sslClientProvider())
+                .sslContextProvider(clientSslContextProvider())
+                .protocols(param.protocols())
+                .ciphers(param.ciphers())
+                .option(OpenSslContextOption.MAX_CERTIFICATE_LIST_BYTES, 10)
+                .build());
+        serverSslCtx = wrapContext(param, SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
+                .sslProvider(sslServerProvider())
+                .sslContextProvider(serverSslContextProvider())
+                .protocols(param.protocols())
+                .ciphers(param.ciphers())
+                .option(OpenSslContextOption.MAX_CERTIFICATE_LIST_BYTES, 10)
+                .clientAuth(ClientAuth.REQUIRE)
+                .build());
+
+        final SSLEngine client = wrapEngine(clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT));
+        final SSLEngine server = wrapEngine(serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT));
+
+        try {
+            assertThrows(SSLHandshakeException.class, new Executable() {
+                @Override
+                public void execute() throws Throwable {
+                    handshake(param.type(), param.delegate(), client, server);
+                }
+            });
+        } finally {
+            cleanupClientSslEngine(client);
+            cleanupServerSslEngine(server);
+            ssc.delete();
+        }
+    }
 }

pom.xml

@@ -622,7 +622,7 @@
     <os.detection.classifierWithLikes>fedora,suse,arch</os.detection.classifierWithLikes>
     <tcnative.artifactId>netty-tcnative</tcnative.artifactId>
     <!-- Keep in sync with bom/pom.xml -->
-    <tcnative.version>2.0.59.Final</tcnative.version>
+    <tcnative.version>2.0.60.Final</tcnative.version>
     <tcnative.classifier>${os.detected.classifier}</tcnative.classifier>
     <conscrypt.groupId>org.conscrypt</conscrypt.groupId>
     <conscrypt.artifactId>conscrypt-openjdk-uber</conscrypt.artifactId>